mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-01-15 00:03:43 +01:00
updated code to better handle TLS errors
This commit is contained in:
Jeremy Long
@@ -50,10 +50,11 @@ import javax.json.JsonReader;
|
||||
import javax.json.JsonString;
|
||||
import javax.json.JsonValue;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
|
||||
|
||||
/**
|
||||
* Used to analyze Node Package Manager (npm) package.json files via
|
||||
* Node Security Platform (nsp).
|
||||
* Used to analyze Node Package Manager (npm) package.json files via Node
|
||||
* Security Platform (nsp).
|
||||
*
|
||||
* @author Steve Springett
|
||||
*/
|
||||
@@ -161,7 +162,7 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
// Submits the package payload to the nsp check service
|
||||
final List<Advisory> advisories = searcher.submitPackage(nspPayload);
|
||||
|
||||
for (Advisory advisory: advisories) {
|
||||
for (Advisory advisory : advisories) {
|
||||
/*
|
||||
* Create a new vulnerability out of the advisory returned by nsp.
|
||||
*/
|
||||
@@ -247,23 +248,27 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
addToEvidence(packageJson, vendorEvidence, "author");
|
||||
addToEvidence(packageJson, dependency.getVersionEvidence(), "version");
|
||||
dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName()));
|
||||
|
||||
} catch (URLConnectionFailureException e) {
|
||||
this.setEnabled(false);
|
||||
throw new AnalysisException(e.getMessage(), e);
|
||||
} catch (IOException e) {
|
||||
LOGGER.debug("Error reading dependency or connecting to Node Security Platform /check API", e);
|
||||
LOGGER.debug("Error reading dependency or connecting to Node Security Platform - check API", e);
|
||||
this.setEnabled(false);
|
||||
throw new AnalysisException(e.getMessage(), e);
|
||||
} catch (JsonException e) {
|
||||
LOGGER.warn("Failed to parse package.json file.", e);
|
||||
throw new AnalysisException(String.format("Failed to parse %s file.", file.getPath()), e);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Processes a part of package.json (as defined by JsobObject) and
|
||||
* update the specified dependency with relevant info.
|
||||
* Processes a part of package.json (as defined by JsobObject) and update
|
||||
* the specified dependency with relevant info.
|
||||
*
|
||||
* @param dependency the Dependency to update
|
||||
* @param jsonObject the jsonObject to parse
|
||||
*/
|
||||
private void processPackage(Dependency dependency, JsonObject jsonObject, String depType) {
|
||||
for (int i=0; i<jsonObject.size(); i++) {
|
||||
for (int i = 0; i < jsonObject.size(); i++) {
|
||||
for (Map.Entry<String, JsonValue> entry : jsonObject.entrySet()) {
|
||||
/*
|
||||
* Create identifies that include the npm module and version. Since these are defined,
|
||||
@@ -273,7 +278,7 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
moduleName.setConfidence(Confidence.HIGHEST);
|
||||
String version = "";
|
||||
if (entry.getValue() != null && entry.getValue().getValueType() == JsonValue.ValueType.STRING) {
|
||||
version = ((JsonString)entry.getValue()).getString();
|
||||
version = ((JsonString) entry.getValue()).getString();
|
||||
}
|
||||
final Identifier moduleVersion = new Identifier("npm", "Version", null, version);
|
||||
moduleVersion.setConfidence(Confidence.HIGHEST);
|
||||
|
||||
@@ -35,6 +35,7 @@ import javax.json.Json;
|
||||
import javax.json.JsonArray;
|
||||
import javax.json.JsonObject;
|
||||
import javax.json.JsonReader;
|
||||
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
|
||||
|
||||
/**
|
||||
* Class of methods to search via Node Security Platform.
|
||||
@@ -75,70 +76,80 @@ public class NspSearch {
|
||||
}
|
||||
|
||||
/**
|
||||
* Submits the package.json file to the NSP public /check API and returns
|
||||
* a list of zero or more Advisories.
|
||||
* Submits the package.json file to the NSP public /check API and returns a
|
||||
* list of zero or more Advisories.
|
||||
*
|
||||
* @param packageJson the package.json file retrieved from the Dependency
|
||||
* @return a List of zero or more Advisory object
|
||||
* @throws IOException if it's unable to connect to Node Security Platform
|
||||
*/
|
||||
public List<Advisory> submitPackage(JsonObject packageJson) throws IOException {
|
||||
List<Advisory> result = new ArrayList<>();
|
||||
byte[] packageDatabytes = packageJson.toString().getBytes(StandardCharsets.UTF_8);
|
||||
try {
|
||||
List<Advisory> result = new ArrayList<>();
|
||||
byte[] packageDatabytes = packageJson.toString().getBytes(StandardCharsets.UTF_8);
|
||||
|
||||
final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(nspCheckUrl, useProxy);
|
||||
conn.setDoOutput(true);
|
||||
conn.setDoInput(true);
|
||||
conn.setRequestMethod("POST");
|
||||
conn.setRequestProperty("X-NSP-VERSION", "2.6.2");
|
||||
conn.setRequestProperty("Content-Type", "application/json");
|
||||
conn.setRequestProperty("Content-Length", Integer.toString(packageDatabytes.length));
|
||||
conn.connect();
|
||||
final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(nspCheckUrl, useProxy);
|
||||
conn.setDoOutput(true);
|
||||
conn.setDoInput(true);
|
||||
conn.setRequestMethod("POST");
|
||||
conn.setRequestProperty("X-NSP-VERSION", "2.6.2");
|
||||
conn.setRequestProperty("Content-Type", "application/json");
|
||||
conn.setRequestProperty("Content-Length", Integer.toString(packageDatabytes.length));
|
||||
conn.connect();
|
||||
|
||||
try (OutputStream os = new BufferedOutputStream(conn.getOutputStream())) {
|
||||
os.write(packageDatabytes);
|
||||
os.flush();
|
||||
}
|
||||
try (OutputStream os = new BufferedOutputStream(conn.getOutputStream())) {
|
||||
os.write(packageDatabytes);
|
||||
os.flush();
|
||||
}
|
||||
|
||||
if (conn.getResponseCode() == 200) {
|
||||
try (InputStream in = new BufferedInputStream(conn.getInputStream())) {
|
||||
JsonReader jsonReader = Json.createReader(in);
|
||||
JsonArray array = jsonReader.readArray();
|
||||
if (array != null) {
|
||||
for (int i=0; i<array.size(); i++) {
|
||||
JsonObject object = array.getJsonObject(i);
|
||||
Advisory advisory = new Advisory();
|
||||
advisory.setId(object.getInt("id"));
|
||||
advisory.setUpdatedAt(object.getString("updated_at", null));
|
||||
advisory.setCreatedAt(object.getString("created_at", null));
|
||||
advisory.setPublishDate(object.getString("publish_date", null));
|
||||
advisory.setOverview(object.getString("overview"));
|
||||
advisory.setRecommendation(object.getString("recommendation", null));
|
||||
advisory.setCvssVector(object.getString("cvss_vector", null));
|
||||
advisory.setCvssScore(Float.parseFloat(object.getJsonNumber("cvss_score").toString()));
|
||||
advisory.setModule(object.getString("module", null));
|
||||
advisory.setVersion(object.getString("version", null));
|
||||
advisory.setVulnerableVersions(object.getString("vulnerable_versions", null));
|
||||
advisory.setPatchedVersions(object.getString("patched_versions", null));
|
||||
advisory.setTitle(object.getString("title", null));
|
||||
advisory.setAdvisory(object.getString("advisory", null));
|
||||
if (conn.getResponseCode() == 200) {
|
||||
try (InputStream in = new BufferedInputStream(conn.getInputStream())) {
|
||||
JsonReader jsonReader = Json.createReader(in);
|
||||
JsonArray array = jsonReader.readArray();
|
||||
if (array != null) {
|
||||
for (int i = 0; i < array.size(); i++) {
|
||||
JsonObject object = array.getJsonObject(i);
|
||||
Advisory advisory = new Advisory();
|
||||
advisory.setId(object.getInt("id"));
|
||||
advisory.setUpdatedAt(object.getString("updated_at", null));
|
||||
advisory.setCreatedAt(object.getString("created_at", null));
|
||||
advisory.setPublishDate(object.getString("publish_date", null));
|
||||
advisory.setOverview(object.getString("overview"));
|
||||
advisory.setRecommendation(object.getString("recommendation", null));
|
||||
advisory.setCvssVector(object.getString("cvss_vector", null));
|
||||
advisory.setCvssScore(Float.parseFloat(object.getJsonNumber("cvss_score").toString()));
|
||||
advisory.setModule(object.getString("module", null));
|
||||
advisory.setVersion(object.getString("version", null));
|
||||
advisory.setVulnerableVersions(object.getString("vulnerable_versions", null));
|
||||
advisory.setPatchedVersions(object.getString("patched_versions", null));
|
||||
advisory.setTitle(object.getString("title", null));
|
||||
advisory.setAdvisory(object.getString("advisory", null));
|
||||
|
||||
JsonArray jsonPath = object.getJsonArray("path");
|
||||
List<String> stringPath = new ArrayList<>();
|
||||
for (int j=0; j<jsonPath.size(); j++) {
|
||||
stringPath.add(jsonPath.getString(j));
|
||||
JsonArray jsonPath = object.getJsonArray("path");
|
||||
List<String> stringPath = new ArrayList<>();
|
||||
for (int j = 0; j < jsonPath.size(); j++) {
|
||||
stringPath.add(jsonPath.getString(j));
|
||||
}
|
||||
advisory.setPath(stringPath.toArray(new String[stringPath.size()]));
|
||||
|
||||
result.add(advisory);
|
||||
}
|
||||
advisory.setPath(stringPath.toArray(new String[stringPath.size()]));
|
||||
|
||||
result.add(advisory);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
LOGGER.debug("Could not connect to Node Security Platform. Received response code: {} {}",
|
||||
conn.getResponseCode(), conn.getResponseMessage());
|
||||
throw new IOException("Could not connect to Node Security Platform");
|
||||
}
|
||||
} else {
|
||||
LOGGER.debug("Could not connect to Node Security Platform. Received response code: {} {}",
|
||||
conn.getResponseCode(), conn.getResponseMessage());
|
||||
throw new IOException("Could not connect to Node Security Platform");
|
||||
return result;
|
||||
} catch (IOException ex) {
|
||||
if (ex instanceof javax.net.ssl.SSLHandshakeException
|
||||
&& ex.getMessage().contains("unable to find valid certification path to requested target")) {
|
||||
final String msg = String.format("Unable to connect to '%s' - the Java trust store does not contain a trusted root for the cert. "
|
||||
+ " Please see https://github.com/jeremylong/InstallCert for one method of updating the trusted certificates.", nspCheckUrl);
|
||||
throw new URLConnectionFailureException(msg, ex);
|
||||
}
|
||||
throw ex;
|
||||
}
|
||||
return result;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -18,6 +18,8 @@
|
||||
package org.owasp.dependencycheck;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
import org.junit.Test;
|
||||
@@ -58,18 +60,23 @@ public class EngineIT extends BaseDBTestCase {
|
||||
try {
|
||||
instance.analyzeDependencies();
|
||||
} catch (ExceptionCollection ex) {
|
||||
if (ex.getExceptions().size() == 1
|
||||
&& (ex.getExceptions().get(0).getMessage().contains("bundle-audit")
|
||||
|| ex.getExceptions().get(0).getMessage().contains("AssemblyAnalyzer"))) {
|
||||
//this is fine to ignore
|
||||
} else if (ex.getExceptions().size() == 2
|
||||
&& ((ex.getExceptions().get(0).getMessage().contains("bundle-audit")
|
||||
&& ex.getExceptions().get(1).getMessage().contains("AssemblyAnalyzer"))
|
||||
|| (ex.getExceptions().get(1).getMessage().contains("bundle-audit")
|
||||
&& ex.getExceptions().get(0).getMessage().contains("AssemblyAnalyzer")))) {
|
||||
//this is fine to ignore
|
||||
} else {
|
||||
throw ex;
|
||||
Set<String> allowedMessages = new HashSet<>();
|
||||
allowedMessages.add("bundle-audit");
|
||||
allowedMessages.add("AssemblyAnalyzer");
|
||||
//allowedMessages.add("Unable to connect to");
|
||||
for (Throwable t : ex.getExceptions()) {
|
||||
boolean isOk = false;
|
||||
if (t.getMessage()!=null) {
|
||||
for (String msg : allowedMessages) {
|
||||
if (t.getMessage().contains(msg)) {
|
||||
isOk=true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!isOk) {
|
||||
throw ex;
|
||||
}
|
||||
}
|
||||
}
|
||||
DatabaseProperties prop = null;
|
||||
|
||||
@@ -32,6 +32,9 @@ import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.net.URL;
|
||||
import java.util.List;
|
||||
import static org.junit.Assume.assumeFalse;
|
||||
import static org.junit.Assume.assumeTrue;
|
||||
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
|
||||
|
||||
public class NspSearchTest extends BaseTest {
|
||||
|
||||
@@ -45,8 +48,7 @@ public class NspSearchTest extends BaseTest {
|
||||
searcher = new NspSearch(new URL(url));
|
||||
}
|
||||
|
||||
//@Test
|
||||
//todo: this test does not work in Java 7 - UNABLE TO FIND VALID CERTIFICATION PATH TO REQUESTED TARGET
|
||||
@Test
|
||||
public void testNspSearchPositive() throws Exception {
|
||||
InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json");
|
||||
try (JsonReader jsonReader = Json.createReader(in)) {
|
||||
@@ -56,17 +58,24 @@ public class NspSearchTest extends BaseTest {
|
||||
final JsonObject nspPayload = builder.add("package", sanitizedJson).build();
|
||||
final List<Advisory> advisories = searcher.submitPackage(nspPayload);
|
||||
Assert.assertTrue(advisories.size() > 0);
|
||||
} catch (Exception ex) {
|
||||
assumeFalse(ex instanceof URLConnectionFailureException
|
||||
&& ex.getMessage().contains("Unable to connect to "));
|
||||
throw ex;
|
||||
}
|
||||
}
|
||||
|
||||
//@Test(expected = IOException.class)
|
||||
//todo: this test does not work in Java 7 - UNABLE TO FIND VALID CERTIFICATION PATH TO REQUESTED TARGET
|
||||
@Test
|
||||
public void testNspSearchNegative() throws Exception {
|
||||
InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json");
|
||||
try (JsonReader jsonReader = Json.createReader(in)) {
|
||||
final JsonObject packageJson = jsonReader.readObject();
|
||||
final JsonObject sanitizedJson = SanitizePackage.sanitize(packageJson);
|
||||
searcher.submitPackage(sanitizedJson);
|
||||
} catch (Exception ex) {
|
||||
assumeFalse(ex instanceof URLConnectionFailureException
|
||||
&& ex.getMessage().contains("Unable to connect to "));
|
||||
throw ex;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user