From 1bfd2d7ac11fb97d4ebabce009d2a35db68973ff Mon Sep 17 00:00:00 2001
From: stevespringett
Date: Sat, 9 Sep 2017 21:50:17 -0500
Subject: [PATCH] Added support for retiring analyzers (disabled by default) and retired the NodePackageAnalyzer.

---
 .../analyzer/AnalyzerService.java | 7 +++-
 .../analyzer/NodePackageAnalyzer.java | 2 +-
 .../dependencycheck/analyzer/Retired.java | 34 +++++++++++++++++++
 .../main/resources/dependencycheck.properties | 3 ++
 .../test/resources/dependencycheck.properties | 3 ++
 .../owasp/dependencycheck/utils/Settings.java | 4 +++
 6 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Retired.java

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
index 4e136aa6f..d86036c11 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
@@ -86,10 +86,12 @@ public class AnalyzerService {
         final List analyzers = new ArrayList<>();
         final Iterator iterator = service.iterator();
         boolean experimentalEnabled = false;
+        boolean retiredEnabled = false;
         try {
             experimentalEnabled = Settings.getBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
+            retiredEnabled = Settings.getBoolean(Settings.KEYS.ANALYZER_RETIRED_ENABLED, false);
         } catch (InvalidSettingException ex) {
-            LOGGER.error("invalid experimental setting", ex);
+            LOGGER.error("invalid experimental or retired setting", ex);
         }
         while (iterator.hasNext()) {
             final Analyzer a = iterator.next();
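Review bot: The widened message `"invalid experimental or retired setting"` in the shared catch no longer tells the operator which key was rejected, and a bad analyzer.experimental.enabled value now also leaves retiredEnabled at its default because the second Settings.getBoolean call is never reached. Reading each key in its own try, or naming the key in the log call, keeps the failure attributable: `LOGGER.error("invalid setting {}", Settings.KEYS.ANALYZER_RETIRED_ENABLED, ex);`. Falling back to false for both is the safe direction, since a mis-set value keeps retired analyzers off rather than on. The enclosing method starts before the hunk.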
@@ -99,6 +101,9 @@ public class AnalyzerService {
             if (!experimentalEnabled && a.getClass().isAnnotationPresent(Experimental.class)) {
                 continue;
             }
+            if (!retiredEnabled && a.getClass().isAnnotationPresent(Retired.class)) {
+                continue;
+            }
             LOGGER.debug("Loaded Analyzer {}", a.getName());
             analyzers.add(a);
         }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
index ffd94fa7c..c94376b99 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -46,7 +46,7 @@ import org.owasp.dependencycheck.exception.InitializationException;
  *
  * @author Dale Visser
  */
-@Experimental
+@Retired
 public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Retired.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Retired.java
new file mode 100644
index 000000000..7f60e9a37
--- /dev/null
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Retired.java
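Review bot: The new `continue` for @Retired analyzers drops them silently, so a scan that previously produced Node.js package findings now produces none with nothing in the log to explain the change; only analyzers that are actually loaded get the debug line below. An info or debug line before the continue makes the coverage change visible to whoever later diagnoses a missing finding: `LOGGER.debug("Skipping retired analyzer {}", a.getName());`. The experimental branch just above has the same gap, so the two could share the pattern. The enclosing loop and method continue outside the hunk.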
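Review bot: Swapping @Experimental for @Retired changes when NodePackageAnalyzer runs, but the visible tail of the class Javadoc records only the author, and the properties hunk in this commit keeps `analyzer.node.package.enabled=true`, so a reader of either file would expect the analyzer to run. A sentence in the class Javadoc such as `* This analyzer is retired and is only loaded when analyzer.retired.enabled is set.` would close that gap. The Javadoc block starts outside the hunk, so it may already say something to that effect.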
@@ -0,0 +1,34 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2017 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Annotation used to flag an analyzer as retired.
+ *
+ * @author Steve Springett
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.TYPE)
+public @interface Retired {
+
+}
diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index 792964606..ea03e3630 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -88,7 +88,10 @@ archive.scan.depth=3
 downloader.quick.query.timestamp=true
 downloader.tls.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
 
+# defines if the experimental and retired analyzers can be enabled
 analyzer.experimental.enabled=false
+analyzer.retired.enabled=false
+
 analyzer.jar.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true
diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties
index 1bdd122ea..87b05d116 100644
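Review bot: The Javadoc on the new annotation says only that it flags an analyzer as retired and leaves the consumer contract undocumented: AnalyzerService skips any annotated analyzer unless analyzer.retired.enabled is true, and that key defaults to false. Spelling that out on the type, e.g. `* Analyzers carrying this annotation are not loaded by AnalyzerService unless the analyzer.retired.enabled setting is true (default false).`, tells future authors what retiring an analyzer actually does. Adding `@Documented` alongside @Retention and @Target would also make the retired status appear in generated API docs.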
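Review bot: The new comment `# defines if the experimental and retired analyzers can be enabled` sits beside the per-analyzer flags, and `analyzer.node.package.enabled=true` a few lines down stays true even though NodePackageAnalyzer is retired in this commit, so the file reads as if that analyzer is on while the retired gate keeps it off. Stating the precedence in the comment, e.g. `# experimental/retired analyzers are skipped regardless of their own analyzer.*.enabled flag unless these are true`, avoids that misreading. The same comment is added in the test properties hunk below.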
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties
@@ -83,7 +83,10 @@ archive.scan.depth=3
 downloader.quick.query.timestamp=true
 downloader.tls.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
 
+# defines if the experimental and retired analyzers can be enabled
 analyzer.experimental.enabled=true
+analyzer.retired.enabled=true
+
 analyzer.jar.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index f8bf932cc..84b5fbc15 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -256,6 +256,10 @@ public final class Settings {
      * The properties key for whether experimental analyzers are loaded.
      */
     public static final String ANALYZER_EXPERIMENTAL_ENABLED = "analyzer.experimental.enabled";
+    /**
+     * The properties key for whether experimental analyzers are loaded.
+     */
+    public static final String ANALYZER_RETIRED_ENABLED = "analyzer.retired.enabled";
     /**
      * The properties key for whether the Archive analyzer is enabled.
      */
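Review bot: The Javadoc on the new ANALYZER_RETIRED_ENABLED constant is a copy of the experimental one and still reads `The properties key for whether experimental analyzers are loaded.`, so the generated docs describe two different keys identically. It should read `* The properties key for whether retired analyzers are loaded.`. The enclosing class continues outside the hunk.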