From 2753bb97c8f995dc02bddabb2bbc268867ae4176 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Wed, 26 Jul 2017 11:48:50 -0400
Subject: [PATCH] added synchronization per issue #785
---
 .../analyzer/AbstractSuppressionAnalyzer.java | 63 ++++++++++---------
 .../analyzer/CpeSuppressionAnalyzer.java | 23 +------
 .../VulnerabilitySuppressionAnalyzer.java | 26 --------
 .../AbstractSuppressionAnalyzerTest.java | 6 +-
 4 files changed, 40 insertions(+), 78 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
index da6ac40bc..bab7dcfd1 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -22,9 +22,13 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.xml.suppression.SuppressionParseException;
 import org.owasp.dependencycheck.xml.suppression.SuppressionParser;
@@ -49,8 +53,20 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 * The Logger for use throughout the class
 */
 private static final Logger LOGGER = LoggerFactory.getLogger(AbstractSuppressionAnalyzer.class);
+ /**
+ * The list of suppression rules
+ */
+ private List rules;
+
+ /**
+ * Get the number of suppression rules.
+ *
+ * @return the number of suppression rules
+ */
+ protected synchronized int getRuleCount() {
+ return rules.size();
+ }
- //
 /**
 * Returns a list of file EXTENSIONS supported by this analyzer.
 *
@@ -60,7 +76,6 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 return null;
 }
- //
 /**
 * The initialize method loads the suppression XML file.
 *
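Review bot: `getRuleCount()` dereferences `rules` unconditionally, so calling it before `loadSuppressionData()` has populated the field, or after initialization failed, throws NullPointerException, while `analyzeDependency` in the next hunk treats a null list as empty; the two should agree, e.g. `return rules == null ? 0 : rules.size();`. Since the field is now private and every visible access to it runs inside a `synchronized` method, its comment could record that discipline, e.g. `/** The list of suppression rules; guarded by this. */`, so later additions keep to it.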
@@ -75,39 +90,27 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 }
 }
- /**
- * The list of suppression rules
- */
- private List rules;
-
- /**
- * Get the value of rules.
- *
- * @return the value of rules
- */
- public List getRules() {
- return rules;
+ @Override
+ protected synchronized void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+ if (rules == null || rules.size() <= 0) {
+ return;
+ }
+ for (final SuppressionRule rule : rules) {
+ rule.process(dependency);
+ }
 }
 /**
- * Set the value of rules.
- *
- * @param rules new value of rules
- */
- public void setRules(List rules) {
- this.rules = rules;
- }
-
- /**
- * Loads all the suppression rules files configured in the {@link Settings} singleton.
+ * Loads all the suppression rules files configured in the {@link Settings}
+ * singleton.
 *
 * @throws SuppressionParseException thrown if the XML cannot be parsed.
 */
- private void loadSuppressionData() throws SuppressionParseException {
+ private synchronized void loadSuppressionData() throws SuppressionParseException {
 final SuppressionParser parser = new SuppressionParser();
 try {
 final InputStream in = FileUtils.getResourceAsStream("dependencycheck-base-suppression.xml");
- rules = parser.parseSuppressionRules(in);
+ rules = Collections.synchronizedList(parser.parseSuppressionRules(in));
 } catch (SAXException ex) {
 throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
 }
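Review bot: `analyzeDependency` is now `synchronized` on the analyzer instance, so if the engine drives several analysis threads through one analyzer they all serialize on `rule.process(dependency)`, while the `Collections.synchronizedList` wrapper added in `loadSuppressionData` is a second lock that buys nothing once every access to `rules` already runs inside a `synchronized` method. If `rules` is only populated during initialization and only read afterwards, which is what the visible code suggests but the rest of the class (the end of `loadSuppressionData` and the callers of `loadSuppressionFile` lie outside this hunk) must confirm, the lighter fix is to publish the finished list as unmodifiable once loading completes and drop `synchronized` from `analyzeDependency`, provided initialization finishes before the analysis threads start; if the list can change during analysis the lock has to stay. `rules.size() <= 0` reads better as `rules.isEmpty()`. The new override also loses the Javadoc that the removed `VulnerabilitySuppressionAnalyzer.analyzeDependency` carried; a one-line description plus `@param dependency`, `@param engine` and `@throws AnalysisException` should move up with it.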
@@ -124,13 +127,15 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 }
 /**
- * Load a single suppression rules file from the path provided using the parser provided.
+ * Load a single suppression rules file from the path provided using the
+ * parser provided.
 *
 * @param parser the parser to use for loading the file.
 * @param suppressionFilePath the path to load.
- * @throws SuppressionParseException thrown if the suppression file cannot be loaded and parsed.
+ * @throws SuppressionParseException thrown if the suppression file cannot
+ * be loaded and parsed.
 */
- private void loadSuppressionFile(final SuppressionParser parser, final String suppressionFilePath) throws SuppressionParseException {
+ private synchronized void loadSuppressionFile(final SuppressionParser parser, final String suppressionFilePath) throws SuppressionParseException {
 LOGGER.debug("Loading suppression rules from '{}'", suppressionFilePath);
 File file = null;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
index 18415431a..d563b7248 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
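Review bot: The `synchronized` added to `loadSuppressionFile` is redundant if, as its `private` visibility and the passed-in parser suggest, it is only invoked from `loadSuppressionData()`, which already holds the same monitor; the lock is reentrant, so this neither helps nor hurts, but it blurs which method owns the locking. If no other caller exists the signature can stay `private void loadSuppressionFile(final SuppressionParser parser, final String suppressionFilePath) throws SuppressionParseException {` and a comment on `loadSuppressionData()` can state that it is the single locked entry point for rule loading. The callers are outside this hunk, so this needs confirming against the rest of the class.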
@@ -17,21 +17,17 @@
 */
 package org.owasp.dependencycheck.analyzer;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
-import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 /**
- * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
- * Any identified CPE entries within the dependencies that match will be removed.
+ * The suppression analyzer processes an externally defined XML document that
+ * complies with the suppressions.xsd schema. Any identified CPE entries within
+ * the dependencies that match will be removed.
 *
 * @author Jeremy Long
 */
 public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
- //
 /**
 * The name of the analyzer.
 */
@@ -60,19 +56,6 @@ public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
 public AnalysisPhase getAnalysisPhase() {
 return ANALYSIS_PHASE;
 }
- //
-
- @Override
- protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
-
- if (getRules() == null || getRules().size() <= 0) {
- return;
- }
-
- for (final SuppressionRule rule : getRules()) {
- rule.process(dependency);
- }
- }
 /**
 *

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java
index 3325262fe..37216e894 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java
@@ -17,11 +17,7 @@
 */
 package org.owasp.dependencycheck.analyzer;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
-import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 /**
 * The suppression analyzer processes an externally defined XML document that
@@ -32,7 +28,6 @@ import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 */
 public class VulnerabilitySuppressionAnalyzer extends AbstractSuppressionAnalyzer {
- //
 /**
 * The name of the analyzer.
 */
@@ -72,25 +67,4 @@ public class VulnerabilitySuppressionAnalyze
 protected String getAnalyzerEnabledSettingKey() {
 return Settings.KEYS.ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED;
 }
- //
-
- /**
- * Analyzes a dependency's vulnerabilities against the configured CVE
- * suppressions.
- *
- * @param dependency the dependency being analyzed
- * @param engine a reference to the engine orchestrating the analysis
- * @throws AnalysisException thrown if there is an error during analysis
- */
- @Override
- protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
-
- if (getRules() == null || getRules().size() <= 0) {
- return;
- }
-
- for (final SuppressionRule rule : getRules()) {
- rule.process(dependency);
- }
- }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
index 704cf32dd..5f21d1216 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
@@ -103,7 +103,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
 // THEN rules from both files were loaded
 final int expectedSize = rulesInFirstFile + rulesInSecondFile + rulesInCoreFile;
- assertThat("Expected suppressions from both files", instance.getRules().size(), is(expectedSize));
+ assertThat("Expected suppressions from both files", instance.getRuleCount(), is(expectedSize));
 }
 @Test(expected = InitializationException.class)
@@ -123,7 +123,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
 final AbstractSuppressionAnalyzerImpl coreFileAnalyzer = new AbstractSuppressionAnalyzerImpl();
 coreFileAnalyzer.initialize();
- return coreFileAnalyzer.getRules().size();
+ return coreFileAnalyzer.getRuleCount();
 }
 /**
@@ -138,7 +138,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
 final AbstractSuppressionAnalyzerImpl fileAnalyzer = new AbstractSuppressionAnalyzerImpl();
 fileAnalyzer.initialize();
- return fileAnalyzer.getRules().size();
+ return fileAnalyzer.getRuleCount();
 }
 public class AbstractSuppressionAnalyzerImpl extends AbstractSuppressionAnalyzer {