From 287b1df3fde674bbdf0321d769e31aed08da4c30 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 26 Dec 2016 09:11:26 -0500 Subject: [PATCH] added enabled settings for all analyzers per #612 --- .../analyzer/AbstractAnalyzer.java | 85 +++++++++++- .../analyzer/AbstractFileTypeAnalyzer.java | 125 +++--------------- .../dependencycheck/analyzer/Analyzer.java | 6 + .../analyzer/ArchiveAnalyzer.java | 4 +- .../analyzer/AssemblyAnalyzer.java | 2 +- .../analyzer/AutoconfAnalyzer.java | 2 +- .../analyzer/CMakeAnalyzer.java | 2 +- .../dependencycheck/analyzer/CPEAnalyzer.java | 34 +++-- .../analyzer/CentralAnalyzer.java | 2 +- .../analyzer/CocoaPodsAnalyzer.java | 2 +- .../analyzer/ComposerLockAnalyzer.java | 2 +- .../analyzer/CpeSuppressionAnalyzer.java | 14 +- .../analyzer/DependencyBundlingAnalyzer.java | 14 +- .../analyzer/DependencyMergingAnalyzer.java | 14 +- .../analyzer/FalsePositiveAnalyzer.java | 13 +- .../analyzer/FileNameAnalyzer.java | 13 +- .../analyzer/FileTypeAnalyzer.java | 4 - .../analyzer/HintAnalyzer.java | 14 +- .../dependencycheck/analyzer/JarAnalyzer.java | 5 +- .../analyzer/NexusAnalyzer.java | 2 +- .../analyzer/NodePackageAnalyzer.java | 2 +- .../analyzer/NuspecAnalyzer.java | 2 +- .../analyzer/NvdCveAnalyzer.java | 33 ++++- .../analyzer/OpenSSLAnalyzer.java | 2 +- .../analyzer/PythonDistributionAnalyzer.java | 2 +- .../analyzer/PythonPackageAnalyzer.java | 2 +- .../analyzer/RubyBundleAuditAnalyzer.java | 4 +- .../analyzer/RubyBundlerAnalyzer.java | 13 +- .../analyzer/RubyGemspecAnalyzer.java | 2 +- .../analyzer/SwiftPackageManagerAnalyzer.java | 2 +- .../VulnerabilitySuppressionAnalyzer.java | 27 +++- .../main/resources/dependencycheck.properties | 10 +- .../AbstractSuppressionAnalyzerTest.java | 7 +- .../analyzer/ArchiveAnalyzerTest.java | 2 +- .../test/resources/dependencycheck.properties | 18 ++- .../owasp/dependencycheck/utils/Settings.java | 56 ++++++-- 36 files changed, 362 insertions(+), 181 deletions(-) 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java index 1c933af59..d3a7201e9 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java @@ -17,16 +17,86 @@ */ package org.owasp.dependencycheck.analyzer; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.exception.InitializationException; +import org.owasp.dependencycheck.utils.InvalidSettingException; +import org.owasp.dependencycheck.utils.Settings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** - * Base class for analyzers to avoid code duplication of initialize and close - * as most analyzers do not need these methods. + * Base class for analyzers to avoid code duplication of initialize and close as + * most analyzers do not need these methods. * * @author Jeremy Long */ public abstract class AbstractAnalyzer implements Analyzer { + /** + * The logger. + */ + private static final Logger LOGGER = LoggerFactory.getLogger(AbstractAnalyzer.class); + /** + * A flag indicating whether or not the analyzer is enabled. + */ + private volatile boolean enabled = true; + + /** + * Get the value of enabled. + * + * @return the value of enabled + */ + @Override + public boolean isEnabled() { + return enabled; + } + + /** + * Set the value of enabled. + * + * @param enabled new value of enabled + */ + public void setEnabled(boolean enabled) { + this.enabled = enabled; + } + + /** + *

+ * Returns the setting key to determine if the analyzer is enabled.

+ * + * @return the key for the analyzer's enabled property + */ + protected abstract String getAnalyzerEnabledSettingKey(); + + /** + * Analyzes a given dependency. If the dependency is an archive, such as a + * WAR or EAR, the contents are extracted, scanned, and added to the list of + * dependencies within the engine. + * + * @param dependency the dependency to analyze + * @param engine the engine scanning + * @throws AnalysisException thrown if there is an analysis exception + */ + protected abstract void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException; + + /** + * Analyzes a given dependency. If the dependency is an archive, such as a + * WAR or EAR, the contents are extracted, scanned, and added to the list of + * dependencies within the engine. + * + * @param dependency the dependency to analyze + * @param engine the engine scanning + * @throws AnalysisException thrown if there is an analysis exception + */ + @Override + public final void analyze(Dependency dependency, Engine engine) throws AnalysisException { + if (this.isEnabled()) { + analyzeDependency(dependency, engine); + } + } + /** * The initialize method does nothing for this Analyzer. * @@ -34,7 +104,14 @@ public abstract class AbstractAnalyzer implements Analyzer { */ @Override public void initialize() throws InitializationException { - //do nothing + final String key = getAnalyzerEnabledSettingKey(); + try { + this.setEnabled(Settings.getBoolean(key, true)); + } catch (InvalidSettingException ex) { + LOGGER.warn("Invalid setting for property '{}'", key); + LOGGER.debug("", ex); + LOGGER.warn("{} has been disabled", getName()); + } } /** @@ -49,6 +126,8 @@ public abstract class AbstractAnalyzer implements Analyzer { /** * The default is to support parallel processing. + * + * @return true */ @Override public boolean supportsParallelProcessing() { 
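Review bot: The Javadoc written for the new abstract `analyzeDependency` hook (and repeated on the final `analyze`) describes archive extraction ("If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned, and added...") which is ArchiveAnalyzer's behaviour, not the contract of a hook every analyzer must now implement. Replace it on the abstract method with `* Performs the analyzer-specific analysis of a single dependency. Only called by analyze(Dependency, Engine) when the analyzer is enabled.` and on `analyze` say that it is final, checks isEnabled() and delegates to analyzeDependency. The class body continues outside this hunk.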
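Review bot: The catch block in the new `initialize()` logs "{} has been disabled" but never changes the flag, so after an InvalidSettingException the analyzer keeps its default `enabled = true` and still runs; the log message is false and a misconfigured enabled property silently leaves the analyzer active. Add `this.setEnabled(false);` before the warning, or reword the message to say the analyzer stays enabled with the default. The same catch existed in the removed AbstractFileTypeAnalyzer.reset(), so the defect is inherited, but this commit now applies it to every analyzer rather than only the file-type ones.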
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java index 7023cb912..4ebcc6b68 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java @@ -17,11 +17,6 @@ */ package org.owasp.dependencycheck.analyzer; -import org.owasp.dependencycheck.Engine; -import org.owasp.dependencycheck.analyzer.exception.AnalysisException; -import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.utils.InvalidSettingException; -import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -40,17 +35,7 @@ import org.owasp.dependencycheck.exception.InitializationException; */ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implements FileTypeAnalyzer { - // - /** - * Base constructor that all children must call. This checks the - * configuration to determine if the analyzer is enabled. - */ - public AbstractFileTypeAnalyzer() { - reset(); - } -// - - // + // /** * The logger. */ 
@@ -80,30 +65,25 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen this.filesMatched = filesMatched; } + // + // /** - * A flag indicating whether or not the analyzer is enabled. - */ - private volatile boolean enabled = true; - - /** - * Get the value of enabled. + * Initializes the analyzer. * - * @return the value of enabled + * @throws InitializationException thrown if there is an exception during + * initialization */ - public boolean isEnabled() { - return enabled; + @Override + public final void initialize() throws InitializationException { + super.initialize(); + if (filesMatched) { + initializeFileTypeAnalyzer(); + } else { + this.setEnabled(false); + } } - /** - * Set the value of enabled. - * - * @param enabled new value of enabled - */ - public void setEnabled(boolean enabled) { - this.enabled = enabled; - } -// - + // // /** *

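Review bot: The enabled setting is now read only in `super.initialize()`, yet `filesMatched` is set by `accept()` during the scan, which by the `if (filesMatched)` test here must run before `initialize()`; before this commit the constructor's `reset()` read the setting up front. So an analyzer disabled in configuration still matches files (the `else if (this.isEnabled())` in the accept hunk `@@ -127,80 +107,21` is always true at scan time) and then runs `initializeFileTypeAnalyzer()`, presumably the costly part for some analyzers, before `setEnabled(false)` is ever reached. Guard the heavy step with `if (filesMatched && this.isEnabled()) {`, keeping the else branch as it is. The class continues outside this hunk.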
@@ -127,80 +107,21 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen */ protected abstract void initializeFileTypeAnalyzer() throws InitializationException; + // /** - * Analyzes a given dependency. If the dependency is an archive, such as a - * WAR or EAR, the contents are extracted, scanned, and added to the list of - * dependencies within the engine. + * Determines if the file can be analyzed by the analyzer. * - * @param dependency the dependency to analyze - * @param engine the engine scanning - * @throws AnalysisException thrown if there is an analysis exception + * @param pathname the path to the file + * @return true if the file can be analyzed by the given analyzer; otherwise + * false */ - protected abstract void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException; - - /** - *

- * Returns the setting key to determine if the analyzer is enabled.

- * - * @return the key for the analyzer's enabled property - */ - protected abstract String getAnalyzerEnabledSettingKey(); - -//
- // - /** - * Initializes the analyzer. - * - * @throws InitializationException thrown if there is an exception during - * initialization - */ - @Override - public final void initialize() throws InitializationException { - if (filesMatched) { - initializeFileTypeAnalyzer(); - } else { - enabled = false; - } - } - - /** - * Resets the enabled flag on the analyzer. - */ - @Override - public final void reset() { - final String key = getAnalyzerEnabledSettingKey(); - try { - enabled = Settings.getBoolean(key, true); - } catch (InvalidSettingException ex) { - LOGGER.warn("Invalid setting for property '{}'", key); - LOGGER.debug("", ex); - LOGGER.warn("{} has been disabled", getName()); - } - } - - /** - * Analyzes a given dependency. If the dependency is an archive, such as a - * WAR or EAR, the contents are extracted, scanned, and added to the list of - * dependencies within the engine. - * - * @param dependency the dependency to analyze - * @param engine the engine scanning - * @throws AnalysisException thrown if there is an analysis exception - */ - @Override - public final void analyze(Dependency dependency, Engine engine) throws AnalysisException { - if (enabled) { - analyzeFileType(dependency, engine); - } - } - @Override public boolean accept(File pathname) { final FileFilter filter = getFileFilter(); boolean accepted = false; if (null == filter) { LOGGER.error("The '{}' analyzer is misconfigured and does not have a file filter; it will be disabled", getName()); - } else if (enabled) { + } else if (this.isEnabled()) { accepted = filter.accept(pathname); if (accepted) { filesMatched = true; @@ -209,8 +130,6 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen return accepted; } - // - // /** *

* Utility method to help in the creation of the extensions set. This @@ -227,6 +146,4 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen Collections.addAll(set, strings); return set; } - -// } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java index 420f24042..0180a0d01 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java @@ -83,4 +83,10 @@ public interface Analyzer { * @return {@code true} if the analyzer supports parallel processing, {@code false} else */ boolean supportsParallelProcessing(); + /** + * Get the value of enabled. + * + * @return the value of enabled + */ + boolean isEnabled(); } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java index ed40d75e8..8cbdc9f0b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java @@ -221,7 +221,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { * Does not support parallel processing as it both modifies and iterates * over the engine's list of dependencies. * - * @see #analyzeFileType(Dependency, Engine) + * @see #analyzeDependency(Dependency, Engine) * @see #findMoreDependencies(Engine, File) */ @Override 
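Review bot: `isEnabled()` is added to the public `Analyzer` interface as an abstract method, so any implementation outside this tree that does not extend AbstractAnalyzer stops compiling (and `reset()` is removed from FileTypeAnalyzer in the same commit). If the build targets Java 8 or later, `default boolean isEnabled() { return true; }` keeps source compatibility while AbstractAnalyzer still overrides it; otherwise the break deserves a release-note entry. The Javadoc "Get the value of enabled" also says nothing about the effect; add `* @return {@code true} if the analyzer should be run; a disabled analyzer's analyze(Dependency, Engine) is a no-op`.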
@@ -239,7 +239,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { * @throws AnalysisException thrown if there is an analysis exception */ @Override - public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException { + public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { final File f = new File(dependency.getActualFilePath()); final File tmpDir = getNextTempDirectory(); extractFiles(f, tmpDir, engine); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java index 690ab6499..6d1e21ce7 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java @@ -106,7 +106,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { * @throws AnalysisException if anything goes sideways */ @Override - public void analyzeFileType(Dependency dependency, Engine engine) + public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { if (grokAssemblyExe == null) { LOGGER.warn("GrokAssembly didn't get deployed"); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java index ed5c29f6c..88beaa168 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java 
@@ -154,7 +154,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer { } @Override - protected void analyzeFileType(Dependency dependency, Engine engine) + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { final File actualFile = dependency.getActualFile(); final String name = actualFile.getName(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java index e81ea6e12..5a889b7d7 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java @@ -147,7 +147,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { * analyzing the dependency */ @Override - protected void analyzeFileType(Dependency dependency, Engine engine) + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { final File file = dependency.getActualFile(); final String parentName = file.getParentFile().getName(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java index 5d8c577bf..cea9beffc 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java @@ -50,6 +50,7 @@ import org.owasp.dependencycheck.dependency.VulnerableSoftware; import org.owasp.dependencycheck.exception.InitializationException; import org.owasp.dependencycheck.utils.DependencyVersion; import org.owasp.dependencycheck.utils.DependencyVersionUtil; +import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -122,7 +123,14 @@ public class CPEAnalyzer extends AbstractAnalyzer { public AnalysisPhase getAnalysisPhase() { return AnalysisPhase.IDENTIFIER_ANALYSIS; } - + /** + * The default is to support parallel processing. + * @return false + */ + @Override + public boolean supportsParallelProcessing() { + return false; + } /** * Creates the CPE Lucene Index. * @@ -131,6 +139,7 @@ public class CPEAnalyzer extends AbstractAnalyzer { */ @Override public void initialize() throws InitializationException { + super.initialize(); try { this.open(); } catch (IOException ex) { @@ -515,7 +524,7 @@ public class CPEAnalyzer extends AbstractAnalyzer { * dependency. */ @Override - public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException { + protected synchronized void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { try { determineCPE(dependency); } catch (CorruptIndexException ex) { @@ -628,6 +637,17 @@ public class CPEAnalyzer extends AbstractAnalyzer { return identifierAdded; } + /** + *
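Review bot: The Javadoc on the new `supportsParallelProcessing()` override in CPEAnalyzer says "The default is to support parallel processing." while the method returns false, so the comment was pasted from the base class and contradicts the code. Replace it with `* Does not support parallel processing: CPE lookups go through the synchronized analyzeDependency.` (the synchronized modifier is visible in the `@@ -515,7 +524,7` hunk below). The hunk also drops the blank line between the preceding `}` and this comment, which breaks the spacing used elsewhere in the class.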
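Review bot: In CPEAnalyzer.initialize() the new `super.initialize()` call reads the enabled flag, but `this.open()` still runs unconditionally, so the Lucene index is opened even when ANALYZER_CPE_ENABLED is false; HintAnalyzer.initialize() (`@@ -90,8 +100,8`) has the same shape with loadHintRules(). If close() tolerates a never-opened index, which is not visible here, `if (!isEnabled()) { return; }` right after `super.initialize();` avoids doing the setup for an analyzer that will never analyze anything. The method body continues outside this hunk.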

+ * Returns the setting key to determine if the analyzer is enabled.

+ * + * @return the key for the analyzer's enabled property + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_CPE_ENABLED; + } + /** * The confidence whether the identifier is an exact match, or a best guess. */ @@ -808,16 +828,6 @@ public class CPEAnalyzer extends AbstractAnalyzer { .append(evidenceConfidence, o.evidenceConfidence) .append(identifier, o.identifier) .toComparison(); - /* - int conf = this.confidence.compareTo(o.confidence); - if (conf == 0) { - conf = this.evidenceConfidence.compareTo(o.evidenceConfidence); - if (conf == 0) { - conf = identifier.compareTo(o.identifier); - } - } - return conf; - */ } } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java index 489184bc9..d0f92469c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java @@ -193,7 +193,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { * @throws AnalysisException when there's an exception during analysis */ @Override - public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException { + public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { if (errorFlag || !isEnabled()) { return; } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java index 1108d5e6a..a8a33121e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java 
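Review bot: The `!isEnabled()` test in CentralAnalyzer.analyzeDependency is now redundant: the final `AbstractAnalyzer.analyze()` introduced in this commit already returns before calling the hook when the analyzer is disabled, so `if (errorFlag) {` is sufficient here. NexusAnalyzer.analyzeDependency (`@@ -218,7 +218,7`) carries the same leftover `if (!isEnabled())` guard. Dropping both makes it clear that the hook is only reached through the gated analyze() path.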
@@ -119,7 +119,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { } @Override - protected void analyzeFileType(Dependency dependency, Engine engine) + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { String contents; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java index bb1a24a7f..57c8bf791 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java @@ -100,7 +100,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer { * @throws AnalysisException if there's a failure during analysis */ @Override - protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException { + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { FileInputStream fis = null; try { fis = new FileInputStream(dependency.getActualFile()); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java index 537fa731c..18415431a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java @@ -20,6 +20,7 @@ package org.owasp.dependencycheck.analyzer; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.xml.suppression.SuppressionRule; /** 
@@ -62,7 +63,7 @@ public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer { //
@Override - public void analyze(final Dependency dependency, final Engine engine) throws AnalysisException { + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { if (getRules() == null || getRules().size() <= 0) { return; @@ -72,4 +73,15 @@ public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer { rule.process(dependency); } } + + /** + *

+ * Returns the setting key to determine if the analyzer is enabled.

+ * + * @return the key for the analyzer's enabled property + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_CPE_SUPPRESSION_ENABLED; + } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java index dab37cafd..08f4b54c4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java @@ -30,6 +30,7 @@ import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.utils.DependencyVersion; import org.owasp.dependencycheck.utils.DependencyVersionUtil; +import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -119,6 +120,17 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer { return false; } + /** + *
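Review bot: The full Javadoc of `getAnalyzerEnabledSettingKey()` is copied verbatim into this override and into every other override in the commit (CPEAnalyzer, DependencyBundlingAnalyzer, DependencyMergingAnalyzer, FalsePositiveAnalyzer, FileNameAnalyzer, HintAnalyzer), so the contract is now stated in eight places. A single `/** {@inheritDoc} */` on each override, or no comment at all next to `@Override`, keeps AbstractAnalyzer the one place that documents it. The hunk also drops the `final` modifiers the old `analyze` parameters had; harmless, but worth keeping for consistency with the rest of the class.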

+ * Returns the setting key to determine if the analyzer is enabled.

+ * + * @return the key for the analyzer's enabled property + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_DEPENDENCY_BUNDLING_ENABLED; + } + /** * Analyzes a set of dependencies. If they have been found to have the same * base path and the same set of identifiers they are likely related. The @@ -130,7 +142,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer { * file. */ @Override - public synchronized void analyze(Dependency ignore, Engine engine) throws AnalysisException { + protected synchronized void analyzeDependency(Dependency ignore, Engine engine) throws AnalysisException { if (!analyzed) { analyzed = true; final Set dependenciesToRemove = new HashSet(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java index 3ffbaeced..26c1c5bca 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java @@ -25,6 +25,7 @@ import java.util.Set; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -100,6 +101,17 @@ public class DependencyMergingAnalyzer extends AbstractAnalyzer { public boolean supportsParallelProcessing() { return false; } + + /** + *

+ * Returns the setting key to determine if the analyzer is enabled.

+ * + * @return the key for the analyzer's enabled property + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_DEPENDENCY_MERGING_ENABLED; + } // /** @@ -114,7 +126,7 @@ public class DependencyMergingAnalyzer extends AbstractAnalyzer { * file. */ @Override - public synchronized void analyze(Dependency ignore, Engine engine) throws AnalysisException { + protected synchronized void analyzeDependency(Dependency ignore, Engine engine) throws AnalysisException { if (!analyzed) { analyzed = true; final Set dependenciesToRemove = new HashSet(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java index 93a36e15a..6312ac14e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java @@ -34,6 +34,7 @@ import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.dependency.VulnerableSoftware; import org.owasp.dependencycheck.utils.FileFilterBuilder; +import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -83,6 +84,16 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { public AnalysisPhase getAnalysisPhase() { return ANALYSIS_PHASE; } + /** + *

+ * Returns the setting key to determine if the analyzer is enabled.

+ * + * @return the key for the analyzer's enabled property + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_FALSE_POSITIVE_ENABLED; + } // /** @@ -93,7 +104,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { * @throws AnalysisException is thrown if there is an error reading the JAR file. */ @Override - public void analyze(Dependency dependency, Engine engine) throws AnalysisException { + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { removeJreEntries(dependency); removeBadMatches(dependency); removeBadSpringMatches(dependency); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java index 3ed5b0ffd..21b1d186a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java @@ -27,6 +27,7 @@ import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.utils.DependencyVersion; import org.owasp.dependencycheck.utils.DependencyVersionUtil; +import org.owasp.dependencycheck.utils.Settings; /** * @@ -65,6 +66,16 @@ public class FileNameAnalyzer extends AbstractAnalyzer { public AnalysisPhase getAnalysisPhase() { return ANALYSIS_PHASE; } + /** + *

+ * Returns the setting key to determine if the analyzer is enabled.

+ * + * @return the key for the analyzer's enabled property + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_FILE_NAME_ENABLED; + } // /** @@ -86,7 +97,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer { * file. */ @Override - public void analyze(Dependency dependency, Engine engine) throws AnalysisException { + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { //strip any path information that may get added by ArchiveAnalyzer, etc. final File f = dependency.getActualFile(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java index bb7467a4c..8a6fa0722 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java @@ -26,8 +26,4 @@ import java.io.FileFilter; */ public interface FileTypeAnalyzer extends Analyzer, FileFilter { - /** - * Resets the analyzers state. - */ - void reset(); } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java index 47bf33d92..a0a8b00d0 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java @@ -82,6 +82,16 @@ public class HintAnalyzer extends AbstractAnalyzer { public AnalysisPhase getAnalysisPhase() { return ANALYSIS_PHASE; } + /** + *

+ * Returns the setting key to determine if the analyzer is enabled.

+ * + * @return the key for the analyzer's enabled property + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_HINT_ENABLED; + } /** * The initialize method does nothing for this Analyzer. @@ -90,8 +100,8 @@ public class HintAnalyzer extends AbstractAnalyzer { */ @Override public void initialize() throws InitializationException { + super.initialize(); try { - super.initialize(); loadHintRules(); } catch (HintParseException ex) { LOGGER.debug("Unable to parse hint file", ex); @@ -123,7 +133,7 @@ public class HintAnalyzer extends AbstractAnalyzer { * the dependency. */ @Override - public void analyze(Dependency dependency, Engine engine) throws AnalysisException { + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { for (HintRule hint : hints.getHintRules()) { boolean shouldAdd = false; for (Evidence given : hint.getGivenVendor()) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index 77fc4eeed..58d396b83 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java @@ -227,7 +227,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { * file. */ @Override - public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException { + public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { try { final List classNames = collectClassNames(dependency); final String fileName = dependency.getFileName().toLowerCase(); 
@@ -633,7 +633,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { * @return whether evidence was identified parsing the manifest * @throws IOException if there is an issue reading the JAR file */ - protected boolean parseManifest(Dependency dependency, List classInformation) throws IOException { + protected boolean parseManifest(Dependency dependency, List classInformation) + throws IOException { boolean foundSomething = false; JarFile jar = null; try { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java index e01ee9962..8dff9242d 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java @@ -218,7 +218,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { * @throws AnalysisException when there's an exception during analysis */ @Override - public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException { + public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { if (!isEnabled()) { return; } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index 50d20b38e..15f7e6d37 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java 
@@ -121,7 +121,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
 }
 @Override
- protected void analyzeFileType(Dependency dependency, Engine engine)
+ protected void analyzeDependency(Dependency dependency, Engine engine)
 throws AnalysisException {
 final File file = dependency.getActualFile();
 JsonReader jsonReader;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
index b5d5de5b2..2d6fd1993 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
@@ -127,7 +127,7 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
 * @throws AnalysisException when there's an exception during analysis
 */
 @Override
- public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+ public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
 LOGGER.debug("Checking Nuspec file {}", dependency);
 try {
 final NuspecParser parser = new XPathNuspecParser();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
index ffced1d16..4b7c55619 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
@@ -28,15 +28,18 @@ import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.exception.InitializationException; +import org.owasp.dependencycheck.utils.Settings; import org.slf4j.LoggerFactory; /** - * NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated - * CVEs. It uses the the identifiers found by other analyzers to lookup the CVE data. + * NvdCveAnalyzer is a utility class that takes a project dependency and + * attempts to discern if there is an associated CVEs. It uses the the + * identifiers found by other analyzers to lookup the CVE data. * * @author Jeremy Long */ public class NvdCveAnalyzer extends AbstractAnalyzer { + /** * The Logger for use throughout the class */ @@ -56,7 +59,8 @@ public class NvdCveAnalyzer extends AbstractAnalyzer { * @throws SQLException thrown when there is a SQL Exception * @throws IOException thrown when there is an IO Exception * @throws DatabaseException thrown when there is a database exceptions - * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded + * @throws ClassNotFoundException thrown if the h2 database driver cannot be + * loaded */ public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException { cveDB = new CveDB(); 
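Review bot: The reflowed class Javadoc in the `@@ -28,15 +28,18 @@` hunk carries two pre-existing slips onto new `+` lines: `an associated CVEs` and `the the identifiers`. Suggested wording for those two lines: `* attempts to discern if there are any associated CVEs. It uses the` followed by `* identifiers found by other analyzers to look up the CVE data.`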
@@ -95,14 +99,16 @@ public class NvdCveAnalyzer extends AbstractAnalyzer { } /** - * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency. + * Analyzes a dependency and attempts to determine if there are any CPE + * identifiers for this dependency. * * @param dependency The Dependency to analyze * @param engine The analysis engine - * @throws AnalysisException thrown if there is an issue analyzing the dependency + * @throws AnalysisException thrown if there is an issue analyzing the + * dependency */ @Override - public void analyze(Dependency dependency, Engine engine) throws AnalysisException { + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { for (Identifier id : dependency.getIdentifiers()) { if ("cpe".equals(id.getType())) { try { @@ -147,13 +153,26 @@ public class NvdCveAnalyzer extends AbstractAnalyzer { return AnalysisPhase.FINDING_ANALYSIS; } + /** + *

+ * Returns the setting key to determine if the analyzer is enabled.

+ * + * @return the key for the analyzer's enabled property + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_NVD_CVE_ENABLED; + } + /** * Opens the database used to gather NVD CVE data. * - * @throws InitializationException is thrown if there is an issue opening the index. + * @throws InitializationException is thrown if there is an issue opening + * the index. */ @Override public void initialize() throws InitializationException { + super.initialize(); try { this.open(); } catch (SQLException ex) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java index c886814b6..37ecb6ce2 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java @@ -162,7 +162,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { * analyzing the dependency */ @Override - protected void analyzeFileType(Dependency dependency, Engine engine) + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { final File file = dependency.getActualFile(); final String parentName = file.getParentFile().getName(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java index f9e60a1c0..8fa73202e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java 
@@ -181,7 +181,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 }
 @Override
- protected void analyzeFileType(Dependency dependency, Engine engine)
+ protected void analyzeDependency(Dependency dependency, Engine engine)
 throws AnalysisException {
 final File actualFile = dependency.getActualFile();
 if (WHL_FILTER.accept(actualFile)) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
index 02b3ec4cb..7d9bf88e9 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
@@ -171,7 +171,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 * analyzing the dependency
 */
 @Override
- protected void analyzeFileType(Dependency dependency, Engine engine)
+ protected void analyzeDependency(Dependency dependency, Engine engine)
 throws AnalysisException {
 final File file = dependency.getActualFile();
 final File parent = file.getParentFile();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
index 9f4da5b78..83b691e7c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -252,7 +252,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { } /** - * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have + * If {@link #analyzeDependency(Dependency, Engine)} is called, then we have * successfully initialized, and it will be necessary to disable * {@link RubyGemspecAnalyzer}. */ @@ -266,7 +266,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { * @throws AnalysisException thrown if there is an analysis exception. */ @Override - protected void analyzeFileType(Dependency dependency, Engine engine) + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { if (needToDisableGemspecAnalyzer) { boolean failed = true; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java index df394760f..6502d02ab 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java 
@@ -27,8 +27,9 @@ import org.owasp.dependencycheck.dependency.Dependency; /** * This analyzer accepts the fully resolved .gemspec created by the Ruby bundler * (http://bundler.io) for better evidence results. It also tries to resolve the - * dependency packagePath to where the gem is actually installed. Then during {@link org.owasp.dependencycheck.analyzer.AnalysisPhase#PRE_FINDING_ANALYSIS} - * {@link DependencyBundlingAnalyzer} will merge two .gemspec dependencies + * dependency packagePath to where the gem is actually installed. Then during + * the {@link org.owasp.dependencycheck.analyzer.AnalysisPhase#PRE_FINDING_ANALYSIS} + * {@link DependencyMergingAnalyzer} will merge two .gemspec dependencies * together if Dependency.getPackagePath() are the same. * * Ruby bundler creates new .gemspec files under a folder called @@ -39,8 +40,8 @@ import org.owasp.dependencycheck.dependency.Dependency; * can't be used for evidences. * * Note this analyzer share the same - * {@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_RUBY_GEMSPEC_ENABLED} as - * {@link RubyGemspecAnalyzer}, so it will enabled/disabled with + * {@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_RUBY_GEMSPEC_ENABLED} + * as {@link RubyGemspecAnalyzer}, so it will enabled/disabled with * {@link RubyGemspecAnalyzer}. * * @author Bianca Jiang (https://twitter.com/biancajiang) @@ -93,9 +94,9 @@ public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer { } @Override - protected void analyzeFileType(Dependency dependency, Engine engine) + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - super.analyzeFileType(dependency, engine); + super.analyzeDependency(dependency, engine); //find the corresponding gem folder for this .gemspec stub by "bundle install --deployment" final File gemspecFile = dependency.getActualFile(); 
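Review bot: In the `@@ -39,8 +40,8 @@` hunk the reflowed line `* as {@link RubyGemspecAnalyzer}, so it will enabled/disabled with` is missing a verb; suggest `* as {@link RubyGemspecAnalyzer}, so it will be enabled/disabled with`. The sentence that begins on the context line above (`Note this analyzer share the same`) would also read as `shares`, though that line is not touched by this commit.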
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index 020f15434..b600236d2 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java @@ -130,7 +130,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { private static final Pattern GEMSPEC_BLOCK_INIT = Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|"); @Override - protected void analyzeFileType(Dependency dependency, Engine engine) + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { String contents; try { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java index d0a6bb0b9..5823d8aaf 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java @@ -116,7 +116,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { } @Override - protected void analyzeFileType(Dependency dependency, Engine engine) + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { String contents; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java index 4ceac47ce..3325262fe 100644 
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java @@ -20,11 +20,13 @@ package org.owasp.dependencycheck.analyzer; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.xml.suppression.SuppressionRule; /** - * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema. - * Any identified Vulnerability entries within the dependencies that match will be removed. + * The suppression analyzer processes an externally defined XML document that + * complies with the suppressions.xsd schema. Any identified Vulnerability + * entries within the dependencies that match will be removed. * * @author Jeremy Long */ @@ -59,10 +61,29 @@ public class VulnerabilitySuppressionAnalyzer extends AbstractSuppressionAnalyze public AnalysisPhase getAnalysisPhase() { return ANALYSIS_PHASE; } + + /** + *

+ * Returns the setting key to determine if the analyzer is enabled.

+ * + * @return the key for the analyzer's enabled property + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED; + } // + /** + * Analyzes a dependency's vulnerabilities against the configured CVE + * suppressions. + * + * @param dependency the dependency being analyzed + * @param engine a reference to the engine orchestrating the analysis + * @throws AnalysisException thrown if there is an error during analysis + */ @Override - public void analyze(final Dependency dependency, final Engine engine) throws AnalysisException { + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { if (getRules() == null || getRules().size() <= 0) { return; diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties index 53dc1c862..474fff4ee 100644 --- a/dependency-check-core/src/main/resources/dependencycheck.properties +++ b/dependency-check-core/src/main/resources/dependencycheck.properties @@ -101,4 +101,12 @@ analyzer.cocoapods.enabled=true analyzer.swift.package.manager.enabled=true #whether the nexus analyzer uses the proxy analyzer.nexus.proxy=true - +analyzer.cpe.enabled=true +analyzer.cpesuppression.enabled=true +analyzer.dependencybundling.enabled=true +analyzer.dependencymerging.enabled=true +analyzer.falsepositive.enabled=true +analyzer.filename.enabled=true +analyzer.hint.enabled=true +analyzer.nvdcve.enabled=true +analyzer.vulnerabilitysuppression.enabled=true diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java index ddb075af2..0b8baa362 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java 
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java @@ -104,7 +104,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest { public class AbstractSuppressionAnalyzerImpl extends AbstractSuppressionAnalyzer { @Override - public void analyze(Dependency dependency, Engine engine) throws AnalysisException { + public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates. } @@ -117,6 +117,11 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest { public AnalysisPhase getAnalysisPhase() { throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates. } + + @Override + protected String getAnalyzerEnabledSettingKey() { + throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates. + } } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java index 9855d73ad..be418c069 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java @@ -41,7 +41,7 @@ public class ArchiveAnalyzerTest extends BaseTest { } /** - * Test of analyzeFileType method, of class ArchiveAnalyzer. + * Test of analyzeDependency method, of class ArchiveAnalyzer. */ @Test public void testZippableExtensions() throws Exception { diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties index 8ac69695b..a53133293 100644 
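Review bot: In the `@@ -117,6 +117,11 @@` hunk the new `getAnalyzerEnabledSettingKey()` stub throws UnsupportedOperationException; if AbstractAnalyzer.initialize() (outside this chunk) resolves the enabled flag through that key, any test that initializes AbstractSuppressionAnalyzerImpl now fails on the stub rather than on the behaviour under test. Returning a real key avoids that, e.g. `return Settings.KEYS.ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED;`, which matches what the stub stands in for. The `analyzeDependency` override in the `@@ -104,7 +104,7 @@` hunk also widens the method to `public` where the production overrides in this commit use `protected`; harmless, but inconsistent.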
--- a/dependency-check-core/src/test/resources/dependencycheck.properties +++ b/dependency-check-core/src/test/resources/dependencycheck.properties @@ -4,7 +4,7 @@ autoupdate=true max.download.threads=3 # the url to obtain the current engine version from -engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt +engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt #temp.directory defaults to System.getProperty("java.io.tmpdir") #temp.directory=[path to temp directory] @@ -54,9 +54,10 @@ cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz #cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz #cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml +cve.cpe.startswith.filter=cpe:/a: cpe.validfordays=30 -cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz +cpe.url=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz # the URL for searching Nexus for SHA-1 hashes and whether it's enabled @@ -68,7 +69,7 @@ analyzer.nexus.proxy=true # the URL for searching search.maven.org for SHA-1 and whether it's enabled analyzer.central.enabled=true -analyzer.central.url=http://search.maven.org/solrsearch/select +analyzer.central.url=https://search.maven.org/solrsearch/select # the number of nested archives that will be searched. archive.scan.depth=3 
@@ -92,8 +93,19 @@ analyzer.nuspec.enabled=true analyzer.openssl.enabled=true analyzer.central.enabled=true analyzer.nexus.enabled=false +analyzer.cocoapods.enabled=true +analyzer.swift.package.manager.enabled=true #whether the nexus analyzer uses the proxy analyzer.nexus.proxy=true #Use your own bundle-audit install directory. analyzer.bundle.audit.path=/usr/local/bin/bundle-audit +analyzer.cpe.enabled=true +analyzer.cpesuppression.enabled=true +analyzer.dependencybundling.enabled=true +analyzer.dependencymerging.enabled=true +analyzer.falsepositive.enabled=true +analyzer.filename.enabled=true +analyzer.hint.enabled=true +analyzer.nvdcve.enabled=true +analyzer.vulnerabilitysuppression.enabled=true diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index cb8ac2559..21784e0c1 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -45,13 +45,6 @@ public final class Settings { */ public static final class KEYS { - /** - * private constructor because this is a "utility" class containing - * constants - */ - private KEYS() { - //do nothing - } /** * The key to obtain the application name. */ 
@@ -336,13 +329,58 @@ public final class Settings {
 public static final String VFEED_UPDATE_STATUS = "vfeed.update_status";
 /**
- * The HTTP request method for query last modified date.
+ * The key to the HTTP request method for query last modified date.
 */
 public static final String DOWNLOADER_QUICK_QUERY_TIMESTAMP = "downloader.quick.query.timestamp";
 /**
- * The HTTP protocol list to use.
+ * The key to HTTP protocol list to use.
 */
 public static final String DOWNLOADER_TLS_PROTOCOL_LIST = "downloader.tls.protocols";
+
+ /**
+ * The key to determine if the CPE analyzer is enabled.
+ */
+ public static String ANALYZER_CPE_ENABLED = "analyzer.cpe.enabled";
+ /**
+ * The key to determine if the CPE Suppression analyzer is enabled.
+ */
+ public static String ANALYZER_CPE_SUPPRESSION_ENABLED = "analyzer.cpesuppression.enabled";
+ /**
+ * The key to determine if the Dependency Bundling analyzer is enabled.
+ */
+ public static String ANALYZER_DEPENDENCY_BUNDLING_ENABLED = "analyzer.dependencybundling.enabled";
+ /**
+ * The key to determine if the Dependency Merging analyzer is enabled.
+ */
+ public static String ANALYZER_DEPENDENCY_MERGING_ENABLED = "analyzer.dependencymerging.enabled";
+ /**
+ * The key to determine if the False Positive analyzer is enabled.
+ */
+ public static String ANALYZER_FALSE_POSITIVE_ENABLED = "analyzer.falsepositive.enabled";
+ /**
+ * The key to determine if the File Name analyzer is enabled.
+ */
+ public static String ANALYZER_FILE_NAME_ENABLED = "analyzer.filename.enabled";
+ /**
+ * The key to determine if the Hint analyzer is enabled.
+ */
+ public static String ANALYZER_HINT_ENABLED = "analyzer.hint.enabled";
+ /**
+ * The key to determine if the NVD CVE analyzer is enabled.
+ */
+ public static String ANALYZER_NVD_CVE_ENABLED = "analyzer.nvdcve.enabled";
+ /**
+ * The key to determine if the Vulnerability Suppression analyzer is enabled.
+ */
+ public static String ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED = "analyzer.vulnerabilitysuppression.enabled";
+
+ /**
+ * private constructor because this is a "utility" class containing
+ * constants
+ */
+ private KEYS() {
+ //do nothing
+ }
 } //
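Review bot: The nine new keys in this hunk are declared `public static String` without `final`, unlike the neighbouring `DOWNLOADER_*` constants, so the key that decides whether the NVD CVE lookup or the vulnerability-suppression pass runs can be reassigned by any code in the JVM at run time, and the values are not compile-time constants. Each should read like `public static final String ANALYZER_CPE_ENABLED = "analyzer.cpe.enabled";`, the same one-word change on all nine declarations through `ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED`. With `final` restored, the relocated private constructor at the end of the hunk is the only remaining layout difference from the previous version of the class.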