github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-21 16:49:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

fixed compile issues in PR

Browse Source
This commit is contained in:
Jeremy Long
2016-04-30 11:20:26 -04:00
parent 84b992d3a1
commit 35ffd56ea9
1 changed files with 47 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
View File

@@ -32,9 +32,12 @@ import org.slf4j.LoggerFactory;
import java.io.*; import java.io.*;
import java.util.*; import java.util.*;
import java.util.logging.Level;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
/** /**
* Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool. * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party
* bundle-audit tool.
* *
* @author Dale Visser * @author Dale Visser
*/ */
@@ -59,7 +62,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
public static final String ADVISORY = "Advisory: "; public static final String ADVISORY = "Advisory: ";
public static final String CRITICALITY = "Criticality: "; public static final String CRITICALITY = "Criticality: ";
public static CveDB CVEDB = new CveDB(); public CveDB cvedb;
//instance.open(); //instance.open();
//Vulnerability result = instance.getVulnerability("CVE-2015-3225"); //Vulnerability result = instance.getVulnerability("CVE-2015-3225");
@@ -96,20 +99,31 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
} }
/** /**
* Initialize the analyzer. In this case, extract GrokAssembly.exe to a temporary location. * Initialize the analyzer. In this case, extract GrokAssembly.exe to a
* temporary location.
* *
* @throws Exception if anything goes wrong * @throws Exception if anything goes wrong
*/ */
@Override @Override
public void initializeFileTypeAnalyzer() throws Exception { public void initializeFileTypeAnalyzer() throws Exception {
try {
cvedb = new CveDB();
cvedb.open();
} catch (DatabaseException ex) {
LOGGER.warn("Exception opening the database");
LOGGER.debug("error", ex);
setEnabled(false);
throw ex;
}
// Now, need to see if bundle-audit actually runs from this location. // Now, need to see if bundle-audit actually runs from this location.
Process process = null; Process process = null;
try { try {
process = launchBundleAudit(Settings.getTempDirectory()); process = launchBundleAudit(Settings.getTempDirectory());
} } catch (AnalysisException ae) {
catch(AnalysisException ae) {
LOGGER.warn("Exception from bundle-audit process: {}. Disabling {}", ae.getCause(), ANALYZER_NAME); LOGGER.warn("Exception from bundle-audit process: {}. Disabling {}", ae.getCause(), ANALYZER_NAME);
setEnabled(false); setEnabled(false);
cvedb.close();
cvedb = null;
throw ae; throw ae;
} }
@@ -168,7 +182,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
} }
/** /**
* Returns the key used in the properties file to reference the analyzer's enabled property. * Returns the key used in the properties file to reference the analyzer's
* enabled property.
* *
* @return the analyzer's enabled property setting key * @return the analyzer's enabled property setting key
*/ */
@@ -178,8 +193,9 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
} }
/** /**
* If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will be necessary * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have
* to disable {@link RubyGemspecAnalyzer}. * successfully initialized, and it will be necessary to disable
* {@link RubyGemspecAnalyzer}.
*/ */
private boolean needToDisableGemspecAnalyzer = true; private boolean needToDisableGemspecAnalyzer = true;
@@ -211,7 +227,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
BufferedReader rdr = null; BufferedReader rdr = null;
try { try {
BufferedReader errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8")); BufferedReader errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
while(errReader.ready()) { while (errReader.ready()) {
String error = errReader.readLine(); String error = errReader.readLine();
LOGGER.warn(error); LOGGER.warn(error);
} }
@@ -305,8 +321,15 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
} else if ("Low".equals(criticality)) { } else if ("Low".equals(criticality)) {
vulnerability.setCvssScore(2.0f); vulnerability.setCvssScore(2.0f);
} else { } else {
//vulnerability.getName() try {
//TODO wouldn't we want to do this for all items from bundle-audit? This
//should give a more correct CVSS
Vulnerability v = cvedb.getVulnerability(vulnerability.getName());
vulnerability.setCvssScore(v.getCvssScore());
} catch (DatabaseException ex) {
vulnerability.setCvssScore(-1.0f); vulnerability.setCvssScore(-1.0f);
LOGGER.debug("Unable to look up vulnerability {}",vulnerability.getName());
}
} }
} }
LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine)); LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));