diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java index f4c23b905..1077dca5b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java @@ -280,7 +280,7 @@ public class Engine implements FileFilter, AutoCloseable { } catch (InvalidSettingException ex) { LOGGER.trace("Experimenal setting not configured; defaulting to false"); } - final AnalyzerService service = new AnalyzerService(serviceClassLoader, loadExperimental); + final AnalyzerService service = new AnalyzerService(serviceClassLoader, settings); final List iterator = service.getAnalyzers(mode.getPhases()); for (Analyzer a : iterator) { a.initialize(this.settings); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java index ff0b19428..d6dbecf16 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java @@ -25,6 +25,8 @@ import java.util.Iterator; import java.util.List; import java.util.ServiceLoader; import javax.annotation.concurrent.ThreadSafe; +import org.owasp.dependencycheck.utils.InvalidSettingException; +import org.owasp.dependencycheck.utils.Settings; /** * The Analyzer Service Loader. This class loads all services that implement @@ -47,18 +49,18 @@ public class AnalyzerService { /** * The configured settings. */ - private final boolean loadExperimental; + private final Settings settings; /** * Creates a new instance of AnalyzerService. * * @param classLoader the ClassLoader to use when dynamically loading * Analyzer and Update services - * @param loadExperimental whether or not to load the experimental analyzers + * @param settings the configured settings */ - public AnalyzerService(ClassLoader classLoader, boolean loadExperimental) { - this.loadExperimental = loadExperimental; + public AnalyzerService(ClassLoader classLoader, Settings settings) { service = ServiceLoader.load(Analyzer.class, classLoader); + this.settings = settings; } /** @@ -91,12 +93,23 @@ public class AnalyzerService { private List getAnalyzers(List phases) { final List analyzers = new ArrayList<>(); final Iterator iterator = service.iterator(); + boolean experimentalEnabled = false; + boolean retiredEnabled = false; + try { + experimentalEnabled = settings.getBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false); + retiredEnabled = settings.getBoolean(Settings.KEYS.ANALYZER_RETIRED_ENABLED, false); + } catch (InvalidSettingException ex) { + LOGGER.error("invalid experimental or retired setting", ex); + } while (iterator.hasNext()) { final Analyzer a = iterator.next(); if (!phases.contains(a.getAnalysisPhase())) { continue; } - if (!loadExperimental && a.getClass().isAnnotationPresent(Experimental.class)) { + if (!experimentalEnabled && a.getClass().isAnnotationPresent(Experimental.class)) { + continue; + } + if (!retiredEnabled && a.getClass().isAnnotationPresent(Retired.class)) { continue; } LOGGER.debug("Loaded Analyzer {}", a.getName()); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index 7145ef550..6f737a2b2 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java @@ -47,8 +47,8 @@ import org.owasp.dependencycheck.dependency.EvidenceType; * * @author Dale Visser */ -@Experimental @ThreadSafe +@Retired public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { /** diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Retired.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Retired.java new file mode 100644 index 000000000..7f60e9a37 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Retired.java @@ -0,0 +1,34 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +/** + * Annotation used to flag an analyzer as retired. + * + * @author Steve Springett + */ +@Retention(RetentionPolicy.RUNTIME) +@Target(ElementType.TYPE) +public @interface Retired { + +} diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties index 083293b2b..4a88ed962 100644 --- a/dependency-check-core/src/main/resources/dependencycheck.properties +++ b/dependency-check-core/src/main/resources/dependencycheck.properties @@ -88,7 +88,10 @@ archive.scan.depth=3 downloader.quick.query.timestamp=true downloader.tls.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 +# defines if the experimental and retired analyzers can be enabled analyzer.experimental.enabled=false +analyzer.retired.enabled=false + analyzer.jar.enabled=true analyzer.archive.enabled=true analyzer.node.package.enabled=true diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java index 7561eb0bb..00063719a 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java @@ -40,7 +40,7 @@ public class AnalyzerServiceTest extends BaseDBTestCase { */ @Test public void testGetAnalyzers() { - AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), false); + AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings()); List result = instance.getAnalyzers(); boolean found = false; @@ -58,7 +58,7 @@ public class AnalyzerServiceTest extends BaseDBTestCase { */ @Test public void testGetAnalyzers_SpecificPhases() throws Exception { - AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), false); + AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings()); List result = instance.getAnalyzers(INITIAL, FINAL); for (Analyzer a : result) { @@ -73,25 +73,54 @@ public class AnalyzerServiceTest extends BaseDBTestCase { */ @Test public void testGetExperimentalAnalyzers() { - AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), false); + AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings()); List result = instance.getAnalyzers(); String experimental = "CMake Analyzer"; + String retired = "Node.js Package Analyzer"; boolean found = false; + boolean retiredFound = false; for (Analyzer a : result) { if (experimental.equals(a.getName())) { found = true; } + if (retired.equals(a.getName())) { + retiredFound = true; + } } assertFalse("Experimental analyzer loaded when set to false", found); + assertFalse("Retired analyzer loaded when set to false", retiredFound); - instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), true); + getSettings().setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, true); + instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings()); result = instance.getAnalyzers(); found = false; + retiredFound = false; for (Analyzer a : result) { if (experimental.equals(a.getName())) { found = true; } + if (retired.equals(a.getName())) { + retiredFound = true; + } } assertTrue("Experimental analyzer not loaded when set to true", found); + assertFalse("Retired analyzer loaded when set to false", retiredFound); + + getSettings().setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false); + getSettings().setBoolean(Settings.KEYS.ANALYZER_RETIRED_ENABLED, true); + instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings()); + result = instance.getAnalyzers(); + found = false; + retiredFound = false; + for (Analyzer a : result) { + if (experimental.equals(a.getName())) { + found = true; + } + if (retired.equals(a.getName())) { + retiredFound = true; + } + } + assertFalse("Experimental analyzer loaded when set to false", found); + assertTrue("Retired analyzer not loaded when set to true", retiredFound); } } diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties index d48120fa1..e64ebe81a 100644 --- a/dependency-check-core/src/test/resources/dependencycheck.properties +++ b/dependency-check-core/src/test/resources/dependencycheck.properties @@ -83,7 +83,10 @@ archive.scan.depth=3 downloader.quick.query.timestamp=true downloader.tls.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -analyzer.experimental.enabled=true +# defines if the experimental and retired analyzers can be enabled +analyzer.experimental.enabled=false +analyzer.retired.enabled=false + analyzer.jar.enabled=true analyzer.archive.enabled=true analyzer.node.package.enabled=true diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index a009dd1af..247d39557 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -253,6 +253,10 @@ public final class Settings { * The properties key for whether experimental analyzers are loaded. */ public static final String ANALYZER_EXPERIMENTAL_ENABLED = "analyzer.experimental.enabled"; + /** + * The properties key for whether experimental analyzers are loaded. + */ + public static final String ANALYZER_RETIRED_ENABLED = "analyzer.retired.enabled"; /** * The properties key for whether the Archive analyzer is enabled. */