Add ability to flag analyzers as experimental so that they are not always enabled

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -126,9 +126,8 @@ public class Engine implements FileFilter {
         }
 
         final AnalyzerService service = new AnalyzerService(serviceClassLoader);
-        final Iterator<Analyzer> iterator = service.getAnalyzers();
-        while (iterator.hasNext()) {
-            final Analyzer a = iterator.next();
+        final List<Analyzer> iterator = service.getAnalyzers();
+        for (Analyzer a : iterator) {
             analyzers.get(a.getAnalysisPhase()).add(a);
             if (a instanceof FileTypeAnalyzer) {
                 this.fileTypeAnalyzers.add((FileTypeAnalyzer) a);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java

@@ -17,8 +17,13 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.util.ArrayList;
 import java.util.Iterator;
+import java.util.List;
 import java.util.ServiceLoader;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.LoggerFactory;
 
 /**
  * The Analyzer Service Loader. This class loads all services that implement
@@ -27,11 +32,15 @@ import java.util.ServiceLoader;
  * @author Jeremy Long
  */
 public class AnalyzerService {
+    /**
+     * The Logger for use throughout the class.
+     */
+    private static final org.slf4j.Logger LOGGER = LoggerFactory.getLogger(AnalyzerService.class);
 
     /**
      * The service loader for analyzers.
      */
-    private final ServiceLoader<Analyzer> loader;
+    private final ServiceLoader<Analyzer> service;
 
     /**
      * Creates a new instance of AnalyzerService.
@@ -39,15 +48,31 @@ public class AnalyzerService {
      * @param classLoader the ClassLoader to use when dynamically loading Analyzer and Update services
      */
     public AnalyzerService(ClassLoader classLoader) {
-        loader = ServiceLoader.load(Analyzer.class, classLoader);
+        service = ServiceLoader.load(Analyzer.class, classLoader);
     }
 
     /**
-     * Returns an Iterator for all instances of the Analyzer interface.
+     * Returns a list of all instances of the Analyzer interface.
      *
-     * @return an iterator of Analyzers.
+     * @return a list of Analyzers.
      */
-    public Iterator<Analyzer> getAnalyzers() {
-        return loader.iterator();
+    public List<Analyzer> getAnalyzers() {
+        List<Analyzer> analyzers = new ArrayList<Analyzer>();
+        final Iterator<Analyzer> iterator = service.iterator();
+        boolean experimentalEnabled = false;
+        try {
+            experimentalEnabled = Settings.getBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
+        } catch (InvalidSettingException ex) {
+            LOGGER.error("invalide experimental setting", ex);
+        }
+        while (iterator.hasNext()) {
+            final Analyzer a = iterator.next();
+            if (!experimentalEnabled && a.getClass().isAnnotationPresent(Experimental.class)) {
+                continue;
+            }
+            LOGGER.debug("Loaded Analyzer {}", a.getName());
+            analyzers.add(a);
+        }
+        return analyzers;
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java

@@ -42,6 +42,7 @@ import java.util.regex.Pattern;
  * @author Dale Visser
  * @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project - Free Software Foundation (FSF)</a>
  */
+@Experimental
 public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -49,6 +49,7 @@ import java.util.regex.Pattern;
  *
  * @author Dale Visser
  */
+@Experimental
 public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Experimental.java

@@ -0,0 +1,34 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Annotation used to flag an analyzer as experimental.
+ *
+ * @author jeremy long
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.TYPE)
+public @interface Experimental {
+
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java

@@ -45,6 +45,7 @@ import javax.json.JsonValue;
  *
  * @author Dale Visser
  */
+@Experimental
 public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -63,13 +63,6 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 cpe.validfordays=30
 cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
 
-# file type analyzer settings:
-analyzer.archive.enabled=true
-analyzer.jar.enabled=true
-analyzer.nuspec.enabled=true
-analyzer.assembly.enabled=true
-analyzer.composer.lock.enabled=true
-
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
 analyzer.nexus.url=https://repository.sonatype.org/service/local/
@@ -87,7 +80,7 @@ archive.scan.depth=3
 # use HEAD (default) or GET as HTTP request method for query timestamp
 downloader.quick.query.timestamp=true
 
-
+analyzer.experimental.enabled=false
 analyzer.jar.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java

@@ -18,9 +18,12 @@
 package org.owasp.dependencycheck.analyzer;
 
 import java.util.Iterator;
+import java.util.List;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
@@ -34,15 +37,42 @@ public class AnalyzerServiceTest extends BaseDBTestCase {
     @Test
     public void testGetAnalyzers() {
         AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader());
-        Iterator<Analyzer> result = instance.getAnalyzers();
+        List<Analyzer> result = instance.getAnalyzers();
 
         boolean found = false;
-        while (result.hasNext()) {
-            Analyzer a = result.next();
+        for (Analyzer a : result) {
             if ("Jar Analyzer".equals(a.getName())) {
                 found = true;
             }
         }
         assertTrue("JarAnalyzer loaded", found);
     }
+    
+    /**
+     * Test of getAnalyzers method, of class AnalyzerService.
+     */
+    @Test
+    public void testGetExperimentalAnalyzers() {
+        Settings.setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
+        AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader());
+        List<Analyzer> result = instance.getAnalyzers();
+        String experimental = "CMake Analyzer";
+        boolean found = false;
+        for (Analyzer a : result) {
+            if (experimental.equals(a.getName())) {
+                found = true;
+            }
+        }
+        assertFalse("Experimental analyzer loaded when set to false", found);
+        
+        Settings.setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, true);
+        result = instance.getAnalyzers();
+        found = false;
+        for (Analyzer a : result) {
+            if (experimental.equals(a.getName())) {
+                found = true;
+            }
+        }
+        assertTrue("Experimental analyzer not loaded when set to true", found);
+    }
 }

dependency-check-core/src/test/resources/dependencycheck.properties

@@ -58,12 +58,6 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 cpe.validfordays=30
 cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
 
-# file type analyzer settings:
-analyzer.archive.enabled=true
-analyzer.jar.enabled=true
-analyzer.nuspec.enabled=true
-analyzer.assembly.enabled=true
-analyzer.composer.lock.enabled=true
 
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
@@ -82,7 +76,7 @@ archive.scan.depth=3
 # use HEAD (default) or GET as HTTP request method for query timestamp
 downloader.quick.query.timestamp=true
 
-
+analyzer.experimental.enabled=true
 analyzer.jar.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true