checkstyle recommended updates
Former-commit-id: 17e3e4580553c07b33533f1e9f6cb5f33177f78e
@@ -51,7 +51,7 @@ import java.util.Set;
|
||||
*
|
||||
* @author Jeremy Long
|
||||
*/
|
||||
public class Engine implements FileFilter{
|
||||
public class Engine implements FileFilter {
|
||||
|
||||
/**
|
||||
* The list of dependencies.
|
||||
@@ -331,8 +331,8 @@ public class Engine implements FileFilter{
|
||||
/**
|
||||
* Runs the analyzers against all of the dependencies. Since the mutable dependencies list is exposed via
|
||||
* {@link #getDependencies()}, this method iterates over a copy of the dependencies list. Thus, the potential for
|
||||
* {@link java.util.ConcurrentModificationException}s is avoided, and analyzers may safely add or remove entries
|
||||
* from the dependencies list.
|
||||
* {@link java.util.ConcurrentModificationException}s is avoided, and analyzers may safely add or remove entries from the
|
||||
* dependencies list.
|
||||
*/
|
||||
public void analyzeDependencies() {
|
||||
boolean autoUpdate = true;
|
||||
@@ -511,7 +511,7 @@ public class Engine implements FileFilter{
|
||||
/**
|
||||
* Checks the CPE Index to ensure documents exists. If none exist a NoDataException is thrown.
|
||||
*
|
||||
* @throws NoDataException thrown if no data exists in the CPE Index
|
||||
* @throws NoDataException thrown if no data exists in the CPE Index
|
||||
* @throws DatabaseException thrown if there is an exception opening the database
|
||||
*/
|
||||
private void ensureDataExists() throws NoDataException, DatabaseException {
|
||||
|
||||
@@ -872,7 +872,7 @@ public class DependencyCheckScanAgent {
|
||||
r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
|
||||
} catch (IOException ex) {
|
||||
LOGGER.error(
|
||||
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
|
||||
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
|
||||
LOGGER.debug("", ex);
|
||||
} catch (Throwable ex) {
|
||||
LOGGER.error(
|
||||
@@ -1058,8 +1058,9 @@ public class DependencyCheckScanAgent {
|
||||
}
|
||||
}
|
||||
if (summary.length() > 0) {
|
||||
LOGGER.warn("\n\nOne or more dependencies were identified with known vulnerabilities:\n\n{}\n\nSee the dependency-check report for more details.\n\n",
|
||||
summary.toString());
|
||||
LOGGER.warn("\n\nOne or more dependencies were identified with known vulnerabilities:\n\n{}\n\n"
|
||||
+ "See the dependency-check report for more details.\n\n",
|
||||
summary.toString());
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
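Review bot: The reformatted error branch at `} catch (IOException ex) {` sits next to a `catch (Throwable ex)` that the commit keeps as-is, and that clause also intercepts `Error`s such as `OutOfMemoryError`, so a JVM-level failure is logged like an ordinary analysis problem and execution continues; narrowing it to `catch (Exception ex)` or rethrowing `Error`s keeps the reporting without masking them. The `IOException` branch records the exception only through `LOGGER.debug("", ex)`, so when debug logging is off the error message points the user at details that were never written; passing `ex` as the last argument of the `LOGGER.error(...)` call would keep the trace at the level the message is emitted. Both catch bodies continue outside the hunk.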
@@ -39,10 +39,8 @@ import java.util.Set;
|
||||
public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implements FileTypeAnalyzer {
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="Constructor">
|
||||
|
||||
/**
|
||||
* Base constructor that all children must call. This checks the configuration to determine if the analyzer is
|
||||
* enabled.
|
||||
* Base constructor that all children must call. This checks the configuration to determine if the analyzer is enabled.
|
||||
*/
|
||||
public AbstractFileTypeAnalyzer() {
|
||||
reset();
|
||||
@@ -102,18 +100,16 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
|
||||
//</editor-fold>
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="Abstract methods children must implement">
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Returns the {@link java.io.FileFilter} used to determine which files are to be analyzed.
|
||||
* An example would be an analyzer that inspected Java jar files. Implementors may use
|
||||
* {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
|
||||
* Returns the {@link java.io.FileFilter} used to determine which files are to be analyzed. An example would be an analyzer
|
||||
* that inspected Java jar files. Implementors may use {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
|
||||
*
|
||||
* @return the file filter used to determine which files are to be analyzed
|
||||
* <p/>
|
||||
* <p>
|
||||
* If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against
|
||||
* every file loaded.</p>
|
||||
* If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against every file
|
||||
* loaded.</p>
|
||||
*/
|
||||
protected abstract FileFilter getFileFilter();
|
||||
|
||||
@@ -125,11 +121,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
|
||||
protected abstract void initializeFileTypeAnalyzer() throws Exception;
|
||||
|
||||
/**
|
||||
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
|
||||
* scanned, and added to the list of dependencies within the engine.
|
||||
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
|
||||
* and added to the list of dependencies within the engine.
|
||||
*
|
||||
* @param dependency the dependency to analyze
|
||||
* @param engine the engine scanning
|
||||
* @param engine the engine scanning
|
||||
* @throws AnalysisException thrown if there is an analysis exception
|
||||
*/
|
||||
protected abstract void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException;
|
||||
@@ -144,7 +140,6 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
|
||||
|
||||
//</editor-fold>
|
||||
//<editor-fold defaultstate="collapsed" desc="Final implementations for the Analyzer interface">
|
||||
|
||||
/**
|
||||
* Initializes the analyzer.
|
||||
*
|
||||
@@ -175,11 +170,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
|
||||
}
|
||||
|
||||
/**
|
||||
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
|
||||
* scanned, and added to the list of dependencies within the engine.
|
||||
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
|
||||
* and added to the list of dependencies within the engine.
|
||||
*
|
||||
* @param dependency the dependency to analyze
|
||||
* @param engine the engine scanning
|
||||
* @param engine the engine scanning
|
||||
* @throws AnalysisException thrown if there is an analysis exception
|
||||
*/
|
||||
@Override
|
||||
@@ -191,7 +186,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
|
||||
|
||||
@Override
|
||||
public boolean accept(File pathname) {
|
||||
FileFilter filter = getFileFilter();
|
||||
final FileFilter filter = getFileFilter();
|
||||
boolean accepted = false;
|
||||
if (null == filter) {
|
||||
LOGGER.error("The '{}' analyzer is misconfigured and does not have a file filter; it will be disabled", getName());
|
||||
@@ -205,13 +200,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
|
||||
}
|
||||
|
||||
//</editor-fold>
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="Static utility methods">
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a
|
||||
* final static declaration.</p>
|
||||
* Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a final static
|
||||
* declaration.</p>
|
||||
* <p/>
|
||||
* <p>
|
||||
* This implementation was copied from
|
||||
@@ -226,6 +219,5 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
|
||||
return set;
|
||||
}
|
||||
|
||||
|
||||
//</editor-fold>
|
||||
}
|
||||
|
||||
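Review bot: In the rewrapped `getFileFilter()` Javadoc the paragraph `<p>If the analyzer returns null ... loaded.</p>` comes after the `@return` tag, so Javadoc attaches it to the return description instead of the method description; move it above the `@return` line, or fold it in as `@return the file filter used to determine which files are to be analyzed; a null filter does not cause additional files to be analyzed, but the analyzer is still executed against every file loaded`. In `accept(File pathname)`, the `null == filter` branch logs an error every time the method is invoked, which for a `FileFilter` is presumably once per scanned file, so a misconfigured analyzer would repeat the same error line for every file; logging it once (for example at initialization, or guarded by a flag) and returning `false` quietly here would keep the log readable. The rest of `accept` is outside the hunk.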
@@ -17,7 +17,14 @@
|
||||
*/
|
||||
package org.owasp.dependencycheck.analyzer;
|
||||
|
||||
import java.io.*;
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.BufferedOutputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileFilter;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.FileOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
@@ -47,8 +54,8 @@ import org.slf4j.LoggerFactory;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* An analyzer that extracts files from archives and ensures any supported files contained within the archive are added
|
||||
* to the dependency list.</p>
|
||||
* An analyzer that extracts files from archives and ensures any supported files contained within the archive are added to the
|
||||
* dependency list.</p>
|
||||
*
|
||||
* @author Jeremy Long
|
||||
*/
|
||||
@@ -93,8 +100,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
*/
|
||||
private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
|
||||
/**
|
||||
* The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
|
||||
* to be explicitly handled in extractFiles().
|
||||
* The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need to be
|
||||
* explicitly handled in extractFiles().
|
||||
*/
|
||||
private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz");
|
||||
|
||||
@@ -186,11 +193,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
|
||||
* scanned, and added to the list of dependencies within the engine.
|
||||
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
|
||||
* and added to the list of dependencies within the engine.
|
||||
*
|
||||
* @param dependency the dependency to analyze
|
||||
* @param engine the engine scanning
|
||||
* @param engine the engine scanning
|
||||
* @throws AnalysisException thrown if there is an analysis exception
|
||||
*/
|
||||
@Override
|
||||
@@ -288,9 +295,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
/**
|
||||
* Extracts the contents of an archive into the specified directory.
|
||||
*
|
||||
* @param archive an archive file such as a WAR or EAR
|
||||
* @param archive an archive file such as a WAR or EAR
|
||||
* @param destination a directory to extract the contents to
|
||||
* @param engine the scanning engine
|
||||
* @param engine the scanning engine
|
||||
* @throws AnalysisException thrown if the archive is not found
|
||||
*/
|
||||
private void extractFiles(File archive, File destination, Engine engine) throws AnalysisException {
|
||||
@@ -336,9 +343,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
/**
|
||||
* Extracts files from an archive.
|
||||
*
|
||||
* @param input the archive to extract files from
|
||||
* @param input the archive to extract files from
|
||||
* @param destination the location to write the files too
|
||||
* @param engine the dependency-check engine
|
||||
* @param engine the dependency-check engine
|
||||
* @throws ArchiveExtractionException thrown if there is an exception extracting files from the archive
|
||||
*/
|
||||
private void extractArchive(ArchiveInputStream input, File destination, Engine engine) throws ArchiveExtractionException {
|
||||
@@ -421,7 +428,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* Decompresses a file.
|
||||
*
|
||||
* @param inputStream the compressed file
|
||||
* @param outputFile the location to write the decompressed file
|
||||
* @param outputFile the location to write the decompressed file
|
||||
* @throws ArchiveExtractionException thrown if there is an exception decompressing the file
|
||||
*/
|
||||
private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
|
||||
|
||||
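Review bot: The rewrapped Javadoc for `extractArchive(ArchiveInputStream input, File destination, Engine engine)` does not say whether archive entry names are confined to `destination`; since the archives are inputs to the scan, a guard of the form `destination.toPath().resolve(entryName).normalize().startsWith(destination.toPath())` before each entry is written is the expected check (with `entryName` standing for the archive entry's name), and the contract should state it, e.g. `@throws ArchiveExtractionException thrown if there is an exception extracting files from the archive, or if an entry would resolve outside {@code destination}`. The method body is outside the hunk, so the check may already be present; if it is, the Javadoc is still the right place to record it. The same applies to `extractFiles(File archive, File destination, Engine engine)`, whose `@throws` line only mentions the archive not being found.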
@@ -19,6 +19,13 @@ package org.owasp.dependencycheck.analyzer;
|
||||
|
||||
import ch.qos.cal10n.IMessageConveyor;
|
||||
import ch.qos.cal10n.MessageConveyor;
|
||||
import java.io.BufferedReader;
|
||||
import java.io.File;
|
||||
import java.io.FileFilter;
|
||||
import java.io.FileOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.InputStreamReader;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
@@ -37,7 +44,6 @@ import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.xpath.XPath;
|
||||
import javax.xml.xpath.XPathExpressionException;
|
||||
import javax.xml.xpath.XPathFactory;
|
||||
import java.io.*;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
@@ -73,15 +79,15 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
/**
|
||||
* Message Conveyer
|
||||
*/
|
||||
private final IMessageConveyor MESSAGE_CONVERYOR = new MessageConveyor(Locale.getDefault());
|
||||
private static final IMessageConveyor MESSAGE_CONVERYOR = new MessageConveyor(Locale.getDefault());
|
||||
/**
|
||||
* LocLoggerFactory for localized logger
|
||||
*/
|
||||
private final LocLoggerFactory LLFACTORY = new LocLoggerFactory(MESSAGE_CONVERYOR);
|
||||
private static final LocLoggerFactory LLFACTORY = new LocLoggerFactory(MESSAGE_CONVERYOR);
|
||||
/**
|
||||
* Logger
|
||||
*/
|
||||
private final LocLogger LOGGER = LLFACTORY.getLocLogger(AssemblyAnalyzer.class);
|
||||
private static final LocLogger LOGGER = LLFACTORY.getLocLogger(AssemblyAnalyzer.class);
|
||||
|
||||
/**
|
||||
* Builds the beginnings of a List for ProcessBuilder
|
||||
@@ -279,6 +285,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
|
||||
}
|
||||
|
||||
/**
|
||||
* Removes resources used from the local file system.
|
||||
*
|
||||
* @throws Exception thrown if there is a problem closing the analyzer
|
||||
*/
|
||||
@Override
|
||||
public void close() throws Exception {
|
||||
super.close();
|
||||
|
||||
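Review bot: `builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();` creates the parser without setting any feature on the factory, so DTD and external-entity handling stays at the JAXP defaults; if the document this builder later parses is derived from scanned files, the factory should be held in a local and hardened first with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `newDocumentBuilder()`. Where the parsed XML comes from is outside the hunk. Separately, the three fields the commit makes `static final` keep the misspelled `MESSAGE_CONVERYOR`; since the declarations are already being touched, renaming to `MESSAGE_CONVEYOR` would be the moment to fix it.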
@@ -103,9 +103,17 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
| Pattern.CASE_INSENSITIVE);
|
||||
}
|
||||
|
||||
/**
|
||||
* The file filter used to determine which files this analyzer supports.
|
||||
*/
|
||||
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames(CONFIGURE).addExtensions(
|
||||
EXTENSIONS).build();
|
||||
|
||||
/**
|
||||
* Returns the FileFilter
|
||||
*
|
||||
* @return the FileFilter
|
||||
*/
|
||||
@Override
|
||||
protected FileFilter getFileFilter() {
|
||||
return FILTER;
|
||||
@@ -126,6 +134,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
*
|
||||
* @return the phase that the analyzer is intended to run in.
|
||||
*/
|
||||
@Override
|
||||
public AnalysisPhase getAnalysisPhase() {
|
||||
return ANALYSIS_PHASE;
|
||||
}
|
||||
|
||||
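Review bot: The Javadoc added for `getFileFilter()` reads `* Returns the FileFilter` with no terminating period, which Checkstyle's JavadocStyle first-sentence check (the kind of finding the commit title refers to) reports; `* Returns the FileFilter.` matches the JarAnalyzer copy of the same method in this commit. The same line is added in NexusAnalyzer, NuspecAnalyzer, PythonDistributionAnalyzer and PythonPackageAnalyzer.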
@@ -25,7 +25,6 @@ import org.owasp.dependencycheck.data.nexus.MavenArtifact;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.utils.*;
|
||||
import org.owasp.dependencycheck.xml.pom.PomUtils;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
@@ -36,6 +35,11 @@ import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.URL;
|
||||
import java.util.List;
|
||||
import org.owasp.dependencycheck.utils.DownloadFailedException;
|
||||
import org.owasp.dependencycheck.utils.Downloader;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
import org.owasp.dependencycheck.utils.InvalidSettingException;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
* Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
|
||||
@@ -161,6 +165,9 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
return ANALYSIS_PHASE;
|
||||
}
|
||||
|
||||
/**
|
||||
* The file filter used to determine which files this analyzer supports.
|
||||
*/
|
||||
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
|
||||
|
||||
@Override
|
||||
@@ -201,7 +208,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
pomFile = File.createTempFile("pom", ".xml", baseDir);
|
||||
if (!pomFile.delete()) {
|
||||
LOGGER.warn("Unable to fetch pom.xml for {} from Central; "
|
||||
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
|
||||
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
|
||||
LOGGER.debug("Unable to delete temp file");
|
||||
}
|
||||
LOGGER.debug("Downloading {}", ma.getPomUrl());
|
||||
@@ -210,7 +217,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
} catch (DownloadFailedException ex) {
|
||||
LOGGER.warn("Unable to download pom.xml for {} from Central; "
|
||||
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
|
||||
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
|
||||
} finally {
|
||||
if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
|
||||
pomFile.deleteOnExit();
|
||||
@@ -228,5 +235,4 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
errorFlag = true;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
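Review bot: The re-indented warning at `LOGGER.warn("Unable to fetch pom.xml for {} from Central; "` is emitted when `pomFile.delete()` fails, yet control falls through to `LOGGER.debug("Downloading {}", ma.getPomUrl())` and the download still proceeds, so the message reports a failure that has not happened; the branch would read correctly as `LOGGER.warn("Unable to delete temp file {} before downloading pom.xml for {}", pomFile, dependency.getFileName());` with the following debug line dropped. The create–delete–download sequence also gives up the temp name before reusing it, a small race on shared temp directories; downloading straight into the file returned by `createTempFile` would avoid it, though the download call itself is outside the hunk. The same block appears in NexusAnalyzer at `from Nexus repository`.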
@@ -164,8 +164,16 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
*/
|
||||
private static final String[] EXTENSIONS = {"jar", "war"};
|
||||
|
||||
/**
|
||||
* The file filter used to determine which files this analyzer supports.
|
||||
*/
|
||||
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
|
||||
|
||||
/**
|
||||
* Returns the FileFilter.
|
||||
*
|
||||
* @return the FileFilter
|
||||
*/
|
||||
@Override
|
||||
protected FileFilter getFileFilter() {
|
||||
return FILTER;
|
||||
|
||||
@@ -25,7 +25,6 @@ import org.owasp.dependencycheck.data.nexus.NexusSearch;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.utils.*;
|
||||
import org.owasp.dependencycheck.xml.pom.PomUtils;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
@@ -36,6 +35,11 @@ import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.MalformedURLException;
|
||||
import java.net.URL;
|
||||
import org.owasp.dependencycheck.utils.DownloadFailedException;
|
||||
import org.owasp.dependencycheck.utils.Downloader;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
import org.owasp.dependencycheck.utils.InvalidSettingException;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
* Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
|
||||
@@ -181,8 +185,16 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
return ANALYSIS_PHASE;
|
||||
}
|
||||
|
||||
/**
|
||||
* The file filter used to determine which files this analyzer supports.
|
||||
*/
|
||||
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
|
||||
|
||||
/**
|
||||
* Returns the FileFilter
|
||||
*
|
||||
* @return the FileFilter
|
||||
*/
|
||||
@Override
|
||||
protected FileFilter getFileFilter() {
|
||||
return FILTER;
|
||||
@@ -218,7 +230,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
pomFile = File.createTempFile("pom", ".xml", baseDir);
|
||||
if (!pomFile.delete()) {
|
||||
LOGGER.warn("Unable to fetch pom.xml for {} from Nexus repository; "
|
||||
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
|
||||
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
|
||||
LOGGER.debug("Unable to delete temp file");
|
||||
}
|
||||
LOGGER.debug("Downloading {}", ma.getPomUrl());
|
||||
@@ -226,7 +238,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
PomUtils.analyzePOM(dependency, pomFile);
|
||||
} catch (DownloadFailedException ex) {
|
||||
LOGGER.warn("Unable to download pom.xml for {} from Nexus repository; "
|
||||
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
|
||||
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
|
||||
} finally {
|
||||
if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
|
||||
pomFile.deleteOnExit();
|
||||
|
||||
@@ -101,9 +101,17 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
return ANALYSIS_PHASE;
|
||||
}
|
||||
|
||||
/**
|
||||
* The file filter used to determine which files this analyzer supports.
|
||||
*/
|
||||
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(
|
||||
SUPPORTED_EXTENSIONS).build();
|
||||
|
||||
/**
|
||||
* Returns the FileFilter
|
||||
*
|
||||
* @return the FileFilter
|
||||
*/
|
||||
@Override
|
||||
protected FileFilter getFileFilter() {
|
||||
return FILTER;
|
||||
|
||||
@@ -26,7 +26,6 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.utils.*;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
@@ -34,6 +33,12 @@ import javax.mail.MessagingException;
|
||||
import javax.mail.internet.InternetHeaders;
|
||||
import java.io.*;
|
||||
import java.util.regex.Pattern;
|
||||
import org.owasp.dependencycheck.utils.ExtractionException;
|
||||
import org.owasp.dependencycheck.utils.ExtractionUtil;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
import org.owasp.dependencycheck.utils.FileUtils;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.owasp.dependencycheck.utils.UrlStringUtils;
|
||||
|
||||
/**
|
||||
* Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
|
||||
@@ -112,9 +117,17 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
private static final NameFileFilter PKG_INFO_FILTER = new NameFileFilter(
|
||||
PKG_INFO);
|
||||
|
||||
/**
|
||||
* The file filter used to determine which files this analyzer supports.
|
||||
*/
|
||||
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFileFilters(
|
||||
METADATA_FILTER, PKG_INFO_FILTER).addExtensions(EXTENSIONS).build();
|
||||
|
||||
/**
|
||||
* Returns the FileFilter
|
||||
*
|
||||
* @return the FileFilter
|
||||
*/
|
||||
@Override
|
||||
protected FileFilter getFileFilter() {
|
||||
return FILTER;
|
||||
@@ -181,13 +194,13 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
/**
|
||||
* Collects the meta data from an archive.
|
||||
*
|
||||
* @param dependency the archive being scanned
|
||||
* @param folderFilter the filter to apply to the folder
|
||||
* @param dependency the archive being scanned
|
||||
* @param folderFilter the filter to apply to the folder
|
||||
* @param metadataFilter the filter to apply to the meta data
|
||||
* @throws AnalysisException thrown when there is a problem analyzing the dependency
|
||||
*/
|
||||
private void collectMetadataFromArchiveFormat(Dependency dependency,
|
||||
FilenameFilter folderFilter, FilenameFilter metadataFilter)
|
||||
FilenameFilter folderFilter, FilenameFilter metadataFilter)
|
||||
throws AnalysisException {
|
||||
final File temp = getNextTempDirectory();
|
||||
LOGGER.debug("{} exists? {}", temp, temp.exists());
|
||||
@@ -247,7 +260,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* Gathers evidence from the METADATA file.
|
||||
*
|
||||
* @param dependency the dependency being analyzed
|
||||
* @param file a reference to the manifest/properties file
|
||||
* @param file a reference to the manifest/properties file
|
||||
* @throws AnalysisException thrown when there is an error
|
||||
*/
|
||||
private static void collectWheelMetadata(Dependency dependency, File file)
|
||||
@@ -277,13 +290,13 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
/**
|
||||
* Adds a value to the evidence collection.
|
||||
*
|
||||
* @param headers the properties collection
|
||||
* @param evidence the evidence collection to add the value
|
||||
* @param property the property name
|
||||
* @param headers the properties collection
|
||||
* @param evidence the evidence collection to add the value
|
||||
* @param property the property name
|
||||
* @param confidence the confidence of the evidence
|
||||
*/
|
||||
private static void addPropertyToEvidence(InternetHeaders headers,
|
||||
EvidenceCollection evidence, String property, Confidence confidence) {
|
||||
EvidenceCollection evidence, String property, Confidence confidence) {
|
||||
final String value = headers.getHeader(property, null);
|
||||
LOGGER.debug("Property: {}, Value: {}", property, value);
|
||||
if (StringUtils.isNotBlank(value)) {
|
||||
|
||||
@@ -132,8 +132,16 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
return AnalysisPhase.INFORMATION_COLLECTION;
|
||||
}
|
||||
|
||||
/**
|
||||
* The file filter used to determine which files this analyzer supports.
|
||||
*/
|
||||
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
|
||||
|
||||
/**
|
||||
* Returns the FileFilter
|
||||
*
|
||||
* @return the FileFilter
|
||||
*/
|
||||
@Override
|
||||
protected FileFilter getFileFilter() {
|
||||
return FILTER;
|
||||
|
||||
@@ -278,6 +278,15 @@ public final class ConnectionFactory {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Updates the database schema by loading the upgrade script for the version specified. The intended use is that if the
|
||||
* current schema version is 2.9 then we would call updateSchema(conn, "2.9"). This would load the upgrade_2.9.sql file and
|
||||
* execute it against the database. The upgrade script must update the 'version' in the properties table.
|
||||
*
|
||||
* @param conn the database connection object
|
||||
* @param schema the current schema version that is being upgraded
|
||||
* @throws DatabaseException thrown if there is an exception upgrading the database schema
|
||||
*/
|
||||
private static void updateSchema(Connection conn, String schema) throws DatabaseException {
|
||||
LOGGER.debug("Updating database structure");
|
||||
InputStream is;
|
||||
|
||||
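Review bot: The new Javadoc for `updateSchema(Connection conn, String schema)` explains how the script name is derived from `schema` but not where `upgrade_<schema>.sql` is loaded from or what happens when no script exists for that version; the `InputStream is;` declared at the end of the hunk suggests a lookup whose null result is handled, or not, outside the hunk. If a missing script is reported as `DatabaseException`, say so: `@throws DatabaseException thrown if there is an exception upgrading the database schema or no upgrade script exists for {@code schema}`, and add a sentence naming the lookup location so callers know what to ship with a new schema version.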
@@ -34,7 +34,6 @@ import java.util.Map.Entry;
|
||||
import java.util.Properties;
|
||||
import java.util.ResourceBundle;
|
||||
import java.util.Set;
|
||||
import java.util.logging.Level;
|
||||
import org.owasp.dependencycheck.data.cwe.CweDB;
|
||||
import org.owasp.dependencycheck.dependency.Reference;
|
||||
import org.owasp.dependencycheck.dependency.Vulnerability;
|
||||
|
||||
@@ -64,7 +64,7 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
|
||||
if (updateNeeded()) {
|
||||
LOGGER.info("Updating the Common Platform Enumeration (CPE)");
|
||||
final File xml = downloadCpe();
|
||||
List<Cpe> cpes = processXML(xml);
|
||||
final List<Cpe> cpes = processXML(xml);
|
||||
getCveDB().deleteUnusedCpe();
|
||||
for (Cpe cpe : cpes) {
|
||||
getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct());
|
||||
@@ -116,7 +116,7 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
|
||||
try {
|
||||
final SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
final SAXParser saxParser = factory.newSAXParser();
|
||||
CPEHandler handler = new CPEHandler();
|
||||
final CPEHandler handler = new CPEHandler();
|
||||
saxParser.parse(xml, handler);
|
||||
return handler.getData();
|
||||
} catch (ParserConfigurationException ex) {
|
||||
@@ -137,7 +137,7 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
|
||||
final Date now = new Date();
|
||||
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 30);
|
||||
long timestamp = 0;
|
||||
String ts = getProperties().getProperty(LAST_CPE_UPDATE);
|
||||
final String ts = getProperties().getProperty(LAST_CPE_UPDATE);
|
||||
if (ts != null && ts.matches("^[0-9]+$")) {
|
||||
timestamp = Long.parseLong(ts);
|
||||
}
|
||||
|
||||
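Review bot: In the hunk that parses `xml`, `SAXParserFactory.newInstance()` is used at `final SAXParser saxParser = factory.newSAXParser();` with no features set, so the CPE dictionary is parsed with DTD and external-entity handling at JAXP defaults; the file comes from `downloadCpe()`, presumably a network fetch, and the factory should be hardened with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `newSAXParser()`. The commit only adds `final` on `handler` here, so this is pre-existing, but the lines are in the hunk. In the `updateNeeded` hunk, `ts.matches("^[0-9]+$")` guards `Long.parseLong(ts)` against non-digits but not against a digit run longer than a `long`, which still throws `NumberFormatException`; wrapping the parse in `try`/`catch (NumberFormatException ex)` as NvdCveUpdater does for the same property pattern would be consistent.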
@@ -67,7 +67,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
|
||||
public void update() throws UpdateException {
|
||||
try {
|
||||
openDataStores();
|
||||
UpdateableNvdCve updateable = getUpdatesNeeded();
|
||||
final UpdateableNvdCve updateable = getUpdatesNeeded();
|
||||
if (updateable.isUpdateNeeded()) {
|
||||
performUpdate(updateable);
|
||||
}
|
||||
@@ -233,7 +233,8 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
|
||||
} else {
|
||||
long currentTimestamp = 0;
|
||||
try {
|
||||
currentTimestamp = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED_BASE + entry.getId(), "0"));
|
||||
currentTimestamp = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED_BASE
|
||||
+ entry.getId(), "0"));
|
||||
} catch (NumberFormatException ex) {
|
||||
LOGGER.debug("Error parsing '{}' '{}' from nvdcve.lastupdated",
|
||||
DatabaseProperties.LAST_UPDATED_BASE, entry.getId(), ex);
|
||||
|
||||
@@ -19,7 +19,6 @@ package org.owasp.dependencycheck.data.update;
|
||||
|
||||
import java.util.Iterator;
|
||||
import java.util.ServiceLoader;
|
||||
import org.owasp.dependencycheck.data.update.CachedWebDataSource;
|
||||
|
||||
/**
|
||||
* The CachedWebDataSource Service Loader. This class loads all services that implement
|
||||
|
||||
@@ -18,7 +18,6 @@
|
||||
package org.owasp.dependencycheck.data.update.cpe;
|
||||
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.net.URLDecoder;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import org.owasp.dependencycheck.data.update.NvdCveUpdater;
|
||||
@@ -43,11 +42,11 @@ public class CPEHandler extends DefaultHandler {
|
||||
/**
|
||||
* The text content of the node being processed. This can be used during the end element event.
|
||||
*/
|
||||
StringBuilder nodeText = null;
|
||||
private StringBuilder nodeText = null;
|
||||
/**
|
||||
* A reference to the current element.
|
||||
*/
|
||||
Element current = new Element();
|
||||
private Element current = new Element();
|
||||
/**
|
||||
* The logger.
|
||||
*/
|
||||
@@ -55,7 +54,7 @@ public class CPEHandler extends DefaultHandler {
|
||||
/**
|
||||
* The list of CPE values.
|
||||
*/
|
||||
List<Cpe> data = new ArrayList<Cpe>();
|
||||
private List<Cpe> data = new ArrayList<Cpe>();
|
||||
|
||||
/**
|
||||
* Returns the list of CPE values.
|
||||
@@ -67,7 +66,7 @@ public class CPEHandler extends DefaultHandler {
|
||||
}
|
||||
|
||||
/**
|
||||
* Handles the start element event
|
||||
* Handles the start element event.
|
||||
*
|
||||
* @param uri the elements uri
|
||||
* @param localName the local name
|
||||
@@ -80,12 +79,12 @@ public class CPEHandler extends DefaultHandler {
|
||||
nodeText = null;
|
||||
current.setNode(qName);
|
||||
if (current.isCpeItemNode()) {
|
||||
String temp = attributes.getValue("deprecated");
|
||||
String value = attributes.getValue("name");
|
||||
boolean delete = (temp != null && temp.equalsIgnoreCase("true"));
|
||||
final String temp = attributes.getValue("deprecated");
|
||||
final String value = attributes.getValue("name");
|
||||
final boolean delete = "true".equalsIgnoreCase(temp);
|
||||
if (!delete && value.startsWith("cpe:/a:") && value.length() > 7) {
|
||||
try {
|
||||
Cpe cpe = new Cpe(value);
|
||||
final Cpe cpe = new Cpe(value);
|
||||
data.add(cpe);
|
||||
} catch (UnsupportedEncodingException ex) {
|
||||
LOGGER.debug("Unable to parse the CPE", ex);
|
||||
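Review bot: `value` comes from `attributes.getValue("name")` and is null when the attribute is absent, so the `value.startsWith("cpe:/a:")` test on the line after the new `final` declarations throws a NullPointerException out of the SAX callback instead of skipping the entry. The `"true".equalsIgnoreCase(temp)` rewrite already handles the null case for `deprecated`; the same care is missing one line later: `if (!delete && value != null && value.startsWith("cpe:/a:") && value.length() > 7) {`. The enclosing startElement method begins and ends outside the hunk.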
@@ -230,6 +229,9 @@ public class CPEHandler extends DefaultHandler {
|
||||
* A node type in the CPE Schema 2.2
|
||||
*/
|
||||
public static final String TIMESTAMP = "timestamp";
|
||||
/**
|
||||
* A reference to the current node.
|
||||
*/
|
||||
private String node = null;
|
||||
|
||||
/**
|
||||
|
||||
@@ -27,6 +27,13 @@ import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
|
||||
*/
|
||||
public class Cpe {
|
||||
|
||||
/**
|
||||
* Constructs a new Cpe Object by parsing the vendor and product from the CPE identifier value.
|
||||
*
|
||||
* @param value the cpe identifier (cpe:/a:vendor:product:version:....)
|
||||
* @throws UnsupportedEncodingException thrown if UTF-8 is not supported
|
||||
* @throws InvalidDataException thrown if the CPE provided is not the correct format
|
||||
*/
|
||||
public Cpe(String value) throws UnsupportedEncodingException, InvalidDataException {
|
||||
this.value = value;
|
||||
final String[] data = value.substring(7).split(":");
|
||||
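Review bot: The new Javadoc's `@throws InvalidDataException thrown if the CPE provided is not the correct format` does not match what the first statement does for short input: `value.substring(7)` throws StringIndexOutOfBoundsException when `value` has fewer than seven characters, and NullPointerException when it is null, before any format check can run. The one visible caller (CPEHandler) guards `value.length() > 7` itself, but this constructor is public, so either the guard belongs here — `if (value == null || value.length() <= 7) { throw new InvalidDataException(...); }`, with whatever message argument that exception's constructor takes — or the Javadoc should name the runtime exceptions callers actually get. The constructor body continues outside the hunk, so later validation may exist, but it cannot rescue the substring call that precedes it.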
@@ -66,7 +73,7 @@ public class Cpe {
|
||||
private String vendor;
|
||||
|
||||
/**
|
||||
* Get the value of vendor
|
||||
* Get the value of vendor.
|
||||
*
|
||||
* @return the value of vendor
|
||||
*/
|
||||
@@ -75,7 +82,7 @@ public class Cpe {
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of vendor
|
||||
* Set the value of vendor.
|
||||
*
|
||||
* @param vendor new value of vendor
|
||||
*/
|
||||
@@ -89,7 +96,7 @@ public class Cpe {
|
||||
private String product;
|
||||
|
||||
/**
|
||||
* Get the value of product
|
||||
* Get the value of product.
|
||||
*
|
||||
* @return the value of product
|
||||
*/
|
||||
@@ -98,7 +105,7 @@ public class Cpe {
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of product
|
||||
* Set the value of product.
|
||||
*
|
||||
* @param product new value of product
|
||||
*/
|
||||
@@ -106,9 +113,13 @@ public class Cpe {
|
||||
this.product = product;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the full CPE identifier.
|
||||
*
|
||||
* @return the full CPE identifier
|
||||
*/
|
||||
@Override
|
||||
public String toString() {
|
||||
return value;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -31,8 +31,6 @@ import org.owasp.dependencycheck.data.nvdcve.CveDB;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
|
||||
import org.owasp.dependencycheck.data.update.exception.UpdateException;
|
||||
import org.owasp.dependencycheck.data.update.nvd.NvdCve12Handler;
|
||||
import org.owasp.dependencycheck.data.update.nvd.NvdCve20Handler;
|
||||
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.slf4j.Logger;
|
||||
@@ -94,8 +92,8 @@ public class ProcessTask implements Callable<ProcessTask> {
|
||||
*
|
||||
* @param cveDB the data store object
|
||||
* @param filePair the download task that contains the URL references to download
|
||||
* @param settings a reference to the global settings object; this is necessary so that when the thread is started
|
||||
* the dependencies have a correct reference to the global settings.
|
||||
* @param settings a reference to the global settings object; this is necessary so that when the thread is started the
|
||||
* dependencies have a correct reference to the global settings.
|
||||
*/
|
||||
public ProcessTask(final CveDB cveDB, final DownloadTask filePair, Settings settings) {
|
||||
this.cveDB = cveDB;
|
||||
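Review bot: The constructor signature `public ProcessTask(final CveDB cveDB, final DownloadTask filePair, Settings settings)` marks two parameters `final` but not the third, which is inconsistent for a checkstyle-driven change. One-line fix: `public ProcessTask(final CveDB cveDB, final DownloadTask filePair, final Settings settings) {`. The constructor body continues outside the hunk.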
@@ -108,8 +106,8 @@ public class ProcessTask implements Callable<ProcessTask> {
|
||||
* Implements the callable interface.
|
||||
*
|
||||
* @return this object
|
||||
* @throws Exception thrown if there is an exception; note that any UpdateExceptions are simply added to the tasks
|
||||
* exception collection
|
||||
* @throws Exception thrown if there is an exception; note that any UpdateExceptions are simply added to the tasks exception
|
||||
* collection
|
||||
*/
|
||||
@Override
|
||||
public ProcessTask call() throws Exception {
|
||||
|
||||
@@ -22,7 +22,7 @@ import ch.qos.cal10n.Locale;
|
||||
import ch.qos.cal10n.LocaleData;
|
||||
|
||||
/**
|
||||
* Created by colezlaw on 6/13/15.
|
||||
* @author colezlaw
|
||||
*/
|
||||
@BaseName("dependencycheck-resources")
|
||||
@LocaleData(defaultCharset = "UTF-8",
|
||||
|
||||
@@ -17,8 +17,6 @@
|
||||
*/
|
||||
package org.owasp.dependencycheck.utils;
|
||||
|
||||
import static org.owasp.dependencycheck.utils.FileUtils.getFileExtension;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.BufferedOutputStream;
|
||||
import java.io.Closeable;
|
||||
@@ -226,7 +224,7 @@ public final class ExtractionUtil {
|
||||
final File file = new File(destination, entry.getName());
|
||||
if (filter.accept(file.getParentFile(), file.getName())) {
|
||||
LOGGER.debug("Extracting '{}'",
|
||||
file.getPath());
|
||||
file.getPath());
|
||||
BufferedOutputStream bos = null;
|
||||
FileOutputStream fos = null;
|
||||
try {
|
||||
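Review bot: `new File(destination, entry.getName())` joins an archive-supplied entry name to the destination directory with no check that the result stays inside it, so an entry name containing `..` segments resolves to a path outside `destination` before `filter.accept` and the stream setup on the following lines run; the `final` added here does not change that. A canonical-path containment check before any output stream is opened closes the gap, e.g. `if (!file.getCanonicalPath().startsWith(destination.getCanonicalPath() + File.separator)) { throw new IOException("Archive entry outside destination: " + entry.getName()); }` (if `destination` is a String rather than a File, wrap it in `new File(...)` first; its type is not visible here). The enclosing method and its loop over entries begin and end outside the hunk, so apply the same check wherever `entry.getName()` is used to build an output path.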
@@ -302,5 +300,4 @@ public final class ExtractionUtil {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -15,7 +15,6 @@
|
||||
*
|
||||
* Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
|
||||
*/
|
||||
|
||||
package org.owasp.dependencycheck.utils;
|
||||
|
||||
import org.apache.commons.io.IOCase;
|
||||
@@ -25,12 +24,17 @@ import org.apache.commons.io.filefilter.OrFileFilter;
|
||||
import org.apache.commons.io.filefilter.SuffixFileFilter;
|
||||
|
||||
import java.io.FileFilter;
|
||||
import java.util.*;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
/**
|
||||
* <p>Utility class for building useful {@link FileFilter} instances for
|
||||
* {@link org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer} implementations. The built filter uses
|
||||
* {@link OrFileFilter} to logically OR the given filter conditions. Example usage:</p>
|
||||
* <p>
|
||||
* Utility class for building useful {@link FileFilter} instances for
|
||||
* {@link org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer} implementations. The built filter uses {@link OrFileFilter}
|
||||
* to logically OR the given filter conditions. Example usage:</p>
|
||||
*
|
||||
* <pre>
|
||||
* FileFilter filter = FileFilterBuilder.newInstance().addExtensions("jar", "war").build();
|
||||
@@ -41,13 +45,21 @@ import java.util.*;
|
||||
*/
|
||||
public class FileFilterBuilder {
|
||||
|
||||
private Set<String> filenames = new HashSet<String>();
|
||||
private Set<String> extensions = new HashSet<String>();
|
||||
private List<IOFileFilter> fileFilters = new ArrayList<IOFileFilter>();
|
||||
/**
|
||||
* A set of filenames to filter.
|
||||
*/
|
||||
private final Set<String> filenames = new HashSet<String>();
|
||||
/**
|
||||
* A set of extensions to filter.
|
||||
*/
|
||||
private final Set<String> extensions = new HashSet<String>();
|
||||
/**
|
||||
* An array list of file filters.
|
||||
*/
|
||||
private final List<IOFileFilter> fileFilters = new ArrayList<IOFileFilter>();
|
||||
|
||||
/**
|
||||
* Create a new instance and return it. This method is for convenience in using the builder pattern within a single
|
||||
* statement.
|
||||
* Create a new instance and return it. This method is for convenience in using the builder pattern within a single statement.
|
||||
*
|
||||
* @return a new builder instance
|
||||
*/
|
||||
@@ -111,7 +123,7 @@ public class FileFilterBuilder {
|
||||
if (filenames.isEmpty() && extensions.isEmpty() && fileFilters.isEmpty()) {
|
||||
throw new IllegalStateException("May only be invoked after at least one add... method has been invoked.");
|
||||
}
|
||||
OrFileFilter filter = new OrFileFilter();
|
||||
final OrFileFilter filter = new OrFileFilter();
|
||||
if (!filenames.isEmpty()) {
|
||||
filter.addFileFilter(new NameFileFilter(new ArrayList<String>(filenames)));
|
||||
}
|
||||
|
||||