github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-27 11:31:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

node.js: Added package.json eveidence gathering, using json.org package for the parsing.

Browse Source
This commit is contained in:
Dale Visser
2015-08-07 15:41:01 -04:00
parent 2441b92bc6
commit b4c3046ab5
3 changed files with 46 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
dependency-check-core/pom.xml
View File

@@ -434,6 +434,10 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<groupId>com.h2database</groupId> <groupId>com.h2database</groupId>
<artifactId>h2</artifactId> <artifactId>h2</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.json</groupId>
<artifactId>json</artifactId>
</dependency>
<dependency> <dependency>
<groupId>org.jsoup</groupId> <groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId> <artifactId>jsoup</artifactId>

40
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
View File

@@ -17,13 +17,18 @@
*/ */
package org.owasp.dependencycheck.analyzer; package org.owasp.dependencycheck.analyzer;
import org.apache.commons.io.FileUtils;
import org.json.JSONObject;
import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.Settings;
import java.io.FileFilter; import java.io.FileFilter;
import java.io.IOException;
/** /**
* Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine
@@ -43,11 +48,12 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
*/ */
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION; private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
public static final String PACKAGE_JSON = "package.json";
/** /**
* Filter that detects files named "package.json". * Filter that detects files named "package.json".
*/ */
private static final FileFilter PACKAGE_JSON_FILTER = private static final FileFilter PACKAGE_JSON_FILTER =
FileFilterBuilder.newInstance().addFilenames("package.json").build(); FileFilterBuilder.newInstance().addFilenames(PACKAGE_JSON).build();
/** /**
* Returns the FileFilter * Returns the FileFilter
@@ -61,7 +67,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
@Override @Override
protected void initializeFileTypeAnalyzer() throws Exception { protected void initializeFileTypeAnalyzer() throws Exception {
// TODO anaything? // NO-OP
} }
/** /**
@@ -97,6 +103,34 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
@Override @Override
protected void analyzeFileType(Dependency dependency, Engine engine) protected void analyzeFileType(Dependency dependency, Engine engine)
throws AnalysisException { throws AnalysisException {
// TODO implement String contents;
try {
contents = FileUtils.readFileToString(dependency.getActualFile()).trim();
} catch (IOException e) {
throw new AnalysisException(
"Problem occurred while reading dependency file.", e);
}
JSONObject json = new JSONObject(contents);
final EvidenceCollection productEvidence = dependency.getProductEvidence();
addToEvidence(json, productEvidence, "name");
addToEvidence(json, productEvidence, "description");
addToEvidence(json, dependency.getVendorEvidence(), "author");
addToEvidence(json, dependency.getVersionEvidence(), "version");
}
private void addToEvidence(JSONObject json, EvidenceCollection productEvidence, String key) {
if (json.has(key)) {
Object value = json.get(key);
if (value instanceof String) {
productEvidence.addEvidence(PACKAGE_JSON, key, (String) value, Confidence.HIGHEST);
} else if (value instanceof JSONObject) {
for (String property : ((JSONObject) value).keySet()) {
productEvidence.addEvidence(PACKAGE_JSON,
String.format("%s.%s", key, property),
((JSONObject) value).getString(property),
Confidence.HIGHEST);
}
}
}
} }
} }

5
pom.xml
View File

@@ -521,6 +521,11 @@ Copyright (c) 2012 - Jeremy Long
<artifactId>velocity</artifactId> <artifactId>velocity</artifactId>
<version>1.7</version> <version>1.7</version>
</dependency> </dependency>
<dependency>
<groupId>org.json</groupId>
<artifactId>json</artifactId>
<version>20141113</version>
</dependency>
<dependency> <dependency>
<groupId>org.hamcrest</groupId> <groupId>org.hamcrest</groupId>
<artifactId>hamcrest-core</artifactId> <artifactId>hamcrest-core</artifactId>