github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 07:43:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

Checkin of the NexusAnalyzer and its tests

Browse Source 
Former-commit-id: d9c29602efeaf923feb941ec38c8fc704eb99c11
This commit is contained in:
Will Stranathan
2014-01-13 10:22:40 -05:00
parent 000f382143
commit d58e2aa701
6 changed files with 282 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

154
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java Normal file
View File

@@ -0,0 +1,154 @@
/*
* This file is part of dependency-check-core.
*
* Dependency-check-core is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-check-core is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* dependency-check-core. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.nexus;
/**
* Simple bean representing a Maven Artifact.
*
* @author colezlaw
*/
public class MavenArtifact {
/**
* The groupId
*/
private String groupId;
/**
* The artifactId
*/
private String artifactId;
/**
* The version
*/
private String version;
/**
* The artifact url. This may change depending on which Nexus
* server the search took place.
*/
private String artifactUrl;
/**
* Creates an empty MavenArtifact.
*/
public MavenArtifact() {
}
/**
* Creates a MavenArtifact with the given attributes.
*
* @param groupId the groupId
* @param artifactId the artifactId
* @param version the version
*/
public MavenArtifact(String groupId, String artifactId, String version) {
setGroupId(groupId);
setArtifactId(artifactId);
setVersion(version);
}
/**
* Creates a MavenArtifact with the given attributes.
*
* @param groupId the groupId
* @param artifactId the artifactId
* @param version the version
* @param url the artifactLink url
*/
public MavenArtifact(String groupId, String artifactId, String version, String url) {
setGroupId(groupId);
setArtifactId(artifactId);
setVersion(version);
setArtifactUrl(url);
}
/**
* Returns the Artifact coordinates as a String.
*
* @return the String representation of the artifact coordinates
*/
@Override
public String toString() {
return String.format("%s:%s:%s", groupId, artifactId, version);
}
/**
* Sets the groupId.
*
* @param groupId the groupId
*/
public void setGroupId(String groupId) { this.groupId = groupId; }
/**
* Gets the groupId.
*
* @return the groupId
*/
public String getGroupId() { return groupId; }
/**
* Sets the artifactId.
*
* @param artifactId the artifactId
*/
public void setArtifactId(String artifactId) { this.artifactId = artifactId; }
/**
* Gets the artifactId.
*
* @return the artifactId
*/
public String getArtifactId() { return artifactId; }
/**
* Sets the version.
*
* @param version the version
*/
public void setVersion(String version) { this.version = version; }
/**
* Gets the version.
*
* @return the version
*/
public String getVersion() { return version; }
/**
* Sets the artifactUrl.
*
* @param artifactUrl the artifactUrl
*/
public void setArtifactUrl(String artifactUrl) {
this.artifactUrl = artifactUrl;
}
/**
* Gets the artifactUrl.
*
* @return the artifactUrl
*/
public String getArtifactUrl() {
return artifactUrl;
}
}
// vim: cc=120:sw=4:ts=4:sts=4

105
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java Normal file
View File

@@ -0,0 +1,105 @@
/*
* This file is part of dependency-check-core.
*
* Dependency-check-core is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-check-core is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* dependency-check-core. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.nexus;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
/**
* Class of methods to search Nexus repositories.
*
* @author colezlaw
*/
public class NexusSearch {
/**
* The root URL for the Nexus repository service
*/
private final URL rootURL;
/**
* Used for logging.
*/
private static final Logger LOGGER = Logger.getLogger(NexusSearch.class.getName());
/**
* Creates a NexusSearch for the given repository URL.
*
* @param rootURL the root URL of the repository on which searches should execute.
* full URL's are calculated relative to this URL, so it should end with a /
*/
public NexusSearch(URL rootURL) {
this.rootURL = rootURL;
}
/**
* Searches the configured Nexus repository for the given sha1
* hash. If the artifact is found, a <code>MavenArtifact</code> is populated
* with the coordinate information.
*
* @param sha1 The SHA-1 hash string for which to search
* @return the populated Maven coordinates
* @throws IOException if it's unable to connect to the specified repositor or
* if the specified artifact is not found.
*/
public MavenArtifact searchSha1(String sha1) throws IOException {
if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
throw new IllegalArgumentException("Invalid SHA1 format");
}
final URL url = new URL(rootURL, String.format("identify/sha1/%s", sha1.toLowerCase()));
LOGGER.fine(String.format("Searching Nexus url %s", url.toString()));
final URLConnection conn = url.openConnection();
conn.setDoOutput(true);
// JSON would be more elegant, but there's not currently a dependency
// on JSON, so don't want to add one just for this
conn.addRequestProperty("Accept", "application/xml");
conn.connect();
try {
final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
final Document doc = builder.parse(conn.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String groupId = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/groupId", doc);
final String artifactId = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/artifactId", doc);
final String version = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/version", doc);
final String link = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink", doc);
return new MavenArtifact(groupId, artifactId, version, link);
} catch (FileNotFoundException fnfe) {
// This is what we get when the SHA1 they sent doesn't exist in Nexus. This
// is useful upstream for recovery, so we just re-throw it
throw fnfe;
} catch (Exception e) {
// Anything else is jacked-up XML stuff that we really can't recover from well
throw new IOException(e.getMessage(), e);
}
}
}
// vim: cc=120:sw=4:ts=4:sts=4

12
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/package-info.java Normal file
View File

@@ -0,0 +1,12 @@
/**
* <html>
* <head>
* <title>org.owasp.dependencycheck.data.nexus</title>
* </head>
* <body>
* <p>Contains classes related to searching a Nexus repository.</p>
* <p>These are used to abstract Nexus searching away from
* OWASP Dependency Check so they can be reused elsewhere.</p>
* </body>
* </html>
*/

3
dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
View File

@@ -7,4 +7,5 @@ org.owasp.dependencycheck.analyzer.FalsePositiveAnalyzer
org.owasp.dependencycheck.analyzer.CpeSuppressionAnalyzer
org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer
org.owasp.dependencycheck.analyzer.NvdCveAnalyzer
org.owasp.dependencycheck.analyzer.VulnerabilitySuppressionAnalyzer
org.owasp.dependencycheck.analyzer.VulnerabilitySuppressionAnalyzer
org.owasp.dependencycheck.analyzer.NexusAnalyzer

5
dependency-check-core/src/main/resources/dependencycheck.properties
View File

@@ -46,3 +46,8 @@ cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modifie
cve.startyear=2002
cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.enabled=true
analyzer.nexus.url=http://repository.sonatype.org/service/local/

4
dependency-check-core/src/test/resources/dependencycheck.properties
View File

@@ -46,3 +46,7 @@ cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modifie
cve.startyear=2013
cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.enabled=false
analyzer.nexus.url=http://repository.sonatype.org/service/local/