github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-18 17:47:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

checkstyle updates

Browse Source 
Former-commit-id: ab27a76b429996a66a4964d6d52aab97dd1f1bd1
This commit is contained in:
Jeremy Long
2013-03-30 22:11:04 -04:00
parent 00a35ce93f
commit d6e387a29b
45 changed files with 743 additions and 503 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/main/java/org/owasp/dependencycheck/data/UpdateException.java
View File

@@ -27,6 +27,9 @@ import java.io.IOException;
*/
public class UpdateException extends IOException {
/**
* The serial version uid.
*/
private static final long serialVersionUID = 1L;
/**

8
src/main/java/org/owasp/dependencycheck/data/UpdateService.java
View File

@@ -25,9 +25,15 @@ import java.util.ServiceLoader;
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class UpdateService {
public final class UpdateService {
/**
* the singleton reference to the service.
*/
private static UpdateService service;
/**
* the service loader for CachedWebDataSource.
*/
private final ServiceLoader<CachedWebDataSource> loader;
/**

51
src/main/java/org/owasp/dependencycheck/data/cpe/CPEAnalyzer.java
View File

@@ -60,7 +60,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
* utilized within the CPE Names.
*/
static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
/*
/**
* A string representation of a regular expression used to remove all but
* alpha characters.
*/
@@ -73,7 +73,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
/**
* The CPE Index.
*/
protected Index cpe = null;
private Index cpe;
/**
* Opens the data source.
@@ -137,7 +137,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
boolean found = false;
int ctr = 0;
do {
List<Entry> entries = searchCPE(vendors, products, versions, dependency.getProductEvidence().getWeighting(),
final List<Entry> entries = searchCPE(vendors, products, versions, dependency.getProductEvidence().getWeighting(),
dependency.getVendorEvidence().getWeighting());
@@ -197,8 +197,8 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
* @return the new evidence text
*/
private String addEvidenceWithoutDuplicateTerms(final String text, final EvidenceCollection ec, Confidence confidenceFilter) {
String txt = (text == null) ? "" : text;
StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size()));
final String txt = (text == null) ? "" : text;
final StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size()));
sb.append(txt);
for (Evidence e : ec.iterator(confidenceFilter)) {
String value = e.getValue();
@@ -255,17 +255,17 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
protected List<Entry> searchCPE(String vendor, String product, String version,
Set<String> vendorWeightings, Set<String> productWeightings)
throws CorruptIndexException, IOException, ParseException {
ArrayList<Entry> ret = new ArrayList<Entry>(MAX_QUERY_RESULTS);
final ArrayList<Entry> ret = new ArrayList<Entry>(MAX_QUERY_RESULTS);
String searchString = buildSearch(vendor, product, version, vendorWeightings, productWeightings);
final String searchString = buildSearch(vendor, product, version, vendorWeightings, productWeightings);
if (searchString == null) {
return ret;
}
TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
for (ScoreDoc d : docs.scoreDocs) {
Document doc = cpe.getDocument(d.doc);
Entry entry = Entry.parse(doc);
final Document doc = cpe.getDocument(d.doc);
final Entry entry = Entry.parse(doc);
entry.setSearchScore(d.score);
if (!ret.contains(entry)) {
ret.add(entry);
@@ -294,7 +294,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
protected String buildSearch(String vendor, String product, String version,
Set<String> vendorWeighting, Set<String> productWeightings) {
StringBuilder sb = new StringBuilder(vendor.length() + product.length()
final StringBuilder sb = new StringBuilder(vendor.length() + product.length()
+ version.length() + Fields.PRODUCT.length() + Fields.VERSION.length()
+ Fields.VENDOR.length() + STRING_BUILDER_BUFFER);
@@ -349,7 +349,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
//TODO add a mutator or special analyzer that combines words next to each other and adds them as a key.
sb.append(" ").append(field).append(":( ");
String cleanText = cleanseText(searchText);
final String cleanText = cleanseText(searchText);
if ("".equals(cleanText)) {
return false;
@@ -358,12 +358,12 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
if (weightedText == null || weightedText.isEmpty()) {
LuceneUtils.appendEscapedLuceneQuery(sb, cleanText);
} else {
StringTokenizer tokens = new StringTokenizer(cleanText);
final StringTokenizer tokens = new StringTokenizer(cleanText);
while (tokens.hasMoreElements()) {
String word = tokens.nextToken();
final String word = tokens.nextToken();
String temp = null;
for (String weighted : weightedText) {
String weightedStr = cleanseText(weighted);
final String weightedStr = cleanseText(weighted);
if (equalsIgnoreCaseAndNonAlpha(word, weightedStr)) {
temp = LuceneUtils.escapeLuceneQuery(word) + WEIGHTING_BOOST;
if (!word.equalsIgnoreCase(weightedStr)) {
@@ -405,8 +405,8 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
return false;
}
String left = l.replaceAll(CLEANSE_NONALPHA_RX, "");
String right = r.replaceAll(CLEANSE_NONALPHA_RX, "");
final String left = l.replaceAll(CLEANSE_NONALPHA_RX, "");
final String right = r.replaceAll(CLEANSE_NONALPHA_RX, "");
return left.equalsIgnoreCase(right);
}
@@ -422,16 +422,23 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
private boolean verifyEntry(final Entry entry, final Dependency dependency) {
boolean isValid = false;
if (collectionContainsStrings(dependency.getProductEvidence(), entry.getProduct())
&& collectionContainsStrings(dependency.getVendorEvidence(), entry.getVendor())
&& collectionContainsStrings(dependency.getVersionEvidence(), entry.getVersion())) {
if (collectionContainsString(dependency.getProductEvidence(), entry.getProduct())
&& collectionContainsString(dependency.getVendorEvidence(), entry.getVendor())
&& collectionContainsString(dependency.getVersionEvidence(), entry.getVersion())) {
isValid = true;
}
return isValid;
}
private boolean collectionContainsStrings(EvidenceCollection ec, String text) {
String[] words = text.split("[\\s_-]");
/**
* Used to determine if the EvidenceCollection contains a specific string.
*
* @param ec an EvidenceCollection
* @param text the text to search for
* @return whether or not the EvidenceCollection contains the string
*/
private boolean collectionContainsString(EvidenceCollection ec, String text) {
final String[] words = text.split("[\\s_-]");
boolean contains = true;
for (String word : words) {
contains &= ec.containsUsedString(word);

43
src/main/java/org/owasp/dependencycheck/data/cpe/Entry.java
View File

@@ -32,6 +32,9 @@ import org.apache.lucene.document.Document;
*/
public class Entry implements Serializable {
/**
* the serial version uid.
*/
static final long serialVersionUID = 8011924485946326934L;
/**
@@ -42,7 +45,7 @@ public class Entry implements Serializable {
* @return a CPE Entry.
*/
public static Entry parse(Document doc) {
Entry entry = new Entry();
final Entry entry = new Entry();
try {
entry.parseName(doc.get(Fields.NAME));
} catch (UnsupportedEncodingException ex) {
@@ -54,10 +57,10 @@ public class Entry implements Serializable {
/**
* The name of the CPE entry.
*/
protected String name;
private String name;
/**
* Get the value of name
* Get the value of name.
*
* @return the value of name
*/
@@ -66,7 +69,7 @@ public class Entry implements Serializable {
}
/**
* Set the value of name
* Set the value of name.
*
* @param name new value of name
*/
@@ -76,10 +79,10 @@ public class Entry implements Serializable {
/**
* The vendor name.
*/
protected String vendor;
private String vendor;
/**
* Get the value of vendor
* Get the value of vendor.
*
* @return the value of vendor
*/
@@ -88,7 +91,7 @@ public class Entry implements Serializable {
}
/**
* Set the value of vendor
* Set the value of vendor.
*
* @param vendor new value of vendor
*/
@@ -98,10 +101,10 @@ public class Entry implements Serializable {
/**
* The product name.
*/
protected String product;
private String product;
/**
* Get the value of product
* Get the value of product.
*
* @return the value of product
*/
@@ -110,7 +113,7 @@ public class Entry implements Serializable {
}
/**
* Set the value of product
* Set the value of product.
*
* @param product new value of product
*/
@@ -120,10 +123,10 @@ public class Entry implements Serializable {
/**
* The product version.
*/
protected String version;
private String version;
/**
* Get the value of version
* Get the value of version.
*
* @return the value of version
*/
@@ -132,7 +135,7 @@ public class Entry implements Serializable {
}
/**
* Set the value of version
* Set the value of version.
*
* @param version new value of version
*/
@@ -142,10 +145,10 @@ public class Entry implements Serializable {
/**
* The product revision.
*/
protected String revision;
private String revision;
/**
* Get the value of revision
* Get the value of revision.
*
* @return the value of revision
*/
@@ -154,7 +157,7 @@ public class Entry implements Serializable {
}
/**
* Set the value of revision
* Set the value of revision.
*
* @param revision new value of revision
*/
@@ -164,10 +167,10 @@ public class Entry implements Serializable {
/**
* The search score.
*/
protected float searchScore;
private float searchScore;
/**
* Get the value of searchScore
* Get the value of searchScore.
*
* @return the value of searchScore
*/
@@ -176,7 +179,7 @@ public class Entry implements Serializable {
}
/**
* Set the value of searchScore
* Set the value of searchScore.
*
* @param searchScore new value of searchScore
*/
@@ -199,7 +202,7 @@ public class Entry implements Serializable {
public void parseName(String cpeName) throws UnsupportedEncodingException {
this.name = cpeName;
if (cpeName != null && cpeName.length() > 7) {
String[] data = cpeName.substring(7).split(":");
final String[] data = cpeName.substring(7).split(":");
if (data.length >= 1) {
vendor = URLDecoder.decode(data[0], "UTF-8").replaceAll("[_-]", " ");
if (data.length >= 2) {

46
src/main/java/org/owasp/dependencycheck/data/cpe/Index.java
View File

@@ -57,9 +57,8 @@ public class Index extends AbstractIndex {
* @throws IOException is thrown if an IOException occurs.
*/
public Directory getDirectory() throws IOException {
File path = getDataDirectory();
Directory dir = FSDirectory.open(path);
final File path = getDataDirectory();
final Directory dir = FSDirectory.open(path);
return dir;
}
@@ -71,9 +70,9 @@ public class Index extends AbstractIndex {
* @throws IOException is thrown if an IOException occurs of course...
*/
public File getDataDirectory() throws IOException {
String fileName = Settings.getString(Settings.KEYS.CPE_INDEX);
String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
String decodedPath = URLDecoder.decode(filePath, "UTF-8");
final String fileName = Settings.getString(Settings.KEYS.CPE_INDEX);
final String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) {
exePath = exePath.getParentFile();
@@ -97,19 +96,25 @@ public class Index extends AbstractIndex {
*/
@SuppressWarnings("unchecked")
public Analyzer createIndexingAnalyzer() {
Map fieldAnalyzers = new HashMap();
final Map fieldAnalyzers = new HashMap();
//fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
fieldAnalyzers.put(Fields.VERSION, new VersionAnalyzer(Version.LUCENE_40));
fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
final PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
return wrapper;
}
private SearchFieldAnalyzer productSearchFieldAnalyzer = null;
private SearchFieldAnalyzer vendorSearchFieldAnalyzer = null;
/**
* The search field analyzer for the product field.
*/
private SearchFieldAnalyzer productSearchFieldAnalyzer;
/**
* The search field analyzer for the vendor field.
*/
private SearchFieldAnalyzer vendorSearchFieldAnalyzer;
/**
* Creates an Analyzer for searching the CPE Index.
@@ -118,7 +123,7 @@ public class Index extends AbstractIndex {
*/
@SuppressWarnings("unchecked")
public Analyzer createSearchingAnalyzer() {
Map fieldAnalyzers = new HashMap();
final Map fieldAnalyzers = new HashMap();
fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
//fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
@@ -128,14 +133,15 @@ public class Index extends AbstractIndex {
fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer);
fieldAnalyzers.put(Fields.VENDOR, vendorSearchFieldAnalyzer);
PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
final PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
return wrapper;
}
/**
* Creates the Lucene QueryParser used when querying the index
* Creates the Lucene QueryParser used when querying the index.
*
* @return a QueryParser.
*/
public QueryParser createQueryParser() {
@@ -162,10 +168,10 @@ public class Index extends AbstractIndex {
* @throws IOException is thrown if an IOException occurs.
*/
public void saveEntry(Entry entry) throws CorruptIndexException, IOException {
Document doc = convertEntryToDoc(entry);
final Document doc = convertEntryToDoc(entry);
//Term term = new Term(Fields.NVDID, LuceneUtils.escapeLuceneQuery(entry.getNvdId()));
Term term = new Term(Fields.NAME, entry.getName());
indexWriter.updateDocument(term, doc);
final Term term = new Term(Fields.NAME, entry.getName());
getIndexWriter().updateDocument(term, doc);
}
/**
@@ -175,16 +181,16 @@ public class Index extends AbstractIndex {
* @return a Lucene Document containing a CPE Entry.
*/
protected Document convertEntryToDoc(Entry entry) {
Document doc = new Document();
final Document doc = new Document();
Field name = new StoredField(Fields.NAME, entry.getName());
final Field name = new StoredField(Fields.NAME, entry.getName());
doc.add(name);
Field vendor = new TextField(Fields.VENDOR, entry.getVendor(), Field.Store.NO);
final Field vendor = new TextField(Fields.VENDOR, entry.getVendor(), Field.Store.NO);
vendor.setBoost(5.0F);
doc.add(vendor);
Field product = new TextField(Fields.PRODUCT, entry.getProduct(), Field.Store.NO);
final Field product = new TextField(Fields.PRODUCT, entry.getProduct(), Field.Store.NO);
product.setBoost(5.0F);
doc.add(product);

23
src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java
View File

@@ -29,21 +29,32 @@ import java.util.logging.Logger;
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class CweDB {
public final class CweDB {
/**
* Empty private constructor as this is a utility class.
*/
private CweDB() {
//empty constructor for utility class
//empty
}
/**
* A hashmap of the CWE data.
*/
private static final HashMap<String, String> CWE = loadData();
/**
* Loads a hashmap containing the CWE data from a resource found in the jar.
*
* @return a hashmap of CWE data
*/
private static HashMap<String, String> loadData() {
ObjectInputStream oin = null;
try {
String filePath = "data/cwe.hashmap.serialized";
InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
final String filePath = "data/cwe.hashmap.serialized";
final InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
oin = new ObjectInputStream(input);
@SuppressWarnings("unchecked")
HashMap<String, String> data = (HashMap<String, String>) oin.readObject();
final HashMap<String, String> data = (HashMap<String, String>) oin.readObject();
return data;
} catch (ClassNotFoundException ex) {
Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
@@ -63,7 +74,7 @@ public class CweDB {
/**
* <p>Returns the full CWE name from the CWE ID.</p>
* @param cweId te CWE ID
* @param cweId the CWE ID
* @return the full name of the CWE
*/
public static String getCweName(String cweId) {

7
src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java
View File

@@ -30,6 +30,9 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class CweHandler extends DefaultHandler {
/**
* a hashmap containing the CWE data.
*/
private HashMap<String, String> cwe = new HashMap<String, String>();
/**
@@ -44,8 +47,8 @@ public class CweHandler extends DefaultHandler {
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
if ("Weakness".equals(qName) || "Category".equals(qName)) {
String id = "CWE-" + attributes.getValue("ID");
String name = attributes.getValue("Name");
final String id = "CWE-" + attributes.getValue("ID");
final String name = attributes.getValue("Name");
cwe.put(id, name);
}
}

53
src/main/java/org/owasp/dependencycheck/data/lucene/AbstractIndex.java
View File

@@ -48,31 +48,31 @@ public abstract class AbstractIndex {
/**
* The Lucene directory containing the index.
*/
protected Directory directory = null;
private Directory directory;
/**
* The IndexWriter for the Lucene index.
*/
protected IndexWriter indexWriter = null;
private IndexWriter indexWriter;
/**
* The Lucene IndexReader.
*/
private IndexReader indexReader = null;
private IndexReader indexReader;
/**
* The Lucene IndexSearcher.
*/
private IndexSearcher indexSearcher = null;
private IndexSearcher indexSearcher;
/**
* The Lucene Analyzer used for Indexing.
*/
private Analyzer indexingAnalyzer = null;
private Analyzer indexingAnalyzer;
/**
* The Lucene Analyzer used for Searching
* The Lucene Analyzer used for Searching.
*/
private Analyzer searchingAnalyzer = null;
private Analyzer searchingAnalyzer;
/**
* The Lucene QueryParser used for Searching
* The Lucene QueryParser used for Searching.
*/
private QueryParser queryParser = null;
private QueryParser queryParser;
/**
* Indicates whether or not the Lucene Index is open.
*/
@@ -155,7 +155,7 @@ public abstract class AbstractIndex {
if (!isOpen()) {
open();
}
IndexWriterConfig conf = new IndexWriterConfig(Version.LUCENE_40, indexingAnalyzer);
final IndexWriterConfig conf = new IndexWriterConfig(Version.LUCENE_40, indexingAnalyzer);
indexWriter = new IndexWriter(directory, conf);
}
@@ -241,7 +241,8 @@ public abstract class AbstractIndex {
}
/**
* Searches the index using the given search string
* Searches the index using the given search string.
*
* @param searchString the query text
* @param maxQueryResults the maximum number of documents to return
* @return the TopDocs found by the search
@@ -250,21 +251,18 @@ public abstract class AbstractIndex {
*/
public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
QueryParser parser = getQueryParser();
Query query = parser.parse(searchString);
final QueryParser parser = getQueryParser();
final Query query = parser.parse(searchString);
resetSearchingAnalyzer();
IndexSearcher is = getIndexSearcher();
TopDocs docs = is.search(query, maxQueryResults);
final IndexSearcher is = getIndexSearcher();
final TopDocs docs = is.search(query, maxQueryResults);
return docs;
}
/**
* Searches the index using the given query
* Searches the index using the given query.
*
* @param query the query used to search the index
* @param maxQueryResults the max number of results to return
* @return the TopDocs found be the query
@@ -272,23 +270,24 @@ public abstract class AbstractIndex {
* @throws IOException thrown if there is an IOException
*/
public TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException {
IndexSearcher is = getIndexSearcher();
final IndexSearcher is = getIndexSearcher();
return is.search(query, maxQueryResults);
}
/**
* Retrieves a document from the Index
* Retrieves a document from the Index.
*
* @param documentId the id of the document to retrieve
* @return the Document
* @throws IOException thrown if there is an IOException
*/
public Document getDocument(int documentId) throws IOException {
IndexSearcher is = getIndexSearcher();
final IndexSearcher is = getIndexSearcher();
return is.doc(documentId);
}
/**
* Gets the directory that contains the Lucene Index
* Gets the directory that contains the Lucene Index.
*
* @return a Lucene Directory
* @throws IOException is thrown when an IOException occurs
@@ -296,21 +295,21 @@ public abstract class AbstractIndex {
public abstract Directory getDirectory() throws IOException;
/**
* Creates the Lucene Analyzer used when indexing
* Creates the Lucene Analyzer used when indexing.
*
* @return a Lucene Analyzer
*/
public abstract Analyzer createIndexingAnalyzer();
/**
* Creates the Lucene Analyzer used when querying the index
* Creates the Lucene Analyzer used when querying the index.
*
* @return a Lucene Analyzer
*/
public abstract Analyzer createSearchingAnalyzer();
/**
* Creates the Lucene QueryParser used when querying the index
* Creates the Lucene QueryParser used when querying the index.
* @return a QueryParser
*/
public abstract QueryParser createQueryParser();

3
src/main/java/org/owasp/dependencycheck/data/lucene/DependencySimilarity.java
View File

@@ -26,6 +26,9 @@ import org.apache.lucene.search.similarities.DefaultSimilarity;
*/
public class DependencySimilarity extends DefaultSimilarity {
/**
* the serial version uid.
*/
private static final long serialVersionUID = 1L;
/**

9
src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java
View File

@@ -39,12 +39,13 @@ import org.apache.lucene.util.Version;
public class FieldAnalyzer extends Analyzer {
/**
* The Lucene Version used
* The Lucene Version used.
*/
private Version version = null;
private Version version;
/**
* Creates a new FieldAnalyzer
* Creates a new FieldAnalyzer.
*
* @param version the Lucene version
*/
public FieldAnalyzer(Version version) {
@@ -60,7 +61,7 @@ public class FieldAnalyzer extends Analyzer {
*/
@Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
Tokenizer source = new WhitespaceTokenizer(version, reader);
final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source;

4
src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java
View File

@@ -48,7 +48,7 @@ public final class LuceneUtils {
}
for (int i = 0; i < text.length(); i++) {
char c = text.charAt(i);
final char c = text.charAt(i);
switch (c) {
case '+':
case '-':
@@ -91,7 +91,7 @@ public final class LuceneUtils {
int size = text.length();
size = size >> 1;
StringBuilder buf = new StringBuilder(size);
final StringBuilder buf = new StringBuilder(size);
appendEscapedLuceneQuery(buf, text);

11
src/main/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzer.java
View File

@@ -37,17 +37,18 @@ import org.apache.lucene.util.Version;
public class SearchFieldAnalyzer extends Analyzer {
/**
* The Lucene Version used
* The Lucene Version used.
*/
private Version version = null;
private Version version;
/**
* A local reference to the TokenPairConcatenatingFilter so that we
* can clear any left over state if this analyzer is re-used.
*/
private TokenPairConcatenatingFilter concatenatingFilter = null;
private TokenPairConcatenatingFilter concatenatingFilter;
/**
* Constructs a new SearchFieldAnalyzer
* Constructs a new SearchFieldAnalyzer.
*
* @param version the Lucene version
*/
public SearchFieldAnalyzer(Version version) {
@@ -62,7 +63,7 @@ public class SearchFieldAnalyzer extends Analyzer {
*/
@Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
Tokenizer source = new WhitespaceTokenizer(version, reader);
final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source;

9
src/main/java/org/owasp/dependencycheck/data/lucene/SearchVersionAnalyzer.java
View File

@@ -40,12 +40,13 @@ public class SearchVersionAnalyzer extends Analyzer {
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
/**
* The Lucene Version used
* The Lucene Version used.
*/
private Version version = null;
private Version version;
/**
* Creates a new SearchVersionAnalyzer
* Creates a new SearchVersionAnalyzer.
*
* @param version the Lucene version
*/
public SearchVersionAnalyzer(Version version) {
@@ -61,7 +62,7 @@ public class SearchVersionAnalyzer extends Analyzer {
*/
@Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
Tokenizer source = new WhitespaceTokenizer(version, reader);
final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source;
stream = new LowerCaseFilter(version, stream);
stream = new VersionTokenizingFilter(stream);

38
src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java
View File

@@ -26,20 +26,35 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
import org.apache.lucene.analysis.tokenattributes.PositionIncrementAttribute;
/**
* <p>Takes a TokenStream and adds additional tokens by concatenating pairs of words.</p>
* <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
* <p>Takes a TokenStream and adds additional tokens by concatenating pairs of
* words.</p>
* <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework
* Framework FrameworkCore Core".</p>
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public final class TokenPairConcatenatingFilter extends TokenFilter {
/**
* The char term attribute.
*/
private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
/**
* The position increment attribute.
*/
private final PositionIncrementAttribute posIncAtt = addAttribute(PositionIncrementAttribute.class);
private String previousWord = null;
private LinkedList<String> words = null;
/**
* The previous word parsed.
*/
private String previousWord;
/**
* A list of words parsed.
*/
private LinkedList<String> words;
/**
* Constructs a new TokenPairConcatenatingFilter
* Constructs a new TokenPairConcatenatingFilter.
*
* @param stream the TokenStream that this filter will process
*/
public TokenPairConcatenatingFilter(TokenStream stream) {
@@ -60,14 +75,14 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
//collect all the terms into the words collection
while (input.incrementToken()) {
String word = new String(termAtt.buffer(), 0, termAtt.length());
final String word = new String(termAtt.buffer(), 0, termAtt.length());
words.add(word);
}
//if we have a previousTerm - write it out as its own token concatenated
// with the current word (if one is available).
if (previousWord != null && words.size() > 0) {
String word = words.getFirst();
final String word = words.getFirst();
clearAttributes();
termAtt.append(previousWord).append(word);
posIncAtt.setPositionIncrement(0);
@@ -76,7 +91,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
}
//if we have words, write it out as a single token
if (words.size() > 0) {
String word = words.removeFirst();
final String word = words.removeFirst();
clearAttributes();
termAtt.append(word);
previousWord = word;
@@ -86,9 +101,10 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
}
/**
* <p>Resets the Filter and clears any internal state data that may
* have been left-over from previous uses of the Filter.</p>
* <p><b>If this Filter is re-used this method must be called between uses.</b></p>
* <p>Resets the Filter and clears any internal state data that may have
* been left-over from previous uses of the Filter.</p>
* <p><b>If this Filter is re-used this method must be called between
* uses.</b></p>
*/
public void clear() {
previousWord = null;

9
src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java
View File

@@ -40,12 +40,13 @@ public class VersionAnalyzer extends Analyzer {
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
/**
* The Lucene Version used
* The Lucene Version used.
*/
private Version version = null;
private Version version;
/**
* Creates a new VersionAnalyzer
* Creates a new VersionAnalyzer.
*
* @param version the Lucene version
*/
public VersionAnalyzer(Version version) {
@@ -61,7 +62,7 @@ public class VersionAnalyzer extends Analyzer {
*/
@Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
Tokenizer source = new WhitespaceTokenizer(version, reader);
final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source;
stream = new LowerCaseFilter(version, stream);
return new TokenStreamComponents(source, stream);

37
src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java
View File

@@ -25,21 +25,27 @@ import org.apache.lucene.analysis.TokenStream;
import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
/**
* <p>Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
* <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
* <p>Takes a TokenStream and splits or adds tokens to correctly index version
* numbers.</p>
* <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
* 3.0.0.RELEASE".</p>
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public final class VersionTokenizingFilter extends TokenFilter {
/**
* The char term attribute.
*/
private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
/**
* A collection of tokens to add to the stream.
*/
protected LinkedList<String> tokens = null;
private LinkedList<String> tokens;
/**
* Constructs a new VersionTokenizingFilter
* Constructs a new VersionTokenizingFilter.
*
* @param stream the TokenStream that this filter will process
*/
public VersionTokenizingFilter(TokenStream stream) {
@@ -58,8 +64,8 @@ public final class VersionTokenizingFilter extends TokenFilter {
@Override
public boolean incrementToken() throws IOException {
if (tokens.size() == 0 && input.incrementToken()) {
String version = new String(termAtt.buffer(), 0, termAtt.length());
String[] toAnalyze = version.split("[_-]");
final String version = new String(termAtt.buffer(), 0, termAtt.length());
final String[] toAnalyze = version.split("[_-]");
if (toAnalyze.length > 1) { //ensure we analyze the whole string as one too
analyzeVersion(version);
}
@@ -72,23 +78,34 @@ public final class VersionTokenizingFilter extends TokenFilter {
/**
* Adds a term, if one exists, from the tokens collection.
*
* @return whether or not a new term was added
*/
private boolean addTerm() {
boolean termAdded = tokens.size() > 0;
final boolean termAdded = tokens.size() > 0;
if (termAdded) {
String version = tokens.pop();
final String version = tokens.pop();
clearAttributes();
termAtt.append(version);
}
return termAdded;
}
//major.minor[.maintenance[.build]]
/**
* <p>Analyzes the version and adds several copies of the version as
* different tokens. For example, the version 1.2.7 would create the tokens
* 1 1.2 1.2.7. This is useful in discovering the correct version -
* sometimes a maintenance or build number will throw off the version
* identification.</p>
*
* <p>expected&nbsp;format:&nbps;major.minor[.maintenance[.build]]</p>
*
* @param version the version to analyze
*/
private void analyzeVersion(String version) {
//todo should we also be splitting on dash or underscore? we would need
// to incorporate the dash or underscore back in...
String[] versionParts = version.split("\\.");
final String[] versionParts = version.split("\\.");
String dottedVersion = null;
for (String current : versionParts) {
if (!current.matches("^/d+$")) {

4
src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java
View File

@@ -25,6 +25,10 @@ package org.owasp.dependencycheck.data.nvdcve;
* @author Jeremy Long (jeremy.long@gmail.com)
*/
class CorruptDatabaseException extends DatabaseException {
/**
* the serial version uid.
*/
private static final long serialVersionUID = 1L;
/**

109
src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
View File

@@ -48,131 +48,131 @@ public class CveDB {
//<editor-fold defaultstate="collapsed" desc="Constants to create, maintain, and retrieve data from the CVE Database">
/**
* SQL Statement to create an index on the reference table
* SQL Statement to create an index on the reference table.
*/
public static final String CREATE_INDEX_IDXREFERENCE = "CREATE INDEX IF NOT EXISTS idxReference ON reference(cveid)";
/**
* SQL Statement to create an index on the software for finding CVE entries based on CPE data
* SQL Statement to create an index on the software for finding CVE entries based on CPE data.
*/
public static final String CREATE_INDEX_IDXSOFTWARE = "CREATE INDEX IF NOT EXISTS idxSoftware ON software(product, vendor, version)";
/**
* SQL Statement to create an index for retrieving software by CVEID
* SQL Statement to create an index for retrieving software by CVEID.
*/
public static final String CREATE_INDEX_IDXSOFTWARECVE = "CREATE INDEX IF NOT EXISTS idxSoftwareCve ON software(cveid)";
/**
* SQL Statement to create an index on the vulnerability table
* SQL Statement to create an index on the vulnerability table.
*/
public static final String CREATE_INDEX_IDXVULNERABILITY = "CREATE INDEX IF NOT EXISTS idxVulnerability ON vulnerability(cveid)";
/**
* SQL Statement to create the reference table
* SQL Statement to create the reference table.
*/
public static final String CREATE_TABLE_REFERENCE = "CREATE TABLE IF NOT EXISTS reference (cveid CHAR(13), "
+ "name varchar(1000), url varchar(1000), source varchar(255))";
/**
* SQL Statement to create the software table
* SQL Statement to create the software table.
*/
public static final String CREATE_TABLE_SOFTWARE = "CREATE TABLE IF NOT EXISTS software (cveid CHAR(13), cpe varchar(500), "
+ "vendor varchar(255), product varchar(255), version varchar(50), previousVersion varchar(50))";
/**
* SQL Statement to create the vulnerability table
* SQL Statement to create the vulnerability table.
*/
public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability (cveid CHAR(13) PRIMARY KEY, "
+ "description varchar(8000), cwe varchar(10), cvssScore DECIMAL(3,1), cvssAccessVector varchar(20), "
+ "cvssAccessComplexity varchar(20), cvssAuthentication varchar(20), cvssConfidentialityImpact varchar(20), "
+ "cvssIntegrityImpact varchar(20), cvssAvailabilityImpact varchar(20))";
/**
* SQL Statement to delete references by CVEID
* SQL Statement to delete references by CVEID.
*/
public static final String DELETE_REFERENCE = "DELETE FROM reference WHERE cveid = ?";
/**
* SQL Statement to delete software by CVEID
* SQL Statement to delete software by CVEID.
*/
public static final String DELETE_SOFTWARE = "DELETE FROM software WHERE cveid = ?";
/**
* SQL Statement to delete a vulnerability by CVEID
* SQL Statement to delete a vulnerability by CVEID.
*/
public static final String DELETE_VULNERABILITY = "DELETE FROM vulnerability WHERE cveid = ?";
/**
* SQL Statement to insert a new reference
* SQL Statement to insert a new reference.
*/
public static final String INSERT_REFERENCE = "INSERT INTO reference (cveid, name, url, source) VALUES (?, ?, ?, ?)";
/**
* SQL Statement to insert a new software
* SQL Statement to insert a new software.
*/
public static final String INSERT_SOFTWARE = "INSERT INTO software (cveid, cpe, vendor, product, version, previousVersion) "
+ "VALUES (?, ?, ?, ?, ?, ?)";
/**
* SQL Statement to insert a new vulnerability
* SQL Statement to insert a new vulnerability.
*/
public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description, cwe, cvssScore, cvssAccessVector, "
+ "cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) "
+ "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
/**
* SQL Statement to find CVE entries based on CPE data
* SQL Statement to find CVE entries based on CPE data.
*/
public static final String SELECT_CVE_FROM_SOFTWARE = "SELECT cveid FROM software WHERE Vendor = ? AND Product = ? AND "
+ "(version = '-' OR previousVersion IS NOT NULL OR version=?)";
/**
* SQL Statement to select references by CVEID
* SQL Statement to select references by CVEID.
*/
public static final String SELECT_REFERENCE = "SELECT source, name, url FROM reference WHERE cveid = ?";
/**
* SQL Statement to select software by CVEID
* SQL Statement to select software by CVEID.
*/
public static final String SELECT_SOFTWARE = "SELECT cpe, previousVersion FROM software WHERE cveid = ?";
/**
* SQL Statement to select a vulnerability by CVEID
* SQL Statement to select a vulnerability by CVEID.
*/
public static final String SELECT_VULNERABILITY = "SELECT cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, "
+ "cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cveid = ?";
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Collection of CallableStatements to work with the DB">
/**
* delete reference - parameters (cveid)
* delete reference - parameters (cveid).
*/
private CallableStatement deleteReferences = null;
private CallableStatement deleteReferences;
/**
* delete software - parameters (cveid)
* delete software - parameters (cveid).
*/
private CallableStatement deleteSoftware = null;
private CallableStatement deleteSoftware;
/**
* delete vulnerability - parameters (cveid)
* delete vulnerability - parameters (cveid).
*/
private CallableStatement deleteVulnerabilities = null;
private CallableStatement deleteVulnerabilities;
/**
* insert reference - parameters (cveid, name, url, source)
* insert reference - parameters (cveid, name, url, source).
*/
private CallableStatement insertReference = null;
private CallableStatement insertReference;
/**
* insert software - parameters (cveid, cpe, vendor, product, version, previousVersion)
* insert software - parameters (cveid, cpe, vendor, product, version, previousVersion).
*/
private CallableStatement insertSoftware = null;
private CallableStatement insertSoftware;
/**
* insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector,
* cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact)
* cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact).
*/
private CallableStatement insertVulnerability = null;
private CallableStatement insertVulnerability;
/**
* select cve from software - parameters (vendor, product, version)
* select cve from software - parameters (vendor, product, version).
*/
private CallableStatement selectCveFromSoftware = null;
private CallableStatement selectCveFromSoftware;
/**
* select vulnerability - parameters (cveid)
* select vulnerability - parameters (cveid).
*/
private CallableStatement selectVulnerability = null;
private CallableStatement selectVulnerability;
/**
* select reference - parameters (cveid)
* select reference - parameters (cveid).
*/
private CallableStatement selectReferences = null;
private CallableStatement selectReferences;
/**
* select software - parameters (cveid)
* select software - parameters (cveid).
*/
private CallableStatement selectSoftware = null;
private CallableStatement selectSoftware;
//</editor-fold>
/**
* Database connection
*/
protected Connection conn = null;
private Connection conn;
/**
* Opens the database connection. If the database does not exist, it will
@@ -183,12 +183,12 @@ public class CveDB {
* @throws DatabaseException thrown if there is an error initializing a new database
*/
public void open() throws IOException, SQLException, DatabaseException {
String fileName = CveDB.getDataDirectory().getCanonicalPath()
final String fileName = CveDB.getDataDirectory().getCanonicalPath()
+ File.separator
+ "cve";
File f = new File(fileName);
boolean createTables = !f.exists();
String connStr = "jdbc:h2:file:" + fileName;
final File f = new File(fileName);
final boolean createTables = !f.exists();
final String connStr = "jdbc:h2:file:" + fileName;
conn = DriverManager.getConnection(connStr, "sa", "");
if (createTables) {
createTables();
@@ -236,7 +236,7 @@ public class CveDB {
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
}
List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
try {
selectCveFromSoftware.setString(1, cpe.getVendor());
@@ -244,7 +244,7 @@ public class CveDB {
selectCveFromSoftware.setString(3, cpe.getVersion());
rs = selectCveFromSoftware.executeQuery();
while (rs.next()) {
Vulnerability v = getVulnerability(rs.getString("cveid"));
final Vulnerability v = getVulnerability(rs.getString("cveid"));
vulnerabilities.add(v);
}
} catch (SQLException ex) {
@@ -261,6 +261,13 @@ public class CveDB {
return vulnerabilities;
}
/**
* Gets a vulnerability for the provided CVE.
*
* @param cve the CVE to lookup
* @return a vulnerability object
* @throws DatabaseException if an exception occurs
*/
private Vulnerability getVulnerability(String cve) throws DatabaseException {
ResultSet rsV = null;
ResultSet rsR = null;
@@ -275,7 +282,7 @@ public class CveDB {
vuln.setDescription(rsV.getString(2));
String cwe = rsV.getString(3);
if (cwe != null) {
String name = CweDB.getCweName(cwe);
final String name = CweDB.getCweName(cwe);
if (name != null) {
cwe += " " + name;
}
@@ -297,8 +304,8 @@ public class CveDB {
selectSoftware.setString(1, cve);
rsS = selectSoftware.executeQuery();
while (rsS.next()) {
String cpe = rsS.getString(1);
String prevVers = rsS.getString(2);
final String cpe = rsS.getString(1);
final String prevVers = rsS.getString(2);
if (prevVers == null) {
vuln.addVulnerableSoftware(cpe);
} else {
@@ -399,9 +406,9 @@ public class CveDB {
* @throws IOException is thrown if an IOException occurs of course...
*/
public static File getDataDirectory() throws IOException {
String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
String filePath = CveDB.class.getProtectionDomain().getCodeSource().getLocation().getPath();
String decodedPath = URLDecoder.decode(filePath, "UTF-8");
final String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
final String filePath = CveDB.class.getProtectionDomain().getCodeSource().getLocation().getPath();
final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) {
@@ -450,7 +457,7 @@ public class CveDB {
/**
* Builds the CallableStatements used by the application.
* @throws DatabaseException
* @throws DatabaseException thrown if there is a database exception
*/
private void buildStatements() throws DatabaseException {
try {

8
src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseException.java
View File

@@ -24,9 +24,13 @@ package org.owasp.dependencycheck.data.nvdcve;
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class DatabaseException extends Exception {
/**
* the serial version uid.
*/
private static final long serialVersionUID = 1L;
/**
* Creates an DatabaseException
* Creates an DatabaseException.
*
* @param msg the exception message
*/
@@ -35,7 +39,7 @@ public class DatabaseException extends Exception {
}
/**
* Creates an DatabaseException
* Creates an DatabaseException.
*
* @param msg the exception message
* @param ex the cause of the exception

6
src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
View File

@@ -45,7 +45,7 @@ public class NvdCveAnalyzer implements org.owasp.dependencycheck.analyzer.Analyz
/**
* The CVE Index.
*/
protected CveDB cveDB = null;
private CveDB cveDB;
/**
* Opens the data source.
@@ -102,8 +102,8 @@ public class NvdCveAnalyzer implements org.owasp.dependencycheck.analyzer.Analyz
for (Identifier id : dependency.getIdentifiers()) {
if ("cpe".equals(id.getType())) {
try {
String value = id.getValue();
List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
final String value = id.getValue();
final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
for (Vulnerability v : vulns) {
dependency.addVulnerability(v);
}

75
src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java
View File

@@ -75,7 +75,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
*/
private static final String LAST_UPDATED_BASE = "lastupdated.";
/**
* The current version of the database
* The current version of the database.
*/
public static final String DATABASE_VERSION = "2.2";
@@ -87,7 +87,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
*/
public void update() throws UpdateException {
try {
Map<String, NvdCveUrl> update = updateNeeded();
final Map<String, NvdCveUrl> update = updateNeeded();
int maxUpdates = 0;
for (NvdCveUrl cve : update.values()) {
if (cve.getNeedsUpdate()) {
@@ -164,6 +164,11 @@ public class DatabaseUpdater implements CachedWebDataSource {
*
* @param file the file containing the NVD CVE XML
* @param oldVersion contains the file containing the NVD CVE XML 1.2
* @throws ParserConfigurationException is thrown if there is a parserconfigurationexception
* @throws SAXException is thrown if there is a saxexception
* @throws IOException is thrown if there is a ioexception
* @throws SQLException is thrown if there is a sql exception
* @throws DatabaseException is thrown if there is a database exception
*/
private void importXML(File file, File oldVersion)
throws ParserConfigurationException, SAXException, IOException, SQLException, DatabaseException {
@@ -177,12 +182,12 @@ public class DatabaseUpdater implements CachedWebDataSource {
cpeIndex = new Index();
cpeIndex.openIndexWriter();
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
final SAXParserFactory factory = SAXParserFactory.newInstance();
final SAXParser saxParser = factory.newSAXParser();
NvdCve12Handler cve12Handler = new NvdCve12Handler();
saxParser.parse(oldVersion, cve12Handler);
Map<String, List<VulnerableSoftware>> prevVersionVulnMap = cve12Handler.getVulnerabilities();
final Map<String, List<VulnerableSoftware>> prevVersionVulnMap = cve12Handler.getVulnerabilities();
cve12Handler = null;
NvdCve20Handler cve20Handler = new NvdCve20Handler();
@@ -209,19 +214,19 @@ public class DatabaseUpdater implements CachedWebDataSource {
* Writes a properties file containing the last updated date to the
* VULNERABLE_CPE directory.
*
* @param updated a map of the updated nvdcve.
* @param updated a map of the updated nvdcve
* @throws UpdateException is thrown if there is an update exception
*/
private void writeLastUpdatedPropertyFile(Map<String, NvdCveUrl> updated) throws UpdateException {
String dir;
try {
dir = CveDB.getDataDirectory().getCanonicalPath();
} catch (IOException ex) {
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
throw new UpdateException("Unable to locate last updated properties file.", ex);
}
File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
Properties prop = new Properties();
final File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
final Properties prop = new Properties();
prop.put("version", DATABASE_VERSION);
for (NvdCveUrl cve : updated.values()) {
prop.put(LAST_UPDATED_BASE + cve.id, String.valueOf(cve.getTimestamp()));
@@ -288,11 +293,11 @@ public class DatabaseUpdater implements CachedWebDataSource {
throw new UpdateException("Unable to locate last updated properties file.", ex);
}
File f = new File(dir);
final File f = new File(dir);
if (f.exists()) {
File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
final File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
if (cveProp.exists()) {
Properties prop = new Properties();
final Properties prop = new Properties();
InputStream is = null;
try {
is = new FileInputStream(cveProp);
@@ -306,7 +311,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} else {
try {
version = Float.parseFloat(prop.getProperty("version"));
float currentVersion = Float.parseFloat(DATABASE_VERSION);
final float currentVersion = Float.parseFloat(DATABASE_VERSION);
if (currentVersion > version) {
deleteAndRecreate = true;
}
@@ -321,16 +326,16 @@ public class DatabaseUpdater implements CachedWebDataSource {
FileUtils.delete(f);
//this importer also updates the CPE index and it is also using an old version
org.owasp.dependencycheck.data.cpe.Index cpeid = new org.owasp.dependencycheck.data.cpe.Index();
File cpeDir = cpeid.getDataDirectory();
final org.owasp.dependencycheck.data.cpe.Index cpeid = new org.owasp.dependencycheck.data.cpe.Index();
final File cpeDir = cpeid.getDataDirectory();
FileUtils.delete(cpeDir);
return currentlyPublished;
}
long lastUpdated = Long.parseLong(prop.getProperty(LAST_UPDATED_MODIFIED));
Date now = new Date();
int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS);
int maxEntries = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
final long lastUpdated = Long.parseLong(prop.getProperty(LAST_UPDATED_MODIFIED));
final Date now = new Date();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS);
final int maxEntries = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
if (lastUpdated == currentlyPublished.get("modified").timestamp) {
currentlyPublished.clear(); //we don't need to update anything.
} else if (withinRange(lastUpdated, now.getTime(), days)) {
@@ -341,7 +346,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} else { //we figure out which of the several XML files need to be downloaded.
currentlyPublished.get("modified").setNeedsUpdate(false);
for (int i = 1; i <= maxEntries; i++) {
NvdCveUrl cve = currentlyPublished.get(String.valueOf(i));
final NvdCveUrl cve = currentlyPublished.get(String.valueOf(i));
long currentTimestamp = 0;
try {
currentTimestamp = Long.parseLong(prop.getProperty(LAST_UPDATED_BASE + String.valueOf(i), "0"));
@@ -386,7 +391,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
* @return whether or not the date is within the range.
*/
private boolean withinRange(long date, long compareTo, int range) {
double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
return differenceInDays < range;
}
@@ -405,7 +410,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
protected Map<String, NvdCveUrl> retrieveCurrentTimestampsFromWeb()
throws MalformedURLException, DownloadFailedException, InvalidDataException, InvalidSettingException {
Map<String, NvdCveUrl> map = new HashMap<String, NvdCveUrl>();
final Map<String, NvdCveUrl> map = new HashMap<String, NvdCveUrl>();
String retrieveUrl = Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL);
NvdCveUrl item = new NvdCveUrl();
@@ -417,7 +422,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
item.timestamp = Downloader.getLastModified(new URL(retrieveUrl));
map.put("modified", item);
int max = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
final int max = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
for (int i = 1; i <= max; i++) {
retrieveUrl = Settings.getString(Settings.KEYS.CVE_BASE_URL + Settings.KEYS.CVE_SCHEMA_2_0 + i);
item = new NvdCveUrl();
@@ -442,7 +447,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private String id;
/**
* Get the value of id
* Get the value of id.
*
* @return the value of id
*/
@@ -451,7 +456,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
* Set the value of id
* Set the value of id.
*
* @param id new value of id
*/
@@ -464,7 +469,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private String url;
/**
* Get the value of url
* Get the value of url.
*
* @return the value of url
*/
@@ -473,7 +478,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
* Set the value of url
* Set the value of url.
*
* @param url new value of url
*/
@@ -481,12 +486,12 @@ public class DatabaseUpdater implements CachedWebDataSource {
this.url = url;
}
/**
* The 1.2 schema URL
* The 1.2 schema URL.
*/
protected String oldSchemaVersionUrl;
private String oldSchemaVersionUrl;
/**
* Get the value of oldSchemaVersionUrl
* Get the value of oldSchemaVersionUrl.
*
* @return the value of oldSchemaVersionUrl
*/
@@ -495,7 +500,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
* Set the value of oldSchemaVersionUrl
* Set the value of oldSchemaVersionUrl.
*
* @param oldSchemaVersionUrl new value of oldSchemaVersionUrl
*/
@@ -510,7 +515,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private long timestamp;
/**
* Get the value of timestamp - epoch time
* Get the value of timestamp - epoch time.
*
* @return the value of timestamp - epoch time
*/
@@ -519,7 +524,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
* Set the value of timestamp - epoch time
* Set the value of timestamp - epoch time.
*
* @param timestamp new value of timestamp - epoch time
*/
@@ -532,7 +537,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private boolean needsUpdate = true;
/**
* Get the value of needsUpdate
* Get the value of needsUpdate.
*
* @return the value of needsUpdate
*/
@@ -541,7 +546,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
* Set the value of needsUpdate
* Set the value of needsUpdate.
*
* @param needsUpdate new value of needsUpdate
*/

7
src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/InvalidDataException.java
View File

@@ -25,10 +25,13 @@ package org.owasp.dependencycheck.data.nvdcve.xml;
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class InvalidDataException extends Exception {
/**
* the serial version uid.
*/
private static final long serialVersionUID = 1L;
/**
* Creates an InvalidDataException
* Creates an InvalidDataException.
*
* @param msg the exception message
*/
@@ -37,7 +40,7 @@ public class InvalidDataException extends Exception {
}
/**
* Creates an InvalidDataException
* Creates an InvalidDataException.
*
* @param msg the exception message
* @param ex the cause of the exception

82
src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve12Handler.java
View File

@@ -38,18 +38,45 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class NvdCve12Handler extends DefaultHandler {
/**
* the supported schema version.
*/
private static final String CURRENT_SCHEMA_VERSION = "1.2";
private String vulnerability = null;
private List<VulnerableSoftware> software = null;
private String vendor = null;
private String product = null;
/**
* the current vulnerability.
*/
private String vulnerability;
/**
* a list of vulnerable software.
*/
private List<VulnerableSoftware> software;
/**
* the vendor name.
*/
private String vendor;
/**
* the product name.
*/
private String product;
/**
* if the nvd cve should be skipped because it was rejected.
*/
private boolean skip = false;
/**
* flag indicating if there is a previous version.
*/
private boolean hasPreviousVersion = false;
/**
* The current element.
*/
private Element current = new Element();
private Map<String, List<VulnerableSoftware>> vulnerabilities = null;
/**
* a map of vulnerabilities.
*/
private Map<String, List<VulnerableSoftware>> vulnerabilities;
/**
* Get the value of vulnerabilities
* Get the value of vulnerabilities.
*
* @return the value of vulnerabilities
*/
@@ -64,8 +91,8 @@ public class NvdCve12Handler extends DefaultHandler {
vendor = null;
product = null;
hasPreviousVersion = false;
String reject = attributes.getValue("reject");
skip = (reject != null && reject.equals("1"));
final String reject = attributes.getValue("reject");
skip = "1".equals(reject);
if (!skip) {
vulnerability = attributes.getValue("name");
software = new ArrayList<VulnerableSoftware>();
@@ -78,11 +105,11 @@ public class NvdCve12Handler extends DefaultHandler {
vendor = attributes.getValue("vendor");
product = attributes.getValue("name");
} else if (!skip && current.isVersNode()) {
String prev = attributes.getValue("prev");
final String prev = attributes.getValue("prev");
if (prev != null && "1".equals(prev)) {
hasPreviousVersion = true;
String edition = attributes.getValue("edition");
String num = attributes.getValue("num");
final String edition = attributes.getValue("edition");
final String num = attributes.getValue("num");
/*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our
purposes this is good enough as we won't use this if we don't find a corresponding "a"
@@ -94,13 +121,13 @@ public class NvdCve12Handler extends DefaultHandler {
if (edition != null) {
cpe += ":" + edition;
}
VulnerableSoftware vs = new VulnerableSoftware();
final VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe(cpe);
vs.setPreviousVersion(prev);
software.add(vs);
}
} else if (current.isNVDNode()) {
String nvdVer = attributes.getValue("nvd_xml_version");
final String nvdVer = attributes.getValue("nvd_xml_version");
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
}
@@ -128,29 +155,32 @@ public class NvdCve12Handler extends DefaultHandler {
protected static class Element {
/**
* A node type in the NVD CVE Schema 1.2
* A node type in the NVD CVE Schema 1.2.
*/
public static final String NVD = "nvd";
/**
* A node type in the NVD CVE Schema 1.2
* A node type in the NVD CVE Schema 1.2.
*/
public static final String ENTRY = "entry";
/**
* A node type in the NVD CVE Schema 1.2
* A node type in the NVD CVE Schema 1.2.
*/
public static final String VULN_SOFTWARE = "vuln_soft";
/**
* A node type in the NVD CVE Schema 1.2
* A node type in the NVD CVE Schema 1.2.
*/
public static final String PROD = "prod";
/**
* A node type in the NVD CVE Schema 1.2
* A node type in the NVD CVE Schema 1.2.
*/
public static final String VERS = "vers";
private String node = null;
/**
* The name of the current node.
*/
private String node;
/**
* Gets the value of node
* Gets the value of node.
*
* @return the value of node
*/
@@ -159,7 +189,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
* Sets the value of node
* Sets the value of node.
*
* @param node new value of node
*/
@@ -168,7 +198,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the NVD node
* Checks if the handler is at the NVD node.
*
* @return true or false
*/
@@ -177,7 +207,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the ENTRY node
* Checks if the handler is at the ENTRY node.
*
* @return true or false
*/
@@ -186,7 +216,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the VULN_SOFTWARE node
* Checks if the handler is at the VULN_SOFTWARE node.
*
* @return true or false
*/
@@ -195,7 +225,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the PROD node
* Checks if the handler is at the PROD node.
*
* @return true or false
*/
@@ -204,7 +234,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the VERS node
* Checks if the handler is at the VERS node.
*
* @return true or false
*/

96
src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java
View File

@@ -42,12 +42,30 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class NvdCve20Handler extends DefaultHandler {
/**
* the current supported schema version.
*/
private static final String CURRENT_SCHEMA_VERSION = "2.0";
/**
* the current element.
*/
private Element current = new Element();
StringBuilder nodeText = null;
Vulnerability vulnerability = null;
Reference reference = null;
boolean hasApplicationCpe = false;
/**
* the text of the node.
*/
private StringBuilder nodeText;
/**
* the vulnerability.
*/
private Vulnerability vulnerability;
/**
* a reference for the cve.
*/
private Reference reference;
/**
* flag indicating whether the application has a cpe.
*/
private boolean hasApplicationCpe = false;
@Override
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
@@ -59,7 +77,7 @@ public class NvdCve20Handler extends DefaultHandler {
} else if (current.isVulnProductNode()) {
nodeText = new StringBuilder(100);
} else if (current.isVulnReferencesNode()) {
String lang = attributes.getValue("xml:lang");
final String lang = attributes.getValue("xml:lang");
if ("en".equals(lang)) {
reference = new Reference();
} else {
@@ -73,7 +91,7 @@ public class NvdCve20Handler extends DefaultHandler {
} else if (current.isVulnSummaryNode()) {
nodeText = new StringBuilder(500);
} else if (current.isNVDNode()) {
String nvdVer = attributes.getValue("nvd_xml_version");
final String nvdVer = attributes.getValue("nvd_xml_version");
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
}
@@ -121,7 +139,7 @@ public class NvdCve20Handler extends DefaultHandler {
vulnerability = null;
} else if (current.isCVSSScoreNode()) {
try {
float score = Float.parseFloat(nodeText.toString());
final float score = Float.parseFloat(nodeText.toString());
vulnerability.setCvssScore(score);
} catch (NumberFormatException ex) {
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex);
@@ -146,7 +164,7 @@ public class NvdCve20Handler extends DefaultHandler {
vulnerability.setCvssIntegrityImpact(nodeText.toString());
nodeText = null;
} else if (current.isVulnProductNode()) {
String cpe = nodeText.toString();
final String cpe = nodeText.toString();
if (cpe.startsWith("cpe:/a:")) {
hasApplicationCpe = true;
vulnerability.addVulnerableSoftware(cpe);
@@ -166,10 +184,14 @@ public class NvdCve20Handler extends DefaultHandler {
nodeText = null;
}
}
private CveDB cveDB = null;
/**
* the cve database.
*/
private CveDB cveDB;
/**
* Sets the cveDB
* Sets the cveDB.
*
* @param db a reference to the CveDB
*/
public void setCveDB(CveDB db) {
@@ -179,7 +201,7 @@ public class NvdCve20Handler extends DefaultHandler {
* A list of CVE entries and associated VulnerableSoftware entries that contain
* previous entries.
*/
private Map<String, List<VulnerableSoftware>> prevVersionVulnMap = null;
private Map<String, List<VulnerableSoftware>> prevVersionVulnMap;
/**
* Sets the prevVersionVulnMap.
@@ -202,9 +224,9 @@ public class NvdCve20Handler extends DefaultHandler {
if (cveDB == null) {
return;
}
String cveName = vuln.getName();
final String cveName = vuln.getName();
if (prevVersionVulnMap.containsKey(cveName)) {
List<VulnerableSoftware> vulnSoftware = prevVersionVulnMap.get(cveName);
final List<VulnerableSoftware> vulnSoftware = prevVersionVulnMap.get(cveName);
for (VulnerableSoftware vs : vulnSoftware) {
vuln.updateVulnerableSoftware(vs);
}
@@ -216,10 +238,14 @@ public class NvdCve20Handler extends DefaultHandler {
}
cveDB.updateVulnerability(vuln);
}
private Index cpeIndex = null;
/**
* the cpe index.
*/
private Index cpeIndex;
/**
* Sets the cpe index
* Sets the cpe index.
*
* @param index the CPE Lucene Index
*/
void setCpeIndex(Index index) {
@@ -261,7 +287,6 @@ public class NvdCve20Handler extends DefaultHandler {
* A node type in the NVD CVE Schema 2.0
*/
public static final String VULN_SUMMARY = "vuln:summary";
/**
* A node type in the NVD CVE Schema 2.0
*/
@@ -295,10 +320,13 @@ public class NvdCve20Handler extends DefaultHandler {
*/
public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact";
private String node = null;
/**
* The current node.
*/
private String node;
/**
* Gets the value of node
* Gets the value of node.
*
* @return the value of node
*/
@@ -307,7 +335,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Sets the value of node
* Sets the value of node.
*
* @param node new value of node
*/
@@ -316,7 +344,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the NVD node
* Checks if the handler is at the NVD node.
*
* @return true or false
*/
@@ -325,7 +353,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the ENTRY node
* Checks if the handler is at the ENTRY node.
*
* @return true or false
*/
@@ -334,7 +362,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the VULN_PRODUCT node
* Checks if the handler is at the VULN_PRODUCT node.
*
* @return true or false
*/
@@ -343,7 +371,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the REFERENCES node
* Checks if the handler is at the REFERENCES node.
*
* @return true or false
*/
@@ -352,7 +380,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the REFERENCE node
* Checks if the handler is at the REFERENCE node.
*
* @return true or false
*/
@@ -361,7 +389,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the VULN_SOURCE node
* Checks if the handler is at the VULN_SOURCE node.
*
* @return true or false
*/
@@ -370,7 +398,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the VULN_SUMMARY node
* Checks if the handler is at the VULN_SUMMARY node.
*
* @return true or false
*/
@@ -379,7 +407,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the VULN_CWE node
* Checks if the handler is at the VULN_CWE node.
*
* @return true or false
*/
@@ -387,7 +415,7 @@ public class NvdCve20Handler extends DefaultHandler {
return VULN_CWE.equals(node);
}
/**
* Checks if the handler is at the CVSS_SCORE node
* Checks if the handler is at the CVSS_SCORE node.
*
* @return true or false
*/
@@ -395,7 +423,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_SCORE.equals(node);
}
/**
* Checks if the handler is at the CVSS_ACCESS_VECTOR node
* Checks if the handler is at the CVSS_ACCESS_VECTOR node.
*
* @return true or false
*/
@@ -403,7 +431,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_ACCESS_VECTOR.equals(node);
}
/**
* Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node
* Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node.
*
* @return true or false
*/
@@ -411,7 +439,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_ACCESS_COMPLEXITY.equals(node);
}
/**
* Checks if the handler is at the CVSS_AUTHENTICATION node
* Checks if the handler is at the CVSS_AUTHENTICATION node.
*
* @return true or false
*/
@@ -419,7 +447,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_AUTHENTICATION.equals(node);
}
/**
* Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node
* Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node.
*
* @return true or false
*/
@@ -427,7 +455,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_CONFIDENTIALITY_IMPACT.equals(node);
}
/**
* Checks if the handler is at the CVSS_INTEGRITY_IMPACT node
* Checks if the handler is at the CVSS_INTEGRITY_IMPACT node.
*
* @return true or false
*/
@@ -435,7 +463,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_INTEGRITY_IMPACT.equals(node);
}
/**
* Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node
* Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node.
*
* @return true or false
*/