externalized central search query so future changes can be handled via a properties change - issue #978

2026-01-15 00:03:43 +01:00 · 2017-11-14 06:37:41 -05:00
parent 49d14d1272
commit dea9fa1145
4 changed files with 30 additions and 7 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -51,12 +51,17 @@ import org.xml.sax.SAXException;
 public class CentralSearch {

    /**
-     * The URL for the Central service
+     * The URL for the Central service.
     */
    private final String rootURL;

    /**
-     * Whether to use the Proxy when making requests
+     * The Central Search Query.
+     */
+    private final String query;
+
+    /**
+     * Whether to use the Proxy when making requests.
     */
    private final boolean useProxy;

@@ -84,6 +89,14 @@ public class CentralSearch {
            throw new MalformedURLException(String.format("The configured central analyzer URL is invalid: %s", searchUrl));
        }
        this.rootURL = searchUrl;
+        final String queryStr = settings.getString(Settings.KEYS.ANALYZER_CENTRAL_QUERY);
+        LOGGER.debug("Central Search Query: {}", queryStr);
+        if (!queryStr.matches("^%s.*%s.*$")) {
+            final String msg = String.format("The configured central analyzer query parameter is invalid (it must have two %%s): %s", queryStr);
+            throw new MalformedURLException(msg);
+        }
+        this.query = queryStr;
+        LOGGER.debug("Central Search Full URL: {}", String.format(query, rootURL, "[SHA1]"));
        if (null != settings.getString(Settings.KEYS.PROXY_SERVER)) {
            useProxy = true;
            LOGGER.debug("Using proxy");
@@ -94,7 +107,7 @@ public class CentralSearch {
    }

    /**
-     * Searches the configured Central URL for the given sha1 hash. If the
+     * Searches the configured Central URL for the given SHA1 hash. If the
     * artifact is found, a <code>MavenArtifact</code> is populated with the
     * GAV.
     *
@@ -108,7 +121,7 @@ public class CentralSearch {
            throw new IllegalArgumentException("Invalid SHA1 format");
        }
        List<MavenArtifact> result = null;
-        final URL url = new URL(String.format("%s?q=1:%%22%s%%22&wt=xml", rootURL, sha1));
+        final URL url = new URL(String.format(query, rootURL, sha1));

        LOGGER.debug("Searching Central url {}", url);

@@ -184,10 +197,10 @@ public class CentralSearch {
    }

    /**
-     * Tests to determine if the gien URL is <b>invalid</b>.
+     * Tests to determine if the given URL is <b>invalid</b>.
     *
-     * @param url the url to evaluate
-     * @return true if the url is malformed; otherwise false
+     * @param url the URL to evaluate
+     * @return true if the URL is malformed; otherwise false
     */
    private boolean isInvalidURL(String url) {
        try {
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -77,6 +77,9 @@ analyzer.nexus.proxy=true
 # the URL for searching search.maven.org for SHA-1 and whether it's enabled
 analyzer.central.enabled=true
 analyzer.central.url=https://search.maven.org/solrsearch/select
+# Note - the central query is used in a String.format(query, url, sha1)).
+# As such, it must have two %s and any other % must be escapped by doubling it
+analyzer.central.query=%s?q=1:%%22%s%%22&wt=xml

 # the URL for searching api.nodesecurity.io
 analyzer.nsp.url=https://api.nodesecurity.io/check
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties
@@ -72,6 +72,9 @@ analyzer.nexus.proxy=true
 # the URL for searching search.maven.org for SHA-1 and whether it's enabled
 analyzer.central.enabled=true
 analyzer.central.url=https://search.maven.org/solrsearch/select
+# Note - the central query is used in a String.format(query, url, sha1)).
+# As such, it must have two %s and any other % must be escapped by doubling it
+analyzer.central.query=%s?q=1:%%22%s%%22&wt=xml

 # the URL for searching api.nodesecurity.io
 analyzer.nsp.url=https://api.nodesecurity.io/check
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -348,6 +348,10 @@ public final class Settings {
         * The properties key for the Central search URL.
         */
        public static final String ANALYZER_CENTRAL_URL = "analyzer.central.url";
+        /**
+         * The properties key for the Central search query.
+         */
+        public static final String ANALYZER_CENTRAL_QUERY = "analyzer.central.query";
        /**
         * The path to mono, if available.
         */