From def78a3cfdc911c927e96df5804b5dfee17b1839 Mon Sep 17 00:00:00 2001
From: Henning Schmiedehausen
Date: Wed, 28 Dec 2016 16:39:25 -0800
Subject: [PATCH] rework the enabled / disabled logic
If an analyzer is disabled from the configuration, it should not be initialized (because some of the may actually fail during that process nor should the engine log in any way that those exist. With these changes, it is possible for me to turn off unwanted analyzers (e.g. Ruby analyzers for a java project) from the maven plugin and not confuse my users with spurious misleading messages.
---
 .../org/owasp/dependencycheck/Engine.java | 13 +++++---
 .../analyzer/AbstractAnalyzer.java | 33 ++++++++++++++++---
 .../analyzer/AbstractFileTypeAnalyzer.java | 3 +-
 .../analyzer/AbstractSuppressionAnalyzer.java | 3 +-
 .../analyzer/ArchiveAnalyzer.java | 2 +-
 .../analyzer/AssemblyAnalyzer.java | 3 +-
 .../dependencycheck/analyzer/CPEAnalyzer.java | 5 ++-
 .../analyzer/HintAnalyzer.java | 3 +-
 .../dependencycheck/analyzer/JarAnalyzer.java | 2 +-
 .../analyzer/NvdCveAnalyzer.java | 5 ++-
 .../analyzer/PythonDistributionAnalyzer.java | 2 +-
 11 files changed, 49 insertions(+), 25 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
index 7f836538d..79b744a27 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -522,11 +522,16 @@ public class Engine implements FileFilter {
 continue;
 }
- executeAnalysisTasks(analyzer, exceptions);
+ if (analyzer.isEnabled()) {
+ executeAnalysisTasks(analyzer, exceptions);
- final long analyzerDurationMillis = System.currentTimeMillis() - analyzerStart;
- final long analyzerDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(analyzerDurationMillis);
- LOGGER.info("Finished {} ({} seconds)", analyzer.getName(), analyzerDurationSeconds);
+ final long analyzerDurationMillis = System.currentTimeMillis() - analyzerStart;
+ final long analyzerDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(analyzerDurationMillis);
+ LOGGER.info("Finished {} ({} seconds)", analyzer.getName(), analyzerDurationSeconds);
+ }
+ else {
+ LOGGER.debug("Skipping {} (not enabled)", analyzer.getName());
+ }
 }
 }
 for (AnalysisPhase phase : AnalysisPhase.values()) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java
index d3a7201e9..5ec83de53 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java
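Review bot: The new `else` is placed on its own line (`}` then `else {`), which differs from the `} else {` form this same patch uses in the `initialize()` hunk of AbstractAnalyzer; fold it to `} else {`. The `analyzer.isEnabled()` check only means something once `initialize()` has populated the flag from settings, and nothing in the hunk shows that ordering — presumably the engine initialises every analyzer earlier, so a short comment such as `// enabled is set by Analyzer.initialize(); disabled analyzers are skipped outright` above the check would make the dependency explicit. `analyzerStart` is assigned before this hunk, so a disabled analyzer still takes a timestamp it never reports; moving the enabled check ahead of that assignment would tidy this. The enclosing loop starts and ends outside the hunk.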
@@ -81,6 +81,23 @@ public abstract class AbstractAnalyzer implements Analyzer {
 */
 protected abstract void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException;
+ /**
+ * Initializes a given Analyzer. This will be skipped if the analyzer is disabled.
+ *
+ * @throws InitializationException thrown if there is an exception
+ */
+ protected void initializeAnalyzer() throws InitializationException {
+ }
+
+ /**
+ * Closes a given Analyzer. This will be skipped if the analyzer is disabled.
+ *
+ * @throws Exception thrown if there is an exception
+ */
+ protected void closeAnalyzer() throws Exception {
+ }
+
+
 /**
 * Analyzes a given dependency. If the dependency is an archive, such as a
 * WAR or EAR, the contents are extracted, scanned, and added to the list of
@@ -103,14 +120,19 @@ public abstract class AbstractAnalyzer implements Analyzer {
 * @throws InitializationException thrown if there is an exception
 */
 @Override
- public void initialize() throws InitializationException {
+ public final void initialize() throws InitializationException {
 final String key = getAnalyzerEnabledSettingKey();
 try {
 this.setEnabled(Settings.getBoolean(key, true));
 } catch (InvalidSettingException ex) {
 LOGGER.warn("Invalid setting for property '{}'", key);
 LOGGER.debug("", ex);
- LOGGER.warn("{} has been disabled", getName());
+ }
+
+ if (isEnabled()) {
+ initializeAnalyzer();
+ } else {
+ LOGGER.debug("{} has been disabled", getName());
 }
 }
@@ -120,10 +142,13 @@ public abstract class AbstractAnalyzer implements Analyzer {
 * @throws Exception thrown if there is an exception
 */
 @Override
- public void close() throws Exception {
- //do nothing
+ public final void close() throws Exception {
+ if (isEnabled()) {
+ closeAnalyzer();
+ }
 }
+
 /**
 * The default is to support parallel processing.
 *
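Review bot: In the last hunk `close()` now calls `closeAnalyzer()` only while `isEnabled()` is true, but the flag is writable through `setEnabled(...)` (used in the middle hunk) and is re-read from settings on every `initialize()` call, so an analyzer whose flag is turned off after `initializeAnalyzer()` has acquired resources (the index, database handle and temp directories released by the `closeAnalyzer()` overrides in this patch) could have its teardown skipped entirely. Gate teardown on whether initialization actually ran rather than on the current flag: add `private boolean initialized;`, set `initialized = true;` immediately after `initializeAnalyzer();` in `initialize()`, and test `if (initialized)` in `close()`. A smaller point in the middle hunk: when `Settings.getBoolean` throws, `setEnabled` is never reached and the analyzer keeps whatever value `enabled` already held, yet the removed warn line was the only message telling the user which state it ended up in — a warn such as `LOGGER.warn("{} keeps its previous enabled state ({})", getName(), isEnabled());` after the debug line would restore that. The Javadoc on the two new hooks should also say that `initialize()` and `close()` are now `final` and that these are the only override points for subclass setup and teardown.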
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
index 4ebcc6b68..e55cf0307 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
@@ -74,8 +74,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
 * initialization
 */
 @Override
- public final void initialize() throws InitializationException {
- super.initialize();
+ protected final void initializeAnalyzer() throws InitializationException {
 if (filesMatched) {
 initializeFileTypeAnalyzer();
 } else {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
index f670c0094..0b2906f81 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -67,8 +67,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 * @throws InitializationException thrown if there is an exception
 */
 @Override
- public void initialize() throws InitializationException {
- super.initialize();
+ public void initializeAnalyzer() throws InitializationException {
 try {
 loadSuppressionData();
 } catch (SuppressionParseException ex) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index 8cbdc9f0b..a7008ef06 100644
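Review bot: AbstractAnalyzer declares `initializeAnalyzer()` and `closeAnalyzer()` as `protected`, but the AbstractSuppressionAnalyzer override here widens it to `public`, as do the `initializeAnalyzer()` overrides in CPEAnalyzer, HintAnalyzer and NvdCveAnalyzer and every `closeAnalyzer()` override in ArchiveAnalyzer, AssemblyAnalyzer, CPEAnalyzer, JarAnalyzer, NvdCveAnalyzer and PythonDistributionAnalyzer. Widening is legal Java, but it publishes a second entry point for setup and teardown that bypasses the `isEnabled()` gate that `initialize()` and `close()` were just made `final` to enforce. Keep the hooks at the base visibility, as the AbstractFileTypeAnalyzer hunk above already does: `protected void initializeAnalyzer() throws InitializationException {` and `protected void closeAnalyzer() throws Exception {`. The Javadoc summaries on these overrides still describe them as the public initialize/close methods; a one-line note that they are the hooks invoked by the final base methods would keep readers from calling them directly.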
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -204,7 +204,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
 * files
 */
 @Override
- public void close() throws Exception {
+ public void closeAnalyzer() throws Exception {
 if (tempFileLocation != null && tempFileLocation.exists()) {
 LOGGER.debug("Attempting to delete temporary files");
 final boolean success = FileUtils.delete(tempFileLocation);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index 6d1e21ce7..75284a833 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -288,8 +288,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 * @throws Exception thrown if there is a problem closing the analyzer
 */
 @Override
- public void close() throws Exception {
- super.close();
+ public void closeAnalyzer() throws Exception {
 try {
 if (grokAssemblyExe != null && !grokAssemblyExe.delete()) {
 LOGGER.debug("Unable to delete temporary GrokAssembly.exe; attempting delete on exit");
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
index cea9beffc..b2ff57026 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -138,8 +138,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
 * the index.
 */
 @Override
- public void initialize() throws InitializationException {
- super.initialize();
+ public void initializeAnalyzer() throws InitializationException {
 try {
 this.open();
 } catch (IOException ex) {
@@ -180,7 +179,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
 * Closes the data sources.
 */
 @Override
- public void close() {
+ public void closeAnalyzer() {
 if (cpe != null) {
 cpe.close();
 cpe = null;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
index a0a8b00d0..588c99d84 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -99,8 +99,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
 * @throws InitializationException thrown if there is an exception
 */
 @Override
- public void initialize() throws InitializationException {
- super.initialize();
+ public void initializeAnalyzer() throws InitializationException {
 try {
 loadHintRules();
 } catch (HintParseException ex) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index 58d396b83..7e4d1c5dc 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -912,7 +912,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 * Deletes any files extracted from the JAR during analysis.
 */
 @Override
- public void close() {
+ public void closeAnalyzer() {
 if (tempFileLocation != null && tempFileLocation.exists()) {
 LOGGER.debug("Attempting to delete temporary files");
 final boolean success = FileUtils.delete(tempFileLocation);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
index 4b7c55619..be9d0ed31 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
@@ -71,7 +71,7 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
 * Closes the data source.
 */
 @Override
- public void close() {
+ public void closeAnalyzer() {
 cveDB.close();
 cveDB = null;
 }
@@ -171,8 +171,7 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
 * the index.
 */
 @Override
- public void initialize() throws InitializationException {
- super.initialize();
+ public void initializeAnalyzer() throws InitializationException {
 try {
 this.open();
 } catch (SQLException ex) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
index 8fa73202e..578c8d8f4 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
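Review bot: The NvdCveAnalyzer `closeAnalyzer()` in the `@@ -71,7` hunk dereferences `cveDB` unconditionally, whereas the sibling `closeAnalyzer()` in CPEAnalyzer guards with `if (cpe != null)` first. With the reworked base class, `close()` runs for every enabled analyzer, including one whose `initializeAnalyzer()` (the `@@ -171,8` hunk) failed inside `this.open()` before `cveDB` was assigned — presumably leaving it null — so engine shutdown would then throw a NullPointerException out of this method instead of a clean close. Guard it the same way as CPEAnalyzer: `if (cveDB != null) { cveDB.close(); cveDB = null; }`.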
@@ -273,7 +273,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 * Deletes any files extracted from the Wheel during analysis.
 */
 @Override
- public void close() {
+ public void closeAnalyzer() {
 if (tempFileLocation != null && tempFileLocation.exists()) {
 LOGGER.debug("Attempting to delete temporary files");
 final boolean success = FileUtils.delete(tempFileLocation);