Compare commits
18 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
cc6f4803b9 | ||
|
|
080ccbe7a0 | ||
|
|
657891055b | ||
|
|
ce1c097136 | ||
|
|
f18827614d | ||
|
|
a49a4ea059 | ||
|
|
cb50651764 | ||
|
|
5a6a3dc17f | ||
|
|
d179b7bf3f | ||
|
|
31e6d1e0c1 | ||
|
|
13c239c9d4 | ||
|
|
e985ebff3f | ||
|
|
3d00927033 | ||
|
|
8bdb7e239d | ||
|
|
a5b0136897 | ||
|
|
41ea697483 | ||
|
|
fb0f4dd2cf | ||
|
|
8eb373a612 |
4
.gitignore
vendored
4
.gitignore
vendored
@@ -6,4 +6,6 @@
|
||||
.idea/
|
||||
# Eclipse project files
|
||||
.classpath
|
||||
.project
|
||||
.project
|
||||
# Netbeans configuration
|
||||
nb-configuration.xml
|
||||
@@ -5,6 +5,11 @@ Dependency-Check is a utility that attempts to detect publicly disclosed vulnera
|
||||
|
||||
More information can be found on the [wiki].
|
||||
|
||||
Notice
|
||||
-
|
||||
|
||||
A very big release of new functionality and plugins will be made available during the BlackHat Arsenal on July 31st, 2013. If you are at BlackHat stop by and see the demos!
|
||||
|
||||
Usage
|
||||
-
|
||||
|
||||
|
||||
2
pom.xml
2
pom.xml
@@ -22,7 +22,7 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses />.
|
||||
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check</artifactId>
|
||||
<version>0.3.2.3</version>
|
||||
<version>0.3.2.4</version>
|
||||
<packaging>jar</packaging>
|
||||
|
||||
<name>DependencyCheck</name>
|
||||
|
||||
@@ -81,16 +81,16 @@ public class App {
|
||||
LogManager.getLogManager().reset();
|
||||
LogManager.getLogManager().readConfiguration(in);
|
||||
} catch (IOException ex) {
|
||||
System.err.println(ex.toString());
|
||||
Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(App.class.getName()).log(Level.FINE, "IO Error preparing the logger", ex);
|
||||
} catch (SecurityException ex) {
|
||||
Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(App.class.getName()).log(Level.FINE, "Error preparing the logger", ex);
|
||||
} finally {
|
||||
try {
|
||||
in.close();
|
||||
} catch (Exception ex) {
|
||||
//ignore
|
||||
in = null;
|
||||
if (in != null) {
|
||||
try {
|
||||
in.close();
|
||||
} catch (Exception ex) {
|
||||
Logger.getLogger(App.class.getName()).log(Level.FINEST, "Error closing resource stream", ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -108,12 +108,10 @@ public class App {
|
||||
} catch (FileNotFoundException ex) {
|
||||
System.err.println(ex.getMessage());
|
||||
cli.printHelp();
|
||||
Logger.getLogger(App.class.getName()).log(Level.WARNING, null, ex);
|
||||
return;
|
||||
} catch (ParseException ex) {
|
||||
System.err.println(ex.getMessage());
|
||||
cli.printHelp();
|
||||
Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -151,9 +149,11 @@ public class App {
|
||||
try {
|
||||
report.generateReports(reportDirectory, outputFormat);
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
|
||||
Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
|
||||
} catch (Exception ex) {
|
||||
Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an error while attempting to generate the report.");
|
||||
Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
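Review bot: The SecurityException branch at L177–L183 now reports the failure only at Level.FINE, but LogManager.reset() at L159 has already removed every handler, so when readConfiguration() fails that record most likely has nowhere to go and the user sees nothing; the IOException branch keeps its System.err fallback at L168, and the SecurityException branch should get the same, e.g. `System.err.println("Error preparing the logger: " + ex);` before the log call. The null guard added at L204 is an improvement, but if `in` is null because the resource was not found, readConfiguration(null) will presumably have already failed with a NullPointerException that neither catch handles — an explicit null check before L162 would make that case report cleanly. The enclosing method starts before this hunk.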
@@ -71,7 +71,7 @@ public class Engine {
|
||||
try {
|
||||
autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
|
||||
} catch (InvalidSettingException ex) {
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.WARNING, "Invalid setting for auto-update.");
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.FINE, "Invalid setting for auto-update; using true.");
|
||||
}
|
||||
if (autoUpdate) {
|
||||
doUpdates();
|
||||
@@ -83,8 +83,9 @@ public class Engine {
|
||||
* Creates a new Engine.
|
||||
*
|
||||
* @param autoUpdate indicates whether or not data should be updated from
|
||||
* the Internet.
|
||||
* @deprecated this function should no longer be used; the autoupdate flag should be set using
|
||||
* the Internet
|
||||
* @deprecated This function should no longer be used;
|
||||
* the autoupdate flag should be set using:
|
||||
* <code>Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, value);</code>
|
||||
*/
|
||||
@Deprecated
|
||||
@@ -144,6 +145,18 @@ public class Engine {
|
||||
*/
|
||||
public void scan(String path) {
|
||||
final File file = new File(path);
|
||||
scan(file);
|
||||
}
|
||||
/**
|
||||
* Scans a given file or directory. If a directory is specified, it will be
|
||||
* scanned recursively. Any dependencies identified are added to the
|
||||
* dependency collection.
|
||||
*
|
||||
* @since v0.3.2.4
|
||||
*
|
||||
* @param file the path to a file or directory to be analyzed.
|
||||
*/
|
||||
public void scan(File file) {
|
||||
if (file.exists()) {
|
||||
if (file.isDirectory()) {
|
||||
scanDirectory(file);
|
||||
@@ -152,7 +165,6 @@ public class Engine {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Recursively scans files and directories. Any dependencies identified are
|
||||
* added to the dependency collection.
|
||||
@@ -180,8 +192,9 @@ public class Engine {
|
||||
*/
|
||||
protected void scanFile(File file) {
|
||||
if (!file.isFile()) {
|
||||
final String msg = String.format("Path passed to scanFile(File) is not a file: %s.", file.toString());
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.WARNING, msg);
|
||||
final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
|
||||
return;
|
||||
}
|
||||
final String fileName = file.getName();
|
||||
final String extension = FileUtils.getFileExtension(fileName);
|
||||
@@ -208,12 +221,13 @@ public class Engine {
|
||||
try {
|
||||
a.initialize();
|
||||
} catch (Exception ex) {
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE,
|
||||
"Exception occurred initializing " + a.getName() + ".", ex);
|
||||
final String msg = String.format("\"Exception occurred initializing \"%s\".\"", a.getName());
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.INFO, msg, ex);
|
||||
try {
|
||||
a.close();
|
||||
} catch (Exception ex1) {
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.FINER, null, ex1);
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex1);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -224,8 +238,10 @@ public class Engine {
|
||||
final List<Analyzer> analyzerList = analyzers.get(phase);
|
||||
|
||||
for (Analyzer a : analyzerList) {
|
||||
//need to create a copy of the collection because some of the
|
||||
// analyzers may modify it. This prevents ConcurrentModificationExceptions.
|
||||
/* need to create a copy of the collection because some of the
|
||||
* analyzers may modify it. This prevents ConcurrentModificationExceptions.
|
||||
* This is okay for adds/deletes because it happens per analyzer.
|
||||
*/
|
||||
final Set<Dependency> dependencySet = new HashSet<Dependency>();
|
||||
dependencySet.addAll(dependencies);
|
||||
for (Dependency d : dependencySet) {
|
||||
@@ -247,7 +263,7 @@ public class Engine {
|
||||
try {
|
||||
a.close();
|
||||
} catch (Exception ex) {
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.WARNING, null, ex);
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -266,9 +282,8 @@ public class Engine {
|
||||
} catch (UpdateException ex) {
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.WARNING,
|
||||
"Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.INFO,
|
||||
String.format("Unable to update details for %s",
|
||||
source.getClass().getName()), ex);
|
||||
Logger.getLogger(Engine.class.getName()).log(Level.FINE,
|
||||
String.format("Unable to update details for %s", source.getClass().getName()), ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
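Review bot: The format string at L509 embeds literal escaped quotes, so the SEVERE line comes out as `"Exception occurred initializing "Jar Analyzer"."` with stray quotation marks at both ends; `final String msg = String.format("Exception occurred initializing %s.", a.getName());` is what was intended. The exception itself is attached only to the INFO record at L515, so at the default level an operator learns that an analyzer failed but not why; since a failed analyzer means every finding it would have produced is silently absent from the report, consider logging `ex` with the SEVERE record rather than one level down. Whether the failed analyzer is removed from the analyzer list after close() at L521 is not visible in this hunk — if it is not, it will still be invoked for every dependency later.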
@@ -47,15 +47,17 @@ public abstract class AbstractAnalyzer implements Analyzer {
|
||||
|
||||
/**
|
||||
* The initialize method does nothing for this Analyzer.
|
||||
* @throws Exception thrown if there is an exception
|
||||
*/
|
||||
public void initialize() {
|
||||
public void initialize() throws Exception {
|
||||
//do nothing
|
||||
}
|
||||
|
||||
/**
|
||||
* The close method does nothing for this Analyzer.
|
||||
* @throws Exception thrown if there is an exception
|
||||
*/
|
||||
public void close() {
|
||||
public void close() throws Exception {
|
||||
//do nothing
|
||||
}
|
||||
}
|
||||
|
||||
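Review bot: The new `@throws Exception thrown if there is an exception` tags at L656 and L682 restate the signature without telling an implementer what the contract is; since the base bodies never throw, document it as `@throws Exception if a subclass fails to initialize (this implementation never throws)` and the equivalent for close(). Declaring the bare checked `Exception` forces every caller into `catch (Exception)` — Engine already does this at L500 — which also swallows RuntimeExceptions from programming errors; if the Analyzer interface (not visible here) allows it, a dedicated checked type such as the project's AnalysisException would be narrower, though that is a wider change than this commit.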
@@ -43,6 +43,18 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
|
||||
*/
|
||||
public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
|
||||
/**
|
||||
* A pattern for obtaining the first part of a filename.
|
||||
*/
|
||||
private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
|
||||
/**
|
||||
* a flag indicating if this analyzer has run. This analyzer only runs once.
|
||||
*/
|
||||
private boolean analyzed = false;
|
||||
//</editor-fold>
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
|
||||
/**
|
||||
* The set of file extensions supported by this analyzer.
|
||||
*/
|
||||
@@ -55,14 +67,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
* The phase that this analyzer is intended to run in.
|
||||
*/
|
||||
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
|
||||
/**
|
||||
* A pattern for obtaining the first part of a filename.
|
||||
*/
|
||||
private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
|
||||
|
||||
/**
|
||||
* Returns a list of file EXTENSIONS supported by this analyzer.
|
||||
*
|
||||
* @return a list of file EXTENSIONS supported by this analyzer.
|
||||
*/
|
||||
public Set<String> getSupportedExtensions() {
|
||||
@@ -71,7 +77,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
|
||||
/**
|
||||
* Returns the name of the analyzer.
|
||||
*
|
||||
* @return the name of the analyzer.
|
||||
*/
|
||||
public String getName() {
|
||||
@@ -80,7 +85,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
|
||||
/**
|
||||
* Returns whether or not this analyzer can process the given extension.
|
||||
*
|
||||
* @param extension the file extension to test for support
|
||||
* @return whether or not the specified file extension is supported by this
|
||||
* analyzer.
|
||||
@@ -91,16 +95,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
|
||||
/**
|
||||
* Returns the phase that the analyzer is intended to run in.
|
||||
*
|
||||
* @return the phase that the analyzer is intended to run in.
|
||||
*/
|
||||
public AnalysisPhase getAnalysisPhase() {
|
||||
return ANALYSIS_PHASE;
|
||||
}
|
||||
/**
|
||||
* a flag indicating if this analyzer has run. This analyzer only runs once.
|
||||
*/
|
||||
private boolean analyzed = false;
|
||||
//</editor-fold>
|
||||
|
||||
/**
|
||||
* Analyzes a set of dependencies. If they have been found to have the same
|
||||
|
||||
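Review bot: The fold description added at L748, `desc="All standard implmentation details of Analyzer"`, misspells "implementation", and this commit copies the same misspelled marker into FalsePositiveAnalyzer, FileNameAnalyzer, HintAnalyzer, JarAnalyzer and JavaScriptAnalyzer, so it is worth fixing before it spreads further. The `//<editor-fold>` / `//</editor-fold>` pairs themselves are NetBeans-specific folding directives rather than documentation; a plain `// --- Analyzer interface plumbing ---` comment reads the same in every tool if the grouping is wanted. The hunks otherwise only move `STARTING_TEXT_PATTERN` and `analyzed` to the top of the class, which is fine.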
@@ -41,6 +41,7 @@ import org.owasp.dependencycheck.utils.Settings;
|
||||
*/
|
||||
public class FalsePositiveAnalyzer extends AbstractAnalyzer {
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
|
||||
/**
|
||||
* The set of file extensions supported by this analyzer.
|
||||
*/
|
||||
@@ -56,7 +57,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
|
||||
|
||||
/**
|
||||
* Returns a list of file EXTENSIONS supported by this analyzer.
|
||||
*
|
||||
* @return a list of file EXTENSIONS supported by this analyzer.
|
||||
*/
|
||||
public Set<String> getSupportedExtensions() {
|
||||
@@ -65,7 +65,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
|
||||
|
||||
/**
|
||||
* Returns the name of the analyzer.
|
||||
*
|
||||
* @return the name of the analyzer.
|
||||
*/
|
||||
public String getName() {
|
||||
@@ -74,27 +73,26 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
|
||||
|
||||
/**
|
||||
* Returns whether or not this analyzer can process the given extension.
|
||||
*
|
||||
* @param extension the file extension to test for support
|
||||
* @return whether or not the specified file extension is supported by this
|
||||
* analyzer.
|
||||
*/
|
||||
public boolean supportsExtension(String extension) {
|
||||
return true; //EXTENSIONS.contains(extension);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the phase that the analyzer is intended to run in.
|
||||
*
|
||||
* @return the phase that the analyzer is intended to run in.
|
||||
*/
|
||||
public AnalysisPhase getAnalysisPhase() {
|
||||
return ANALYSIS_PHASE;
|
||||
}
|
||||
//</editor-fold>
|
||||
|
||||
/**
|
||||
*
|
||||
*
|
||||
* Analyzes the dependencies and removes bad/incorrect CPE associations
|
||||
* based on various heuristics.
|
||||
* @param dependency the dependency to analyze.
|
||||
* @param engine the engine that is scanning the dependencies
|
||||
* @throws AnalysisException is thrown if there is an error reading the JAR
|
||||
@@ -107,7 +105,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
|
||||
try {
|
||||
deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
|
||||
} catch (InvalidSettingException ex) {
|
||||
Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.INFO, "deepscan setting is incorrect; expected a boolean.", ex);
|
||||
}
|
||||
if (!deepScan) {
|
||||
removeSpuriousCPE(dependency);
|
||||
@@ -232,6 +230,5 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
|
||||
itr.remove();
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
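Review bot: supportsExtension() at L999–L1008 now returns `true` unconditionally, but its Javadoc at L981–L993 still promises "whether or not this analyzer can process the given extension", and the EXTENSIONS field whose Javadoc survives at L921 no longer influences anything; replace the method Javadoc with `Always returns true: this analyzer post-processes every dependency regardless of its file type.` and either drop EXTENSIONS or document it as informational only. At L1075–L1081 an invalid PERFORM_DEEP_SCAN setting is now reported only at INFO and the method carries on with whatever `deepScan` was initialised to (declared outside the hunk); stating that fallback in the message, e.g. `deepscan setting is incorrect; expected a boolean. Proceeding with the default.`, tells the operator what actually happened.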
@@ -31,6 +31,7 @@ import org.owasp.dependencycheck.Engine;
|
||||
*/
|
||||
public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
|
||||
/**
|
||||
* The name of the analyzer.
|
||||
*/
|
||||
@@ -46,7 +47,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
/**
|
||||
* Returns a list of file EXTENSIONS supported by this analyzer.
|
||||
*
|
||||
* @return a list of file EXTENSIONS supported by this analyzer.
|
||||
*/
|
||||
public Set<String> getSupportedExtensions() {
|
||||
@@ -55,7 +55,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
/**
|
||||
* Returns the name of the analyzer.
|
||||
*
|
||||
* @return the name of the analyzer.
|
||||
*/
|
||||
public String getName() {
|
||||
@@ -64,7 +63,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
/**
|
||||
* Returns whether or not this analyzer can process the given extension.
|
||||
*
|
||||
* @param extension the file extension to test for support.
|
||||
* @return whether or not the specified file extension is supported by this
|
||||
* analyzer.
|
||||
@@ -75,12 +73,12 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
/**
|
||||
* Returns the phase that the analyzer is intended to run in.
|
||||
*
|
||||
* @return the phase that the analyzer is intended to run in.
|
||||
*/
|
||||
public AnalysisPhase getAnalysisPhase() {
|
||||
return ANALYSIS_PHASE;
|
||||
}
|
||||
//</editor-fold>
|
||||
|
||||
/**
|
||||
* Collects information about the file name.
|
||||
|
||||
@@ -29,6 +29,7 @@ import org.owasp.dependencycheck.dependency.Evidence;
|
||||
*/
|
||||
public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
|
||||
/**
|
||||
* The name of the analyzer.
|
||||
*/
|
||||
@@ -41,10 +42,8 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
* The set of file extensions supported by this analyzer.
|
||||
*/
|
||||
private static final Set<String> EXTENSIONS = null;
|
||||
|
||||
/**
|
||||
* Returns a list of file EXTENSIONS supported by this analyzer.
|
||||
*
|
||||
* @return a list of file EXTENSIONS supported by this analyzer.
|
||||
*/
|
||||
public Set<String> getSupportedExtensions() {
|
||||
@@ -53,7 +52,6 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
/**
|
||||
* Returns the name of the analyzer.
|
||||
*
|
||||
* @return the name of the analyzer.
|
||||
*/
|
||||
public String getName() {
|
||||
@@ -62,7 +60,6 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
/**
|
||||
* Returns whether or not this analyzer can process the given extension.
|
||||
*
|
||||
* @param extension the file extension to test for support.
|
||||
* @return whether or not the specified file extension is supported by this
|
||||
* analyzer.
|
||||
@@ -73,12 +70,12 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
/**
|
||||
* Returns the phase that the analyzer is intended to run in.
|
||||
*
|
||||
* @return the phase that the analyzer is intended to run in.
|
||||
*/
|
||||
public AnalysisPhase getAnalysisPhase() {
|
||||
return ANALYSIS_PHASE;
|
||||
}
|
||||
//</editor-fold>
|
||||
|
||||
/**
|
||||
* The HintAnalyzer uses knowledge about a dependency to add additional information
|
||||
|
||||
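Review bot: If `private static final Set<String> EXTENSIONS = null;` at L1281 survives on the new side — the hunk drops two lines and the rendering does not show which — then getSupportedExtensions() at L1301 returns null, and any caller that does `getSupportedExtensions().contains(...)` gets a NullPointerException; `Collections.emptySet()`, or a documented sentinel if null is meant to signal "all extensions", is safer. Either way, add one Javadoc sentence on getSupportedExtensions() stating what a null or empty set means to the Engine, since supportsExtension() and getSupportedExtensions() can now disagree. The remaining changes in this section are fold markers and Javadoc whitespace.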
@@ -71,18 +71,11 @@ import org.xml.sax.XMLReader;
|
||||
*/
|
||||
public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
|
||||
/**
|
||||
* The system independent newline character.
|
||||
*/
|
||||
private static final String NEWLINE = System.getProperty("line.separator");
|
||||
/**
|
||||
* The name of the analyzer.
|
||||
*/
|
||||
private static final String ANALYZER_NAME = "Jar Analyzer";
|
||||
/**
|
||||
* The phase that this analyzer is intended to run in.
|
||||
*/
|
||||
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
|
||||
/**
|
||||
* A list of elements in the manifest to ignore.
|
||||
*/
|
||||
@@ -110,10 +103,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
"bundle-manifestversion",
|
||||
"bundlemanifestversion",
|
||||
"include-resource");
|
||||
/**
|
||||
* The set of file extensions supported by this analyzer.
|
||||
*/
|
||||
private static final Set<String> EXTENSIONS = newHashSet("jar");
|
||||
|
||||
/**
|
||||
* item in some manifest, should be considered medium confidence.
|
||||
*/
|
||||
@@ -130,10 +120,15 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
* item in some manifest, should be considered medium confidence.
|
||||
*/
|
||||
private static final String BUNDLE_VENDOR = "Bundle-Vendor"; //: Apache Software Foundation
|
||||
/**
|
||||
* A pattern to detect HTML within text.
|
||||
*/
|
||||
private static final Pattern HTML_DETECTION_PATTERN = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE);
|
||||
/**
|
||||
* The unmarshaller used to parse the pom.xml from a JAR file.
|
||||
*/
|
||||
private Unmarshaller pomUnmarshaller;
|
||||
//</editor-fold>
|
||||
|
||||
/**
|
||||
* Constructs a new JarAnalyzer.
|
||||
@@ -143,31 +138,40 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.analyzer.pom.generated");
|
||||
pomUnmarshaller = jaxbContext.createUnmarshaller();
|
||||
} catch (JAXBException ex) { //guess we will just have a null pointer exception later...
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, "Unable to load parser. See the log for more details.");
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
|
||||
}
|
||||
}
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
|
||||
/**
|
||||
* The name of the analyzer.
|
||||
*/
|
||||
private static final String ANALYZER_NAME = "Jar Analyzer";
|
||||
/**
|
||||
* The phase that this analyzer is intended to run in.
|
||||
*/
|
||||
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
|
||||
/**
|
||||
* The set of file extensions supported by this analyzer.
|
||||
*/
|
||||
private static final Set<String> EXTENSIONS = newHashSet("jar");
|
||||
/**
|
||||
* Returns a list of file EXTENSIONS supported by this analyzer.
|
||||
*
|
||||
* @return a list of file EXTENSIONS supported by this analyzer.
|
||||
*/
|
||||
public Set<String> getSupportedExtensions() {
|
||||
return EXTENSIONS;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the name of the analyzer.
|
||||
*
|
||||
* @return the name of the analyzer.
|
||||
*/
|
||||
public String getName() {
|
||||
return ANALYZER_NAME;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns whether or not this analyzer can process the given extension.
|
||||
*
|
||||
* @param extension the file extension to test for support.
|
||||
* @return whether or not the specified file extension is supported by this
|
||||
* analyzer.
|
||||
@@ -175,7 +179,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
public boolean supportsExtension(String extension) {
|
||||
return EXTENSIONS.contains(extension);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the phase that the analyzer is intended to run in.
|
||||
*
|
||||
@@ -184,6 +187,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
public AnalysisPhase getAnalysisPhase() {
|
||||
return ANALYSIS_PHASE;
|
||||
}
|
||||
//</editor-fold>
|
||||
|
||||
/**
|
||||
* Loads a specified JAR file and collects information from the manifest and
|
||||
@@ -217,10 +221,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
throw new AnalysisException("Exception occurred reading the JAR file.", ex);
|
||||
}
|
||||
}
|
||||
/**
|
||||
* A pattern to detect HTML within text.
|
||||
*/
|
||||
private static final Pattern HTML_DETECTION_PATTERN = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE);
|
||||
|
||||
/**
|
||||
* Attempts to find a pom.xml within the JAR file. If found it extracts
|
||||
@@ -240,17 +240,19 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
final String msg = String.format("Unable to read JarFile '%s'.", dependency.getActualFilePath());
|
||||
final AnalysisException ax = new AnalysisException(msg, ex);
|
||||
dependency.getAnalysisExceptions().add(ax);
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg, ex);
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
|
||||
return foundSomething;
|
||||
}
|
||||
List<String> pomEntries;
|
||||
try {
|
||||
pomEntries = retrievePomListing(jar);
|
||||
} catch (IOException ex) {
|
||||
final String msg = String.format("Unable to read JarEntries in '%s'.", dependency.getActualFilePath());
|
||||
final String msg = String.format("Unable to read Jar file entries in '%s'.", dependency.getActualFilePath());
|
||||
final AnalysisException ax = new AnalysisException(msg, ex);
|
||||
dependency.getAnalysisExceptions().add(ax);
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg, ex);
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.INFO, msg, ex);
|
||||
return foundSomething;
|
||||
}
|
||||
|
||||
@@ -269,10 +271,11 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
path, dependency.getFilePath());
|
||||
final AnalysisException ax = new AnalysisException(msg, ex);
|
||||
dependency.getAnalysisExceptions().add(ax);
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, msg, ax);
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, msg, ax);
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = String.format("Unable to retrieve POM '%s' in '%s'",
|
||||
path, dependency.getFilePath());
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, msg, ex);
|
||||
}
|
||||
foundSomething = setPomEvidence(dependency, pom, pomProperties) || foundSomething;
|
||||
}
|
||||
@@ -343,14 +346,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
final JAXBElement<Model> el = pomUnmarshaller.unmarshal(source, Model.class);
|
||||
m = el.getValue();
|
||||
} catch (ParserConfigurationException ex) {
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = String.format("Unable to parse pom '%s' in jar '%s'", path, jar.getName());
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, msg, ex);
|
||||
} catch (SAXException ex) {
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
|
||||
} catch (JAXBException ex) {
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, "failure reading pom via jaxb path:'"
|
||||
+ path + "' jar:'" + jar.getName() + "'", ex);
|
||||
final String msg = String.format("Unable to parse pom '%s' in jar '%s'", path, jar.getName());
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, msg, ex);
|
||||
}
|
||||
|
||||
return m;
|
||||
}
|
||||
return null;
|
||||
@@ -365,6 +366,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
*/
|
||||
private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties) {
|
||||
boolean foundSomething = false;
|
||||
if (pom == null) {
|
||||
return foundSomething;
|
||||
}
|
||||
//group id
|
||||
final String groupid = interpolateString(pom.getGroupId(), pomProperties);
|
||||
if (groupid != null) {
|
||||
@@ -600,7 +604,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
&& !dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
|
||||
&& !dependency.getFileName().toLowerCase().endsWith("-src.jar")
|
||||
&& !dependency.getFileName().toLowerCase().endsWith("-doc.jar")) {
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE,
|
||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.INFO,
|
||||
String.format("Jar file '%s' does not contain a manifest.",
|
||||
dependency.getFileName()));
|
||||
}
|
||||
|
||||
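Review bot: The constructor at L1536–L1554 still swallows the JAXBException — the new message at L1548 says "Unable to load parser" but `pomUnmarshaller` stays null, and the comment at L1542 admits the result is a NullPointerException the first time a pom is read; now that this commit makes `initialize()` declare `throws Exception` in AbstractAnalyzer, the JAXB setup belongs there so the Engine's existing catch-and-close path handles the failure instead of a later NPE: `@Override public void initialize() throws Exception { pomUnmarshaller = JAXBContext.newInstance("org.owasp.dependencycheck.analyzer.pom.generated").createUnmarshaller(); }`. Separately, the pom.xml unmarshalled at L1865 is pulled out of a scanned JAR, i.e. untrusted input, and the XMLReader that builds `source` is created outside this hunk — confirm it has DTD and external-entity resolution disabled (`http://apache.org/xml/features/disallow-doctype-decl` true, `external-general-entities` and `external-parameter-entities` false) so a crafted pom cannot read local files or reach the network during a scan. The null guard added to setPomEvidence at L1930 is a good catch.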
@@ -32,10 +32,7 @@ import java.util.regex.Pattern;
|
||||
*/
|
||||
public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
/**
|
||||
* The system independent newline character.
|
||||
*/
|
||||
private static final String NEWLINE = System.getProperty("line.separator");
|
||||
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
|
||||
/**
|
||||
* The name of the analyzer.
|
||||
*/
|
||||
@@ -86,6 +83,7 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
public AnalysisPhase getAnalysisPhase() {
|
||||
return ANALYSIS_PHASE;
|
||||
}
|
||||
//</editor-fold>
|
||||
|
||||
/**
|
||||
* Loads a specified JAR file and collects information from the manifest and
|
||||
@@ -101,32 +99,23 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds license information to the given dependency.
|
||||
*
|
||||
* @param d the dependency
|
||||
* @param license the license
|
||||
*/
|
||||
private void addLicense(Dependency d, String license) {
|
||||
if (d.getLicense() == null) {
|
||||
d.setLicense(license);
|
||||
} else if (!d.getLicense().contains(license)) {
|
||||
d.setLicense(d.getLicense() + NEWLINE + license);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The initialize method does nothing for this Analyzer.
|
||||
*
|
||||
* @throws Exception thrown if there is an exception
|
||||
*/
|
||||
public void initialize() {
|
||||
@Override
|
||||
public void initialize() throws Exception {
|
||||
//do nothing
|
||||
}
|
||||
|
||||
/**
|
||||
* The close method does nothing for this Analyzer.
|
||||
*
|
||||
* @throws Exception thrown if there is an exception
|
||||
*/
|
||||
public void close() {
|
||||
@Override
|
||||
public void close() throws Exception {
|
||||
//do nothing
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
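Review bot: The `initialize()` and `close()` overrides at L2104–L2113 and L2136–L2145 reproduce the no-op bodies that AbstractAnalyzer already provides, now with the same `throws Exception`, so they and their Javadoc can simply be deleted and the base implementation inherited. The method Javadoc at L2032, "Loads a specified JAR file and collects information from the manifest", is copied from JarAnalyzer and does not describe a JavaScript analyzer; the method body starts after this hunk, so I cannot propose exact wording, but it should state what is collected from a .js file. The removal of addLicense and NEWLINE is fine provided no other code in the file still referenced them, which is not visible here.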
@@ -49,7 +49,7 @@ public class Entry implements Serializable {
|
||||
try {
|
||||
entry.parseName(doc.get(Fields.NAME));
|
||||
} catch (UnsupportedEncodingException ex) {
|
||||
Logger.getLogger(Entry.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(Entry.class.getName()).log(Level.FINE, null, ex);
|
||||
entry.name = doc.get(Fields.NAME);
|
||||
}
|
||||
return entry;
|
||||
|
||||
@@ -55,15 +55,17 @@ public final class CweDB {
|
||||
oin = new ObjectInputStream(input);
|
||||
return (HashMap<String, String>) oin.readObject();
|
||||
} catch (ClassNotFoundException ex) {
|
||||
Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
|
||||
Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data due to an IO Error. This should not be an issue.");
|
||||
Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
|
||||
} finally {
|
||||
if (oin != null) {
|
||||
try {
|
||||
oin.close();
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(CweDB.class.getName()).log(Level.FINEST, null, ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
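Review bot: `(HashMap<String, String>) oin.readObject()` at L2190 is an unchecked cast, and a ClassCastException from a serialized object of another type is caught by neither the ClassNotFoundException branch at L2193 nor the IOException branch at L2205, so a corrupted or substituted data file would escape this method while the other load failures are handled; catch it alongside them (`catch (ClassNotFoundException | ClassCastException ex)` if the project targets Java 7 or later, otherwise a separate catch with the same message). The new messages say "This should not be an issue" — say what is lost instead, e.g. `Unable to load CWE data; CWE descriptions will be absent from the report.`, assuming that is what this map feeds. Native Java deserialization here is acceptable only while `input` is the bundled resource; the stream is opened outside this hunk, so confirm it can never be pointed at a user-supplied path.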
@@ -98,16 +98,24 @@ public abstract class AbstractIndex {
|
||||
try {
|
||||
indexWriter.commit();
|
||||
} catch (CorruptIndexException ex) {
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = "Unable to update database, there is a corrupt index.";
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, msg);
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.FINE, null, ex);
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = "Unable to update database due to an IO error.";
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, msg);
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.FINE, null, ex);
|
||||
}
|
||||
try {
|
||||
indexWriter.close(true);
|
||||
} catch (CorruptIndexException ex) {
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = "Unable to update database, there is a corrupt index.";
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, msg);
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.FINE, null, ex);
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = "Unable to update database due to an IO error.";
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, msg);
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.FINE, null, ex);
|
||||
} finally {
|
||||
indexWriter = null;
|
||||
}
|
||||
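Review bot: The four new catch bodies in this hunk are the same two log calls with two message strings repeated verbatim, which is the kind of duplication that drifts (the directory-close hunk further down already reuses one of these messages for a different failure). A small private helper removes the repetition and gives the SEVERE-message-plus-FINE-exception convention a single home. The enclosing method starts outside the hunk, so the helper would go at class level near it.
```java
} catch (CorruptIndexException ex) {
    logIndexFailure("Unable to update database, there is a corrupt index.", ex);
} catch (IOException ex) {
    logIndexFailure("Unable to update database due to an IO error.", ex);
}
// … unchanged: indexWriter.close(true) try block, with the same two catches rewritten the same way …

/**
 * Logs an index failure for the user at SEVERE (message only) and keeps the
 * exception detail at FINE, matching the logging convention used elsewhere.
 */
private static void logIndexFailure(String msg, Exception ex) {
    Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, msg);
    Logger.getLogger(AbstractIndex.class.getName()).log(Level.FINE, null, ex);
}
```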
@@ -129,7 +137,9 @@ public abstract class AbstractIndex {
|
||||
try {
|
||||
directory.close();
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = "Unable to update database due to an IO error.";
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, msg);
|
||||
Logger.getLogger(AbstractIndex.class.getName()).log(Level.FINE, null, ex);
|
||||
} finally {
|
||||
directory = null;
|
||||
}
|
||||
|
||||
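Review bot: The new message "Unable to update database due to an IO error." is copied from the commit path but this catch wraps `directory.close()`, so a user sees an "update" failure when the index was only being closed. Change the constant to describe the actual operation: `final String msg = "Unable to close the index directory due to an IO error.";`. The enclosing method starts outside the hunk.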
@@ -220,7 +220,9 @@ public class CveDB {
|
||||
try {
|
||||
conn.close();
|
||||
} catch (SQLException ex) {
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = "There was an error attempting to close the CveDB, see the log for more details.";
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg, ex);
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
|
||||
}
|
||||
conn = null;
|
||||
}
|
||||
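Review bot: The new SEVERE call passes `ex` as its third argument and is immediately followed by a FINE call that logs the same `ex` again, so the stack trace is emitted twice and the "see the log for more details" wording in the message points at details that are already attached. Every other hunk in this commit logs the message alone at the user level and the exception at FINE; make this one match by dropping the throwable from the first call: `Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);`. The enclosing method starts outside the hunk.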
@@ -239,7 +241,9 @@ public class CveDB {
|
||||
try {
|
||||
cpe.parseName(cpeStr);
|
||||
} catch (UnsupportedEncodingException ex) {
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = "There was an encoding error parsing a vulerability, see the log for more details.";
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, msg);
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, String.format("Error parsing '%s'", cpeStr), ex);
|
||||
}
|
||||
final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
|
||||
|
||||
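Review bot: The new warning text misspells "vulnerability" as "vulerability"; it should read `final String msg = "There was an encoding error parsing a vulnerability, see the log for more details.";`. The FINE record below it does include the offending `cpeStr`, which is the right place for it. Note that execution continues past the catch with whatever `cpe.parseName` left behind; that behaviour predates this commit, but a one-line comment on the catch saying the entry is processed with a partially parsed CPE would save the next reader a question. The enclosing method starts outside the hunk.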
@@ -259,7 +263,7 @@ public class CveDB {
|
||||
try {
|
||||
rs.close();
|
||||
} catch (SQLException ex) {
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Error closing RecordSet", ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -325,21 +329,21 @@ public class CveDB {
|
||||
try {
|
||||
rsV.close();
|
||||
} catch (SQLException ex) {
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Error closing RecordSet", ex);
|
||||
}
|
||||
}
|
||||
if (rsR != null) {
|
||||
try {
|
||||
rsR.close();
|
||||
} catch (SQLException ex) {
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Error closing RecordSet", ex);
|
||||
}
|
||||
}
|
||||
if (rsS != null) {
|
||||
try {
|
||||
rsS.close();
|
||||
} catch (SQLException ex) {
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Error closing RecordSet", ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -398,8 +402,9 @@ public class CveDB {
|
||||
}
|
||||
|
||||
} catch (SQLException ex) {
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
throw new DatabaseException("Error updating '" + vuln.getName() + "'", ex);
|
||||
final String msg = String.format("Error updating '%s'", vuln.getName());
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
|
||||
throw new DatabaseException(msg, ex);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -443,7 +448,7 @@ public class CveDB {
|
||||
try {
|
||||
statement.close();
|
||||
} catch (SQLException ex) {
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Error closing Statement", ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -96,20 +96,20 @@ public class DatabaseUpdater implements CachedWebDataSource {
|
||||
}
|
||||
}
|
||||
if (maxUpdates > 3) {
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING,
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.INFO,
|
||||
"NVD CVE requires several updates; this could take a couple of minutes.");
|
||||
}
|
||||
int count = 0;
|
||||
for (NvdCveUrl cve : update.values()) {
|
||||
if (cve.getNeedsUpdate()) {
|
||||
count += 1;
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING,
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.INFO,
|
||||
"Updating NVD CVE ({0} of {1})", new Object[]{count, maxUpdates});
|
||||
URL url = new URL(cve.getUrl());
|
||||
File outputPath = null;
|
||||
File outputPath12 = null;
|
||||
try {
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING,
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.INFO,
|
||||
"Downloading {0}", cve.getUrl());
|
||||
|
||||
outputPath = File.createTempFile("cve" + cve.getId() + "_", ".xml");
|
||||
@@ -119,11 +119,11 @@ public class DatabaseUpdater implements CachedWebDataSource {
|
||||
outputPath12 = File.createTempFile("cve_1_2_" + cve.getId() + "_", ".xml");
|
||||
Downloader.fetchFile(url, outputPath12, false);
|
||||
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING,
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.INFO,
|
||||
"Processing {0}", cve.getUrl());
|
||||
importXML(outputPath, outputPath12);
|
||||
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING,
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.INFO,
|
||||
"Completed updated {0} of {1}", new Object[]{count, maxUpdates});
|
||||
} catch (FileNotFoundException ex) {
|
||||
throw new UpdateException(ex);
|
||||
@@ -210,12 +210,6 @@ public class DatabaseUpdater implements CachedWebDataSource {
|
||||
cve20Handler.setPrevVersionVulnMap(prevVersionVulnMap);
|
||||
cve20Handler.setCpeIndex(cpeIndex);
|
||||
saxParser.parse(file, cve20Handler);
|
||||
|
||||
// Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING,
|
||||
// String.format("%d out of %d entries processed were application specific CVEs.",
|
||||
// cve20Handler.getTotalNumberOfApplicationEntries(),
|
||||
// cve20Handler.getTotalNumberOfEntries()));
|
||||
|
||||
cve20Handler = null;
|
||||
} finally {
|
||||
if (cpeIndex != null) {
|
||||
@@ -242,7 +236,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
|
||||
try {
|
||||
dir = CveDB.getDataDirectory().getCanonicalPath();
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, "Error updating the databases propterty file.", ex);
|
||||
throw new UpdateException("Unable to locate last updated properties file.", ex);
|
||||
}
|
||||
final File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
|
||||
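Review bot: The new FINE message misspells "property" as "propterty" and uses "databases" where a singular is meant; change it to `Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, "Error updating the database property file.", ex);`. The message is only emitted at debug level, but it is still the string an operator greps for. The enclosing method starts outside the hunk.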
@@ -259,10 +253,10 @@ public class DatabaseUpdater implements CachedWebDataSource {
|
||||
out = new OutputStreamWriter(os, "UTF-8");
|
||||
prop.store(out, dir);
|
||||
} catch (FileNotFoundException ex) {
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, null, ex);
|
||||
throw new UpdateException("Unable to find last updated properties file.", ex);
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, null, ex);
|
||||
throw new UpdateException("Unable to update last updated properties file.", ex);
|
||||
} finally {
|
||||
if (out != null) {
|
||||
@@ -302,11 +296,12 @@ public class DatabaseUpdater implements CachedWebDataSource {
|
||||
try {
|
||||
currentlyPublished = retrieveCurrentTimestampsFromWeb();
|
||||
} catch (InvalidDataException ex) {
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
|
||||
throw new DownloadFailedException("Unable to retrieve valid timestamp from nvd cve downloads page", ex);
|
||||
final String msg = "Unable to retrieve valid timestamp from nvd cve downloads page";
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, msg, ex);
|
||||
throw new DownloadFailedException(msg, ex);
|
||||
|
||||
} catch (InvalidSettingException ex) {
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, "Invalid setting found when retrieving timestamps", ex);
|
||||
throw new DownloadFailedException("Invalid settings", ex);
|
||||
}
|
||||
|
||||
@@ -317,7 +312,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
|
||||
try {
|
||||
dir = CveDB.getDataDirectory().getCanonicalPath();
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, "CveDB data directory doesn't exist?", ex);
|
||||
throw new UpdateException("Unable to locate last updated properties file.", ex);
|
||||
}
|
||||
|
||||
@@ -348,7 +343,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
|
||||
}
|
||||
}
|
||||
if (deleteAndRecreate) {
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING, "Index version is old. Rebuilding the index.");
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.INFO, "The database version is old. Rebuilding the database.");
|
||||
is.close();
|
||||
//this is an old version of the lucene index - just delete it
|
||||
FileUtils.delete(f);
|
||||
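Review bot: The new INFO message says "The database version is old. Rebuilding the database." while the context comment two lines below still says "this is an old version of the lucene index - just delete it", so the two now disagree about what `f` is. If the message is the intended wording, update the comment to match (`//this is an old version of the database - just delete it`); if `f` is still the Lucene index directory, the INFO message is the one to correct. The enclosing method starts and ends outside the hunk.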
@@ -379,8 +374,8 @@ public class DatabaseUpdater implements CachedWebDataSource {
|
||||
try {
|
||||
currentTimestamp = Long.parseLong(prop.getProperty(LAST_UPDATED_BASE + String.valueOf(i), "0"));
|
||||
} catch (NumberFormatException ex) {
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINEST, "Error parsing " + LAST_UPDATED_BASE
|
||||
+ String.valueOf(i) + " from nvdcve.lastupdated", ex);
|
||||
final String msg = String.format("Error parsing '%s' '%s' from nvdcve.lastupdated", LAST_UPDATED_BASE, String.valueOf(i));
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINEST, msg, ex);
|
||||
}
|
||||
if (currentTimestamp == cve.getTimestamp()) {
|
||||
cve.setNeedsUpdate(false); //they default to true.
|
||||
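Review bot: The rewritten FINEST message splits the property key into two quoted tokens, `'%s' '%s'`, whereas the removed version concatenated `LAST_UPDATED_BASE + i` into the single key that was actually looked up, so the new log line no longer shows the real key name. Keep the format but join the pieces: `final String msg = String.format("Error parsing '%s%s' from nvdcve.lastupdated", LAST_UPDATED_BASE, i);` (the explicit `String.valueOf(i)` is unnecessary with `%s`). On a parse failure `currentTimestamp` keeps whatever value it had before the try, which is declared outside the hunk; a short comment on the catch noting that the entry is then treated by the comparison below would help. The enclosing method starts outside the hunk.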
@@ -398,7 +393,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
|
||||
try {
|
||||
is.close();
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINEST, null, ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -172,7 +172,8 @@ public class NvdCve20Handler extends DefaultHandler {
|
||||
final float score = Float.parseFloat(nodeText.toString());
|
||||
vulnerability.setCvssScore(score);
|
||||
} catch (NumberFormatException ex) {
|
||||
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, "Error parsing CVSS Score.");
|
||||
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.FINE, null, ex);
|
||||
}
|
||||
nodeText = null;
|
||||
} else if (current.isCVSSAccessVectorNode()) {
|
||||
|
||||
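Review bot: The new SEVERE message "Error parsing CVSS Score." gives the operator nothing to act on, while the value that failed is right there in `nodeText`; include it, e.g. `Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, String.format("Error parsing CVSS Score '%s'.", nodeText));`. Because `vulnerability.setCvssScore(score)` sits inside the try after the parse, a NumberFormatException leaves the vulnerability with no score set and processing continues; a comment on the catch stating that this is intentional (the entry is kept without a CVSS score) would document the contract. The enclosing method starts outside the hunk.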
@@ -427,9 +427,13 @@ public class Dependency implements Comparable<Dependency> {
|
||||
md5 = Checksum.getMD5Checksum(file);
|
||||
sha1 = Checksum.getSHA1Checksum(file);
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(Dependency.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = String.format("Unable to read '%s' to determine hashes.", file.getName());
|
||||
Logger.getLogger(Dependency.class.getName()).log(Level.WARNING, msg);
|
||||
Logger.getLogger(Dependency.class.getName()).log(Level.FINE, null, ex);
|
||||
} catch (NoSuchAlgorithmException ex) {
|
||||
Logger.getLogger(Dependency.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = "Unable to use MD5 of SHA1 checksums.";
|
||||
Logger.getLogger(Dependency.class.getName()).log(Level.WARNING, msg);
|
||||
Logger.getLogger(Dependency.class.getName()).log(Level.FINE, null, ex);
|
||||
}
|
||||
this.setMd5sum(md5);
|
||||
this.setSha1sum(sha1);
|
||||
|
||||
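Review bot: The new warning "Unable to use MD5 of SHA1 checksums." should read "MD5 or SHA1": `final String msg = "Unable to use MD5 or SHA1 checksums.";`. In both catch paths the code still falls through to `this.setMd5sum(md5)` and `this.setSha1sum(sha1)`, so whatever `md5`/`sha1` held before the try (declared outside the hunk, presumably null) is stored and any later hash-based lookup for this dependency silently finds nothing; the warning is the only trace of that, so it is worth keeping at WARNING as done here and adding a comment on the setters that the hashes may be unset. The enclosing method starts outside the hunk.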
@@ -46,7 +46,9 @@ public class VulnerableSoftware extends Entry implements Serializable, Comparabl
|
||||
try {
|
||||
parseName(cpe);
|
||||
} catch (UnsupportedEncodingException ex) {
|
||||
Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = String.format("Character encoding is unsupported for CPE '%s'.", cpe);
|
||||
Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.WARNING, msg);
|
||||
Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.FINE, null, ex);
|
||||
setName(cpe);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -194,7 +194,9 @@ public class ReportGenerator {
|
||||
templatePath = templateName;
|
||||
input = new FileInputStream(f);
|
||||
} catch (FileNotFoundException ex) {
|
||||
Logger.getLogger(ReportGenerator.class.getName()).log(Level.SEVERE, null, ex);
|
||||
final String msg = "Unable to generate the report, the report template file could not be found.";
|
||||
Logger.getLogger(ReportGenerator.class.getName()).log(Level.SEVERE, msg);
|
||||
Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINE, null, ex);
|
||||
}
|
||||
} else {
|
||||
templatePath = "templates/" + templateName + ".vsl";
|
||||
|
||||
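Review bot: The new catch body logs the missing template and then lets execution continue, so `input` retains whatever value it had before the try (assigned outside the hunk, presumably null) and the report generation presumably proceeds until something else fails on it. If that is intended, a comment on the catch saying so would help; otherwise rethrowing or returning after the log, e.g. `throw new FileNotFoundException(msg);` wrapped as the surrounding method allows, makes the failure visible at the call site rather than later. The enclosing method starts and ends outside the hunk.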
@@ -51,7 +51,7 @@ public class Checksum {
|
||||
try {
|
||||
fis.close();
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(Checksum.class.getName()).log(Level.SEVERE, null, ex);
|
||||
Logger.getLogger(Checksum.class.getName()).log(Level.FINEST, "Error closing file '" + file.getName() + "'.", ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -37,19 +37,19 @@ public final class Settings {
|
||||
* The collection of keys used within the properties file.
|
||||
*/
|
||||
public static final class KEYS {
|
||||
|
||||
/**
|
||||
* private constructor because this is a "utility" class containing constants
|
||||
* private constructor because this is a "utility" class containing
|
||||
* constants
|
||||
*/
|
||||
private KEYS() {
|
||||
//do nothing
|
||||
}
|
||||
|
||||
/**
|
||||
* The properties key indicating whether or not the cached data sources
|
||||
* should be updated.
|
||||
*/
|
||||
public static final String AUTO_UPDATE = "autoupdate";
|
||||
|
||||
/**
|
||||
* The properties key for the path where the CPE Lucene Index will be
|
||||
* stored.
|
||||
@@ -107,8 +107,6 @@ public final class Settings {
|
||||
* The properties key for the CVE schema version 2.0.
|
||||
*/
|
||||
public static final String CVE_SCHEMA_2_0 = "2.0.";
|
||||
|
||||
|
||||
/**
|
||||
* The properties key for the proxy url.
|
||||
*/
|
||||
@@ -126,6 +124,10 @@ public final class Settings {
|
||||
* The properties key indicating a deep scan should be performed.
|
||||
*/
|
||||
public static final String PERFORM_DEEP_SCAN = "perform.deepscan";
|
||||
/**
|
||||
* The location of the temporary directory.
|
||||
*/
|
||||
public static final String TEMP_DIRECTORY = "temp.directory";
|
||||
}
|
||||
/**
|
||||
* The properties file location.
|
||||
@@ -150,24 +152,26 @@ public final class Settings {
|
||||
try {
|
||||
props.load(in);
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(Settings.class.getName()).log(Level.SEVERE, "Unable to load default settings.", ex);
|
||||
Logger.getLogger(Settings.class.getName()).log(Level.SEVERE, "Unable to load default settings.");
|
||||
Logger.getLogger(Settings.class.getName()).log(Level.FINE, null, ex);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets a property value.
|
||||
*
|
||||
* @param key the key for the property.
|
||||
* @param value the value for the property.
|
||||
* @param key the key for the property
|
||||
* @param value the value for the property
|
||||
*/
|
||||
public static void setString(String key, String value) {
|
||||
INSTANCE.props.setProperty(key, value);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets a property value.
|
||||
*
|
||||
* @param key the key for the property.
|
||||
* @param value the value for the property.
|
||||
* @param key the key for the property
|
||||
* @param value the value for the property
|
||||
*/
|
||||
public static void setBoolean(String key, boolean value) {
|
||||
if (value) {
|
||||
@@ -185,9 +189,9 @@ public final class Settings {
|
||||
*
|
||||
* @param filePath the path to the properties file to merge.
|
||||
* @throws FileNotFoundException is thrown when the filePath points to a
|
||||
* non-existent file.
|
||||
* non-existent file
|
||||
* @throws IOException is thrown when there is an exception loading/merging
|
||||
* the properties.
|
||||
* the properties
|
||||
*/
|
||||
public static void mergeProperties(String filePath) throws FileNotFoundException, IOException {
|
||||
final FileInputStream fis = new FileInputStream(filePath);
|
||||
@@ -200,7 +204,7 @@ public final class Settings {
|
||||
* Note: even if using this method - system properties will be loaded before
|
||||
* properties loaded from files.
|
||||
*
|
||||
* @param stream an Input Stream pointing at a properties file to merge.
|
||||
* @param stream an Input Stream pointing at a properties file to merge
|
||||
* @throws IOException is thrown when there is an exception loading/merging
|
||||
* the properties
|
||||
*/
|
||||
@@ -214,9 +218,9 @@ public final class Settings {
|
||||
* will return the value from the system properties before the values in the
|
||||
* contained configuration file.
|
||||
*
|
||||
* @param key the key to lookup within the properties file.
|
||||
* @param defaultValue the default value for the requested property.
|
||||
* @return the property from the properties file.
|
||||
* @param key the key to lookup within the properties file
|
||||
* @param defaultValue the default value for the requested property
|
||||
* @return the property from the properties file
|
||||
*/
|
||||
public static String getString(String key, String defaultValue) {
|
||||
String str = System.getProperty(key, INSTANCE.props.getProperty(key));
|
||||
@@ -232,8 +236,8 @@ public final class Settings {
|
||||
* will return the value from the system properties before the values in the
|
||||
* contained configuration file.
|
||||
*
|
||||
* @param key the key to lookup within the properties file.
|
||||
* @return the property from the properties file.
|
||||
* @param key the key to lookup within the properties file
|
||||
* @return the property from the properties file
|
||||
*/
|
||||
public static String getString(String key) {
|
||||
return System.getProperty(key, INSTANCE.props.getProperty(key));
|
||||
@@ -245,10 +249,10 @@ public final class Settings {
|
||||
* method will return the value from the system properties before the values
|
||||
* in the contained configuration file.
|
||||
*
|
||||
* @param key the key to lookup within the properties file.
|
||||
* @return the property from the properties file.
|
||||
* @param key the key to lookup within the properties file
|
||||
* @return the property from the properties file
|
||||
* @throws InvalidSettingException is thrown if there is an error retrieving
|
||||
* the setting.
|
||||
* the setting
|
||||
*/
|
||||
public static int getInt(String key) throws InvalidSettingException {
|
||||
int value;
|
||||
@@ -260,16 +264,39 @@ public final class Settings {
|
||||
return value;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns an int value from the properties file. If the value was specified
|
||||
* as a system property or passed in via the -Dprop=value argument - this
|
||||
* method will return the value from the system properties before the values
|
||||
* in the contained configuration file.
|
||||
*
|
||||
* @param key the key to lookup within the properties file
|
||||
* @param defaultValue the default value to return
|
||||
* @return the property from the properties file or the defaultValue if the
|
||||
* property does not exist or cannot be converted to an integer
|
||||
*/
|
||||
public static int getInt(String key, int defaultValue) {
|
||||
int value;
|
||||
try {
|
||||
value = Integer.parseInt(Settings.getString(key));
|
||||
} catch (NumberFormatException ex) {
|
||||
final String msg = String.format("Could not convert property '%s' to an int.", key);
|
||||
Logger.getLogger(Settings.class.getName()).log(Level.FINEST, msg, ex);
|
||||
value = defaultValue;
|
||||
}
|
||||
return value;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a long value from the properties file. If the value was specified
|
||||
* as a system property or passed in via the -Dprop=value argument - this
|
||||
* method will return the value from the system properties before the values
|
||||
* in the contained configuration file.
|
||||
*
|
||||
* @param key the key to lookup within the properties file.
|
||||
* @return the property from the properties file.
|
||||
* @param key the key to lookup within the properties file
|
||||
* @return the property from the properties file
|
||||
* @throws InvalidSettingException is thrown if there is an error retrieving
|
||||
* the setting.
|
||||
* the setting
|
||||
*/
|
||||
public static long getLong(String key) throws InvalidSettingException {
|
||||
long value;
|
||||
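Review bot: The new `getInt(String key, int defaultValue)` relies on a non-obvious detail: an absent key makes `Settings.getString(key)` return null, and `Integer.parseInt(null)` throws NumberFormatException, which is what routes the missing-key case to `defaultValue` as the Javadoc promises. A comment on the `value = Integer.parseInt(Settings.getString(key));` line such as `// an absent key yields null here; parseInt(null) throws NumberFormatException, so the default applies in both cases` would keep a future refactor from breaking that promise. The debug record at FINEST also cannot distinguish "not set" from "set to garbage"; if that matters for diagnosing bad configuration, log the offending string as well.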
@@ -283,14 +310,15 @@ public final class Settings {
|
||||
|
||||
/**
|
||||
* Returns a boolean value from the properties file. If the value was
|
||||
* specified as a system property or passed in via the -Dprop=value argument
|
||||
* - this method will return the value from the system properties before the
|
||||
* values in the contained configuration file.
|
||||
* specified as a system property or passed in via the
|
||||
* <code>-Dprop=value</code> argument this method will return the value from
|
||||
* the system properties before the values in the contained configuration
|
||||
* file.
|
||||
*
|
||||
* @param key the key to lookup within the properties file.
|
||||
* @return the property from the properties file.
|
||||
* @param key the key to lookup within the properties file
|
||||
* @return the property from the properties file
|
||||
* @throws InvalidSettingException is thrown if there is an error retrieving
|
||||
* the setting.
|
||||
* the setting
|
||||
*/
|
||||
public static boolean getBoolean(String key) throws InvalidSettingException {
|
||||
boolean value;
|
||||
|
||||
@@ -2,6 +2,9 @@ application.name=${pom.name}
|
||||
application.version=${pom.version}
|
||||
autoupdate=true
|
||||
|
||||
#temp.directory defaults to System.getProperty("java.io.tmpdir")
|
||||
#temp.directory=[path to temp directory]
|
||||
|
||||
# the path to the lucene index to store the cpe data
|
||||
cpe=data/cpe
|
||||
# the path to the cpe xml file
|
||||
|
||||
@@ -5,13 +5,13 @@ handlers=java.util.logging.ConsoleHandler
|
||||
# FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE.
|
||||
|
||||
# Configure the ConsoleHandler.
|
||||
java.util.logging.ConsoleHandler.level=WARNING
|
||||
java.util.logging.ConsoleHandler.level=INFO
|
||||
|
||||
org.owasp.dependencycheck.data.nvdcve.xml
|
||||
|
||||
# Configure the FileHandler.
|
||||
#java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
|
||||
#java.util.logging.FileHandler.level=FINEST
|
||||
java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
|
||||
java.util.logging.FileHandler.level=FINE
|
||||
|
||||
# The following special tokens can be used in the pattern property
|
||||
# which specifies the location and name of the log file.
|
||||
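Review bot: The uncommented `java.util.logging.FileHandler.formatter` and `java.util.logging.FileHandler.level=FINE` lines have no effect on their own: the hunk header shows `handlers=java.util.logging.ConsoleHandler`, and a JUL FileHandler is only created when it is listed there, so unless a later line in this file extends `handlers` the FINE records that this commit moves the exception detail into are written nowhere. If a file log is intended, the change needs `handlers=java.util.logging.ConsoleHandler, java.util.logging.FileHandler` as well, and the `./logs/DependencyCheck.log` pattern enabled in the next hunk of this file requires the `logs` directory to exist, since FileHandler does not create it. The context line `org.owasp.dependencycheck.data.nvdcve.xml` is a bare key with no `.level=` suffix and no value; it predates this commit but is worth fixing while this file is being touched.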
@@ -21,4 +21,4 @@ org.owasp.dependencycheck.data.nvdcve.xml
|
||||
# %g - generation number for rotating logs
|
||||
# %u - unique number to avoid conflicts
|
||||
# FileHandler writes to %h/demo0.log by default.
|
||||
#java.util.logging.FileHandler.pattern=./logs/DependencyCheck%u.log
|
||||
java.util.logging.FileHandler.pattern=./logs/DependencyCheck.log
|
||||
@@ -116,7 +116,7 @@ public class FileNameAnalyzerTest {
|
||||
* Test of initialize method, of class FileNameAnalyzer.
|
||||
*/
|
||||
@Test
|
||||
public void testInitialize() {
|
||||
public void testInitialize() throws Exception {
|
||||
FileNameAnalyzer instance = new FileNameAnalyzer();
|
||||
instance.initialize();
|
||||
assertTrue(true); //initialize does nothing.
|
||||
@@ -126,7 +126,7 @@ public class FileNameAnalyzerTest {
|
||||
* Test of close method, of class FileNameAnalyzer.
|
||||
*/
|
||||
@Test
|
||||
public void testClose() {
|
||||
public void testClose() throws Exception {
|
||||
FileNameAnalyzer instance = new FileNameAnalyzer();
|
||||
instance.close();
|
||||
assertTrue(true); //close does nothing.
|
||||
|
||||