Coverage Report - org.owasp.dependencycheck.analyzer.NvdCveAnalyzer
 
Classes in this File Line Coverage Branch Coverage Complexity
NvdCveAnalyzer
54%
27/50
50%
6/12
2.889
 
 1   
 /*
 2   
  * This file is part of dependency-check-core.
 3   
  *
 4   
  * Licensed under the Apache License, Version 2.0 (the "License");
 5   
  * you may not use this file except in compliance with the License.
 6   
  * You may obtain a copy of the License at
 7   
  *
 8   
  *     http://www.apache.org/licenses/LICENSE-2.0
 9   
  *
 10   
  * Unless required by applicable law or agreed to in writing, software
 11   
  * distributed under the License is distributed on an "AS IS" BASIS,
 12   
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13   
  * See the License for the specific language governing permissions and
 14   
  * limitations under the License.
 15   
  *
 16   
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 17   
  */
 18   
 package org.owasp.dependencycheck.analyzer;
 19   
 
 20   
 import java.io.IOException;
 21   
 import java.sql.SQLException;
 22   
 import java.util.List;
 23   
 import org.owasp.dependencycheck.Engine;
 24   
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 25   
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 26   
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 27   
 import org.owasp.dependencycheck.dependency.Dependency;
 28   
 import org.owasp.dependencycheck.dependency.Identifier;
 29   
 import org.owasp.dependencycheck.dependency.Vulnerability;
 30   
 import org.owasp.dependencycheck.exception.InitializationException;
 31   
 import org.owasp.dependencycheck.utils.Settings;
 32   
 import org.slf4j.LoggerFactory;
 33   
 
 34   
 /**
 35   
  * NvdCveAnalyzer is a utility class that takes a project dependency and
 36   
  * attempts to discern if there is an associated CVEs. It uses the the
 37   
  * identifiers found by other analyzers to lookup the CVE data.
 38   
  *
 39   
  * @author Jeremy Long
 40   
  */
 41  8 
 public class NvdCveAnalyzer extends AbstractAnalyzer {
 42   
 
 43   
     /**
 44   
      * The Logger for use throughout the class
 45   
      */
 46  1 
     private static final org.slf4j.Logger LOGGER = LoggerFactory.getLogger(NvdCveAnalyzer.class);
 47   
     /**
 48   
      * The maximum number of query results to return.
 49   
      */
 50   
     static final int MAX_QUERY_RESULTS = 100;
 51   
     /**
 52   
      * The CVE Index.
 53   
      */
 54   
     private CveDB cveDB;
 55   
 
 56   
     /**
 57   
      * Opens the data source.
 58   
      *
 59   
      * @throws SQLException thrown when there is a SQL Exception
 60   
      * @throws IOException thrown when there is an IO Exception
 61   
      * @throws DatabaseException thrown when there is a database exceptions
 62   
      * @throws ClassNotFoundException thrown if the h2 database driver cannot be
 63   
      * loaded
 64   
      */
 65   
     public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
 66  2 
         cveDB = new CveDB();
 67  2 
         cveDB.open();
 68  2 
     }
 69   
 
 70   
     /**
 71   
      * Closes the data source.
 72   
      */
 73   
     @Override
 74   
     public void closeAnalyzer() {
 75  2 
         cveDB.close();
 76  2 
         cveDB = null;
 77  2 
     }
 78   
 
 79   
     /**
 80   
      * Returns the status of the data source - is the database open.
 81   
      *
 82   
      * @return true or false.
 83   
      */
 84   
     public boolean isOpen() {
 85  6 
         return cveDB != null;
 86   
     }
 87   
 
 88   
     /**
 89   
      * Ensures that the CVE Database is closed.
 90   
      *
 91   
      * @throws Throwable an exception raised by this method
 92   
      */
 93   
     @Override
 94   
     protected void finalize() throws Throwable {
 95  6 
         super.finalize();
 96  6 
         if (isOpen()) {
 97  0 
             close();
 98   
         }
 99  6 
     }
 100   
 
 101   
     /**
 102   
      * Analyzes a dependency and attempts to determine if there are any CPE
 103   
      * identifiers for this dependency.
 104   
      *
 105   
      * @param dependency The Dependency to analyze
 106   
      * @param engine The analysis engine
 107   
      * @throws AnalysisException thrown if there is an issue analyzing the
 108   
      * dependency
 109   
      */
 110   
     @Override
 111   
     protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
 112  4 
         for (Identifier id : dependency.getIdentifiers()) {
 113  4 
             if ("cpe".equals(id.getType())) {
 114   
                 try {
 115  4 
                     final String value = id.getValue();
 116  4 
                     final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
 117  4 
                     dependency.getVulnerabilities().addAll(vulns);
 118  0 
                 } catch (DatabaseException ex) {
 119  0 
                     throw new AnalysisException(ex);
 120  4 
                 }
 121   
             }
 122  4 
         }
 123  4 
         for (Identifier id : dependency.getSuppressedIdentifiers()) {
 124  0 
             if ("cpe".equals(id.getType())) {
 125   
                 try {
 126  0 
                     final String value = id.getValue();
 127  0 
                     final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
 128  0 
                     dependency.getSuppressedVulnerabilities().addAll(vulns);
 129  0 
                 } catch (DatabaseException ex) {
 130  0 
                     throw new AnalysisException(ex);
 131  0 
                 }
 132   
             }
 133  0 
         }
 134  4 
     }
 135   
 
 136   
     /**
 137   
      * Returns the name of this analyzer.
 138   
      *
 139   
      * @return the name of this analyzer.
 140   
      */
 141   
     @Override
 142   
     public String getName() {
 143  26 
         return "NVD CVE Analyzer";
 144   
     }
 145   
 
 146   
     /**
 147   
      * Returns the analysis phase that this analyzer should run in.
 148   
      *
 149   
      * @return the analysis phase that this analyzer should run in.
 150   
      */
 151   
     @Override
 152   
     public AnalysisPhase getAnalysisPhase() {
 153  6 
         return AnalysisPhase.FINDING_ANALYSIS;
 154   
     }
 155   
 
 156   
     /**
 157   
      * <p>
 158   
      * Returns the setting key to determine if the analyzer is enabled.</p>
 159   
      *
 160   
      * @return the key for the analyzer's enabled property
 161   
      */
 162   
     @Override
 163   
     protected String getAnalyzerEnabledSettingKey() {
 164  2 
         return Settings.KEYS.ANALYZER_NVD_CVE_ENABLED;
 165   
     }
 166   
 
 167   
     /**
 168   
      * Opens the database used to gather NVD CVE data.
 169   
      *
 170   
      * @throws InitializationException is thrown if there is an issue opening
 171   
      * the index.
 172   
      */
 173   
     @Override
 174   
     public void initializeAnalyzer() throws InitializationException {
 175   
         try {
 176  2 
             this.open();
 177  0 
         } catch (SQLException ex) {
 178  0 
             LOGGER.debug("SQL Exception initializing NvdCveAnalyzer", ex);
 179  0 
             throw new InitializationException(ex);
 180  0 
         } catch (IOException ex) {
 181  0 
             LOGGER.debug("IO Exception initializing NvdCveAnalyzer", ex);
 182  0 
             throw new InitializationException(ex);
 183  0 
         } catch (DatabaseException ex) {
 184  0 
             LOGGER.debug("Database Exception initializing NvdCveAnalyzer", ex);
 185  0 
             throw new InitializationException(ex);
 186  0 
         } catch (ClassNotFoundException ex) {
 187  0 
             LOGGER.debug("Exception initializing NvdCveAnalyzer", ex);
 188  0 
             throw new InitializationException(ex);
 189  2 
         }
 190  2 
     }
 191   
 }
Report generated by Cobertura 2.1.1 on 1/22/17 4:19 PM.