View Javadoc
1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import org.apache.commons.io.FileUtils;
21  import org.owasp.dependencycheck.Engine;
22  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
23  import org.owasp.dependencycheck.data.central.CentralSearch;
24  import org.owasp.dependencycheck.data.nexus.MavenArtifact;
25  import org.owasp.dependencycheck.dependency.Confidence;
26  import org.owasp.dependencycheck.dependency.Dependency;
27  import org.owasp.dependencycheck.dependency.Evidence;
28  import org.owasp.dependencycheck.xml.pom.PomUtils;
29  import org.slf4j.Logger;
30  import org.slf4j.LoggerFactory;
31  
32  import java.io.File;
33  import java.io.FileFilter;
34  import java.io.FileNotFoundException;
35  import java.io.IOException;
36  import java.net.MalformedURLException;
37  import java.net.URL;
38  import java.util.List;
39  import org.owasp.dependencycheck.exception.InitializationException;
40  import org.owasp.dependencycheck.utils.DownloadFailedException;
41  import org.owasp.dependencycheck.utils.Downloader;
42  import org.owasp.dependencycheck.utils.FileFilterBuilder;
43  import org.owasp.dependencycheck.utils.InvalidSettingException;
44  import org.owasp.dependencycheck.utils.Settings;
45  
46  /**
47   * Analyzer which will attempt to locate a dependency, and the GAV information,
48   * by querying Central for the dependency's SHA-1 digest.
49   *
50   * @author colezlaw
51   */
52  public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
53  
54      /**
55       * The logger.
56       */
57      private static final Logger LOGGER = LoggerFactory.getLogger(CentralAnalyzer.class);
58  
59      /**
60       * The name of the analyzer.
61       */
62      private static final String ANALYZER_NAME = "Central Analyzer";
63  
64      /**
65       * The phase in which this analyzer runs.
66       */
67      private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
68  
69      /**
70       * The types of files on which this will work.
71       */
72      private static final String SUPPORTED_EXTENSIONS = "jar";
73  
74      /**
75       * The analyzer should be disabled if there are errors, so this is a flag to
76       * determine if such an error has occurred.
77       */
78      private volatile boolean errorFlag = false;
79  
80      /**
81       * The searcher itself.
82       */
83      private CentralSearch searcher;
84      /**
85       * Field indicating if the analyzer is enabled.
86       */
87      private final boolean enabled = checkEnabled();
88  
89      /**
90       * Determine whether to enable this analyzer or not.
91       *
92       * @return whether the analyzer should be enabled
93       */
94      @Override
95      public boolean isEnabled() {
96          return enabled;
97      }
98  
99      /**
100      * Determines if this analyzer is enabled.
101      *
102      * @return <code>true</code> if the analyzer is enabled; otherwise
103      * <code>false</code>
104      */
105     private boolean checkEnabled() {
106         boolean retval = false;
107 
108         try {
109             if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
110                 if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
111                         || NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
112                     LOGGER.debug("Enabling the Central analyzer");
113                     retval = true;
114                 } else {
115                     LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
116                 }
117             } else {
118                 LOGGER.info("Central analyzer disabled");
119             }
120         } catch (InvalidSettingException ise) {
121             LOGGER.warn("Invalid setting. Disabling the Central analyzer");
122         }
123         return retval;
124     }
125 
126     /**
127      * Initializes the analyzer once before any analysis is performed.
128      *
129      * @throws InitializationException if there's an error during initialization
130      */
131     @Override
132     public void initializeFileTypeAnalyzer() throws InitializationException {
133         LOGGER.debug("Initializing Central analyzer");
134         LOGGER.debug("Central analyzer enabled: {}", isEnabled());
135         if (isEnabled()) {
136             final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
137             LOGGER.debug("Central Analyzer URL: {}", searchUrl);
138             try {
139                 searcher = new CentralSearch(new URL(searchUrl));
140             } catch (MalformedURLException ex) {
141                 setEnabled(false);
142                 throw new InitializationException("The configured URL to Maven Central is malformed: " + searchUrl, ex);
143             }
144         }
145     }
146 
147     /**
148      * Returns the analyzer's name.
149      *
150      * @return the name of the analyzer
151      */
152     @Override
153     public String getName() {
154         return ANALYZER_NAME;
155     }
156 
157     /**
158      * Returns the key used in the properties file to to reference the
159      * analyzer's enabled property.
160      *
161      * @return the analyzer's enabled property setting key.
162      */
163     @Override
164     protected String getAnalyzerEnabledSettingKey() {
165         return Settings.KEYS.ANALYZER_CENTRAL_ENABLED;
166     }
167 
168     /**
169      * Returns the analysis phase under which the analyzer runs.
170      *
171      * @return the phase under which the analyzer runs
172      */
173     @Override
174     public AnalysisPhase getAnalysisPhase() {
175         return ANALYSIS_PHASE;
176     }
177 
178     /**
179      * The file filter used to determine which files this analyzer supports.
180      */
181     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
182 
183     @Override
184     protected FileFilter getFileFilter() {
185         return FILTER;
186     }
187 
188     /**
189      * Performs the analysis.
190      *
191      * @param dependency the dependency to analyze
192      * @param engine the engine
193      * @throws AnalysisException when there's an exception during analysis
194      */
195     @Override
196     public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
197         if (errorFlag || !isEnabled()) {
198             return;
199         }
200 
201         try {
202             final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
203             final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
204             for (MavenArtifact ma : mas) {
205                 LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma, dependency.getFileName());
206                 dependency.addAsEvidence("central", ma, confidence);
207                 boolean pomAnalyzed = false;
208                 for (Evidence e : dependency.getVendorEvidence()) {
209                     if ("pom".equals(e.getSource())) {
210                         pomAnalyzed = true;
211                         break;
212                     }
213                 }
214                 if (!pomAnalyzed && ma.getPomUrl() != null) {
215                     File pomFile = null;
216                     try {
217                         final File baseDir = Settings.getTempDirectory();
218                         pomFile = File.createTempFile("pom", ".xml", baseDir);
219                         if (!pomFile.delete()) {
220                             LOGGER.warn("Unable to fetch pom.xml for {} from Central; "
221                                     + "this could result in undetected CPE/CVEs.", dependency.getFileName());
222                             LOGGER.debug("Unable to delete temp file");
223                         }
224                         LOGGER.debug("Downloading {}", ma.getPomUrl());
225                         Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
226                         PomUtils.analyzePOM(dependency, pomFile);
227 
228                     } catch (DownloadFailedException ex) {
229                         LOGGER.warn("Unable to download pom.xml for {} from Central; "
230                                 + "this could result in undetected CPE/CVEs.", dependency.getFileName());
231                     } finally {
232                         if (pomFile != null && pomFile.exists() && !FileUtils.deleteQuietly(pomFile)) {
233                             LOGGER.debug("Failed to delete temporary pom file {}", pomFile.toString());
234                             pomFile.deleteOnExit();
235                         }
236                     }
237                 }
238 
239             }
240         } catch (IllegalArgumentException iae) {
241             LOGGER.info("invalid sha1-hash on {}", dependency.getFileName());
242         } catch (FileNotFoundException fnfe) {
243             LOGGER.debug("Artifact not found in repository: '{}", dependency.getFileName());
244         } catch (IOException ioe) {
245             LOGGER.debug("Could not connect to Central search", ioe);
246             errorFlag = true;
247         }
248     }
249 }