1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
21  import org.owasp.dependencycheck.Engine;
22  import org.owasp.dependencycheck.dependency.Dependency;
23  import org.owasp.dependencycheck.utils.Settings;
24  import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
25  
26  /**
27   * The suppression analyzer processes an externally defined XML document that
28   * complies with the suppressions.xsd schema. Any identified Vulnerability
29   * entries within the dependencies that match will be removed.
30   *
31   * @author Jeremy Long
32   */
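public class VulnerabilitySuppressionAnalyzer extends AbstractSuppressionAnalyzer {

    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer, as reported through {@link #getName()}.
     */
    private static final String ANALYZER_NAME = "Vulnerability Suppression Analyzer";
    /**
     * The phase that this analyzer is intended to run in. It runs after the
     * finding phases so that the vulnerabilities it is meant to suppress have
     * already been attached to the dependencies.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_FINDING_ANALYSIS;

    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }

    /**
     * <p>
     * Returns the setting key to determine if the analyzer is enabled.</p>
     *
     * @return the key for the analyzer's enabled property
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED;
    }
    //</editor-fold>

    /**
     * Analyzes a dependency's vulnerabilities against the configured CVE
     * suppressions by applying every loaded {@link SuppressionRule} to the
     * dependency in order. When no rules have been loaded the dependency is
     * left untouched.
     *
     * <p>
     * Every rule is applied unconditionally; there is no per-rule gating here.
     * Because matching rules remove findings from the results, the suppression
     * document the rules were loaded from should be treated as trusted,
     * reviewed input.</p>
     *
     * @param dependency the dependency being analyzed
     * @param engine a reference to the engine orchestrating the analysis
     * @throws AnalysisException thrown if there is an error during analysis
     */
    @Override
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {

        // Nothing to do when no suppression rules were loaded; getRules() may
        // legitimately return null before any suppression file has been parsed.
        if (getRules() == null || getRules().isEmpty()) {
            return;
        }

        for (final SuppressionRule rule : getRules()) {
            // Each rule is expected to drop the dependency's vulnerabilities
            // that it matches (see SuppressionRule.process).
            rule.process(dependency);
        }
    }
}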
96  }