Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.NvdCveAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

NvdCveAnalyzer

68%

24/35

50%

6/12

2.125

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 
 /**
  * NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated
  * CVEs. It uses the the identifiers found by other analyzers to lookup the CVE data.
  *
  * @author Jeremy Long
  */
 public class NvdCveAnalyzer implements Analyzer {
 
     /**
      * The maximum number of query results to return.
      */
     static final int MAX_QUERY_RESULTS = 100;
     /**
      * The CVE Index.
      */
     private CveDB cveDB;
 
     /**
      * Opens the data source.
      *
      * @throws SQLException thrown when there is a SQL Exception
      * @throws IOException thrown when there is an IO Exception
      * @throws DatabaseException thrown when there is a database exceptions
      * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
      */
     public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
         cveDB = new CveDB();
         cveDB.open();
     }
 
     /**
      * Closes the data source.
      */
     @Override
     public void close() {
         cveDB.close();
         cveDB = null;
     }
 
     /**
      * Returns the status of the data source - is the database open.
      *
      * @return true or false.
      */
     public boolean isOpen() {
         return (cveDB != null);
     }
 
     /**
      * Ensures that the CVE Database is closed.
      *
      * @throws Throwable when a throwable is thrown.
      */
     @Override
     protected void finalize() throws Throwable {
         super.finalize();
         if (isOpen()) {
             close();
         }
     }
 
     /**
      * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
      *
      * @param dependency The Dependency to analyze
      * @param engine The analysis engine
      * @throws AnalysisException is thrown if there is an issue analyzing the dependency
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         for (Identifier id : dependency.getIdentifiers()) {
             if ("cpe".equals(id.getType())) {
                 try {
                     final String value = id.getValue();
                     final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
                     dependency.getVulnerabilities().addAll(vulns);
                 } catch (DatabaseException ex) {
                     throw new AnalysisException(ex);
                 }
             }
         }
         for (Identifier id : dependency.getSuppressedIdentifiers()) {
             if ("cpe".equals(id.getType())) {
                 try {
                     final String value = id.getValue();
                     final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
                     dependency.getSuppressedVulnerabilities().addAll(vulns);
                 } catch (DatabaseException ex) {
                     throw new AnalysisException(ex);
                 }
             }
         }
     }
 
     /**
      * Returns the name of this analyzer.
      *
      * @return the name of this analyzer.
      */
     @Override
     public String getName() {
         return "NVD CVE Analyzer";
     }
 
     /**
      * Returns the analysis phase that this analyzer should run in.
      *
      * @return the analysis phase that this analyzer should run in.
      */
     @Override
     public AnalysisPhase getAnalysisPhase() {
         return AnalysisPhase.FINDING_ANALYSIS;
     }
 
     /**
      * Opens the database used to gather NVD CVE data.
      *
      * @throws Exception is thrown if there is an issue opening the index.
      */
     @Override
     public void initialize() throws Exception {
         this.open();
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import java.io.IOException;
21		import java.sql.SQLException;
22		import java.util.List;
23		import org.owasp.dependencycheck.Engine;
24		import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
25		import org.owasp.dependencycheck.data.nvdcve.CveDB;
26		import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
27		import org.owasp.dependencycheck.dependency.Dependency;
28		import org.owasp.dependencycheck.dependency.Identifier;
29		import org.owasp.dependencycheck.dependency.Vulnerability;
30
31		/**
32		* NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated
33		* CVEs. It uses the the identifiers found by other analyzers to lookup the CVE data.
34		*
35		* @author Jeremy Long
36		*/
37	4	public class NvdCveAnalyzer implements Analyzer {
38
39		/**
40		* The maximum number of query results to return.
41		*/
42		static final int MAX_QUERY_RESULTS = 100;
43		/**
44		* The CVE Index.
45		*/
46		private CveDB cveDB;
47
48		/**
49		* Opens the data source.
50		*
51		* @throws SQLException thrown when there is a SQL Exception
52		* @throws IOException thrown when there is an IO Exception
53		* @throws DatabaseException thrown when there is a database exceptions
54		* @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
55		*/
56		public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
57	1	cveDB = new CveDB();
58	1	cveDB.open();
59	1	}
60
61		/**
62		* Closes the data source.
63		*/
64		@Override
65		public void close() {
66	1	cveDB.close();
67	1	cveDB = null;
68	1	}
69
70		/**
71		* Returns the status of the data source - is the database open.
72		*
73		* @return true or false.
74		*/
75		public boolean isOpen() {
76	3	return (cveDB != null);
77		}
78
79		/**
80		* Ensures that the CVE Database is closed.
81		*
82		* @throws Throwable when a throwable is thrown.
83		*/
84		@Override
85		protected void finalize() throws Throwable {
86	3	super.finalize();
87	3	if (isOpen()) {
88	0	close();
89		}
90	3	}
91
92		/**
93		* Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
94		*
95		* @param dependency The Dependency to analyze
96		* @param engine The analysis engine
97		* @throws AnalysisException is thrown if there is an issue analyzing the dependency
98		*/
99		@Override
100		public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
101	2	for (Identifier id : dependency.getIdentifiers()) {
102	3	if ("cpe".equals(id.getType())) {
103		try {
104	3	final String value = id.getValue();
105	3	final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
106	3	dependency.getVulnerabilities().addAll(vulns);
107	0	} catch (DatabaseException ex) {
108	0	throw new AnalysisException(ex);
109	3	}
110		}
111	3	}
112	2	for (Identifier id : dependency.getSuppressedIdentifiers()) {
113	0	if ("cpe".equals(id.getType())) {
114		try {
115	0	final String value = id.getValue();
116	0	final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
117	0	dependency.getSuppressedVulnerabilities().addAll(vulns);
118	0	} catch (DatabaseException ex) {
119	0	throw new AnalysisException(ex);
120	0	}
121		}
122	0	}
123	2	}
124
125		/**
126		* Returns the name of this analyzer.
127		*
128		* @return the name of this analyzer.
129		*/
130		@Override
131		public String getName() {
132	4	return "NVD CVE Analyzer";
133		}
134
135		/**
136		* Returns the analysis phase that this analyzer should run in.
137		*
138		* @return the analysis phase that this analyzer should run in.
139		*/
140		@Override
141		public AnalysisPhase getAnalysisPhase() {
142	3	return AnalysisPhase.FINDING_ANALYSIS;
143		}
144
145		/**
146		* Opens the database used to gather NVD CVE data.
147		*
148		* @throws Exception is thrown if there is an issue opening the index.
149		*/
150		@Override
151		public void initialize() throws Exception {
152	1	this.open();
153	1	}
154		}