Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.NexusAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

NexusAnalyzer

41%

15/36

10%

2/20

3.5

 /*
  * This file is part of dependency-check-core.
  *
  * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
  * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
  * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Set;
 import java.util.logging.Logger;
 
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Analyzer which will attempt to locate a dependency on a Nexus service
  * by SHA-1 digest of the dependency.
  *
  * There are two settings which govern this behavior:
  *
  * <ul>
  *   <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED}
  * determines whether this analyzer is even enabled. This can be overridden by
  * setting the system property.</li>
  *   <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL}
  * the URL to a Nexus service to search by SHA-1. There is an expected <code>%s</code>
  * in this where the SHA-1 will get entered.</li>
  * </ul>
  *
  * @author colezlaw
  */
 public class NexusAnalyzer extends AbstractAnalyzer {
     /**
      * The logger
      */
     private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());
 
     /**
      * The name of the analyzer
      */
     private static final String ANALYZER_NAME = "Nexus Analyzer";
 
     /**
      * The phase in which the analyzer runs
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
 
     /**
      * The types of files on which this will work.
      */
     private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
 
     /**
      * Whether this is actually enabled. Will get set during initialization
      */
     private boolean enabled = false;
 
     /**
      * The Nexus Search to be set up for this analyzer.
      */
     private NexusSearch searcher;
 
     /**
      * Initializes the analyzer once before any analysis is performed.
      *
      * @throws Exception if there's an error during initialization.
      */
     public void initialize() throws Exception {
         enabled = Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED);
 
         final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
 
         if (enabled) {
             try {
                 searcher = new NexusSearch(new URL(searchUrl));
             } catch (MalformedURLException mue) {
                 // I know that initialize can throw an exception, but we'll
                 // just disable the analyzer if the URL isn't valid
                 LOGGER.warning(String.format("Property %s not a valid URL. Nexus searching disabled",
                             searchUrl));
             }
         }
     }
 
     /**
      * Returns the analyzer's name.
      *
      * @return the name of the analyzer
      */
     public String getName() {
         return ANALYZER_NAME;
     }
 
     /**
      * Returns the analysis phase under which the analyzer runs.
      *
      * @return the phase under which this analyzer runs
      */
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
 
     /**
      * Returns the extensions for which this Analyzer runs.
      *
      * @return the extensions for which this Analyzer runs
      */
     public Set<String> getSupportedExtensions() {
         return SUPPORTED_EXTENSIONS;
     }
 
     /**
      * Determines whether the incoming extension is supported.
      *
      * @param extension the extension to check for support
      * @return whether the extension is supported
      */
     public boolean supportsExtension(String extension) {
         return SUPPORTED_EXTENSIONS.contains(extension);
     }
 
     /**
      * Performs the analysis.
      *
      * @param dependency the dependency to analyze
      * @param engine the engine
      * @throws AnalysisException when there's an exception during analysis
      */
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         // Make a quick exit if this analyzer is disabled
         if (!enabled) {
             return;
         }
 
         try {
             final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
             if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
                 dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(),
                         Evidence.Confidence.HIGH);
             }
             if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
                 dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(),
                         Evidence.Confidence.HIGH);
             }
             if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
                 dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(),
                         Evidence.Confidence.HIGH);
             }
             if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
                 dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl());
             }
         } catch (IllegalArgumentException iae) {
             dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
         } catch (FileNotFoundException fnfe) {
             dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
         } catch (IOException ioe) {
             dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
         }
     }
 }
 
 // vim: cc=120:sw=4:ts=4:sts=4

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Dependency-check-core is free software: you can redistribute it and/or modify it
5		* under the terms of the GNU General Public License as published by the Free
6		* Software Foundation, either version 3 of the License, or (at your option) any
7		* later version.
8		*
9		* Dependency-check-core is distributed in the hope that it will be useful, but
10		* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11		* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
12		* details.
13		*
14		* You should have received a copy of the GNU General Public License along with
15		* dependency-check-core. If not, see http://www.gnu.org/licenses/.
16		*
17		* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
18		*/
19		package org.owasp.dependencycheck.analyzer;
20
21		import java.io.FileNotFoundException;
22		import java.io.IOException;
23		import java.net.MalformedURLException;
24		import java.net.URL;
25		import java.util.Set;
26		import java.util.logging.Logger;
27
28		import org.owasp.dependencycheck.Engine;
29		import org.owasp.dependencycheck.data.nexus.MavenArtifact;
30		import org.owasp.dependencycheck.data.nexus.NexusSearch;
31		import org.owasp.dependencycheck.dependency.Dependency;
32		import org.owasp.dependencycheck.dependency.Evidence;
33		import org.owasp.dependencycheck.utils.Settings;
34
35		/**
36		* Analyzer which will attempt to locate a dependency on a Nexus service
37		* by SHA-1 digest of the dependency.
38		*
39		* There are two settings which govern this behavior:
40		*
41		* <ul>
42		* <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED}
43		* determines whether this analyzer is even enabled. This can be overridden by
44		* setting the system property.</li>
45		* <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL}
46		* the URL to a Nexus service to search by SHA-1. There is an expected <code>%s</code>
47		* in this where the SHA-1 will get entered.</li>
48		* </ul>
49		*
50		* @author colezlaw
51		*/
52	1	public class NexusAnalyzer extends AbstractAnalyzer {
53		/**
54		* The logger
55		*/
56	1	private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());
57
58		/**
59		* The name of the analyzer
60		*/
61		private static final String ANALYZER_NAME = "Nexus Analyzer";
62
63		/**
64		* The phase in which the analyzer runs
65		*/
66	1	private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
67
68		/**
69		* The types of files on which this will work.
70		*/
71	1	private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
72
73		/**
74		* Whether this is actually enabled. Will get set during initialization
75		*/
76	1	private boolean enabled = false;
77
78		/**
79		* The Nexus Search to be set up for this analyzer.
80		*/
81		private NexusSearch searcher;
82
83		/**
84		* Initializes the analyzer once before any analysis is performed.
85		*
86		* @throws Exception if there's an error during initialization.
87		*/
88		public void initialize() throws Exception {
89	3	enabled = Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED);
90
91	3	final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
92
93	3	if (enabled) {
94		try {
95	0	searcher = new NexusSearch(new URL(searchUrl));
96	0	} catch (MalformedURLException mue) {
97		// I know that initialize can throw an exception, but we'll
98		// just disable the analyzer if the URL isn't valid
99	0	LOGGER.warning(String.format("Property %s not a valid URL. Nexus searching disabled",
100		searchUrl));
101	0	}
102		}
103	3	}
104
105		/**
106		* Returns the analyzer's name.
107		*
108		* @return the name of the analyzer
109		*/
110		public String getName() {
111	9	return ANALYZER_NAME;
112		}
113
114		/**
115		* Returns the analysis phase under which the analyzer runs.
116		*
117		* @return the phase under which this analyzer runs
118		*/
119		public AnalysisPhase getAnalysisPhase() {
120	6	return ANALYSIS_PHASE;
121		}
122
123		/**
124		* Returns the extensions for which this Analyzer runs.
125		*
126		* @return the extensions for which this Analyzer runs
127		*/
128		public Set<String> getSupportedExtensions() {
129	138	return SUPPORTED_EXTENSIONS;
130		}
131
132		/**
133		* Determines whether the incoming extension is supported.
134		*
135		* @param extension the extension to check for support
136		* @return whether the extension is supported
137		*/
138		public boolean supportsExtension(String extension) {
139	134	return SUPPORTED_EXTENSIONS.contains(extension);
140		}
141
142		/**
143		* Performs the analysis.
144		*
145		* @param dependency the dependency to analyze
146		* @param engine the engine
147		* @throws AnalysisException when there's an exception during analysis
148		*/
149		public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
150		// Make a quick exit if this analyzer is disabled
151	5	if (!enabled) {
152	5	return;
153		}
154
155		try {
156	0	final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
157	0	if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
158	0	dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(),
159		Evidence.Confidence.HIGH);
160		}
161	0	if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
162	0	dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(),
163		Evidence.Confidence.HIGH);
164		}
165	0	if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
166	0	dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(),
167		Evidence.Confidence.HIGH);
168		}
169	0	if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
170	0	dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl());
171		}
172	0	} catch (IllegalArgumentException iae) {
173	0	dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
174	0	} catch (FileNotFoundException fnfe) {
175	0	dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
176	0	} catch (IOException ioe) {
177	0	dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
178	0	}
179	0	}
180		}
181
182		// vim: cc=120:sw=4:ts=4:sts=4