 /*
  * This file is part of dependency-check-core.
  *
  * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
  * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
  * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 
 /**
  * NvdCveAnalyzer is a utility class that takes a project dependency and
  * attempts to discern whether there are any associated CVEs. It uses the
  * identifiers found by other analyzers to look up the CVE data.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
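 public class NvdCveAnalyzer implements Analyzer {

     /**
      * The maximum number of query results to return. It is not referenced
      * inside this class; being package-visible it is presumably read by a
      * collaborator elsewhere in the package.
      */
     static final int MAX_QUERY_RESULTS = 100;
     /**
      * The CVE database. {@code null} whenever the analyzer is not open, which
      * is exactly what {@link #isOpen()} reports.
      */
     private CveDB cveDB;

     /**
      * Opens the data source.
      *
      * @throws SQLException thrown when there is a SQL Exception
      * @throws IOException thrown when there is an IO Exception
      * @throws DatabaseException thrown when there is a database exception
      * @throws ClassNotFoundException thrown if the h2 database driver cannot be
      * loaded
      */
     public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
         final CveDB db = new CveDB();
         db.open();
         // Publish the reference only after open() succeeded; otherwise a
         // failed open would leave isOpen() reporting true for an unusable
         // database.
         cveDB = db;
     }

     /**
      * Closes the data source. Safe to call when the analyzer is not open.
      * After this method returns {@link #isOpen()} is {@code false}, even if
      * the underlying close failed.
      */
     public void close() {
         final CveDB db = cveDB;
         if (db == null) {
             return;
         }
         try {
             db.close();
         } finally {
             // Drop the reference even when close() throws so that a retry or
             // finalize() cannot touch a half-closed database.
             cveDB = null;
         }
     }

     /**
      * Returns the status of the data source.
      *
      * @return {@code true} if {@link #open()} completed successfully and
      * {@link #close()} has not been called since; {@code false} otherwise.
      */
     public boolean isOpen() {
         return cveDB != null;
     }

     /**
      * Ensures that the CVE Database is closed if this analyzer is garbage
      * collected while still open. Finalization is a last-resort safety net
      * only - it is not guaranteed to run promptly, or at all - so callers are
      * still expected to call {@link #close()} themselves.
      *
      * @throws Throwable when a throwable is thrown.
      */
     @Override
     protected void finalize() throws Throwable {
         try {
             if (isOpen()) {
                 close();
             }
         } finally {
             super.finalize();
         }
     }

     /**
      * Analyzes a dependency and attempts to determine whether any CVE entries
      * exist for the CPE identifiers already attached to it. Every
      * vulnerability found is added to the dependency's vulnerability
      * collection; identifiers of any other type are ignored.
      *
      * @param dependency The Dependency to analyze
      * @param engine The analysis engine (not used by this analyzer)
      * @throws AnalysisException is thrown if the CVE database has not been
      * opened, or if a database error occurs while looking up an identifier
      */
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         if (cveDB == null) {
             // Report a misuse (analyze() before initialize()/open()) through
             // the declared failure channel rather than a NullPointerException.
             throw new AnalysisException(new IllegalStateException(
                     "The NVD CVE database has not been opened; call initialize() first"));
         }
         for (Identifier id : dependency.getIdentifiers()) {
             // Only CPE identifiers are keys into the CVE database.
             if (!"cpe".equals(id.getType())) {
                 continue;
             }
             try {
                 // The identifier value is passed through unmodified; any
                 // quoting or parameterisation of the lookup is CveDB's
                 // responsibility, not this class's.
                 final List<Vulnerability> vulns = cveDB.getVulnerabilities(id.getValue());
                 dependency.getVulnerabilities().addAll(vulns);
             } catch (DatabaseException ex) {
                 throw new AnalysisException(ex);
             }
         }
     }

     /**
      * Returns {@code null} rather than a set of extensions. Together with
      * {@link #supportsExtension(String)} always returning {@code true}, this
      * signals that the analyzer applies to every dependency regardless of
      * file type; how a {@code null} set is interpreted is decided by the
      * engine, not by this class.
      *
      * @return {@code null}.
      */
     public Set<String> getSupportedExtensions() {
         return null;
     }

     /**
      * Returns the name of this analyzer.
      *
      * @return the name of this analyzer.
      */
     public String getName() {
         return "NVD CVE Analyzer";
     }

     /**
      * Returns true because this analyzer supports all dependency types.
      *
      * @param extension the file extension of the dependency being analyzed.
      * @return true.
      */
     public boolean supportsExtension(String extension) {
         return true;
     }

     /**
      * Returns the analysis phase that this analyzer should run in. Because
      * the lookup relies on identifiers attached by other analyzers, it runs
      * during finding analysis.
      *
      * @return {@link AnalysisPhase#FINDING_ANALYSIS}.
      */
     public AnalysisPhase getAnalysisPhase() {
         return AnalysisPhase.FINDING_ANALYSIS;
     }

     /**
      * Opens the NVD CVE database; equivalent to calling {@link #open()}.
      *
      * @throws Exception is thrown if there is an issue opening the database.
      */
     public void initialize() throws Exception {
         this.open();
     }
 }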