Coverage Report - org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer
 
Classes in this File Line Coverage Branch Coverage Complexity
ComposerLockAnalyzer
83%
31/37
75%
3/4
1.833
 
 1  
 /*
 2  
  * This file is part of dependency-check-core.
 3  
  *
 4  
  * Licensed under the Apache License, Version 2.0 (the "License");
 5  
  * you may not use this file except in compliance with the License.
 6  
  * You may obtain a copy of the License at
 7  
  *
 8  
  *     http://www.apache.org/licenses/LICENSE-2.0
 9  
  *
 10  
  * Unless required by applicable law or agreed to in writing, software
 11  
  * distributed under the License is distributed on an "AS IS" BASIS,
 12  
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13  
  * See the License for the specific language governing permissions and
 14  
  * limitations under the License.
 15  
  *
 16  
  * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
 17  
  */
 18  
 package org.owasp.dependencycheck.analyzer;
 19  
 
 20  
 import org.owasp.dependencycheck.Engine;
 21  
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 22  
 import org.owasp.dependencycheck.data.composer.ComposerDependency;
 23  
 import org.owasp.dependencycheck.data.composer.ComposerException;
 24  
 import org.owasp.dependencycheck.data.composer.ComposerLockParser;
 25  
 import org.owasp.dependencycheck.dependency.Confidence;
 26  
 import org.owasp.dependencycheck.dependency.Dependency;
 27  
 import org.owasp.dependencycheck.utils.Checksum;
 28  
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 29  
 import org.owasp.dependencycheck.utils.Settings;
 30  
 import org.slf4j.Logger;
 31  
 import org.slf4j.LoggerFactory;
 32  
 
 33  
 import java.io.FileFilter;
 34  
 import java.io.FileInputStream;
 35  
 import java.io.FileNotFoundException;
 36  
 import java.nio.charset.Charset;
 37  
 import java.security.MessageDigest;
 38  
 
 39  
 /**
 40  
  * Used to analyze a composer.lock file for a composer PHP app.
 41  
  *
 42  
  * @author colezlaw
 43  
  */
 44  7
 public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 45  
 
 46  
     /**
 47  
      * The logger.
 48  
      */
 49  1
     private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockAnalyzer.class);
 50  
 
 51  
     /**
 52  
      * The analyzer name.
 53  
      */
 54  
     private static final String ANALYZER_NAME = "Composer.lock analyzer";
 55  
 
 56  
     /**
 57  
      * composer.json.
 58  
      */
 59  
     private static final String COMPOSER_LOCK = "composer.lock";
 60  
 
 61  
     /**
 62  
      * The FileFilter.
 63  
      */
 64  1
     private static final FileFilter FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(COMPOSER_LOCK).build();
 65  
 
 66  
     /**
 67  
      * Returns the FileFilter.
 68  
      *
 69  
      * @return the FileFilter
 70  
      */
 71  
     @Override
 72  
     protected FileFilter getFileFilter() {
 73  854
         return FILE_FILTER;
 74  
     }
 75  
 
 76  
     /**
 77  
      * Initializes the analyzer.
 78  
      *
 79  
      * @throws Exception thrown if an exception occurs getting an instance of SHA1
 80  
      */
 81  
     @Override
 82  
     protected void initializeFileTypeAnalyzer() throws Exception {
 83  3
         sha1 = MessageDigest.getInstance("SHA1");
 84  3
     }
 85  
 
 86  
     /**
 87  
      * The MessageDigest for calculating a new digest for the new dependencies added.
 88  
      */
 89  7
     private MessageDigest sha1 = null;
 90  
 
 91  
     /**
 92  
      * Entry point for the analyzer.
 93  
      *
 94  
      * @param dependency the dependency to analyze
 95  
      * @param engine the engine scanning
 96  
      * @throws AnalysisException if there's a failure during analysis
 97  
      */
 98  
     @Override
 99  
     protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
 100  1
         FileInputStream fis = null;
 101  
         try {
 102  1
             fis = new FileInputStream(dependency.getActualFile());
 103  1
             final ComposerLockParser clp = new ComposerLockParser(fis);
 104  1
             LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath());
 105  1
             clp.process();
 106  1
             for (ComposerDependency dep : clp.getDependencies()) {
 107  30
                 final Dependency d = new Dependency(dependency.getActualFile());
 108  30
                 d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
 109  30
                 final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
 110  30
                 d.setFilePath(filePath);
 111  30
                 d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
 112  30
                 d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
 113  30
                 d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
 114  30
                 d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
 115  30
                 LOGGER.info("Adding dependency {}", d);
 116  30
                 engine.getDependencies().add(d);
 117  30
             }
 118  0
         } catch (FileNotFoundException fnfe) {
 119  0
             LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath());
 120  0
         } catch (ComposerException ce) {
 121  0
             LOGGER.warn("Error parsing composer.json {}", dependency.getActualFilePath(), ce);
 122  
         } finally {
 123  1
             if (fis != null) {
 124  
                 try {
 125  1
                     fis.close();
 126  0
                 } catch (Exception e) {
 127  0
                     LOGGER.debug("Unable to close file", e);
 128  1
                 }
 129  
             }
 130  
         }
 131  1
     }
 132  
 
 133  
     /**
 134  
      * Gets the key to determine whether the analyzer is enabled.
 135  
      *
 136  
      * @return the key specifying whether the analyzer is enabled
 137  
      */
 138  
     @Override
 139  
     protected String getAnalyzerEnabledSettingKey() {
 140  7
         return Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED;
 141  
     }
 142  
 
 143  
     /**
 144  
      * Returns the analyzer's name.
 145  
      *
 146  
      * @return the analyzer's name
 147  
      */
 148  
     @Override
 149  
     public String getName() {
 150  5
         return ANALYZER_NAME;
 151  
     }
 152  
 
 153  
     /**
 154  
      * Returns the phase this analyzer should run under.
 155  
      *
 156  
      * @return the analysis phase
 157  
      */
 158  
     @Override
 159  
     public AnalysisPhase getAnalysisPhase() {
 160  3
         return AnalysisPhase.INFORMATION_COLLECTION;
 161  
     }
 162  
 }