Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

OpenSSLAnalyzer

91%

34/37

71%

10/14

2.125

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 /**
  * Used to analyze OpenSSL source code present in the file system.
  *
  * @author Dale Visser
  */
 public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 
     private static final int HEXADECIMAL = 16;
     /**
      * Filename to analyze. All other .h files get removed from consideration.
      */
     private static final String OPENSSLV_H = "opensslv.h";
 
     /**
      * Filter that detects files named "__init__.py".
      */
     private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build();
     private static final Pattern VERSION_PATTERN = Pattern.compile(
             "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL
             | Pattern.CASE_INSENSITIVE);
     private static final int MAJOR_OFFSET = 28;
     private static final long MINOR_MASK = 0x0ff00000L;
     private static final int MINOR_OFFSET = 20;
     private static final long FIX_MASK = 0x000ff000L;
     private static final int FIX_OFFSET = 12;
     private static final long PATCH_MASK = 0x00000ff0L;
     private static final int PATCH_OFFSET = 4;
     private static final int NUM_LETTERS = 26;
     private static final int STATUS_MASK = 0x0000000f;
 
     /**
      * Returns the open SSL version as a string.
      *
      * @param openSSLVersionConstant The open SSL version
      * @return the version of openssl
      */
     static String getOpenSSLVersion(long openSSLVersionConstant) {
         final long major = openSSLVersionConstant >>> MAJOR_OFFSET;
         final long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
         final long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
         final long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET;
         final String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" : String.valueOf((char) (patchLevel + 'a' - 1));
         final int statusCode = (int) (openSSLVersionConstant & STATUS_MASK);
         final String status = 0xf == statusCode ? "" : (0 == statusCode ? "-dev" : "-beta" + statusCode);
         return String.format("%d.%d.%d%s%s", major, minor, fix, patch, status);
     }
 
     /**
      * Returns the name of the Python Package Analyzer.
      *
      * @return the name of the analyzer
      */
     @Override
     public String getName() {
         return "OpenSSL Source Analyzer";
     }
 
     /**
      * Tell that we are used for information collection.
      *
      * @return INFORMATION_COLLECTION
      */
     @Override
     public AnalysisPhase getAnalysisPhase() {
         return AnalysisPhase.INFORMATION_COLLECTION;
     }
 
     /**
      * Returns the set of supported file extensions.
      *
      * @return the set of supported file extensions
      */
     @Override
     protected FileFilter getFileFilter() {
         return OPENSSLV_FILTER;
     }
 
     /**
      * No-op initializer implementation.
      *
      * @throws Exception never thrown
      */
     @Override
     protected void initializeFileTypeAnalyzer() throws Exception {
         // Nothing to do here.
     }
 
     /**
      * Analyzes python packages and adds evidence to the dependency.
      *
      * @param dependency the dependency being analyzed
      * @param engine the engine being used to perform the scan
      * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
      */
     @Override
     protected void analyzeFileType(Dependency dependency, Engine engine)
             throws AnalysisException {
         final File file = dependency.getActualFile();
         final String parentName = file.getParentFile().getName();
         boolean found = false;
         final String contents = getFileContents(file);
         if (!contents.isEmpty()) {
             final Matcher matcher = VERSION_PATTERN.matcher(contents);
             if (matcher.find()) {
                 dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant",
                         getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH);
                 found = true;
             }
         }
         if (found) {
             dependency.setDisplayFileName(parentName + File.separatorChar + OPENSSLV_H);
             dependency.getVendorEvidence().addEvidence(OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST);
             dependency.getProductEvidence().addEvidence(OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST);
         } else {
             engine.getDependencies().remove(dependency);
         }
     }
 
     /**
      * Retrieves the contents of a given file.
      *
      * @param actualFile the file to read
      * @return the contents of the file
      * @throws AnalysisException thrown if there is an IO Exception
      */
     private String getFileContents(final File actualFile)
             throws AnalysisException {
         String contents;
         try {
             contents = FileUtils.readFileToString(actualFile).trim();
         } catch (IOException e) {
             throw new AnalysisException(
                     "Problem occurred while reading dependency file.", e);
         }
         return contents;
     }
 
     @Override
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_OPENSSL_ENABLED;
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import org.apache.commons.io.FileUtils;
21		import org.owasp.dependencycheck.Engine;
22		import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
23		import org.owasp.dependencycheck.dependency.Confidence;
24		import org.owasp.dependencycheck.dependency.Dependency;
25		import org.owasp.dependencycheck.utils.FileFilterBuilder;
26		import org.owasp.dependencycheck.utils.Settings;
27
28		import java.io.File;
29		import java.io.FileFilter;
30		import java.io.IOException;
31		import java.util.regex.Matcher;
32		import java.util.regex.Pattern;
33
34		/**
35		* Used to analyze OpenSSL source code present in the file system.
36		*
37		* @author Dale Visser
38		*/
39	8	public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
40
41		private static final int HEXADECIMAL = 16;
42		/**
43		* Filename to analyze. All other .h files get removed from consideration.
44		*/
45		private static final String OPENSSLV_H = "opensslv.h";
46
47		/**
48		* Filter that detects files named "__init__.py".
49		*/
50	1	private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build();
51	1	private static final Pattern VERSION_PATTERN = Pattern.compile(
52		"define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL
53		\| Pattern.CASE_INSENSITIVE);
54		private static final int MAJOR_OFFSET = 28;
55		private static final long MINOR_MASK = 0x0ff00000L;
56		private static final int MINOR_OFFSET = 20;
57		private static final long FIX_MASK = 0x000ff000L;
58		private static final int FIX_OFFSET = 12;
59		private static final long PATCH_MASK = 0x00000ff0L;
60		private static final int PATCH_OFFSET = 4;
61		private static final int NUM_LETTERS = 26;
62		private static final int STATUS_MASK = 0x0000000f;
63
64		/**
65		* Returns the open SSL version as a string.
66		*
67		* @param openSSLVersionConstant The open SSL version
68		* @return the version of openssl
69		*/
70		static String getOpenSSLVersion(long openSSLVersionConstant) {
71	9	final long major = openSSLVersionConstant >>> MAJOR_OFFSET;
72	9	final long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
73	9	final long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
74	9	final long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET;
75	9	final String patch = 0 == patchLevel \|\| patchLevel > NUM_LETTERS ? "" : String.valueOf((char) (patchLevel + 'a' - 1));
76	9	final int statusCode = (int) (openSSLVersionConstant & STATUS_MASK);
77	9	final String status = 0xf == statusCode ? "" : (0 == statusCode ? "-dev" : "-beta" + statusCode);
78	9	return String.format("%d.%d.%d%s%s", major, minor, fix, patch, status);
79		}
80
81		/**
82		* Returns the name of the Python Package Analyzer.
83		*
84		* @return the name of the analyzer
85		*/
86		@Override
87		public String getName() {
88	5	return "OpenSSL Source Analyzer";
89		}
90
91		/**
92		* Tell that we are used for information collection.
93		*
94		* @return INFORMATION_COLLECTION
95		*/
96		@Override
97		public AnalysisPhase getAnalysisPhase() {
98	3	return AnalysisPhase.INFORMATION_COLLECTION;
99		}
100
101		/**
102		* Returns the set of supported file extensions.
103		*
104		* @return the set of supported file extensions
105		*/
106		@Override
107		protected FileFilter getFileFilter() {
108	854	return OPENSSLV_FILTER;
109		}
110
111		/**
112		* No-op initializer implementation.
113		*
114		* @throws Exception never thrown
115		*/
116		@Override
117		protected void initializeFileTypeAnalyzer() throws Exception {
118		// Nothing to do here.
119	4	}
120
121		/**
122		* Analyzes python packages and adds evidence to the dependency.
123		*
124		* @param dependency the dependency being analyzed
125		* @param engine the engine being used to perform the scan
126		* @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
127		*/
128		@Override
129		protected void analyzeFileType(Dependency dependency, Engine engine)
130		throws AnalysisException {
131	1	final File file = dependency.getActualFile();
132	1	final String parentName = file.getParentFile().getName();
133	1	boolean found = false;
134	1	final String contents = getFileContents(file);
135	1	if (!contents.isEmpty()) {
136	1	final Matcher matcher = VERSION_PATTERN.matcher(contents);
137	1	if (matcher.find()) {
138	2	dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant",
139	1	getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH);
140	1	found = true;
141		}
142		}
143	1	if (found) {
144	1	dependency.setDisplayFileName(parentName + File.separatorChar + OPENSSLV_H);
145	1	dependency.getVendorEvidence().addEvidence(OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST);
146	1	dependency.getProductEvidence().addEvidence(OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST);
147		} else {
148	0	engine.getDependencies().remove(dependency);
149		}
150	1	}
151
152		/**
153		* Retrieves the contents of a given file.
154		*
155		* @param actualFile the file to read
156		* @return the contents of the file
157		* @throws AnalysisException thrown if there is an IO Exception
158		*/
159		private String getFileContents(final File actualFile)
160		throws AnalysisException {
161		String contents;
162		try {
163	1	contents = FileUtils.readFileToString(actualFile).trim();
164	0	} catch (IOException e) {
165	0	throw new AnalysisException(
166		"Problem occurred while reading dependency file.", e);
167	1	}
168	1	return contents;
169		}
170
171		@Override
172		protected String getAnalyzerEnabledSettingKey() {
173	8	return Settings.KEYS.ANALYZER_OPENSSL_ENABLED;
174		}
175		}