View Javadoc
1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import org.owasp.dependencycheck.Engine;
21  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
22  import org.owasp.dependencycheck.data.nuget.NugetPackage;
23  import org.owasp.dependencycheck.data.nuget.NuspecParseException;
24  import org.owasp.dependencycheck.data.nuget.NuspecParser;
25  import org.owasp.dependencycheck.data.nuget.XPathNuspecParser;
26  import org.owasp.dependencycheck.dependency.Confidence;
27  import org.owasp.dependencycheck.dependency.Dependency;
28  import org.owasp.dependencycheck.utils.FileFilterBuilder;
29  import org.owasp.dependencycheck.utils.Settings;
30  import org.slf4j.Logger;
31  import org.slf4j.LoggerFactory;
32  
33  import java.io.FileFilter;
34  import java.io.FileInputStream;
35  import java.io.FileNotFoundException;
36  import java.io.IOException;
37  
38  /**
39   * Analyzer which will parse a Nuspec file to gather module information.
40   *
41   * @author colezlaw
42   */
43  public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
44  
45      /**
46       * The logger.
47       */
48      private static final Logger LOGGER = LoggerFactory.getLogger(NuspecAnalyzer.class);
49  
50      /**
51       * The name of the analyzer.
52       */
53      private static final String ANALYZER_NAME = "Nuspec Analyzer";
54  
55      /**
56       * The phase in which the analyzer runs.
57       */
58      private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
59  
60      /**
61       * The types of files on which this will work.
62       */
63      private static final String SUPPORTED_EXTENSIONS = "nuspec";
64  
65      /**
66       * Initializes the analyzer once before any analysis is performed.
67       *
68       * @throws Exception if there's an error during initialization
69       */
70      @Override
71      public void initializeFileTypeAnalyzer() throws Exception {
72      }
73  
74      /**
75       * Returns the analyzer's name.
76       *
77       * @return the name of the analyzer
78       */
79      @Override
80      public String getName() {
81          return ANALYZER_NAME;
82      }
83  
84      /**
85       * Returns the key used in the properties file to reference the analyzer's enabled property.
86       *
87       * @return the analyzer's enabled property setting key
88       */
89      @Override
90      protected String getAnalyzerEnabledSettingKey() {
91          return Settings.KEYS.ANALYZER_NUSPEC_ENABLED;
92      }
93  
94      /**
95       * Returns the analysis phase under which the analyzer runs.
96       *
97       * @return the phase under which this analyzer runs
98       */
99      @Override
100     public AnalysisPhase getAnalysisPhase() {
101         return ANALYSIS_PHASE;
102     }
103 
104     /**
105      * The file filter used to determine which files this analyzer supports.
106      */
107     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(
108             SUPPORTED_EXTENSIONS).build();
109 
110     /**
111      * Returns the FileFilter
112      *
113      * @return the FileFilter
114      */
115     @Override
116     protected FileFilter getFileFilter() {
117         return FILTER;
118     }
119 
120     /**
121      * Performs the analysis.
122      *
123      * @param dependency the dependency to analyze
124      * @param engine the engine
125      * @throws AnalysisException when there's an exception during analysis
126      */
127     @Override
128     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
129         LOGGER.debug("Checking Nuspec file {}", dependency);
130         try {
131             final NuspecParser parser = new XPathNuspecParser();
132             NugetPackage np = null;
133             FileInputStream fis = null;
134             try {
135                 fis = new FileInputStream(dependency.getActualFilePath());
136                 np = parser.parse(fis);
137             } catch (NuspecParseException ex) {
138                 throw new AnalysisException(ex);
139             } catch (FileNotFoundException ex) {
140                 throw new AnalysisException(ex);
141             } finally {
142                 if (fis != null) {
143                     try {
144                         fis.close();
145                     } catch (IOException e) {
146                         LOGGER.debug("Error closing input stream");
147                     }
148                 }
149             }
150 
151             if (np.getOwners() != null) {
152                 dependency.getVendorEvidence().addEvidence("nuspec", "owners", np.getOwners(), Confidence.HIGHEST);
153             }
154             dependency.getVendorEvidence().addEvidence("nuspec", "authors", np.getAuthors(), Confidence.HIGH);
155             dependency.getVersionEvidence().addEvidence("nuspec", "version", np.getVersion(), Confidence.HIGHEST);
156             dependency.getProductEvidence().addEvidence("nuspec", "id", np.getId(), Confidence.HIGHEST);
157             if (np.getTitle() != null) {
158                 dependency.getProductEvidence().addEvidence("nuspec", "title", np.getTitle(), Confidence.MEDIUM);
159             }
160         } catch (Throwable e) {
161             throw new AnalysisException(e);
162         }
163     }
164 }