Coverage Report

Coverage Report - org.owasp.dependencycheck.data.central.CentralSearch

Classes in this File

Line Coverage

Branch Coverage

Complexity

CentralSearch

83%

51/61

83%

20/24

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.central;
 
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.logging.Logger;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathFactory;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.URLConnectionFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.NodeList;
 
 /**
  * Class of methods to search Maven Central via Central.
  *
  * @author colezlaw
  */
 public class CentralSearch {
 
     /**
      * The URL for the Central service
      */
     private final URL rootURL;
 
     /**
      * Whether to use the Proxy when making requests
      */
     private boolean useProxy;
 
     /**
      * Used for logging.
      */
     private static final Logger LOGGER = Logger.getLogger(CentralSearch.class.getName());
 
     /**
      * Creates a NexusSearch for the given repository URL.
      *
      * @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so it should
      * end in /select)
      */
     public CentralSearch(URL rootURL) {
         this.rootURL = rootURL;
         if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)) {
             useProxy = true;
             LOGGER.fine("Using proxy");
         } else {
             useProxy = false;
             LOGGER.fine("Not using proxy");
         }
     }
 
     /**
      * Searches the configured Central URL for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
      * populated with the GAV.
      *
      * @param sha1 the SHA-1 hash string for which to search
      * @return the populated Maven GAV.
      * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
      */
     public List<MavenArtifact> searchSha1(String sha1) throws IOException {
         if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
             throw new IllegalArgumentException("Invalid SHA1 format");
         }
 
         final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
 
         LOGGER.fine(String.format("Searching Central url %s", url.toString()));
 
         // Determine if we need to use a proxy. The rules:
         // 1) If the proxy is set, AND the setting is set to true, use the proxy
         // 2) Otherwise, don't use the proxy (either the proxy isn't configured,
         // or proxy is specifically set to false)
         final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
 
         conn.setDoOutput(true);
 
         // JSON would be more elegant, but there's not currently a dependency
         // on JSON, so don't want to add one just for this
         conn.addRequestProperty("Accept", "application/xml");
         conn.connect();
 
         if (conn.getResponseCode() == 200) {
             boolean missing = false;
             try {
                 final DocumentBuilder builder = DocumentBuilderFactory
                         .newInstance().newDocumentBuilder();
                 final Document doc = builder.parse(conn.getInputStream());
                 final XPath xpath = XPathFactory.newInstance().newXPath();
                 final String numFound = xpath.evaluate("/response/result/@numFound", doc);
                 if ("0".equals(numFound)) {
                     missing = true;
                 } else {
                     final ArrayList<MavenArtifact> result = new ArrayList<MavenArtifact>();
                     final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
                     for (int i = 0; i < docs.getLength(); i++) {
                         final String g = xpath.evaluate("./str[@name='g']", docs.item(i));
                         LOGGER.finest(String.format("GroupId: %s", g));
                         final String a = xpath.evaluate("./str[@name='a']", docs.item(i));
                         LOGGER.finest(String.format("ArtifactId: %s", a));
                         final String v = xpath.evaluate("./str[@name='v']", docs.item(i));
                         NodeList atts = (NodeList) xpath.evaluate("./arr[@name='ec']/str", docs.item(i), XPathConstants.NODESET);
                         boolean pomAvailable = false;
                         boolean jarAvailable = false;
                         for (int x = 0; x < atts.getLength(); x++) {
                             final String tmp = xpath.evaluate(".", atts.item(x));
                             if (".pom".equals(tmp)) {
                                 pomAvailable = true;
                             } else if (".jar".equals(tmp)) {
                                 jarAvailable = true;
                             }
                         }
 
                         atts = (NodeList) xpath.evaluate("./arr[@name='tags']/str", docs.item(i), XPathConstants.NODESET);
                         boolean useHTTPS = false;
                         for (int x = 0; x < atts.getLength(); x++) {
                             final String tmp = xpath.evaluate(".", atts.item(x));
                             if ("https".equals(tmp)) {
                                 useHTTPS = true;
                             }
                         }
 
                         LOGGER.finest(String.format("Version: %s", v));
                         result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable, useHTTPS));
                     }
 
                     return result;
                 }
             } catch (Throwable e) {
                 // Anything else is jacked up XML stuff that we really can't recover
                 // from well
                 throw new IOException(e.getMessage(), e);
             }
 
             if (missing) {
                 throw new FileNotFoundException("Artifact not found in Central");
             }
         } else {
             final String msg = String.format("Could not connect to Central received response code: %d %s",
                     conn.getResponseCode(), conn.getResponseMessage());
             LOGGER.fine(msg);
             throw new IOException(msg);
         }
 
         return null;
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.data.central;
19
20		import java.io.FileNotFoundException;
21		import java.io.IOException;
22		import java.net.HttpURLConnection;
23		import java.net.URL;
24		import java.util.ArrayList;
25		import java.util.List;
26		import java.util.logging.Logger;
27		import javax.xml.parsers.DocumentBuilder;
28		import javax.xml.parsers.DocumentBuilderFactory;
29		import javax.xml.xpath.XPath;
30		import javax.xml.xpath.XPathConstants;
31		import javax.xml.xpath.XPathFactory;
32		import org.owasp.dependencycheck.data.nexus.MavenArtifact;
33		import org.owasp.dependencycheck.utils.Settings;
34		import org.owasp.dependencycheck.utils.URLConnectionFactory;
35		import org.w3c.dom.Document;
36		import org.w3c.dom.NodeList;
37
38		/**
39		* Class of methods to search Maven Central via Central.
40		*
41		* @author colezlaw
42		*/
43		public class CentralSearch {
44
45		/**
46		* The URL for the Central service
47		*/
48		private final URL rootURL;
49
50		/**
51		* Whether to use the Proxy when making requests
52		*/
53		private boolean useProxy;
54
55		/**
56		* Used for logging.
57		*/
58	1	private static final Logger LOGGER = Logger.getLogger(CentralSearch.class.getName());
59
60		/**
61		* Creates a NexusSearch for the given repository URL.
62		*
63		* @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so it should
64		* end in /select)
65		*/
66	5	public CentralSearch(URL rootURL) {
67	5	this.rootURL = rootURL;
68	5	if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)) {
69	0	useProxy = true;
70	0	LOGGER.fine("Using proxy");
71		} else {
72	5	useProxy = false;
73	5	LOGGER.fine("Not using proxy");
74		}
75	5	}
76
77		/**
78		* Searches the configured Central URL for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
79		* populated with the GAV.
80		*
81		* @param sha1 the SHA-1 hash string for which to search
82		* @return the populated Maven GAV.
83		* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
84		*/
85		public List<MavenArtifact> searchSha1(String sha1) throws IOException {
86	5	if (null == sha1 \|\| !sha1.matches("^[0-9A-Fa-f]{40}$")) {
87	2	throw new IllegalArgumentException("Invalid SHA1 format");
88		}
89
90	3	final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
91
92	3	LOGGER.fine(String.format("Searching Central url %s", url.toString()));
93
94		// Determine if we need to use a proxy. The rules:
95		// 1) If the proxy is set, AND the setting is set to true, use the proxy
96		// 2) Otherwise, don't use the proxy (either the proxy isn't configured,
97		// or proxy is specifically set to false)
98	3	final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
99
100	3	conn.setDoOutput(true);
101
102		// JSON would be more elegant, but there's not currently a dependency
103		// on JSON, so don't want to add one just for this
104	3	conn.addRequestProperty("Accept", "application/xml");
105	3	conn.connect();
106
107	3	if (conn.getResponseCode() == 200) {
108	3	boolean missing = false;
109		try {
110	3	final DocumentBuilder builder = DocumentBuilderFactory
111		.newInstance().newDocumentBuilder();
112	3	final Document doc = builder.parse(conn.getInputStream());
113	3	final XPath xpath = XPathFactory.newInstance().newXPath();
114	3	final String numFound = xpath.evaluate("/response/result/@numFound", doc);
115	3	if ("0".equals(numFound)) {
116	1	missing = true;
117		} else {
118	2	final ArrayList<MavenArtifact> result = new ArrayList<MavenArtifact>();
119	2	final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
120	5	for (int i = 0; i < docs.getLength(); i++) {
121	3	final String g = xpath.evaluate("./str[@name='g']", docs.item(i));
122	3	LOGGER.finest(String.format("GroupId: %s", g));
123	3	final String a = xpath.evaluate("./str[@name='a']", docs.item(i));
124	3	LOGGER.finest(String.format("ArtifactId: %s", a));
125	3	final String v = xpath.evaluate("./str[@name='v']", docs.item(i));
126	3	NodeList atts = (NodeList) xpath.evaluate("./arr[@name='ec']/str", docs.item(i), XPathConstants.NODESET);
127	3	boolean pomAvailable = false;
128	3	boolean jarAvailable = false;
129	14	for (int x = 0; x < atts.getLength(); x++) {
130	11	final String tmp = xpath.evaluate(".", atts.item(x));
131	11	if (".pom".equals(tmp)) {
132	3	pomAvailable = true;
133	8	} else if (".jar".equals(tmp)) {
134	3	jarAvailable = true;
135		}
136		}
137
138	3	atts = (NodeList) xpath.evaluate("./arr[@name='tags']/str", docs.item(i), XPathConstants.NODESET);
139	3	boolean useHTTPS = false;
140	21	for (int x = 0; x < atts.getLength(); x++) {
141	18	final String tmp = xpath.evaluate(".", atts.item(x));
142	18	if ("https".equals(tmp)) {
143	0	useHTTPS = true;
144		}
145		}
146
147	3	LOGGER.finest(String.format("Version: %s", v));
148	3	result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable, useHTTPS));
149		}
150
151	2	return result;
152		}
153	0	} catch (Throwable e) {
154		// Anything else is jacked up XML stuff that we really can't recover
155		// from well
156	0	throw new IOException(e.getMessage(), e);
157	1	}
158
159	1	if (missing) {
160	1	throw new FileNotFoundException("Artifact not found in Central");
161		}
162	0	} else {
163	0	final String msg = String.format("Could not connect to Central received response code: %d %s",
164		conn.getResponseCode(), conn.getResponseMessage());
165	0	LOGGER.fine(msg);
166	0	throw new IOException(msg);
167		}
168
169	0	return null;
170		}
171		}