 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
  *
  * There are two settings which govern this behavior:
  *
  * <ul>
  * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED} determines whether this analyzer is
  * even enabled. This can be overridden by setting the system property.</li>
  * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL} the URL to a Nexus service to search by
  * SHA-1. There is an expected <code>%s</code> in this where the SHA-1 will get entered.</li>
  * </ul>
  *
  * @author colezlaw
  */
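 public class NexusAnalyzer extends AbstractAnalyzer {

     /**
      * The logger
      */
     private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());

     /**
      * The name of the analyzer
      */
     private static final String ANALYZER_NAME = "Nexus Analyzer";

     /**
      * The phase in which the analyzer runs
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;

     /**
      * The types of files on which this will work.
      */
     private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");

     /**
      * Whether this is actually enabled. Set during {@link #initialize()}. It is only left {@code true} when the
      * configured Nexus URL could be parsed, which is what lets {@link #analyze} rely on {@link #searcher} being set.
      */
     private boolean enabled = false;

     /**
      * The Nexus Search to be set up for this analyzer. Assigned only when the analyzer is enabled and the
      * configured URL is well-formed.
      */
     private NexusSearch searcher;

     /**
      * Initializes the analyzer once before any analysis is performed.
      *
      * Reads {@code ANALYZER_NEXUS_ENABLED}; when enabled, builds the {@link NexusSearch} from
      * {@code ANALYZER_NEXUS_URL}. A malformed URL disables the analyzer instead of failing initialization.
      *
      * @throws Exception if there's an error during initialization
      */
     @Override
     public void initialize() throws Exception {
         enabled = Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED);
         LOGGER.fine("Initializing Nexus Analyzer");
         LOGGER.fine(String.format("Nexus Analyzer enabled: %s", enabled));
         if (!enabled) {
             return;
         }
         final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
         LOGGER.fine(String.format("Nexus Analyzer URL: %s", searchUrl));
         try {
             searcher = new NexusSearch(new URL(searchUrl));
         } catch (MalformedURLException mue) {
             // initialize is allowed to throw, but a bad URL is a configuration problem: disable this analyzer
             // rather than abort the run. The cause is kept so the reason for the rejection is visible in the log.
             LOGGER.log(Level.WARNING,
                     String.format("Property %s value '%s' is not a valid URL. Nexus Analyzer disabled",
                             Settings.KEYS.ANALYZER_NEXUS_URL, searchUrl),
                     mue);
             enabled = false;
         }
     }

     /**
      * Returns the analyzer's name.
      *
      * @return the name of the analyzer
      */
     @Override
     public String getName() {
         return ANALYZER_NAME;
     }

     /**
      * Returns the analysis phase under which the analyzer runs.
      *
      * @return the phase under which this analyzer runs
      */
     @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }

     /**
      * Returns the extensions for which this Analyzer runs.
      *
      * @return the extensions for which this Analyzer runs
      */
     @Override
     public Set<String> getSupportedExtensions() {
         return SUPPORTED_EXTENSIONS;
     }

     /**
      * Determines whether the incoming extension is supported.
      *
      * @param extension the extension to check for support
      * @return whether the extension is supported
      */
     @Override
     public boolean supportsExtension(String extension) {
         return SUPPORTED_EXTENSIONS.contains(extension);
     }

     /**
      * Performs the analysis: queries the configured Nexus service with the dependency's SHA-1 digest and records the
      * returned Maven coordinates as evidence. Lookup failures (invalid digest, artifact not found, I/O error) are
      * logged and leave the dependency without Nexus evidence; they do not fail the analysis.
      *
      * @param dependency the dependency to analyze
      * @param engine the engine
      * @throws AnalysisException when there's an exception during analysis
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         // Make a quick exit if this analyzer is disabled (also guarantees searcher was constructed in initialize)
         if (!enabled) {
             return;
         }

         try {
             final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
             // Coordinates returned by the remote service are recorded at high confidence; how far they can be
             // trusted is bounded by trust in the Nexus instance named by ANALYZER_NEXUS_URL.
             if (hasText(ma.getGroupId())) {
                 dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH);
             }
             if (hasText(ma.getArtifactId())) {
                 dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH);
             }
             if (hasText(ma.getVersion())) {
                 dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
             }
             if (hasText(ma.getArtifactUrl())) {
                 dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
             }
         } catch (IllegalArgumentException iae) {
             // Deliberately logged rather than recorded as an analysis exception on the dependency.
             LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
             LOGGER.log(Level.FINE, iae.getMessage(), iae);
         } catch (FileNotFoundException fnfe) {
             // Deliberately logged rather than recorded as an analysis exception on the dependency.
             LOGGER.fine(String.format("Artifact not found in repository '%s'", dependency.getFileName()));
             LOGGER.log(Level.FINE, fnfe.getMessage(), fnfe);
         } catch (IOException ioe) {
             // Deliberately logged rather than recorded as an analysis exception on the dependency.
             LOGGER.log(Level.FINE, "Could not connect to nexus repository", ioe);
         }
     }

     /**
      * Returns whether a value from a search result is present and non-empty.
      *
      * @param value the value to check, may be null
      * @return true if the value is neither null nor empty
      */
     private static boolean hasText(String value) {
         return value != null && !value.isEmpty();
     }
 }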
 
 // vim: cc=120:sw=4:ts=4:sts=4