Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.NvdCveAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

NvdCveAnalyzer

75%

21/28

37%

3/8

1.5

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 
 /**
  * NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated
  * CVEs. It uses the the identifiers found by other analyzers to lookup the CVE data.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class NvdCveAnalyzer implements Analyzer {
 
     /**
      * The maximum number of query results to return.
      */
     static final int MAX_QUERY_RESULTS = 100;
     /**
      * The CVE Index.
      */
     private CveDB cveDB;
 
     /**
      * Opens the data source.
      *
      * @throws SQLException thrown when there is a SQL Exception
      * @throws IOException thrown when there is an IO Exception
      * @throws DatabaseException thrown when there is a database exceptions
      * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
      */
     public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
         cveDB = new CveDB();
         cveDB.open();
     }
 
     /**
      * Closes the data source.
      */
     public void close() {
         cveDB.close();
         cveDB = null;
     }
 
     /**
      * Returns the status of the data source - is the database open.
      *
      * @return true or false.
      */
     public boolean isOpen() {
         return (cveDB != null);
     }
 
     /**
      * Ensures that the CVE Database is closed.
      *
      * @throws Throwable when a throwable is thrown.
      */
     @Override
     protected void finalize() throws Throwable {
         super.finalize();
         if (isOpen()) {
             close();
         }
     }
 
     /**
      * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
      *
      * @param dependency The Dependency to analyze
      * @param engine The analysis engine
      * @throws AnalysisException is thrown if there is an issue analyzing the dependency
      */
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         for (Identifier id : dependency.getIdentifiers()) {
             if ("cpe".equals(id.getType())) {
                 try {
                     final String value = id.getValue();
                     final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
                     dependency.getVulnerabilities().addAll(vulns);
                 } catch (DatabaseException ex) {
                     throw new AnalysisException(ex);
                 }
             }
         }
     }
 
     /**
      * Returns true because this analyzer supports all dependency types.
      *
      * @return true.
      */
     public Set<String> getSupportedExtensions() {
         return null;
     }
 
     /**
      * Returns the name of this analyzer.
      *
      * @return the name of this analyzer.
      */
     public String getName() {
         return "NVD CVE Analyzer";
     }
 
     /**
      * Returns true because this analyzer supports all dependency types.
      *
      * @param extension the file extension of the dependency being analyzed.
      * @return true.
      */
     public boolean supportsExtension(String extension) {
         return true;
     }
 
     /**
      * Returns the analysis phase that this analyzer should run in.
      *
      * @return the analysis phase that this analyzer should run in.
      */
     public AnalysisPhase getAnalysisPhase() {
         return AnalysisPhase.FINDING_ANALYSIS;
     }
 
     /**
      * Opens the NVD CVE Lucene Index.
      *
      * @throws Exception is thrown if there is an issue opening the index.
      */
     public void initialize() throws Exception {
         this.open();
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import java.io.IOException;
21		import java.sql.SQLException;
22		import java.util.List;
23		import java.util.Set;
24		import org.owasp.dependencycheck.Engine;
25		import org.owasp.dependencycheck.data.nvdcve.CveDB;
26		import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
27		import org.owasp.dependencycheck.dependency.Dependency;
28		import org.owasp.dependencycheck.dependency.Identifier;
29		import org.owasp.dependencycheck.dependency.Vulnerability;
30
31		/**
32		* NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated
33		* CVEs. It uses the the identifiers found by other analyzers to lookup the CVE data.
34		*
35		* @author Jeremy Long <jeremy.long@owasp.org>
36		*/
37	1	public class NvdCveAnalyzer implements Analyzer {
38
39		/**
40		* The maximum number of query results to return.
41		*/
42		static final int MAX_QUERY_RESULTS = 100;
43		/**
44		* The CVE Index.
45		*/
46		private CveDB cveDB;
47
48		/**
49		* Opens the data source.
50		*
51		* @throws SQLException thrown when there is a SQL Exception
52		* @throws IOException thrown when there is an IO Exception
53		* @throws DatabaseException thrown when there is a database exceptions
54		* @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
55		*/
56		public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
57	3	cveDB = new CveDB();
58	3	cveDB.open();
59	3	}
60
61		/**
62		* Closes the data source.
63		*/
64		public void close() {
65	3	cveDB.close();
66	3	cveDB = null;
67	3	}
68
69		/**
70		* Returns the status of the data source - is the database open.
71		*
72		* @return true or false.
73		*/
74		public boolean isOpen() {
75	0	return (cveDB != null);
76		}
77
78		/**
79		* Ensures that the CVE Database is closed.
80		*
81		* @throws Throwable when a throwable is thrown.
82		*/
83		@Override
84		protected void finalize() throws Throwable {
85	0	super.finalize();
86	0	if (isOpen()) {
87	0	close();
88		}
89	0	}
90
91		/**
92		* Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
93		*
94		* @param dependency The Dependency to analyze
95		* @param engine The analysis engine
96		* @throws AnalysisException is thrown if there is an issue analyzing the dependency
97		*/
98		public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
99	9	for (Identifier id : dependency.getIdentifiers()) {
100	11	if ("cpe".equals(id.getType())) {
101		try {
102	11	final String value = id.getValue();
103	11	final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
104	11	dependency.getVulnerabilities().addAll(vulns);
105	0	} catch (DatabaseException ex) {
106	0	throw new AnalysisException(ex);
107	11	}
108		}
109	11	}
110	9	}
111
112		/**
113		* Returns true because this analyzer supports all dependency types.
114		*
115		* @return true.
116		*/
117		public Set<String> getSupportedExtensions() {
118	132	return null;
119		}
120
121		/**
122		* Returns the name of this analyzer.
123		*
124		* @return the name of this analyzer.
125		*/
126		public String getName() {
127	9	return "NVD CVE Analyzer";
128		}
129
130		/**
131		* Returns true because this analyzer supports all dependency types.
132		*
133		* @param extension the file extension of the dependency being analyzed.
134		* @return true.
135		*/
136		public boolean supportsExtension(String extension) {
137	9	return true;
138		}
139
140		/**
141		* Returns the analysis phase that this analyzer should run in.
142		*
143		* @return the analysis phase that this analyzer should run in.
144		*/
145		public AnalysisPhase getAnalysisPhase() {
146	6	return AnalysisPhase.FINDING_ANALYSIS;
147		}
148
149		/**
150		* Opens the NVD CVE Lucene Index.
151		*
152		* @throws Exception is thrown if there is an issue opening the index.
153		*/
154		public void initialize() throws Exception {
155	3	this.open();
156	3	}
157		}