View Javadoc
1   /*
2    * This file is part of dependency-check-maven.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.maven;
19  
20  import java.util.List;
21  import java.util.logging.Logger;
22  import org.apache.maven.project.MavenProject;
23  import org.owasp.dependencycheck.analyzer.Analyzer;
24  import org.owasp.dependencycheck.analyzer.CPEAnalyzer;
25  import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
26  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
27  import org.owasp.dependencycheck.utils.Settings;
28  
29  /**
30   * A modified version of the core engine specifically designed to persist some data between multiple executions of a
31   * multi-module Maven project.
32   *
33   * @author Jeremy Long <jeremy.long@owasp.org>
34   */
35  public class Engine extends org.owasp.dependencycheck.Engine {
36  
37      /**
38       * The logger.
39       */
40      private static final transient Logger LOGGER = Logger.getLogger(Engine.class.getName());
41      /**
42       * A key used to persist an object in the MavenProject.
43       */
44      private static final String CPE_ANALYZER_KEY = "dependency-check-CPEAnalyzer";
45      /**
46       * The current MavenProject.
47       */
48      private MavenProject currentProject;
49      /**
50       * The list of MavenProjects that are part of the current build.
51       */
52      private List<MavenProject> reactorProjects;
53      /**
54       * Key used in the MavenProject context values to note whether or not an update has been executed.
55       */
56      public static final String UPDATE_EXECUTED_FLAG = "dependency-check-update-executed";
57  
58      /**
59       * Creates a new Engine to perform anyalsis on dependencies.
60       *
61       * @param project the current Maven project
62       * @param reactorProjects the reactor projects for the current Maven execution
63       * @throws DatabaseException thrown if there is an issue connecting to the database
64       */
65      public Engine(MavenProject project, List<MavenProject> reactorProjects) throws DatabaseException {
66          this.currentProject = project;
67          this.reactorProjects = reactorProjects;
68          final MavenProject root = getExecutionRoot();
69          if (root != null) {
70              LOGGER.fine(String.format("Checking root project, %s, if updates have already been completed", root.getArtifactId()));
71          } else {
72              LOGGER.fine("Checking root project, null, if updates have already been completed");
73          }
74          if (root != null && root.getContextValue(UPDATE_EXECUTED_FLAG) != null) {
75              System.setProperty(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE.toString());
76          }
77          initializeEngine();
78          if (root != null) {
79              root.setContextValue(UPDATE_EXECUTED_FLAG, Boolean.TRUE);
80          }
81      }
82  
83      /**
84       * This constructor should not be called. Use Engine(MavenProject) instead.
85       *
86       * @throws DatabaseException thrown if there is an issue connecting to the database
87       */
88      private Engine() throws DatabaseException {
89      }
90  
91      /**
92       * Initializes the given analyzer. This skips the initialization of the CPEAnalyzer if it has been initialized by a
93       * previous execution.
94       *
95       * @param analyzer the analyzer to initialize
96       * @return the initialized analyzer
97       */
98      @Override
99      protected Analyzer initializeAnalyzer(Analyzer analyzer) {
100         if ((analyzer instanceof CPEAnalyzer)) {
101             CPEAnalyzer cpe = getPreviouslyLoadedCPEAnalyzer();
102             if (cpe != null) {
103                 return cpe;
104             }
105             cpe = (CPEAnalyzer) super.initializeAnalyzer(analyzer);
106             storeCPEAnalyzer(cpe);
107         }
108         return super.initializeAnalyzer(analyzer);
109     }
110 
111     /**
112      * Releases resources used by the analyzers by calling close() on each analyzer.
113      */
114     @Override
115     public void cleanup() {
116         super.cleanup();
117         if (currentProject == null || reactorProjects == null) {
118             return;
119         }
120         if (this.currentProject == reactorProjects.get(reactorProjects.size() - 1)) {
121             final CPEAnalyzer cpe = getPreviouslyLoadedCPEAnalyzer();
122             if (cpe != null) {
123                 cpe.close();
124             }
125         }
126     }
127 
128     /**
129      * Closes the given analyzer. This skips closing the CPEAnalyzer.
130      *
131      * @param analyzer the analyzer to close
132      */
133     @Override
134     protected void closeAnalyzer(Analyzer analyzer) {
135         if ((analyzer instanceof CPEAnalyzer)) {
136             if (getPreviouslyLoadedCPEAnalyzer() == null) {
137                 super.closeAnalyzer(analyzer);
138             }
139         } else {
140             super.closeAnalyzer(analyzer);
141         }
142     }
143 
144     /**
145      * Gets the CPEAnalyzer from the root Maven Project.
146      *
147      * @return an initialized CPEAnalyzer
148      */
149     private CPEAnalyzer getPreviouslyLoadedCPEAnalyzer() {
150         CPEAnalyzer cpe = null;
151         final MavenProject project = getExecutionRoot();
152         if (project != null) {
153             final Object obj = project.getContextValue(CPE_ANALYZER_KEY);
154             if (obj != null && obj instanceof CPEAnalyzer) {
155                 cpe = (CPEAnalyzer) project.getContextValue(CPE_ANALYZER_KEY);
156             }
157         }
158         return cpe;
159     }
160 
161     /**
162      * Stores a CPEAnalyzer in the root Maven Project.
163      *
164      * @param cpe the CPEAnalyzer to store
165      */
166     private void storeCPEAnalyzer(CPEAnalyzer cpe) {
167         final MavenProject p = getExecutionRoot();
168         if (p != null) {
169             p.setContextValue(CPE_ANALYZER_KEY, cpe);
170         }
171     }
172 
173     /**
174      * Returns the root Maven Project.
175      *
176      * @return the root Maven Project
177      */
178     private MavenProject getExecutionRoot() {
179         if (reactorProjects == null) {
180             return null;
181         }
182         for (MavenProject p : reactorProjects) {
183             if (p.isExecutionRoot()) {
184                 return p;
185             }
186         }
187         //the following should  never run, but leaving it as a failsafe.
188         if (this.currentProject == null) {
189             return null;
190         }
191         MavenProject p = this.currentProject;
192         while (p.getParent() != null) {
193             p = p.getParent();
194         }
195         return p;
196     }
197 
198     /**
199      * Resets the file type analyzers so that they can be re-used to scan additional directories. Without the reset the
200      * analyzer might be disabled because the first scan/analyze did not identify any files that could be processed by
201      * the analyzer.
202      */
203     public void resetFileTypeAnalyzers() {
204         for (FileTypeAnalyzer a : getFileTypeAnalyzers()) {
205             a.reset();
206         }
207     }
208 }