Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.CentralAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

CentralAnalyzer

25%

17/68

13%

4/30

3.625

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URL;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.central.CentralSearch;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.xml.pom.PomUtils;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
  * digest.
  *
  * @author colezlaw
  */
 public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * The logger.
      */
     private static final Logger LOGGER = Logger.getLogger(CentralAnalyzer.class.getName());
 
     /**
      * The name of the analyzer.
      */
     private static final String ANALYZER_NAME = "Central Analyzer";
 
     /**
      * The phase in which this analyzer runs.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
 
     /**
      * The types of files on which this will work.
      */
     private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
 
     /**
      * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
      */
     private boolean errorFlag = false;
 
     /**
      * The searcher itself.
      */
     private CentralSearch searcher;
     /**
      * Field indicating if the analyzer is enabled.
      */
     private final boolean enabled = checkEnabled();
 
     /**
      * Determine whether to enable this analyzer or not.
      *
      * @return whether the analyzer should be enabled
      */
     @Override
     public boolean isEnabled() {
         return enabled;
     }
 
     /**
      * Determines if this analyzer is enabled.
      *
      * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
      */
     private boolean checkEnabled() {
         boolean retval = false;
 
         try {
             if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
                 if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
                         || NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
                     LOGGER.fine("Enabling the Central analyzer");
                     retval = true;
                 } else {
                     LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
                 }
             } else {
                 LOGGER.info("Central analyzer disabled");
             }
         } catch (InvalidSettingException ise) {
             LOGGER.warning("Invalid setting. Disabling the Central analyzer");
         }
         return retval;
     }
 
     /**
      * Initializes the analyzer once before any analysis is performed.
      *
      * @throws Exception if there's an error during initialization
      */
     @Override
     public void initializeFileTypeAnalyzer() throws Exception {
         LOGGER.fine("Initializing Central analyzer");
         LOGGER.fine(String.format("Central analyzer enabled: %s", isEnabled()));
         if (isEnabled()) {
             final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
             LOGGER.fine(String.format("Central Analyzer URL: %s", searchUrl));
             searcher = new CentralSearch(new URL(searchUrl));
         }
     }
 
     /**
      * Returns the analyzer's name.
      *
      * @return the name of the analyzer
      */
     @Override
     public String getName() {
         return ANALYZER_NAME;
     }
 
     /**
      * Returns the key used in the properties file to to reference the analyzer's enabled property.
      *
      * @return the analyzer's enabled property setting key.
      */
     @Override
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_CENTRAL_ENABLED;
     }
 
     /**
      * Returns the analysis phase under which the analyzer runs.
      *
      * @return the phase under which the analyzer runs
      */
     @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
 
     /**
      * Returns the extensions for which this Analyzer runs.
      *
      * @return the extensions for which this Analyzer runs
      */
     @Override
     public Set<String> getSupportedExtensions() {
         return SUPPORTED_EXTENSIONS;
     }
 
     /**
      * Performs the analysis.
      *
      * @param dependency the dependency to analyze
      * @param engine the engine
      * @throws AnalysisException when there's an exception during analysis
      */
     @Override
     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
         if (errorFlag || !isEnabled()) {
             return;
         }
 
         try {
             final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
             final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
             for (MavenArtifact ma : mas) {
                 LOGGER.fine(String.format("Central analyzer found artifact (%s) for dependency (%s)", ma.toString(), dependency.getFileName()));
                 dependency.addAsEvidence("central", ma, confidence);
                 boolean pomAnalyzed = false;
                 for (Evidence e : dependency.getVendorEvidence()) {
                     if ("pom".equals(e.getSource())) {
                         pomAnalyzed = true;
                         break;
                     }
                 }
                 if (!pomAnalyzed && ma.getPomUrl() != null) {
                     File pomFile = null;
                     try {
                         final File baseDir = Settings.getTempDirectory();
                         pomFile = File.createTempFile("pom", ".xml", baseDir);
                         if (!pomFile.delete()) {
                             final String msg = String.format("Unable to fetch pom.xml for %s from Central; "
                                     + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                             LOGGER.warning(msg);
                             LOGGER.fine("Unable to delete temp file");
                         }
                         LOGGER.fine(String.format("Downloading %s", ma.getPomUrl()));
                         Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
                         PomUtils.analyzePOM(dependency, pomFile);
 
                     } catch (DownloadFailedException ex) {
                         final String msg = String.format("Unable to download pom.xml for %s from Central; "
                                 + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                         LOGGER.warning(msg);
                     } finally {
                         if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
                             pomFile.deleteOnExit();
                         }
                     }
                 }
 
             }
         } catch (IllegalArgumentException iae) {
             LOGGER.info(String.format("invalid sha1-hash on %s", dependency.getFileName()));
         } catch (FileNotFoundException fnfe) {
             LOGGER.fine(String.format("Artifact not found in repository: '%s", dependency.getFileName()));
         } catch (IOException ioe) {
             LOGGER.log(Level.FINE, "Could not connect to Central search", ioe);
             errorFlag = true;
         }
     }
 
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import java.io.File;
21		import java.io.FileNotFoundException;
22		import java.io.IOException;
23		import java.net.URL;
24		import java.util.List;
25		import java.util.Set;
26		import java.util.logging.Level;
27		import java.util.logging.Logger;
28		import org.apache.commons.io.FileUtils;
29		import org.owasp.dependencycheck.Engine;
30		import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
31		import org.owasp.dependencycheck.data.central.CentralSearch;
32		import org.owasp.dependencycheck.data.nexus.MavenArtifact;
33		import org.owasp.dependencycheck.dependency.Confidence;
34		import org.owasp.dependencycheck.dependency.Dependency;
35		import org.owasp.dependencycheck.dependency.Evidence;
36		import org.owasp.dependencycheck.xml.pom.PomUtils;
37		import org.owasp.dependencycheck.utils.DownloadFailedException;
38		import org.owasp.dependencycheck.utils.Downloader;
39		import org.owasp.dependencycheck.utils.InvalidSettingException;
40		import org.owasp.dependencycheck.utils.Settings;
41
42		/**
43		* Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
44		* digest.
45		*
46		* @author colezlaw
47		*/
48	2	public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
49
50		/**
51		* The logger.
52		*/
53	1	private static final Logger LOGGER = Logger.getLogger(CentralAnalyzer.class.getName());
54
55		/**
56		* The name of the analyzer.
57		*/
58		private static final String ANALYZER_NAME = "Central Analyzer";
59
60		/**
61		* The phase in which this analyzer runs.
62		*/
63	1	private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
64
65		/**
66		* The types of files on which this will work.
67		*/
68	1	private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
69
70		/**
71		* The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
72		*/
73	2	private boolean errorFlag = false;
74
75		/**
76		* The searcher itself.
77		*/
78		private CentralSearch searcher;
79		/**
80		* Field indicating if the analyzer is enabled.
81		*/
82	2	private final boolean enabled = checkEnabled();
83
84		/**
85		* Determine whether to enable this analyzer or not.
86		*
87		* @return whether the analyzer should be enabled
88		*/
89		@Override
90		public boolean isEnabled() {
91	0	return enabled;
92		}
93
94		/**
95		* Determines if this analyzer is enabled.
96		*
97		* @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
98		*/
99		private boolean checkEnabled() {
100	2	boolean retval = false;
101
102		try {
103	2	if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
104	1	if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
105		\|\| NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
106	1	LOGGER.fine("Enabling the Central analyzer");
107	1	retval = true;
108		} else {
109	0	LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
110		}
111		} else {
112	1	LOGGER.info("Central analyzer disabled");
113		}
114	0	} catch (InvalidSettingException ise) {
115	0	LOGGER.warning("Invalid setting. Disabling the Central analyzer");
116	2	}
117	2	return retval;
118		}
119
120		/**
121		* Initializes the analyzer once before any analysis is performed.
122		*
123		* @throws Exception if there's an error during initialization
124		*/
125		@Override
126		public void initializeFileTypeAnalyzer() throws Exception {
127	0	LOGGER.fine("Initializing Central analyzer");
128	0	LOGGER.fine(String.format("Central analyzer enabled: %s", isEnabled()));
129	0	if (isEnabled()) {
130	0	final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
131	0	LOGGER.fine(String.format("Central Analyzer URL: %s", searchUrl));
132	0	searcher = new CentralSearch(new URL(searchUrl));
133		}
134	0	}
135
136		/**
137		* Returns the analyzer's name.
138		*
139		* @return the name of the analyzer
140		*/
141		@Override
142		public String getName() {
143	4	return ANALYZER_NAME;
144		}
145
146		/**
147		* Returns the key used in the properties file to to reference the analyzer's enabled property.
148		*
149		* @return the analyzer's enabled property setting key.
150		*/
151		@Override
152		protected String getAnalyzerEnabledSettingKey() {
153	2	return Settings.KEYS.ANALYZER_CENTRAL_ENABLED;
154		}
155
156		/**
157		* Returns the analysis phase under which the analyzer runs.
158		*
159		* @return the phase under which the analyzer runs
160		*/
161		@Override
162		public AnalysisPhase getAnalysisPhase() {
163	1	return ANALYSIS_PHASE;
164		}
165
166		/**
167		* Returns the extensions for which this Analyzer runs.
168		*
169		* @return the extensions for which this Analyzer runs
170		*/
171		@Override
172		public Set<String> getSupportedExtensions() {
173	0	return SUPPORTED_EXTENSIONS;
174		}
175
176		/**
177		* Performs the analysis.
178		*
179		* @param dependency the dependency to analyze
180		* @param engine the engine
181		* @throws AnalysisException when there's an exception during analysis
182		*/
183		@Override
184		public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
185	0	if (errorFlag \|\| !isEnabled()) {
186	0	return;
187		}
188
189		try {
190	0	final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
191	0	final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
192	0	for (MavenArtifact ma : mas) {
193	0	LOGGER.fine(String.format("Central analyzer found artifact (%s) for dependency (%s)", ma.toString(), dependency.getFileName()));
194	0	dependency.addAsEvidence("central", ma, confidence);
195	0	boolean pomAnalyzed = false;
196	0	for (Evidence e : dependency.getVendorEvidence()) {
197	0	if ("pom".equals(e.getSource())) {
198	0	pomAnalyzed = true;
199	0	break;
200		}
201	0	}
202	0	if (!pomAnalyzed && ma.getPomUrl() != null) {
203	0	File pomFile = null;
204		try {
205	0	final File baseDir = Settings.getTempDirectory();
206	0	pomFile = File.createTempFile("pom", ".xml", baseDir);
207	0	if (!pomFile.delete()) {
208	0	final String msg = String.format("Unable to fetch pom.xml for %s from Central; "
209		+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
210	0	LOGGER.warning(msg);
211	0	LOGGER.fine("Unable to delete temp file");
212		}
213	0	LOGGER.fine(String.format("Downloading %s", ma.getPomUrl()));
214	0	Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
215	0	PomUtils.analyzePOM(dependency, pomFile);
216
217	0	} catch (DownloadFailedException ex) {
218	0	final String msg = String.format("Unable to download pom.xml for %s from Central; "
219		+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
220	0	LOGGER.warning(msg);
221		} finally {
222	0	if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
223	0	pomFile.deleteOnExit();
224		}
225		}
226		}
227
228	0	}
229	0	} catch (IllegalArgumentException iae) {
230	0	LOGGER.info(String.format("invalid sha1-hash on %s", dependency.getFileName()));
231	0	} catch (FileNotFoundException fnfe) {
232	0	LOGGER.fine(String.format("Artifact not found in repository: '%s", dependency.getFileName()));
233	0	} catch (IOException ioe) {
234	0	LOGGER.log(Level.FINE, "Could not connect to Central search", ioe);
235	0	errorFlag = true;
236	0	}
237	0	}
238
239		}