Coverage Report - org.owasp.dependencycheck.data.nvdcve.CveDB
 
Classes in this File Line Coverage Branch Coverage Complexity
CveDB
45%
193/425
53%
70/132
5.714
 
 1   
 /*
 2   
  * This file is part of dependency-check-core.
 3   
  *
 4   
  * Licensed under the Apache License, Version 2.0 (the "License");
 5   
  * you may not use this file except in compliance with the License.
 6   
  * You may obtain a copy of the License at
 7   
  *
 8   
  *     http://www.apache.org/licenses/LICENSE-2.0
 9   
  *
 10   
  * Unless required by applicable law or agreed to in writing, software
 11   
  * distributed under the License is distributed on an "AS IS" BASIS,
 12   
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13   
  * See the License for the specific language governing permissions and
 14   
  * limitations under the License.
 15   
  *
 16   
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 17   
  */
 18   
 package org.owasp.dependencycheck.data.nvdcve;
 19   
 
 20   
 import java.io.IOException;
 21   
 import java.io.UnsupportedEncodingException;
 22   
 import java.sql.Connection;
 23   
 import java.sql.PreparedStatement;
 24   
 import java.sql.ResultSet;
 25   
 import java.sql.SQLException;
 26   
 import java.sql.Statement;
 27   
 import java.util.ArrayList;
 28   
 import java.util.HashMap;
 29   
 import java.util.HashSet;
 30   
 import java.util.List;
 31   
 import java.util.Map;
 32   
 import java.util.Map.Entry;
 33   
 import java.util.Properties;
 34   
 import java.util.ResourceBundle;
 35   
 import java.util.Set;
 36   
 import java.util.logging.Level;
 37   
 import java.util.logging.Logger;
 38   
 import org.owasp.dependencycheck.data.cwe.CweDB;
 39   
 import org.owasp.dependencycheck.dependency.Reference;
 40   
 import org.owasp.dependencycheck.dependency.Vulnerability;
 41   
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 42   
 import org.owasp.dependencycheck.utils.DBUtils;
 43   
 import org.owasp.dependencycheck.utils.DependencyVersion;
 44   
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 45   
 import org.owasp.dependencycheck.utils.Pair;
 46   
 import org.owasp.dependencycheck.utils.Settings;
 47   
 
 48   
 /**
 49   
  * The database holding information about the NVD CVE data.
 50   
  *
 51   
  * @author Jeremy Long
 52   
  */
 53   
 public class CveDB {
 54   
 
 55   
     /**
 56   
      * The logger.
 57   
      */
 58  1 
     private static final Logger LOGGER = Logger.getLogger(CveDB.class.getName());
 59   
     /**
 60   
      * Database connection
 61   
      */
 62   
     private Connection conn;
 63   
     /**
 64   
      * The bundle of statements used when accessing the database.
 65   
      */
 66  3 
     private ResourceBundle statementBundle = null;
 67   
 
 68   
     /**
 69   
      * Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller by calling
 70   
      * the close method.
 71   
      *
 72   
      * @throws DatabaseException thrown if there is an exception opening the database.
 73   
      */
 74   
     public CveDB() throws DatabaseException {
 75  3 
         super();
 76  3 
         statementBundle = java.util.ResourceBundle.getBundle("data/dbStatements");
 77   
         try {
 78  3 
             open();
 79  3 
             databaseProperties = new DatabaseProperties(this);
 80  0 
         } catch (DatabaseException ex) {
 81  0 
             throw ex;
 82  3 
         }
 83  3 
     }
 84   
 
 85   
     /**
 86   
      * Returns the database connection.
 87   
      *
 88   
      * @return the database connection
 89   
      */
 90   
     protected Connection getConnection() {
 91  32 
         return conn;
 92   
     }
 93   
 
 94   
     /**
 95   
      * Opens the database connection. If the database does not exist, it will create a new one.
 96   
      *
 97   
      * @throws DatabaseException thrown if there is an error opening the database connection
 98   
      */
 99   
     public final void open() throws DatabaseException {
 100  6 
         if (!isOpen()) {
 101  3 
             conn = ConnectionFactory.getConnection();
 102   
         }
 103  6 
     }
 104   
 
 105   
     /**
 106   
      * Closes the DB4O database. Close should be called on this object when it is done being used.
 107   
      */
 108   
     public void close() {
 109  5 
         if (conn != null) {
 110   
             try {
 111  3 
                 conn.close();
 112  0 
             } catch (SQLException ex) {
 113  0 
                 final String msg = "There was an error attempting to close the CveDB, see the log for more details.";
 114  0 
                 LOGGER.log(Level.SEVERE, msg);
 115  0 
                 LOGGER.log(Level.FINE, null, ex);
 116  0 
             } catch (Throwable ex) {
 117  0 
                 final String msg = "There was an exception attempting to close the CveDB, see the log for more details.";
 118  0 
                 LOGGER.log(Level.SEVERE, msg);
 119  0 
                 LOGGER.log(Level.FINE, null, ex);
 120  3 
             }
 121  3 
             conn = null;
 122   
         }
 123  5 
     }
 124   
 
 125   
     /**
 126   
      * Returns whether the database connection is open or closed.
 127   
      *
 128   
      * @return whether the database connection is open or closed
 129   
      */
 130   
     public boolean isOpen() {
 131  6 
         return conn != null;
 132   
     }
 133   
 
 134   
     /**
 135   
      * Commits all completed transactions.
 136   
      *
 137   
      * @throws SQLException thrown if a SQL Exception occurs
 138   
      */
 139   
     public void commit() throws SQLException {
 140   
         //temporary remove this as autocommit is on.
 141   
         //if (conn != null) {
 142   
         //    conn.commit();
 143   
         //}
 144  0 
     }
 145   
 
 146   
     /**
 147   
      * Cleans up the object and ensures that "close" has been called.
 148   
      *
 149   
      * @throws Throwable thrown if there is a problem
 150   
      */
 151   
     @Override
 152   
     @SuppressWarnings("FinalizeDeclaration")
 153   
     protected void finalize() throws Throwable {
 154  2 
         LOGGER.log(Level.FINE, "Entering finalize");
 155  2 
         close();
 156  2 
         super.finalize();
 157  2 
     }
 158   
     /**
 159   
      * Database properties object containing the 'properties' from the database table.
 160   
      */
 161   
     private DatabaseProperties databaseProperties;
 162   
 
 163   
     /**
 164   
      * Get the value of databaseProperties.
 165   
      *
 166   
      * @return the value of databaseProperties
 167   
      */
 168   
     public DatabaseProperties getDatabaseProperties() {
 169  0 
         return databaseProperties;
 170   
     }
 171   
 
 172   
     /**
 173   
      * Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination. The returned
 174   
      * list will include all versions of the product that are registered in the NVD CVE data.
 175   
      *
 176   
      * @param vendor the identified vendor name of the dependency being analyzed
 177   
      * @param product the identified name of the product of the dependency being analyzed
 178   
      * @return a set of vulnerable software
 179   
      */
 180   
     public Set<VulnerableSoftware> getCPEs(String vendor, String product) {
 181  2 
         final Set<VulnerableSoftware> cpe = new HashSet<VulnerableSoftware>();
 182  2 
         ResultSet rs = null;
 183  2 
         PreparedStatement ps = null;
 184   
         try {
 185  2 
             ps = getConnection().prepareStatement(statementBundle.getString("SELECT_CPE_ENTRIES"));
 186  2 
             ps.setString(1, vendor);
 187  2 
             ps.setString(2, product);
 188  2 
             rs = ps.executeQuery();
 189   
 
 190  80 
             while (rs.next()) {
 191  78 
                 final VulnerableSoftware vs = new VulnerableSoftware();
 192  78 
                 vs.setCpe(rs.getString(1));
 193  78 
                 cpe.add(vs);
 194  78 
             }
 195  0 
         } catch (SQLException ex) {
 196  0 
             final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
 197  0 
             LOGGER.log(Level.SEVERE, msg);
 198  0 
             LOGGER.log(Level.FINE, null, ex);
 199   
         } finally {
 200  2 
             DBUtils.closeResultSet(rs);
 201  2 
             DBUtils.closeStatement(ps);
 202  2 
         }
 203  2 
         return cpe;
 204   
     }
 205   
 
 206   
     /**
 207   
      * Returns the entire list of vendor/product combinations.
 208   
      *
 209   
      * @return the entire list of vendor/product combinations
 210   
      * @throws DatabaseException thrown when there is an error retrieving the data from the DB
 211   
      */
 212   
     public Set<Pair<String, String>> getVendorProductList() throws DatabaseException {
 213  1 
         final Set<Pair<String, String>> data = new HashSet<Pair<String, String>>();
 214  1 
         ResultSet rs = null;
 215  1 
         PreparedStatement ps = null;
 216   
         try {
 217  1 
             ps = getConnection().prepareStatement(statementBundle.getString("SELECT_VENDOR_PRODUCT_LIST"));
 218  1 
             rs = ps.executeQuery();
 219  24880 
             while (rs.next()) {
 220  24879 
                 data.add(new Pair<String, String>(rs.getString(1), rs.getString(2)));
 221   
             }
 222  0 
         } catch (SQLException ex) {
 223  0 
             final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
 224  0 
             throw new DatabaseException(msg, ex);
 225   
         } finally {
 226  1 
             DBUtils.closeResultSet(rs);
 227  1 
             DBUtils.closeStatement(ps);
 228  1 
         }
 229  1 
         return data;
 230   
     }
 231   
 
 232   
     /**
 233   
      * Returns a set of properties.
 234   
      *
 235   
      * @return the properties from the database
 236   
      */
 237   
     Properties getProperties() {
 238  3 
         final Properties prop = new Properties();
 239  3 
         PreparedStatement ps = null;
 240  3 
         ResultSet rs = null;
 241   
         try {
 242  3 
             ps = getConnection().prepareStatement(statementBundle.getString("SELECT_PROPERTIES"));
 243  3 
             rs = ps.executeQuery();
 244  60 
             while (rs.next()) {
 245  57 
                 prop.setProperty(rs.getString(1), rs.getString(2));
 246   
             }
 247  0 
         } catch (SQLException ex) {
 248  0 
             final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
 249  0 
             LOGGER.log(Level.SEVERE, msg);
 250  0 
             LOGGER.log(Level.FINE, null, ex);
 251   
         } finally {
 252  3 
             DBUtils.closeStatement(ps);
 253  3 
             DBUtils.closeResultSet(rs);
 254  3 
         }
 255  3 
         return prop;
 256   
     }
 257   
 
 258   
     /**
 259   
      * Saves a set of properties to the database.
 260   
      *
 261   
      * @param props a collection of properties
 262   
      */
 263   
     void saveProperties(Properties props) {
 264  0 
         PreparedStatement updateProperty = null;
 265  0 
         PreparedStatement insertProperty = null;
 266   
         try {
 267   
             try {
 268  0 
                 updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
 269  0 
                 insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
 270  0 
             } catch (SQLException ex) {
 271  0 
                 LOGGER.log(Level.WARNING, "Unable to save properties to the database");
 272  0 
                 LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
 273   
                 return;
 274  0 
             }
 275  0 
             for (Entry<Object, Object> entry : props.entrySet()) {
 276  0 
                 final String key = entry.getKey().toString();
 277  0 
                 final String value = entry.getValue().toString();
 278   
                 try {
 279  0 
                     updateProperty.setString(1, value);
 280  0 
                     updateProperty.setString(2, key);
 281  0 
                     if (updateProperty.executeUpdate() == 0) {
 282  0 
                         insertProperty.setString(1, key);
 283  0 
                         insertProperty.setString(2, value);
 284   
                     }
 285  0 
                 } catch (SQLException ex) {
 286  0 
                     final String msg = String.format("Unable to save property '%s' with a value of '%s' to the database", key, value);
 287  0 
                     LOGGER.log(Level.WARNING, msg);
 288  0 
                     LOGGER.log(Level.FINE, null, ex);
 289  0 
                 }
 290  0 
             }
 291   
         } finally {
 292  0 
             DBUtils.closeStatement(updateProperty);
 293  0 
             DBUtils.closeStatement(insertProperty);
 294  0 
         }
 295  0 
     }
 296   
 
 297   
     /**
 298   
      * Saves a property to the database.
 299   
      *
 300   
      * @param key the property key
 301   
      * @param value the property value
 302   
      */
 303   
     void saveProperty(String key, String value) {
 304  0 
         PreparedStatement updateProperty = null;
 305  0 
         PreparedStatement insertProperty = null;
 306   
         try {
 307   
             try {
 308  0 
                 updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
 309  0 
             } catch (SQLException ex) {
 310  0 
                 LOGGER.log(Level.WARNING, "Unable to save properties to the database");
 311  0 
                 LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
 312   
                 return;
 313  0 
             }
 314   
             try {
 315  0 
                 updateProperty.setString(1, value);
 316  0 
                 updateProperty.setString(2, key);
 317  0 
                 if (updateProperty.executeUpdate() == 0) {
 318   
                     try {
 319  0 
                         insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
 320  0 
                     } catch (SQLException ex) {
 321  0 
                         LOGGER.log(Level.WARNING, "Unable to save properties to the database");
 322  0 
                         LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
 323   
                         return;
 324  0 
                     }
 325  0 
                     insertProperty.setString(1, key);
 326  0 
                     insertProperty.setString(2, value);
 327  0 
                     insertProperty.execute();
 328   
                 }
 329  0 
             } catch (SQLException ex) {
 330  0 
                 final String msg = String.format("Unable to save property '%s' with a value of '%s' to the database", key, value);
 331  0 
                 LOGGER.log(Level.WARNING, msg);
 332  0 
                 LOGGER.log(Level.FINE, null, ex);
 333  0 
             }
 334   
         } finally {
 335  0 
             DBUtils.closeStatement(updateProperty);
 336  0 
             DBUtils.closeStatement(insertProperty);
 337  0 
         }
 338  0 
     }
 339   
 
 340   
     /**
 341   
      * Retrieves the vulnerabilities associated with the specified CPE.
 342   
      *
 343   
      * @param cpeStr the CPE name
 344   
      * @return a list of Vulnerabilities
 345   
      * @throws DatabaseException thrown if there is an exception retrieving data
 346   
      */
 347   
     public List<Vulnerability> getVulnerabilities(String cpeStr) throws DatabaseException {
 348  2 
         ResultSet rs = null;
 349  2 
         final VulnerableSoftware cpe = new VulnerableSoftware();
 350   
         try {
 351  2 
             cpe.parseName(cpeStr);
 352  0 
         } catch (UnsupportedEncodingException ex) {
 353  0 
             LOGGER.log(Level.FINEST, null, ex);
 354  2 
         }
 355  2 
         final DependencyVersion detectedVersion = parseDependencyVersion(cpe);
 356  2 
         final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
 357   
 
 358   
         PreparedStatement ps;
 359   
         try {
 360  2 
             ps = getConnection().prepareStatement(statementBundle.getString("SELECT_CVE_FROM_SOFTWARE"));
 361  2 
             ps.setString(1, cpe.getVendor());
 362  2 
             ps.setString(2, cpe.getProduct());
 363  2 
             rs = ps.executeQuery();
 364  2 
             String currentCVE = "";
 365   
 
 366  2 
             final Map<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
 367  225 
             while (rs.next()) {
 368  223 
                 final String cveId = rs.getString(1);
 369  223 
                 if (!currentCVE.equals(cveId)) { //check for match and add
 370  8 
                     final Entry<String, Boolean> matchedCPE = getMatchingSoftware(vulnSoftware, cpe.getVendor(), cpe.getProduct(), detectedVersion);
 371  8 
                     if (matchedCPE != null) {
 372  6 
                         final Vulnerability v = getVulnerability(currentCVE);
 373  6 
                         v.setMatchedCPE(matchedCPE.getKey(), matchedCPE.getValue() ? "Y" : null);
 374  6 
                         vulnerabilities.add(v);
 375   
                     }
 376  8 
                     vulnSoftware.clear();
 377  8 
                     currentCVE = cveId;
 378   
                 }
 379   
 
 380  223 
                 final String cpeId = rs.getString(2);
 381  223 
                 final String previous = rs.getString(3);
 382  223 
                 final Boolean p = previous != null && !previous.isEmpty();
 383  223 
                 vulnSoftware.put(cpeId, p);
 384  223 
             }
 385   
             //remember to process the last set of CVE/CPE entries
 386  2 
             final Entry<String, Boolean> matchedCPE = getMatchingSoftware(vulnSoftware, cpe.getVendor(), cpe.getProduct(), detectedVersion);
 387  2 
             if (matchedCPE != null) {
 388  2 
                 final Vulnerability v = getVulnerability(currentCVE);
 389  2 
                 v.setMatchedCPE(matchedCPE.getKey(), matchedCPE.getValue() ? "Y" : null);
 390  2 
                 vulnerabilities.add(v);
 391   
             }
 392  2 
             DBUtils.closeResultSet(rs);
 393  2 
             DBUtils.closeStatement(ps);
 394  0 
         } catch (SQLException ex) {
 395  0 
             throw new DatabaseException("Exception retrieving vulnerability for " + cpeStr, ex);
 396   
         } finally {
 397  2 
             DBUtils.closeResultSet(rs);
 398  2 
         }
 399  2 
         return vulnerabilities;
 400   
     }
 401   
 
 402   
     /**
 403   
      * Gets a vulnerability for the provided CVE.
 404   
      *
 405   
      * @param cve the CVE to lookup
 406   
      * @return a vulnerability object
 407   
      * @throws DatabaseException if an exception occurs
 408   
      */
 409   
     private Vulnerability getVulnerability(String cve) throws DatabaseException {
 410  8 
         PreparedStatement psV = null;
 411  8 
         PreparedStatement psR = null;
 412  8 
         PreparedStatement psS = null;
 413  8 
         ResultSet rsV = null;
 414  8 
         ResultSet rsR = null;
 415  8 
         ResultSet rsS = null;
 416  8 
         Vulnerability vuln = null;
 417   
         try {
 418  8 
             psV = getConnection().prepareStatement(statementBundle.getString("SELECT_VULNERABILITY"));
 419  8 
             psV.setString(1, cve);
 420  8 
             rsV = psV.executeQuery();
 421  8 
             if (rsV.next()) {
 422  8 
                 vuln = new Vulnerability();
 423  8 
                 vuln.setName(cve);
 424  8 
                 vuln.setDescription(rsV.getString(2));
 425  8 
                 String cwe = rsV.getString(3);
 426  8 
                 if (cwe != null) {
 427  8 
                     final String name = CweDB.getCweName(cwe);
 428  8 
                     if (name != null) {
 429  7 
                         cwe += " " + name;
 430   
                     }
 431   
                 }
 432  8 
                 final int cveId = rsV.getInt(1);
 433  8 
                 vuln.setCwe(cwe);
 434  8 
                 vuln.setCvssScore(rsV.getFloat(4));
 435  8 
                 vuln.setCvssAccessVector(rsV.getString(5));
 436  8 
                 vuln.setCvssAccessComplexity(rsV.getString(6));
 437  8 
                 vuln.setCvssAuthentication(rsV.getString(7));
 438  8 
                 vuln.setCvssConfidentialityImpact(rsV.getString(8));
 439  8 
                 vuln.setCvssIntegrityImpact(rsV.getString(9));
 440  8 
                 vuln.setCvssAvailabilityImpact(rsV.getString(10));
 441   
 
 442  8 
                 psR = getConnection().prepareStatement(statementBundle.getString("SELECT_REFERENCES"));
 443  8 
                 psR.setInt(1, cveId);
 444  8 
                 rsR = psR.executeQuery();
 445  74 
                 while (rsR.next()) {
 446  66 
                     vuln.addReference(rsR.getString(1), rsR.getString(2), rsR.getString(3));
 447   
                 }
 448  8 
                 psS = getConnection().prepareStatement(statementBundle.getString("SELECT_SOFTWARE"));
 449  8 
                 psS.setInt(1, cveId);
 450  8 
                 rsS = psS.executeQuery();
 451  244 
                 while (rsS.next()) {
 452  236 
                     final String cpe = rsS.getString(1);
 453  236 
                     final String prevVersion = rsS.getString(2);
 454  236 
                     if (prevVersion == null) {
 455  228 
                         vuln.addVulnerableSoftware(cpe);
 456   
                     } else {
 457  8 
                         vuln.addVulnerableSoftware(cpe, prevVersion);
 458   
                     }
 459  236 
                 }
 460   
             }
 461  0 
         } catch (SQLException ex) {
 462  0 
             throw new DatabaseException("Error retrieving " + cve, ex);
 463   
         } finally {
 464  8 
             DBUtils.closeResultSet(rsV);
 465  8 
             DBUtils.closeResultSet(rsR);
 466  8 
             DBUtils.closeResultSet(rsS);
 467  8 
             DBUtils.closeStatement(psV);
 468  8 
             DBUtils.closeStatement(psR);
 469  8 
             DBUtils.closeStatement(psS);
 470  8 
         }
 471  8 
         return vuln;
 472   
     }
 473   
 
 474   
     /**
 475   
      * Updates the vulnerability within the database. If the vulnerability does not exist it will be added.
 476   
      *
 477   
      * @param vuln the vulnerability to add to the database
 478   
      * @throws DatabaseException is thrown if the database
 479   
      */
 480   
     public void updateVulnerability(Vulnerability vuln) throws DatabaseException {
 481  0 
         PreparedStatement selectVulnerabilityId = null;
 482  0 
         PreparedStatement deleteVulnerability = null;
 483  0 
         PreparedStatement deleteReferences = null;
 484  0 
         PreparedStatement deleteSoftware = null;
 485  0 
         PreparedStatement updateVulnerability = null;
 486  0 
         PreparedStatement insertVulnerability = null;
 487  0 
         PreparedStatement insertReference = null;
 488  0 
         PreparedStatement selectCpeId = null;
 489  0 
         PreparedStatement insertCpe = null;
 490  0 
         PreparedStatement insertSoftware = null;
 491   
 
 492   
         try {
 493  0 
             selectVulnerabilityId = getConnection().prepareStatement(statementBundle.getString("SELECT_VULNERABILITY_ID"));
 494  0 
             deleteVulnerability = getConnection().prepareStatement(statementBundle.getString("DELETE_VULNERABILITY"));
 495  0 
             deleteReferences = getConnection().prepareStatement(statementBundle.getString("DELETE_REFERENCE"));
 496  0 
             deleteSoftware = getConnection().prepareStatement(statementBundle.getString("DELETE_SOFTWARE"));
 497  0 
             updateVulnerability = getConnection().prepareStatement(statementBundle.getString("UPDATE_VULNERABILITY"));
 498  0 
             insertVulnerability = getConnection().prepareStatement(statementBundle.getString("INSERT_VULNERABILITY"),
 499   
                     Statement.RETURN_GENERATED_KEYS);
 500  0 
             insertReference = getConnection().prepareStatement(statementBundle.getString("INSERT_REFERENCE"));
 501  0 
             selectCpeId = getConnection().prepareStatement(statementBundle.getString("SELECT_CPE_ID"));
 502  0 
             insertCpe = getConnection().prepareStatement(statementBundle.getString("INSERT_CPE"),
 503   
                     Statement.RETURN_GENERATED_KEYS);
 504  0 
             insertSoftware = getConnection().prepareStatement(statementBundle.getString("INSERT_SOFTWARE"));
 505  0 
             int vulnerabilityId = 0;
 506  0 
             selectVulnerabilityId.setString(1, vuln.getName());
 507  0 
             ResultSet rs = selectVulnerabilityId.executeQuery();
 508  0 
             if (rs.next()) {
 509  0 
                 vulnerabilityId = rs.getInt(1);
 510   
                 // first delete any existing vulnerability info. We don't know what was updated. yes, slower but atm easier.
 511  0 
                 deleteReferences.setInt(1, vulnerabilityId);
 512  0 
                 deleteReferences.execute();
 513  0 
                 deleteSoftware.setInt(1, vulnerabilityId);
 514  0 
                 deleteSoftware.execute();
 515   
             }
 516  0 
             DBUtils.closeResultSet(rs);
 517  0 
             rs = null;
 518  0 
             if (vulnerabilityId != 0) {
 519  0 
                 if (vuln.getDescription().contains("** REJECT **")) {
 520  0 
                     deleteVulnerability.setInt(1, vulnerabilityId);
 521  0 
                     deleteVulnerability.executeUpdate();
 522   
                 } else {
 523  0 
                     updateVulnerability.setString(1, vuln.getDescription());
 524  0 
                     updateVulnerability.setString(2, vuln.getCwe());
 525  0 
                     updateVulnerability.setFloat(3, vuln.getCvssScore());
 526  0 
                     updateVulnerability.setString(4, vuln.getCvssAccessVector());
 527  0 
                     updateVulnerability.setString(5, vuln.getCvssAccessComplexity());
 528  0 
                     updateVulnerability.setString(6, vuln.getCvssAuthentication());
 529  0 
                     updateVulnerability.setString(7, vuln.getCvssConfidentialityImpact());
 530  0 
                     updateVulnerability.setString(8, vuln.getCvssIntegrityImpact());
 531  0 
                     updateVulnerability.setString(9, vuln.getCvssAvailabilityImpact());
 532  0 
                     updateVulnerability.setInt(10, vulnerabilityId);
 533  0 
                     updateVulnerability.executeUpdate();
 534   
                 }
 535   
             } else {
 536  0 
                 insertVulnerability.setString(1, vuln.getName());
 537  0 
                 insertVulnerability.setString(2, vuln.getDescription());
 538  0 
                 insertVulnerability.setString(3, vuln.getCwe());
 539  0 
                 insertVulnerability.setFloat(4, vuln.getCvssScore());
 540  0 
                 insertVulnerability.setString(5, vuln.getCvssAccessVector());
 541  0 
                 insertVulnerability.setString(6, vuln.getCvssAccessComplexity());
 542  0 
                 insertVulnerability.setString(7, vuln.getCvssAuthentication());
 543  0 
                 insertVulnerability.setString(8, vuln.getCvssConfidentialityImpact());
 544  0 
                 insertVulnerability.setString(9, vuln.getCvssIntegrityImpact());
 545  0 
                 insertVulnerability.setString(10, vuln.getCvssAvailabilityImpact());
 546  0 
                 insertVulnerability.execute();
 547   
                 try {
 548  0 
                     rs = insertVulnerability.getGeneratedKeys();
 549  0 
                     rs.next();
 550  0 
                     vulnerabilityId = rs.getInt(1);
 551  0 
                 } catch (SQLException ex) {
 552  0 
                     final String msg = String.format("Unable to retrieve id for new vulnerability for '%s'", vuln.getName());
 553  0 
                     throw new DatabaseException(msg, ex);
 554   
                 } finally {
 555  0 
                     DBUtils.closeResultSet(rs);
 556  0 
                     rs = null;
 557  0 
                 }
 558   
             }
 559  0 
             insertReference.setInt(1, vulnerabilityId);
 560  0 
             for (Reference r : vuln.getReferences()) {
 561  0 
                 insertReference.setString(2, r.getName());
 562  0 
                 insertReference.setString(3, r.getUrl());
 563  0 
                 insertReference.setString(4, r.getSource());
 564  0 
                 insertReference.execute();
 565  0 
             }
 566  0 
             for (VulnerableSoftware s : vuln.getVulnerableSoftware()) {
 567  0 
                 int cpeProductId = 0;
 568  0 
                 selectCpeId.setString(1, s.getName());
 569   
                 try {
 570  0 
                     rs = selectCpeId.executeQuery();
 571  0 
                     if (rs.next()) {
 572  0 
                         cpeProductId = rs.getInt(1);
 573   
                     }
 574  0 
                 } catch (SQLException ex) {
 575  0 
                     throw new DatabaseException("Unable to get primary key for new cpe: " + s.getName(), ex);
 576   
                 } finally {
 577  0 
                     DBUtils.closeResultSet(rs);
 578  0 
                     rs = null;
 579  0 
                 }
 580   
 
 581  0 
                 if (cpeProductId == 0) {
 582  0 
                     insertCpe.setString(1, s.getName());
 583  0 
                     insertCpe.setString(2, s.getVendor());
 584  0 
                     insertCpe.setString(3, s.getProduct());
 585  0 
                     insertCpe.executeUpdate();
 586  0 
                     cpeProductId = DBUtils.getGeneratedKey(insertCpe);
 587   
                 }
 588  0 
                 if (cpeProductId == 0) {
 589  0 
                     throw new DatabaseException("Unable to retrieve cpeProductId - no data returned");
 590   
                 }
 591   
 
 592  0 
                 insertSoftware.setInt(1, vulnerabilityId);
 593  0 
                 insertSoftware.setInt(2, cpeProductId);
 594  0 
                 if (s.getPreviousVersion() == null) {
 595  0 
                     insertSoftware.setNull(3, java.sql.Types.VARCHAR);
 596   
                 } else {
 597  0 
                     insertSoftware.setString(3, s.getPreviousVersion());
 598   
                 }
 599  0 
                 insertSoftware.execute();
 600  0 
             }
 601   
 
 602  0 
         } catch (SQLException ex) {
 603  0 
             final String msg = String.format("Error updating '%s'", vuln.getName());
 604  0 
             LOGGER.log(Level.FINE, null, ex);
 605  0 
             throw new DatabaseException(msg, ex);
 606   
         } finally {
 607  0 
             DBUtils.closeStatement(selectVulnerabilityId);
 608  0 
             DBUtils.closeStatement(deleteReferences);
 609  0 
             DBUtils.closeStatement(deleteSoftware);
 610  0 
             DBUtils.closeStatement(updateVulnerability);
 611  0 
             DBUtils.closeStatement(deleteVulnerability);
 612  0 
             DBUtils.closeStatement(insertVulnerability);
 613  0 
             DBUtils.closeStatement(insertReference);
 614  0 
             DBUtils.closeStatement(selectCpeId);
 615  0 
             DBUtils.closeStatement(insertCpe);
 616  0 
             DBUtils.closeStatement(insertSoftware);
 617  0 
         }
 618  0 
     }
 619   
 
 620   
     /**
 621   
      * Checks to see if data exists so that analysis can be performed.
 622   
      *
 623   
      * @return <code>true</code> if data exists; otherwise <code>false</code>
 624   
      */
 625   
     public boolean dataExists() {
 626  1 
         Statement cs = null;
 627  1 
         ResultSet rs = null;
 628   
         try {
 629  1 
             cs = conn.createStatement();
 630  1 
             rs = cs.executeQuery("SELECT COUNT(*) records FROM cpeEntry");
 631  1 
             if (rs.next()) {
 632  1 
                 if (rs.getInt(1) > 0) {
 633  1 
                     return true;
 634   
                 }
 635   
             }
 636  0 
         } catch (SQLException ex) {
 637   
             String dd;
 638   
             try {
 639  0 
                 dd = Settings.getDataDirectory().getAbsolutePath();
 640  0 
             } catch (IOException ex1) {
 641  0 
                 dd = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
 642  0 
             }
 643  0 
             final String msg = String.format("Unable to access the local database.%n%nEnsure that '%s' is a writable directory. "
 644   
                     + "If the problem persist try deleting the files in '%s' and running %s again. If the problem continues, please "
 645   
                     + "create a log file (see documentation at http://jeremylong.github.io/DependencyCheck/) and open a ticket at "
 646   
                     + "https://github.com/jeremylong/DependencyCheck/issues and include the log file.%n%n",
 647   
                     dd, dd, Settings.getString(Settings.KEYS.APPLICATION_VAME));
 648  0 
             LOGGER.log(Level.SEVERE, msg);
 649  0 
             LOGGER.log(Level.FINE, "", ex);
 650   
         } finally {
 651  1 
             DBUtils.closeResultSet(rs);
 652  1 
             DBUtils.closeStatement(cs);
 653  0 
         }
 654  0 
         return false;
 655   
     }
 656   
 
 657   
     /**
 658   
      * It is possible that orphaned rows may be generated during database updates. This should be called after all updates have
 659   
      * been completed to ensure orphan entries are removed.
 660   
      */
 661   
     public void cleanupDatabase() {
 662  0 
         PreparedStatement ps = null;
 663   
         try {
 664  0 
             ps = getConnection().prepareStatement(statementBundle.getString("CLEANUP_ORPHANS"));
 665  0 
             if (ps != null) {
 666  0 
                 ps.executeUpdate();
 667   
             }
 668  0 
         } catch (SQLException ex) {
 669  0 
             final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
 670  0 
             LOGGER.log(Level.SEVERE, msg);
 671  0 
             LOGGER.log(Level.FINE, null, ex);
 672   
         } finally {
 673  0 
             DBUtils.closeStatement(ps);
 674  0 
         }
 675  0 
     }
 676   
 
 677   
     /**
 678   
      * Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null, non-empty
 679   
      * string passed to the previous version argument indicates that all previous versions are affected.
 680   
      *
 681   
      * @param vendor the vendor of the dependency being analyzed
 682   
      * @param product the product name of the dependency being analyzed
 683   
      * @param vulnerableSoftware a map of the vulnerable software with a boolean indicating if all previous versions are affected
 684   
      * @param identifiedVersion the identified version of the dependency being analyzed
 685   
      * @return true if the identified version is affected, otherwise false
 686   
      */
 687   
     Entry<String, Boolean> getMatchingSoftware(Map<String, Boolean> vulnerableSoftware, String vendor, String product,
 688   
             DependencyVersion identifiedVersion) {
 689   
 
 690  10 
         final boolean isVersionTwoADifferentProduct = "apache".equals(vendor) && "struts".equals(product);
 691   
 
 692  10 
         final Set<String> majorVersionsAffectingAllPrevious = new HashSet<String>();
 693  10 
         final boolean matchesAnyPrevious = identifiedVersion == null || "-".equals(identifiedVersion.toString());
 694  10 
         String majorVersionMatch = null;
 695  10 
         for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
 696  223 
             final DependencyVersion v = parseDependencyVersion(entry.getKey());
 697  223 
             if (v == null || "-".equals(v.toString())) { //all versions
 698  0 
                 return entry;
 699   
             }
 700  223 
             if (entry.getValue()) {
 701  8 
                 if (matchesAnyPrevious) {
 702  0 
                     return entry;
 703   
                 }
 704  8 
                 if (identifiedVersion != null && identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0))) {
 705  6 
                     majorVersionMatch = v.getVersionParts().get(0);
 706   
                 }
 707  8 
                 majorVersionsAffectingAllPrevious.add(v.getVersionParts().get(0));
 708   
             }
 709  223 
         }
 710  10 
         if (matchesAnyPrevious) {
 711  0 
             return null;
 712   
         }
 713   
 
 714  10 
         final boolean canSkipVersions = majorVersionMatch != null && majorVersionsAffectingAllPrevious.size() > 1;
 715   
         //yes, we are iterating over this twice. The first time we are skipping versions those that affect all versions
 716   
         //then later we process those that affect all versions. This could be done with sorting...
 717  10 
         for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
 718  176 
             if (!entry.getValue()) {
 719  169 
                 final DependencyVersion v = parseDependencyVersion(entry.getKey());
 720   
                 //this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
 721  169 
                 if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
 722  10 
                     continue;
 723   
                 }
 724   
                 //this can't dereference a null 'identifiedVersion' because if it was null we would have exited
 725   
                 //in the above loop or just after loop (if matchesAnyPrevious return null).
 726  159 
                 if (identifiedVersion.equals(v)) {
 727  8 
                     return entry;
 728   
                 }
 729   
             }
 730  158 
         }
 731  2 
         for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
 732  0 
             if (entry.getValue()) {
 733  0 
                 final DependencyVersion v = parseDependencyVersion(entry.getKey());
 734   
                 //this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
 735  0 
                 if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
 736  0 
                     continue;
 737   
                 }
 738   
                 //this can't dereference a null 'identifiedVersion' because if it was null we would have exited
 739   
                 //in the above loop or just after loop (if matchesAnyPrevious return null).
 740  0 
                 if (entry.getValue() && identifiedVersion.compareTo(v) <= 0) {
 741  0 
                     if (!(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))) {
 742  0 
                         return entry;
 743   
                     }
 744   
                 }
 745   
             }
 746  0 
         }
 747  2 
         return null;
 748   
     }
 749   
 
 750   
     /**
 751   
      * Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is returned.
 752   
      *
 753   
      * @param cpeStr a cpe identifier
 754   
      * @return a dependency version
 755   
      */
 756   
     private DependencyVersion parseDependencyVersion(String cpeStr) {
 757  392 
         final VulnerableSoftware cpe = new VulnerableSoftware();
 758   
         try {
 759  392 
             cpe.parseName(cpeStr);
 760  0 
         } catch (UnsupportedEncodingException ex) {
 761   
             //never going to happen.
 762  0 
             LOGGER.log(Level.FINEST, null, ex);
 763  392 
         }
 764  392 
         return parseDependencyVersion(cpe);
 765   
     }
 766   
 
 767   
     /**
 768   
      * Takes a CPE and parses out the version number. If no version is identified then a '-' is returned.
 769   
      *
 770   
      * @param cpe a cpe object
 771   
      * @return a dependency version
 772   
      */
 773   
     private DependencyVersion parseDependencyVersion(VulnerableSoftware cpe) {
 774   
         DependencyVersion cpeVersion;
 775  394 
         if (cpe.getVersion() != null && !cpe.getVersion().isEmpty()) {
 776   
             String versionText;
 777  394 
             if (cpe.getRevision() != null && !cpe.getRevision().isEmpty()) {
 778  130 
                 versionText = String.format("%s.%s", cpe.getVersion(), cpe.getRevision());
 779   
             } else {
 780  264 
                 versionText = cpe.getVersion();
 781   
             }
 782  394 
             cpeVersion = DependencyVersionUtil.parseVersion(versionText);
 783  394 
         } else {
 784  0 
             cpeVersion = new DependencyVersion("-");
 785   
         }
 786  394 
         return cpeVersion;
 787   
     }
 788   
 }
Report generated by Cobertura 2.0.3 on 5/11/15 8:40 PM.