Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.CentralAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

CentralAnalyzer

73%

33/45

62%

10/16

2.625

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URL;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.central.CentralSearch;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's
  * SHA-1 digest.
  *
  * @author colezlaw
  */
 public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * The logger.
      */
     private static final Logger LOGGER = Logger.getLogger(CentralAnalyzer.class.getName());
 
     /**
      * The name of the analyzer.
      */
     private static final String ANALYZER_NAME = "Central Analyzer";
 
     /**
      * The phase in which this analyzer runs.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
 
     /**
      * The types of files on which this will work.
      */
     private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
 
     /**
      * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has
      * occurred.
      */
     private boolean errorFlag = false;
 
     /**
      * The searcher itself.
      */
     private CentralSearch searcher;
 
     /**
      * Field indicating if the analyzer is enabled.
      */
     private final boolean enabled = checkEnabled();
 
     /**
      * Determine whether to enable this analyzer or not.
      *
      * @return whether the analyzer should be enabled
      */
     @Override
     public boolean isEnabled() {
         return enabled;
     }
 
     /**
      * Determines if this analyzer is enabled.
      *
      * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
      */
     private boolean checkEnabled() {
         boolean retval = false;
 
         try {
             if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
                 if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
                         || NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
                     LOGGER.info("Enabling the Central analyzer");
                     retval = true;
                 } else {
                     LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
                 }
             } else {
                 LOGGER.info("Central analyzer disabled");
             }
         } catch (InvalidSettingException ise) {
             LOGGER.warning("Invalid setting. Disabling the Central analyzer");
         }
         return retval;
     }
 
     /**
      * Initializes the analyzer once before any analysis is performed.
      *
      * @throws Exception if there's an error during initialization
      */
     @Override
     public void initializeFileTypeAnalyzer() throws Exception {
         LOGGER.fine("Initializing Central analyzer");
         LOGGER.fine(String.format("Central analyzer enabled: %s", isEnabled()));
         if (isEnabled()) {
             final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
             LOGGER.fine(String.format("Central Analyzer URL: %s", searchUrl));
             searcher = new CentralSearch(new URL(searchUrl));
         }
     }
 
     /**
      * Returns the analyzer's name.
      *
      * @return the name of the analyzer
      */
     @Override
     public String getName() {
         return ANALYZER_NAME;
     }
 
     /**
      * Returns the key used in the properties file to to reference the analyzer's enabled property.
      *
      * @return the analyzer's enabled property setting key.
      */
     @Override
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_CENTRAL_ENABLED;
     }
 
     /**
      * Returns the analysis phase under which the analyzer runs.
      *
      * @return the phase under which the analyzer runs
      */
     @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
 
     /**
      * Returns the extensions for which this Analyzer runs.
      *
      * @return the extensions for which this Analyzer runs
      */
     @Override
     public Set<String> getSupportedExtensions() {
         return SUPPORTED_EXTENSIONS;
     }
 
     /**
      * Performs the analysis.
      *
      * @param dependency the dependency to analyze
      * @param engine the engine
      * @throws AnalysisException when there's an exception during analysis
      */
     @Override
     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
         if (errorFlag || !isEnabled()) {
             return;
         }
 
         try {
             final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
             final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
             for (MavenArtifact ma : mas) {
                 LOGGER.fine(String.format("Central analyzer found artifact (%s) for dependency (%s)", ma.toString(), dependency.getFileName()));
                 dependency.addAsEvidence("central", ma, confidence);
             }
         } catch (IllegalArgumentException iae) {
             LOGGER.info(String.format("invalid sha1-hash on %s", dependency.getFileName()));
         } catch (FileNotFoundException fnfe) {
             LOGGER.fine(String.format("Artifact not found in repository: '%s", dependency.getFileName()));
         } catch (IOException ioe) {
             LOGGER.log(Level.FINE, "Could not connect to Central search", ioe);
             errorFlag = true;
         }
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import java.io.FileNotFoundException;
21		import java.io.IOException;
22		import java.net.URL;
23		import java.util.List;
24		import java.util.Set;
25		import java.util.logging.Level;
26		import java.util.logging.Logger;
27		import org.owasp.dependencycheck.Engine;
28		import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
29		import org.owasp.dependencycheck.data.central.CentralSearch;
30		import org.owasp.dependencycheck.data.nexus.MavenArtifact;
31		import org.owasp.dependencycheck.dependency.Confidence;
32		import org.owasp.dependencycheck.dependency.Dependency;
33		import org.owasp.dependencycheck.utils.InvalidSettingException;
34		import org.owasp.dependencycheck.utils.Settings;
35
36		/**
37		* Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's
38		* SHA-1 digest.
39		*
40		* @author colezlaw
41		*/
42	2	public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
43
44		/**
45		* The logger.
46		*/
47	1	private static final Logger LOGGER = Logger.getLogger(CentralAnalyzer.class.getName());
48
49		/**
50		* The name of the analyzer.
51		*/
52		private static final String ANALYZER_NAME = "Central Analyzer";
53
54		/**
55		* The phase in which this analyzer runs.
56		*/
57	1	private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
58
59		/**
60		* The types of files on which this will work.
61		*/
62	1	private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
63
64		/**
65		* The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has
66		* occurred.
67		*/
68	2	private boolean errorFlag = false;
69
70		/**
71		* The searcher itself.
72		*/
73		private CentralSearch searcher;
74
75		/**
76		* Field indicating if the analyzer is enabled.
77		*/
78	2	private final boolean enabled = checkEnabled();
79
80		/**
81		* Determine whether to enable this analyzer or not.
82		*
83		* @return whether the analyzer should be enabled
84		*/
85		@Override
86		public boolean isEnabled() {
87		return enabled;
88		}
89
90		/**
91		* Determines if this analyzer is enabled.
92		*
93		* @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
94		*/
95		private boolean checkEnabled() {
96	2	boolean retval = false;
97
98		try {
99	2	if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
100	2	if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
101		\|\| NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
102	2	LOGGER.info("Enabling the Central analyzer");
103	2	retval = true;
104		} else {
105	0	LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
106		}
107		} else {
108	0	LOGGER.info("Central analyzer disabled");
109		}
110	0	} catch (InvalidSettingException ise) {
111	0	LOGGER.warning("Invalid setting. Disabling the Central analyzer");
112	2	}
113	2	return retval;
114		}
115
116		/**
117		* Initializes the analyzer once before any analysis is performed.
118		*
119		* @throws Exception if there's an error during initialization
120		*/
121		@Override
122		public void initializeFileTypeAnalyzer() throws Exception {
123	1	LOGGER.fine("Initializing Central analyzer");
124	1	LOGGER.fine(String.format("Central analyzer enabled: %s", isEnabled()));
125	1	if (isEnabled()) {
126	1	final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
127	1	LOGGER.fine(String.format("Central Analyzer URL: %s", searchUrl));
128	1	searcher = new CentralSearch(new URL(searchUrl));
129		}
130	1	}
131
132		/**
133		* Returns the analyzer's name.
134		*
135		* @return the name of the analyzer
136		*/
137		@Override
138		public String getName() {
139	4	return ANALYZER_NAME;
140		}
141
142		/**
143		* Returns the key used in the properties file to to reference the analyzer's enabled property.
144		*
145		* @return the analyzer's enabled property setting key.
146		*/
147		@Override
148		protected String getAnalyzerEnabledSettingKey() {
149	2	return Settings.KEYS.ANALYZER_CENTRAL_ENABLED;
150		}
151
152		/**
153		* Returns the analysis phase under which the analyzer runs.
154		*
155		* @return the phase under which the analyzer runs
156		*/
157		@Override
158		public AnalysisPhase getAnalysisPhase() {
159	1	return ANALYSIS_PHASE;
160		}
161
162		/**
163		* Returns the extensions for which this Analyzer runs.
164		*
165		* @return the extensions for which this Analyzer runs
166		*/
167		@Override
168		public Set<String> getSupportedExtensions() {
169	850	return SUPPORTED_EXTENSIONS;
170		}
171
172		/**
173		* Performs the analysis.
174		*
175		* @param dependency the dependency to analyze
176		* @param engine the engine
177		* @throws AnalysisException when there's an exception during analysis
178		*/
179		@Override
180		public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
181	2	if (errorFlag \|\| !isEnabled()) {
182	0	return;
183		}
184
185		try {
186	2	final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
187	2	final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
188	2	for (MavenArtifact ma : mas) {
189	2	LOGGER.fine(String.format("Central analyzer found artifact (%s) for dependency (%s)", ma.toString(), dependency.getFileName()));
190	2	dependency.addAsEvidence("central", ma, confidence);
191	2	}
192	0	} catch (IllegalArgumentException iae) {
193	0	LOGGER.info(String.format("invalid sha1-hash on %s", dependency.getFileName()));
194	0	} catch (FileNotFoundException fnfe) {
195	0	LOGGER.fine(String.format("Artifact not found in repository: '%s", dependency.getFileName()));
196	0	} catch (IOException ioe) {
197	0	LOGGER.log(Level.FINE, "Could not connect to Central search", ioe);
198	0	errorFlag = true;
199	2	}
200	2	}
201		}