Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.NexusAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

NexusAnalyzer

28%

13/45

10%

1/10

2.375

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
  *
  * There are two settings which govern this behavior:
  *
  * <ul>
  * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED} determines whether this analyzer is
  * even enabled. This can be overridden by setting the system property.</li>
  * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL} the URL to a Nexus service to search by
  * SHA-1. There is an expected <code>%s</code> in this where the SHA-1 will get entered.</li>
  * </ul>
  *
  * @author colezlaw
  */
 public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * The default URL - this will be used by the CentralAnalyzer to determine whether to enable this.
      */
     public static final String DEFAULT_URL = "https://repository.sonatype.org/service/local/";
 
     /**
      * The logger.
      */
     private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());
 
     /**
      * The name of the analyzer.
      */
     private static final String ANALYZER_NAME = "Nexus Analyzer";
 
     /**
      * The phase in which the analyzer runs.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
 
     /**
      * The types of files on which this will work.
      */
     private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
 
     /**
      * The Nexus Search to be set up for this analyzer.
      */
     private NexusSearch searcher;
 
     /**
      * Field indicating if the analyzer is enabled.
      */
     private final boolean enabled = checkEnabled();
 
     /**
      * Determines if this analyzer is enabled
      *
      * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
      */
     private boolean checkEnabled() {
         /* Enable this analyzer ONLY if the Nexus URL has been set to something
          other than the default one (if it's the default one, we'll use the
          central one) and it's enabled by the user.
          */
         boolean retval = false;
         try {
             if ((!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL)))
                     && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
                 LOGGER.info("Enabling Nexus analyzer");
                 retval = true;
             } else {
                 LOGGER.info("Nexus analyzer disabled, using Central instead");
             }
         } catch (InvalidSettingException ise) {
             LOGGER.warning("Invalid setting. Disabling Nexus analyzer");
         }
 
         return retval;
     }
 
     /**
      * Determine whether to enable this analyzer or not.
      *
      * @return whether the analyzer should be enabled
      */
     @Override
     public boolean isEnabled() {
         return enabled;
     }
 
     /**
      * Initializes the analyzer once before any analysis is performed.
      *
      * @throws Exception if there's an error during initialization
      */
     @Override
     public void initializeFileTypeAnalyzer() throws Exception {
         LOGGER.fine("Initializing Nexus Analyzer");
         LOGGER.fine(String.format("Nexus Analyzer enabled: %s", isEnabled()));
         if (isEnabled()) {
             final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
             LOGGER.fine(String.format("Nexus Analyzer URL: %s", searchUrl));
             try {
                 searcher = new NexusSearch(new URL(searchUrl));
                 if (!searcher.preflightRequest()) {
                     LOGGER.warning("There was an issue getting Nexus status. Disabling analyzer.");
                     setEnabled(false);
                 }
             } catch (MalformedURLException mue) {
                 // I know that initialize can throw an exception, but we'll
                 // just disable the analyzer if the URL isn't valid
                 LOGGER.warning(String.format("Property %s not a valid URL. Nexus Analyzer disabled", searchUrl));
                 setEnabled(false);
             }
         }
     }
 
     /**
      * Returns the analyzer's name.
      *
      * @return the name of the analyzer
      */
     @Override
     public String getName() {
         return ANALYZER_NAME;
     }
 
     /**
      * Returns the key used in the properties file to reference the analyzer's enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
     @Override
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_NEXUS_ENABLED;
     }
 
     /**
      * Returns the analysis phase under which the analyzer runs.
      *
      * @return the phase under which this analyzer runs
      */
     @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
 
     /**
      * Returns the extensions for which this Analyzer runs.
      *
      * @return the extensions for which this Analyzer runs
      */
     @Override
     public Set<String> getSupportedExtensions() {
         return SUPPORTED_EXTENSIONS;
     }
 
     /**
      * Performs the analysis.
      *
      * @param dependency the dependency to analyze
      * @param engine the engine
      * @throws AnalysisException when there's an exception during analysis
      */
     @Override
     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
         if (!isEnabled()) {
             return;
         }
         try {
             final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
             dependency.addAsEvidence("nexus", ma, Confidence.HIGH);
         } catch (IllegalArgumentException iae) {
             //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
             LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
         } catch (FileNotFoundException fnfe) {
             //dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
             LOGGER.fine(String.format("Artifact not found in repository '%s'", dependency.getFileName()));
             LOGGER.log(Level.FINE, fnfe.getMessage(), fnfe);
         } catch (IOException ioe) {
             //dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
             LOGGER.log(Level.FINE, "Could not connect to nexus repository", ioe);
         }
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import java.io.FileNotFoundException;
21		import java.io.IOException;
22		import java.net.MalformedURLException;
23		import java.net.URL;
24		import java.util.Set;
25		import java.util.logging.Level;
26		import java.util.logging.Logger;
27		import org.owasp.dependencycheck.Engine;
28		import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
29		import org.owasp.dependencycheck.data.nexus.MavenArtifact;
30		import org.owasp.dependencycheck.data.nexus.NexusSearch;
31		import org.owasp.dependencycheck.dependency.Confidence;
32		import org.owasp.dependencycheck.dependency.Dependency;
33		import org.owasp.dependencycheck.utils.InvalidSettingException;
34		import org.owasp.dependencycheck.utils.Settings;
35
36		/**
37		* Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
38		*
39		* There are two settings which govern this behavior:
40		*
41		* <ul>
42		* <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED} determines whether this analyzer is
43		* even enabled. This can be overridden by setting the system property.</li>
44		* <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL} the URL to a Nexus service to search by
45		* SHA-1. There is an expected <code>%s</code> in this where the SHA-1 will get entered.</li>
46		* </ul>
47		*
48		* @author colezlaw
49		*/
50	2	public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
51
52		/**
53		* The default URL - this will be used by the CentralAnalyzer to determine whether to enable this.
54		*/
55		public static final String DEFAULT_URL = "https://repository.sonatype.org/service/local/";
56
57		/**
58		* The logger.
59		*/
60	1	private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());
61
62		/**
63		* The name of the analyzer.
64		*/
65		private static final String ANALYZER_NAME = "Nexus Analyzer";
66
67		/**
68		* The phase in which the analyzer runs.
69		*/
70	1	private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
71
72		/**
73		* The types of files on which this will work.
74		*/
75	1	private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
76
77		/**
78		* The Nexus Search to be set up for this analyzer.
79		*/
80		private NexusSearch searcher;
81
82		/**
83		* Field indicating if the analyzer is enabled.
84		*/
85	2	private final boolean enabled = checkEnabled();
86
87		/**
88		* Determines if this analyzer is enabled
89		*
90		* @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
91		*/
92		private boolean checkEnabled() {
93		/* Enable this analyzer ONLY if the Nexus URL has been set to something
94		other than the default one (if it's the default one, we'll use the
95		central one) and it's enabled by the user.
96		*/
97	2	boolean retval = false;
98		try {
99	2	if ((!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL)))
100		&& Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
101	0	LOGGER.info("Enabling Nexus analyzer");
102	0	retval = true;
103		} else {
104	2	LOGGER.info("Nexus analyzer disabled, using Central instead");
105		}
106	0	} catch (InvalidSettingException ise) {
107	0	LOGGER.warning("Invalid setting. Disabling Nexus analyzer");
108	2	}
109
110	2	return retval;
111		}
112
113		/**
114		* Determine whether to enable this analyzer or not.
115		*
116		* @return whether the analyzer should be enabled
117		*/
118		@Override
119		public boolean isEnabled() {
120		return enabled;
121		}
122
123		/**
124		* Initializes the analyzer once before any analysis is performed.
125		*
126		* @throws Exception if there's an error during initialization
127		*/
128		@Override
129		public void initializeFileTypeAnalyzer() throws Exception {
130	0	LOGGER.fine("Initializing Nexus Analyzer");
131	0	LOGGER.fine(String.format("Nexus Analyzer enabled: %s", isEnabled()));
132	0	if (isEnabled()) {
133	0	final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
134	0	LOGGER.fine(String.format("Nexus Analyzer URL: %s", searchUrl));
135		try {
136	0	searcher = new NexusSearch(new URL(searchUrl));
137	0	if (!searcher.preflightRequest()) {
138	0	LOGGER.warning("There was an issue getting Nexus status. Disabling analyzer.");
139	0	setEnabled(false);
140		}
141	0	} catch (MalformedURLException mue) {
142		// I know that initialize can throw an exception, but we'll
143		// just disable the analyzer if the URL isn't valid
144	0	LOGGER.warning(String.format("Property %s not a valid URL. Nexus Analyzer disabled", searchUrl));
145	0	setEnabled(false);
146	0	}
147		}
148	0	}
149
150		/**
151		* Returns the analyzer's name.
152		*
153		* @return the name of the analyzer
154		*/
155		@Override
156		public String getName() {
157	4	return ANALYZER_NAME;
158		}
159
160		/**
161		* Returns the key used in the properties file to reference the analyzer's enabled property.
162		*
163		* @return the analyzer's enabled property setting key
164		*/
165		@Override
166		protected String getAnalyzerEnabledSettingKey() {
167	2	return Settings.KEYS.ANALYZER_NEXUS_ENABLED;
168		}
169
170		/**
171		* Returns the analysis phase under which the analyzer runs.
172		*
173		* @return the phase under which this analyzer runs
174		*/
175		@Override
176		public AnalysisPhase getAnalysisPhase() {
177	1	return ANALYSIS_PHASE;
178		}
179
180		/**
181		* Returns the extensions for which this Analyzer runs.
182		*
183		* @return the extensions for which this Analyzer runs
184		*/
185		@Override
186		public Set<String> getSupportedExtensions() {
187	0	return SUPPORTED_EXTENSIONS;
188		}
189
190		/**
191		* Performs the analysis.
192		*
193		* @param dependency the dependency to analyze
194		* @param engine the engine
195		* @throws AnalysisException when there's an exception during analysis
196		*/
197		@Override
198		public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
199	0	if (!isEnabled()) {
200	0	return;
201		}
202		try {
203	0	final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
204	0	dependency.addAsEvidence("nexus", ma, Confidence.HIGH);
205	0	} catch (IllegalArgumentException iae) {
206		//dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
207	0	LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
208	0	} catch (FileNotFoundException fnfe) {
209		//dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
210	0	LOGGER.fine(String.format("Artifact not found in repository '%s'", dependency.getFileName()));
211	0	LOGGER.log(Level.FINE, fnfe.getMessage(), fnfe);
212	0	} catch (IOException ioe) {
213		//dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
214	0	LOGGER.log(Level.FINE, "Could not connect to nexus repository", ioe);
215	0	}
216	0	}
217		}