Coverage Report

Coverage Report - org.owasp.dependencycheck.data.update.AbstractUpdateTask

Classes in this File

Line Coverage

Branch Coverage

Complexity

AbstractUpdateTask

47%

28/59

87%

7/8

1.857

 /*
  * This file is part of dependency-check-core.
  *
  * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
  * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
  * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.update;
 
 import java.io.File;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.sql.SQLException;
 import java.util.List;
 import java.util.Map;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 import org.owasp.dependencycheck.data.UpdateException;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.NvdCve12Handler;
 import org.owasp.dependencycheck.data.nvdcve.NvdCve20Handler;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.xml.sax.SAXException;
 
 /**
  * Class responsible for updating the CPE and NVDCVE data stores.
  *
  * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public abstract class AbstractUpdateTask implements UpdateTask {
 
     /**
      * Initializes the AbstractUpdateTask.
      *
      * @param properties information about the data store
      * @throws MalformedURLException thrown if the configuration contains a
      * malformed url
      * @throws DownloadFailedException thrown if the timestamp on a file cannot
      * be checked
      * @throws UpdateException thrown if the update fails
      */
     public AbstractUpdateTask(DataStoreMetaInfo properties) throws MalformedURLException, DownloadFailedException, UpdateException {
         this.properties = properties;
         this.updateable = updatesNeeded();
     }
     /**
      * A collection of updateable NVD CVE items.
      */
     private Updateable updateable;
     /**
      * Utility to read and write meta-data about the data.
      */
     private DataStoreMetaInfo properties = null;
 
     /**
      * Returns the data store properties.
      *
      * @return the data store properties
      */
     protected DataStoreMetaInfo getProperties() {
         return properties;
     }
     /**
      * Reference to the Cve Database.
      */
     private CveDB cveDB = null;
 
     /**
      * Returns the CveDB.
      *
      * @return the CveDB
      */
     protected CveDB getCveDB() {
         return cveDB;
     }
 
     /**
      * Gets whether or not an update is needed.
      *
      * @return true or false depending on whether an update is needed
      */
     public boolean isUpdateNeeded() {
         return updateable.isUpdateNeeded();
     }
 
     /**
      * Gets the updateable NVD CVE Entries.
      *
      * @return an Updateable object containing the NVD CVE entries
      */
     protected Updateable getUpdateable() {
         return updateable;
     }
 
     /**
      * Determines if the index needs to be updated.
      *
      * @return a collection of updateable resources.
      * @throws MalformedURLException is thrown if the URL for the NVD CVE Meta
      * data is incorrect.
      * @throws DownloadFailedException is thrown if there is an error.
      * downloading the NVD CVE download data file.
      * @throws UpdateException Is thrown if there is an issue with the last
      * updated properties file.
      */
     protected abstract Updateable updatesNeeded() throws MalformedURLException, DownloadFailedException, UpdateException;
 
     /**
      * <p>Updates the data store to the latest version.</p>
      *
      * @throws UpdateException is thrown if there is an error updating the
      * database
      */
     public abstract void update() throws UpdateException;
     /**
      * A flag indicating whether or not the current data store should be
      * deleted.
      */
     private boolean deleteAndRecreate = false;
 
     /**
      * Get the value of deleteAndRecreate.
      *
      * @return the value of deleteAndRecreate
      */
     public boolean shouldDeleteAndRecreate() {
         return deleteAndRecreate;
     }
 
     /**
      * Set the value of deleteAndRecreate.
      *
      * @param deleteAndRecreate new value of deleteAndRecreate
      */
     protected void setDeleteAndRecreate(boolean deleteAndRecreate) {
         this.deleteAndRecreate = deleteAndRecreate;
     }
 
     /**
      * Deletes the existing data directories.
      *
      * @throws IOException thrown if the directory cannot be deleted
      */
     protected void deleteExistingData() throws IOException {
         File data = Settings.getDataFile(Settings.KEYS.CVE_DATA_DIRECTORY);
         if (data.exists()) {
             FileUtils.delete(data);
         }
         data = DataStoreMetaInfo.getPropertiesFile();
         if (data.exists()) {
             FileUtils.delete(data);
         }
     }
 
     /**
      * Closes the CVE and CPE data stores.
      */
     protected void closeDataStores() {
         if (cveDB != null) {
             try {
                 cveDB.close();
             } catch (Exception ignore) {
                 Logger.getLogger(AbstractUpdateTask.class.getName()).log(Level.FINEST, "Error closing the cveDB", ignore);
             }
         }
     }
 
     /**
      * Opens the CVE and CPE data stores.
      *
      * @throws UpdateException thrown if a data store cannot be opened
      */
     protected void openDataStores() throws UpdateException {
         //open the cve and cpe data stores
         try {
             cveDB = new CveDB();
             cveDB.open();
         } catch (IOException ex) {
             closeDataStores();
             Logger.getLogger(AbstractUpdateTask.class.getName()).log(Level.FINE, "IO Error opening databases", ex);
             throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
         } catch (SQLException ex) {
             closeDataStores();
             Logger.getLogger(AbstractUpdateTask.class.getName()).log(Level.FINE, "SQL Exception opening databases", ex);
             throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
         } catch (DatabaseException ex) {
             closeDataStores();
             Logger.getLogger(AbstractUpdateTask.class.getName()).log(Level.FINE, "Database Exception opening databases", ex);
             throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
         } catch (ClassNotFoundException ex) {
             closeDataStores();
             Logger.getLogger(AbstractUpdateTask.class.getName()).log(Level.FINE, "Class not found exception opening databases", ex);
             throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
         }
     }
 
     /**
      * Determines if the epoch date is within the range specified of the
      * compareTo epoch time. This takes the (compareTo-date)/1000/60/60/24 to
      * get the number of days. If the calculated days is less then the range the
      * date is considered valid.
      *
      * @param date the date to be checked.
      * @param compareTo the date to compare to.
      * @param range the range in days to be considered valid.
      * @return whether or not the date is within the range.
      */
     protected boolean withinRange(long date, long compareTo, int range) {
         final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
         return differenceInDays < range;
     }
 
     /**
      * Imports the NVD CVE XML File into the Lucene Index.
      *
      * @param file the file containing the NVD CVE XML
      * @param oldVersion contains the file containing the NVD CVE XML 1.2
      * @throws ParserConfigurationException is thrown if there is a parser
      * configuration exception
      * @throws SAXException is thrown if there is a SAXException
      * @throws IOException is thrown if there is a IO Exception
      * @throws SQLException is thrown if there is a SQL exception
      * @throws DatabaseException is thrown if there is a database exception
      * @throws ClassNotFoundException thrown if the h2 database driver cannot be
      * loaded
      */
     protected void importXML(File file, File oldVersion) throws ParserConfigurationException,
             SAXException, IOException, SQLException, DatabaseException, ClassNotFoundException {
 
         final SAXParserFactory factory = SAXParserFactory.newInstance();
         final SAXParser saxParser = factory.newSAXParser();
 
         final NvdCve12Handler cve12Handler = new NvdCve12Handler();
         saxParser.parse(oldVersion, cve12Handler);
         final Map<String, List<VulnerableSoftware>> prevVersionVulnMap = cve12Handler.getVulnerabilities();
 
         final NvdCve20Handler cve20Handler = new NvdCve20Handler();
         cve20Handler.setCveDB(cveDB);
         cve20Handler.setPrevVersionVulnMap(prevVersionVulnMap);
         saxParser.parse(file, cve20Handler);
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Dependency-check-core is free software: you can redistribute it and/or modify it
5		* under the terms of the GNU General Public License as published by the Free
6		* Software Foundation, either version 3 of the License, or (at your option) any
7		* later version.
8		*
9		* Dependency-check-core is distributed in the hope that it will be useful, but
10		* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11		* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
12		* details.
13		*
14		* You should have received a copy of the GNU General Public License along with
15		* dependency-check-core. If not, see http://www.gnu.org/licenses/.
16		*
17		* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
18		*/
19		package org.owasp.dependencycheck.data.update;
20
21		import java.io.File;
22		import java.io.IOException;
23		import java.net.MalformedURLException;
24		import java.sql.SQLException;
25		import java.util.List;
26		import java.util.Map;
27		import java.util.logging.Level;
28		import java.util.logging.Logger;
29		import javax.xml.parsers.ParserConfigurationException;
30		import javax.xml.parsers.SAXParser;
31		import javax.xml.parsers.SAXParserFactory;
32		import org.owasp.dependencycheck.data.UpdateException;
33		import org.owasp.dependencycheck.data.nvdcve.CveDB;
34		import org.owasp.dependencycheck.utils.FileUtils;
35		import org.owasp.dependencycheck.utils.Settings;
36		import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
37		import org.owasp.dependencycheck.data.nvdcve.NvdCve12Handler;
38		import org.owasp.dependencycheck.data.nvdcve.NvdCve20Handler;
39		import org.owasp.dependencycheck.dependency.VulnerableSoftware;
40		import org.owasp.dependencycheck.utils.DownloadFailedException;
41		import org.xml.sax.SAXException;
42
43		/**
44		* Class responsible for updating the CPE and NVDCVE data stores.
45		*
46		* @author Jeremy Long (jeremy.long@owasp.org)
47		*/
48		public abstract class AbstractUpdateTask implements UpdateTask {
49
50		/**
51		* Initializes the AbstractUpdateTask.
52		*
53		* @param properties information about the data store
54		* @throws MalformedURLException thrown if the configuration contains a
55		* malformed url
56		* @throws DownloadFailedException thrown if the timestamp on a file cannot
57		* be checked
58		* @throws UpdateException thrown if the update fails
59		*/
60	6	public AbstractUpdateTask(DataStoreMetaInfo properties) throws MalformedURLException, DownloadFailedException, UpdateException {
61	6	this.properties = properties;
62	6	this.updateable = updatesNeeded();
63	6	}
64		/**
65		* A collection of updateable NVD CVE items.
66		*/
67		private Updateable updateable;
68		/**
69		* Utility to read and write meta-data about the data.
70		*/
71	6	private DataStoreMetaInfo properties = null;
72
73		/**
74		* Returns the data store properties.
75		*
76		* @return the data store properties
77		*/
78		protected DataStoreMetaInfo getProperties() {
79	3	return properties;
80		}
81		/**
82		* Reference to the Cve Database.
83		*/
84	6	private CveDB cveDB = null;
85
86		/**
87		* Returns the CveDB.
88		*
89		* @return the CveDB
90		*/
91		protected CveDB getCveDB() {
92	0	return cveDB;
93		}
94
95		/**
96		* Gets whether or not an update is needed.
97		*
98		* @return true or false depending on whether an update is needed
99		*/
100		public boolean isUpdateNeeded() {
101	0	return updateable.isUpdateNeeded();
102		}
103
104		/**
105		* Gets the updateable NVD CVE Entries.
106		*
107		* @return an Updateable object containing the NVD CVE entries
108		*/
109		protected Updateable getUpdateable() {
110	0	return updateable;
111		}
112
113		/**
114		* Determines if the index needs to be updated.
115		*
116		* @return a collection of updateable resources.
117		* @throws MalformedURLException is thrown if the URL for the NVD CVE Meta
118		* data is incorrect.
119		* @throws DownloadFailedException is thrown if there is an error.
120		* downloading the NVD CVE download data file.
121		* @throws UpdateException Is thrown if there is an issue with the last
122		* updated properties file.
123		*/
124		protected abstract Updateable updatesNeeded() throws MalformedURLException, DownloadFailedException, UpdateException;
125
126		/**
127		* <p>Updates the data store to the latest version.</p>
128		*
129		* @throws UpdateException is thrown if there is an error updating the
130		* database
131		*/
132		public abstract void update() throws UpdateException;
133		/**
134		* A flag indicating whether or not the current data store should be
135		* deleted.
136		*/
137	6	private boolean deleteAndRecreate = false;
138
139		/**
140		* Get the value of deleteAndRecreate.
141		*
142		* @return the value of deleteAndRecreate
143		*/
144		public boolean shouldDeleteAndRecreate() {
145	1	return deleteAndRecreate;
146		}
147
148		/**
149		* Set the value of deleteAndRecreate.
150		*
151		* @param deleteAndRecreate new value of deleteAndRecreate
152		*/
153		protected void setDeleteAndRecreate(boolean deleteAndRecreate) {
154	1	this.deleteAndRecreate = deleteAndRecreate;
155	1	}
156
157		/**
158		* Deletes the existing data directories.
159		*
160		* @throws IOException thrown if the directory cannot be deleted
161		*/
162		protected void deleteExistingData() throws IOException {
163	3	File data = Settings.getDataFile(Settings.KEYS.CVE_DATA_DIRECTORY);
164	3	if (data.exists()) {
165	1	FileUtils.delete(data);
166		}
167	3	data = DataStoreMetaInfo.getPropertiesFile();
168	3	if (data.exists()) {
169	1	FileUtils.delete(data);
170		}
171	3	}
172
173		/**
174		* Closes the CVE and CPE data stores.
175		*/
176		protected void closeDataStores() {
177	1	if (cveDB != null) {
178		try {
179	1	cveDB.close();
180	0	} catch (Exception ignore) {
181	0	Logger.getLogger(AbstractUpdateTask.class.getName()).log(Level.FINEST, "Error closing the cveDB", ignore);
182	1	}
183		}
184	1	}
185
186		/**
187		* Opens the CVE and CPE data stores.
188		*
189		* @throws UpdateException thrown if a data store cannot be opened
190		*/
191		protected void openDataStores() throws UpdateException {
192		//open the cve and cpe data stores
193		try {
194	1	cveDB = new CveDB();
195	1	cveDB.open();
196	0	} catch (IOException ex) {
197	0	closeDataStores();
198	0	Logger.getLogger(AbstractUpdateTask.class.getName()).log(Level.FINE, "IO Error opening databases", ex);
199	0	throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
200	0	} catch (SQLException ex) {
201	0	closeDataStores();
202	0	Logger.getLogger(AbstractUpdateTask.class.getName()).log(Level.FINE, "SQL Exception opening databases", ex);
203	0	throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
204	0	} catch (DatabaseException ex) {
205	0	closeDataStores();
206	0	Logger.getLogger(AbstractUpdateTask.class.getName()).log(Level.FINE, "Database Exception opening databases", ex);
207	0	throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
208	0	} catch (ClassNotFoundException ex) {
209	0	closeDataStores();
210	0	Logger.getLogger(AbstractUpdateTask.class.getName()).log(Level.FINE, "Class not found exception opening databases", ex);
211	0	throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
212	1	}
213	1	}
214
215		/**
216		* Determines if the epoch date is within the range specified of the
217		* compareTo epoch time. This takes the (compareTo-date)/1000/60/60/24 to
218		* get the number of days. If the calculated days is less then the range the
219		* date is considered valid.
220		*
221		* @param date the date to be checked.
222		* @param compareTo the date to compare to.
223		* @param range the range in days to be considered valid.
224		* @return whether or not the date is within the range.
225		*/
226		protected boolean withinRange(long date, long compareTo, int range) {
227	2	final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
228	2	return differenceInDays < range;
229		}
230
231		/**
232		* Imports the NVD CVE XML File into the Lucene Index.
233		*
234		* @param file the file containing the NVD CVE XML
235		* @param oldVersion contains the file containing the NVD CVE XML 1.2
236		* @throws ParserConfigurationException is thrown if there is a parser
237		* configuration exception
238		* @throws SAXException is thrown if there is a SAXException
239		* @throws IOException is thrown if there is a IO Exception
240		* @throws SQLException is thrown if there is a SQL exception
241		* @throws DatabaseException is thrown if there is a database exception
242		* @throws ClassNotFoundException thrown if the h2 database driver cannot be
243		* loaded
244		*/
245		protected void importXML(File file, File oldVersion) throws ParserConfigurationException,
246		SAXException, IOException, SQLException, DatabaseException, ClassNotFoundException {
247
248	0	final SAXParserFactory factory = SAXParserFactory.newInstance();
249	0	final SAXParser saxParser = factory.newSAXParser();
250
251	0	final NvdCve12Handler cve12Handler = new NvdCve12Handler();
252	0	saxParser.parse(oldVersion, cve12Handler);
253	0	final Map<String, List<VulnerableSoftware>> prevVersionVulnMap = cve12Handler.getVulnerabilities();
254
255	0	final NvdCve20Handler cve20Handler = new NvdCve20Handler();
256	0	cve20Handler.setCveDB(cveDB);
257	0	cve20Handler.setPrevVersionVulnMap(prevVersionVulnMap);
258	0	saxParser.parse(file, cve20Handler);
259	0	}
260		}