Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.CentralAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

CentralAnalyzer

26%

18/69

13%

4/30

3.625

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URL;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.central.CentralSearch;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.jaxb.pom.PomUtils;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
  * digest.
  *
  * @author colezlaw
  */
 public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * The logger.
      */
     private static final Logger LOGGER = Logger.getLogger(CentralAnalyzer.class.getName());
 
     /**
      * The name of the analyzer.
      */
     private static final String ANALYZER_NAME = "Central Analyzer";
 
     /**
      * The phase in which this analyzer runs.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
 
     /**
      * The types of files on which this will work.
      */
     private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
 
     /**
      * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
      */
     private boolean errorFlag = false;
 
     /**
      * The searcher itself.
      */
     private CentralSearch searcher;
     /**
      * Utility to read POM files.
      */
     private PomUtils pomUtil = new PomUtils();
     /**
      * Field indicating if the analyzer is enabled.
      */
     private final boolean enabled = checkEnabled();
 
     /**
      * Determine whether to enable this analyzer or not.
      *
      * @return whether the analyzer should be enabled
      */
     @Override
     public boolean isEnabled() {
         return enabled;
     }
 
     /**
      * Determines if this analyzer is enabled.
      *
      * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
      */
     private boolean checkEnabled() {
         boolean retval = false;
 
         try {
             if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
                 if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
                         || NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
                     LOGGER.fine("Enabling the Central analyzer");
                     retval = true;
                 } else {
                     LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
                 }
             } else {
                 LOGGER.info("Central analyzer disabled");
             }
         } catch (InvalidSettingException ise) {
             LOGGER.warning("Invalid setting. Disabling the Central analyzer");
         }
         return retval;
     }
 
     /**
      * Initializes the analyzer once before any analysis is performed.
      *
      * @throws Exception if there's an error during initialization
      */
     @Override
     public void initializeFileTypeAnalyzer() throws Exception {
         LOGGER.fine("Initializing Central analyzer");
         LOGGER.fine(String.format("Central analyzer enabled: %s", isEnabled()));
         if (isEnabled()) {
             final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
             LOGGER.fine(String.format("Central Analyzer URL: %s", searchUrl));
             searcher = new CentralSearch(new URL(searchUrl));
         }
     }
 
     /**
      * Returns the analyzer's name.
      *
      * @return the name of the analyzer
      */
     @Override
     public String getName() {
         return ANALYZER_NAME;
     }
 
     /**
      * Returns the key used in the properties file to to reference the analyzer's enabled property.
      *
      * @return the analyzer's enabled property setting key.
      */
     @Override
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_CENTRAL_ENABLED;
     }
 
     /**
      * Returns the analysis phase under which the analyzer runs.
      *
      * @return the phase under which the analyzer runs
      */
     @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
 
     /**
      * Returns the extensions for which this Analyzer runs.
      *
      * @return the extensions for which this Analyzer runs
      */
     @Override
     public Set<String> getSupportedExtensions() {
         return SUPPORTED_EXTENSIONS;
     }
 
     /**
      * Performs the analysis.
      *
      * @param dependency the dependency to analyze
      * @param engine the engine
      * @throws AnalysisException when there's an exception during analysis
      */
     @Override
     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
         if (errorFlag || !isEnabled()) {
             return;
         }
 
         try {
             final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
             final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
             for (MavenArtifact ma : mas) {
                 LOGGER.fine(String.format("Central analyzer found artifact (%s) for dependency (%s)", ma.toString(), dependency.getFileName()));
                 dependency.addAsEvidence("central", ma, confidence);
                 boolean pomAnalyzed = false;
                 for (Evidence e : dependency.getVendorEvidence()) {
                     if ("pom".equals(e.getSource())) {
                         pomAnalyzed = true;
                         break;
                     }
                 }
                 if (!pomAnalyzed && ma.getPomUrl() != null) {
                     File pomFile = null;
                     try {
                         final File baseDir = Settings.getTempDirectory();
                         pomFile = File.createTempFile("pom", ".xml", baseDir);
                         if (!pomFile.delete()) {
                             final String msg = String.format("Unable to fetch pom.xml for %s from Central; "
                                     + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                             LOGGER.warning(msg);
                             LOGGER.fine("Unable to delete temp file");
                         }
                         LOGGER.fine(String.format("Downloading %s", ma.getPomUrl()));
                         Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
                         pomUtil.analyzePOM(dependency, pomFile);
 
                     } catch (DownloadFailedException ex) {
                         final String msg = String.format("Unable to download pom.xml for %s from Central; "
                                 + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                         LOGGER.warning(msg);
                     } finally {
                         if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
                             pomFile.deleteOnExit();
                         }
                     }
                 }
 
             }
         } catch (IllegalArgumentException iae) {
             LOGGER.info(String.format("invalid sha1-hash on %s", dependency.getFileName()));
         } catch (FileNotFoundException fnfe) {
             LOGGER.fine(String.format("Artifact not found in repository: '%s", dependency.getFileName()));
         } catch (IOException ioe) {
             LOGGER.log(Level.FINE, "Could not connect to Central search", ioe);
             errorFlag = true;
         }
     }
 
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import java.io.File;
21		import java.io.FileNotFoundException;
22		import java.io.IOException;
23		import java.net.URL;
24		import java.util.List;
25		import java.util.Set;
26		import java.util.logging.Level;
27		import java.util.logging.Logger;
28		import org.apache.commons.io.FileUtils;
29		import org.owasp.dependencycheck.Engine;
30		import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
31		import org.owasp.dependencycheck.data.central.CentralSearch;
32		import org.owasp.dependencycheck.data.nexus.MavenArtifact;
33		import org.owasp.dependencycheck.dependency.Confidence;
34		import org.owasp.dependencycheck.dependency.Dependency;
35		import org.owasp.dependencycheck.dependency.Evidence;
36		import org.owasp.dependencycheck.jaxb.pom.PomUtils;
37		import org.owasp.dependencycheck.utils.DownloadFailedException;
38		import org.owasp.dependencycheck.utils.Downloader;
39		import org.owasp.dependencycheck.utils.InvalidSettingException;
40		import org.owasp.dependencycheck.utils.Settings;
41
42		/**
43		* Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
44		* digest.
45		*
46		* @author colezlaw
47		*/
48	2	public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
49
50		/**
51		* The logger.
52		*/
53	1	private static final Logger LOGGER = Logger.getLogger(CentralAnalyzer.class.getName());
54
55		/**
56		* The name of the analyzer.
57		*/
58		private static final String ANALYZER_NAME = "Central Analyzer";
59
60		/**
61		* The phase in which this analyzer runs.
62		*/
63	1	private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
64
65		/**
66		* The types of files on which this will work.
67		*/
68	1	private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
69
70		/**
71		* The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
72		*/
73	2	private boolean errorFlag = false;
74
75		/**
76		* The searcher itself.
77		*/
78		private CentralSearch searcher;
79		/**
80		* Utility to read POM files.
81		*/
82	2	private PomUtils pomUtil = new PomUtils();
83		/**
84		* Field indicating if the analyzer is enabled.
85		*/
86	2	private final boolean enabled = checkEnabled();
87
88		/**
89		* Determine whether to enable this analyzer or not.
90		*
91		* @return whether the analyzer should be enabled
92		*/
93		@Override
94		public boolean isEnabled() {
95	0	return enabled;
96		}
97
98		/**
99		* Determines if this analyzer is enabled.
100		*
101		* @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
102		*/
103		private boolean checkEnabled() {
104	2	boolean retval = false;
105
106		try {
107	2	if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
108	1	if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
109		\|\| NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
110	1	LOGGER.fine("Enabling the Central analyzer");
111	1	retval = true;
112		} else {
113	0	LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
114		}
115		} else {
116	1	LOGGER.info("Central analyzer disabled");
117		}
118	0	} catch (InvalidSettingException ise) {
119	0	LOGGER.warning("Invalid setting. Disabling the Central analyzer");
120	2	}
121	2	return retval;
122		}
123
124		/**
125		* Initializes the analyzer once before any analysis is performed.
126		*
127		* @throws Exception if there's an error during initialization
128		*/
129		@Override
130		public void initializeFileTypeAnalyzer() throws Exception {
131	0	LOGGER.fine("Initializing Central analyzer");
132	0	LOGGER.fine(String.format("Central analyzer enabled: %s", isEnabled()));
133	0	if (isEnabled()) {
134	0	final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
135	0	LOGGER.fine(String.format("Central Analyzer URL: %s", searchUrl));
136	0	searcher = new CentralSearch(new URL(searchUrl));
137		}
138	0	}
139
140		/**
141		* Returns the analyzer's name.
142		*
143		* @return the name of the analyzer
144		*/
145		@Override
146		public String getName() {
147	4	return ANALYZER_NAME;
148		}
149
150		/**
151		* Returns the key used in the properties file to to reference the analyzer's enabled property.
152		*
153		* @return the analyzer's enabled property setting key.
154		*/
155		@Override
156		protected String getAnalyzerEnabledSettingKey() {
157	2	return Settings.KEYS.ANALYZER_CENTRAL_ENABLED;
158		}
159
160		/**
161		* Returns the analysis phase under which the analyzer runs.
162		*
163		* @return the phase under which the analyzer runs
164		*/
165		@Override
166		public AnalysisPhase getAnalysisPhase() {
167	1	return ANALYSIS_PHASE;
168		}
169
170		/**
171		* Returns the extensions for which this Analyzer runs.
172		*
173		* @return the extensions for which this Analyzer runs
174		*/
175		@Override
176		public Set<String> getSupportedExtensions() {
177	0	return SUPPORTED_EXTENSIONS;
178		}
179
180		/**
181		* Performs the analysis.
182		*
183		* @param dependency the dependency to analyze
184		* @param engine the engine
185		* @throws AnalysisException when there's an exception during analysis
186		*/
187		@Override
188		public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
189	0	if (errorFlag \|\| !isEnabled()) {
190	0	return;
191		}
192
193		try {
194	0	final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
195	0	final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
196	0	for (MavenArtifact ma : mas) {
197	0	LOGGER.fine(String.format("Central analyzer found artifact (%s) for dependency (%s)", ma.toString(), dependency.getFileName()));
198	0	dependency.addAsEvidence("central", ma, confidence);
199	0	boolean pomAnalyzed = false;
200	0	for (Evidence e : dependency.getVendorEvidence()) {
201	0	if ("pom".equals(e.getSource())) {
202	0	pomAnalyzed = true;
203	0	break;
204		}
205	0	}
206	0	if (!pomAnalyzed && ma.getPomUrl() != null) {
207	0	File pomFile = null;
208		try {
209	0	final File baseDir = Settings.getTempDirectory();
210	0	pomFile = File.createTempFile("pom", ".xml", baseDir);
211	0	if (!pomFile.delete()) {
212	0	final String msg = String.format("Unable to fetch pom.xml for %s from Central; "
213		+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
214	0	LOGGER.warning(msg);
215	0	LOGGER.fine("Unable to delete temp file");
216		}
217	0	LOGGER.fine(String.format("Downloading %s", ma.getPomUrl()));
218	0	Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
219	0	pomUtil.analyzePOM(dependency, pomFile);
220
221	0	} catch (DownloadFailedException ex) {
222	0	final String msg = String.format("Unable to download pom.xml for %s from Central; "
223		+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
224	0	LOGGER.warning(msg);
225		} finally {
226	0	if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
227	0	pomFile.deleteOnExit();
228		}
229		}
230		}
231
232	0	}
233	0	} catch (IllegalArgumentException iae) {
234	0	LOGGER.info(String.format("invalid sha1-hash on %s", dependency.getFileName()));
235	0	} catch (FileNotFoundException fnfe) {
236	0	LOGGER.fine(String.format("Artifact not found in repository: '%s", dependency.getFileName()));
237	0	} catch (IOException ioe) {
238	0	LOGGER.log(Level.FINE, "Could not connect to Central search", ioe);
239	0	errorFlag = true;
240	0	}
241	0	}
242
243		}