View Javadoc
1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import java.io.IOException;
21  import java.sql.SQLException;
22  import java.util.List;
23  import org.owasp.dependencycheck.Engine;
24  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
25  import org.owasp.dependencycheck.data.nvdcve.CveDB;
26  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
27  import org.owasp.dependencycheck.dependency.Dependency;
28  import org.owasp.dependencycheck.dependency.Identifier;
29  import org.owasp.dependencycheck.dependency.Vulnerability;
30  import org.owasp.dependencycheck.exception.InitializationException;
31  import org.owasp.dependencycheck.utils.Settings;
32  import org.slf4j.LoggerFactory;
33  
34  /**
35   * NvdCveAnalyzer is a utility class that takes a project dependency and
36   * attempts to discern if there is an associated CVEs. It uses the the
37   * identifiers found by other analyzers to lookup the CVE data.
38   *
39   * @author Jeremy Long
40   */
41  public class NvdCveAnalyzer extends AbstractAnalyzer {
42  
43      /**
44       * The Logger for use throughout the class
45       */
46      private static final org.slf4j.Logger LOGGER = LoggerFactory.getLogger(NvdCveAnalyzer.class);
47      /**
48       * The maximum number of query results to return.
49       */
50      static final int MAX_QUERY_RESULTS = 100;
51      /**
52       * The CVE Index.
53       */
54      private CveDB cveDB;
55  
56      /**
57       * Opens the data source.
58       *
59       * @throws SQLException thrown when there is a SQL Exception
60       * @throws IOException thrown when there is an IO Exception
61       * @throws DatabaseException thrown when there is a database exceptions
62       * @throws ClassNotFoundException thrown if the h2 database driver cannot be
63       * loaded
64       */
65      public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
66          cveDB = new CveDB();
67          cveDB.open();
68      }
69  
70      /**
71       * Closes the data source.
72       */
73      @Override
74      public void closeAnalyzer() {
75          cveDB.close();
76          cveDB = null;
77      }
78  
79      /**
80       * Returns the status of the data source - is the database open.
81       *
82       * @return true or false.
83       */
84      public boolean isOpen() {
85          return cveDB != null;
86      }
87  
88      /**
89       * Ensures that the CVE Database is closed.
90       *
91       * @throws Throwable an exception raised by this method
92       */
93      @Override
94      protected void finalize() throws Throwable {
95          super.finalize();
96          if (isOpen()) {
97              close();
98          }
99      }
100 
101     /**
102      * Analyzes a dependency and attempts to determine if there are any CPE
103      * identifiers for this dependency.
104      *
105      * @param dependency The Dependency to analyze
106      * @param engine The analysis engine
107      * @throws AnalysisException thrown if there is an issue analyzing the
108      * dependency
109      */
110     @Override
111     protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
112         for (Identifier id : dependency.getIdentifiers()) {
113             if ("cpe".equals(id.getType())) {
114                 try {
115                     final String value = id.getValue();
116                     final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
117                     dependency.getVulnerabilities().addAll(vulns);
118                 } catch (DatabaseException ex) {
119                     throw new AnalysisException(ex);
120                 }
121             }
122         }
123         for (Identifier id : dependency.getSuppressedIdentifiers()) {
124             if ("cpe".equals(id.getType())) {
125                 try {
126                     final String value = id.getValue();
127                     final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
128                     dependency.getSuppressedVulnerabilities().addAll(vulns);
129                 } catch (DatabaseException ex) {
130                     throw new AnalysisException(ex);
131                 }
132             }
133         }
134     }
135 
136     /**
137      * Returns the name of this analyzer.
138      *
139      * @return the name of this analyzer.
140      */
141     @Override
142     public String getName() {
143         return "NVD CVE Analyzer";
144     }
145 
146     /**
147      * Returns the analysis phase that this analyzer should run in.
148      *
149      * @return the analysis phase that this analyzer should run in.
150      */
151     @Override
152     public AnalysisPhase getAnalysisPhase() {
153         return AnalysisPhase.FINDING_ANALYSIS;
154     }
155 
156     /**
157      * <p>
158      * Returns the setting key to determine if the analyzer is enabled.</p>
159      *
160      * @return the key for the analyzer's enabled property
161      */
162     @Override
163     protected String getAnalyzerEnabledSettingKey() {
164         return Settings.KEYS.ANALYZER_NVD_CVE_ENABLED;
165     }
166 
167     /**
168      * Opens the database used to gather NVD CVE data.
169      *
170      * @throws InitializationException is thrown if there is an issue opening
171      * the index.
172      */
173     @Override
174     public void initializeAnalyzer() throws InitializationException {
175         try {
176             this.open();
177         } catch (SQLException ex) {
178             LOGGER.debug("SQL Exception initializing NvdCveAnalyzer", ex);
179             throw new InitializationException(ex);
180         } catch (IOException ex) {
181             LOGGER.debug("IO Exception initializing NvdCveAnalyzer", ex);
182             throw new InitializationException(ex);
183         } catch (DatabaseException ex) {
184             LOGGER.debug("Database Exception initializing NvdCveAnalyzer", ex);
185             throw new InitializationException(ex);
186         } catch (ClassNotFoundException ex) {
187             LOGGER.debug("Exception initializing NvdCveAnalyzer", ex);
188             throw new InitializationException(ex);
189         }
190     }
191 }