Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.CentralAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

CentralAnalyzer

26%

18/69

10%

3/30

3.625

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.central.CentralSearch;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.xml.pom.PomUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URL;
 import java.util.List;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
  * digest.
  *
  * @author colezlaw
  */
 public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(CentralAnalyzer.class);
 
     /**
      * The name of the analyzer.
      */
     private static final String ANALYZER_NAME = "Central Analyzer";
 
     /**
      * The phase in which this analyzer runs.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
 
     /**
      * The types of files on which this will work.
      */
     private static final String SUPPORTED_EXTENSIONS = "jar";
 
     /**
      * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
      */
     private boolean errorFlag = false;
 
     /**
      * The searcher itself.
      */
     private CentralSearch searcher;
     /**
      * Field indicating if the analyzer is enabled.
      */
     private final boolean enabled = checkEnabled();
 
     /**
      * Determine whether to enable this analyzer or not.
      *
      * @return whether the analyzer should be enabled
      */
     @Override
     public boolean isEnabled() {
         return enabled;
     }
 
     /**
      * Determines if this analyzer is enabled.
      *
      * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
      */
     private boolean checkEnabled() {
         boolean retval = false;
 
         try {
             if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
                 if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
                         || NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
                     LOGGER.debug("Enabling the Central analyzer");
                     retval = true;
                 } else {
                     LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
                 }
             } else {
                 LOGGER.info("Central analyzer disabled");
             }
         } catch (InvalidSettingException ise) {
             LOGGER.warn("Invalid setting. Disabling the Central analyzer");
         }
         return retval;
     }
 
     /**
      * Initializes the analyzer once before any analysis is performed.
      *
      * @throws Exception if there's an error during initialization
      */
     @Override
     public void initializeFileTypeAnalyzer() throws Exception {
         LOGGER.debug("Initializing Central analyzer");
         LOGGER.debug("Central analyzer enabled: {}", isEnabled());
         if (isEnabled()) {
             final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
             LOGGER.debug("Central Analyzer URL: {}", searchUrl);
             searcher = new CentralSearch(new URL(searchUrl));
         }
     }
 
     /**
      * Returns the analyzer's name.
      *
      * @return the name of the analyzer
      */
     @Override
     public String getName() {
         return ANALYZER_NAME;
     }
 
     /**
      * Returns the key used in the properties file to to reference the analyzer's enabled property.
      *
      * @return the analyzer's enabled property setting key.
      */
     @Override
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_CENTRAL_ENABLED;
     }
 
     /**
      * Returns the analysis phase under which the analyzer runs.
      *
      * @return the phase under which the analyzer runs
      */
     @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
 
     /**
      * The file filter used to determine which files this analyzer supports.
      */
     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
 
     @Override
     protected FileFilter getFileFilter() {
         return FILTER;
     }
 
     /**
      * Performs the analysis.
      *
      * @param dependency the dependency to analyze
      * @param engine the engine
      * @throws AnalysisException when there's an exception during analysis
      */
     @Override
     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
         if (errorFlag || !isEnabled()) {
             return;
         }
 
         try {
             final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
             final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
             for (MavenArtifact ma : mas) {
                 LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma, dependency.getFileName());
                 dependency.addAsEvidence("central", ma, confidence);
                 boolean pomAnalyzed = false;
                 for (Evidence e : dependency.getVendorEvidence()) {
                     if ("pom".equals(e.getSource())) {
                         pomAnalyzed = true;
                         break;
                     }
                 }
                 if (!pomAnalyzed && ma.getPomUrl() != null) {
                     File pomFile = null;
                     try {
                         final File baseDir = Settings.getTempDirectory();
                         pomFile = File.createTempFile("pom", ".xml", baseDir);
                         if (!pomFile.delete()) {
                             LOGGER.warn("Unable to fetch pom.xml for {} from Central; "
                                     + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                             LOGGER.debug("Unable to delete temp file");
                         }
                         LOGGER.debug("Downloading {}", ma.getPomUrl());
                         Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
                         PomUtils.analyzePOM(dependency, pomFile);
 
                     } catch (DownloadFailedException ex) {
                         LOGGER.warn("Unable to download pom.xml for {} from Central; "
                                 + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                     } finally {
                         if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
                             pomFile.deleteOnExit();
                         }
                     }
                 }
 
             }
         } catch (IllegalArgumentException iae) {
             LOGGER.info("invalid sha1-hash on {}", dependency.getFileName());
         } catch (FileNotFoundException fnfe) {
             LOGGER.debug("Artifact not found in repository: '{}", dependency.getFileName());
         } catch (IOException ioe) {
             LOGGER.debug("Could not connect to Central search", ioe);
             errorFlag = true;
         }
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import org.apache.commons.io.FileUtils;
21		import org.owasp.dependencycheck.Engine;
22		import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
23		import org.owasp.dependencycheck.data.central.CentralSearch;
24		import org.owasp.dependencycheck.data.nexus.MavenArtifact;
25		import org.owasp.dependencycheck.dependency.Confidence;
26		import org.owasp.dependencycheck.dependency.Dependency;
27		import org.owasp.dependencycheck.dependency.Evidence;
28		import org.owasp.dependencycheck.xml.pom.PomUtils;
29		import org.slf4j.Logger;
30		import org.slf4j.LoggerFactory;
31
32		import java.io.File;
33		import java.io.FileFilter;
34		import java.io.FileNotFoundException;
35		import java.io.IOException;
36		import java.net.URL;
37		import java.util.List;
38		import org.owasp.dependencycheck.utils.DownloadFailedException;
39		import org.owasp.dependencycheck.utils.Downloader;
40		import org.owasp.dependencycheck.utils.FileFilterBuilder;
41		import org.owasp.dependencycheck.utils.InvalidSettingException;
42		import org.owasp.dependencycheck.utils.Settings;
43
44		/**
45		* Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
46		* digest.
47		*
48		* @author colezlaw
49		*/
50	4	public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
51
52		/**
53		* The logger.
54		*/
55	1	private static final Logger LOGGER = LoggerFactory.getLogger(CentralAnalyzer.class);
56
57		/**
58		* The name of the analyzer.
59		*/
60		private static final String ANALYZER_NAME = "Central Analyzer";
61
62		/**
63		* The phase in which this analyzer runs.
64		*/
65	1	private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
66
67		/**
68		* The types of files on which this will work.
69		*/
70		private static final String SUPPORTED_EXTENSIONS = "jar";
71
72		/**
73		* The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
74		*/
75	4	private boolean errorFlag = false;
76
77		/**
78		* The searcher itself.
79		*/
80		private CentralSearch searcher;
81		/**
82		* Field indicating if the analyzer is enabled.
83		*/
84	4	private final boolean enabled = checkEnabled();
85
86		/**
87		* Determine whether to enable this analyzer or not.
88		*
89		* @return whether the analyzer should be enabled
90		*/
91		@Override
92		public boolean isEnabled() {
93	0	return enabled;
94		}
95
96		/**
97		* Determines if this analyzer is enabled.
98		*
99		* @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
100		*/
101		private boolean checkEnabled() {
102	4	boolean retval = false;
103
104		try {
105	4	if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
106	3	if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
107	0	\|\| NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
108	3	LOGGER.debug("Enabling the Central analyzer");
109	3	retval = true;
110		} else {
111	0	LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
112		}
113		} else {
114	1	LOGGER.info("Central analyzer disabled");
115		}
116	0	} catch (InvalidSettingException ise) {
117	0	LOGGER.warn("Invalid setting. Disabling the Central analyzer");
118	4	}
119	4	return retval;
120		}
121
122		/**
123		* Initializes the analyzer once before any analysis is performed.
124		*
125		* @throws Exception if there's an error during initialization
126		*/
127		@Override
128		public void initializeFileTypeAnalyzer() throws Exception {
129	0	LOGGER.debug("Initializing Central analyzer");
130	0	LOGGER.debug("Central analyzer enabled: {}", isEnabled());
131	0	if (isEnabled()) {
132	0	final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
133	0	LOGGER.debug("Central Analyzer URL: {}", searchUrl);
134	0	searcher = new CentralSearch(new URL(searchUrl));
135		}
136	0	}
137
138		/**
139		* Returns the analyzer's name.
140		*
141		* @return the name of the analyzer
142		*/
143		@Override
144		public String getName() {
145	4	return ANALYZER_NAME;
146		}
147
148		/**
149		* Returns the key used in the properties file to to reference the analyzer's enabled property.
150		*
151		* @return the analyzer's enabled property setting key.
152		*/
153		@Override
154		protected String getAnalyzerEnabledSettingKey() {
155	4	return Settings.KEYS.ANALYZER_CENTRAL_ENABLED;
156		}
157
158		/**
159		* Returns the analysis phase under which the analyzer runs.
160		*
161		* @return the phase under which the analyzer runs
162		*/
163		@Override
164		public AnalysisPhase getAnalysisPhase() {
165	3	return ANALYSIS_PHASE;
166		}
167
168		/**
169		* The file filter used to determine which files this analyzer supports.
170		*/
171	1	private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
172
173		@Override
174		protected FileFilter getFileFilter() {
175	853	return FILTER;
176		}
177
178		/**
179		* Performs the analysis.
180		*
181		* @param dependency the dependency to analyze
182		* @param engine the engine
183		* @throws AnalysisException when there's an exception during analysis
184		*/
185		@Override
186		public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
187	0	if (errorFlag \|\| !isEnabled()) {
188	0	return;
189		}
190
191		try {
192	0	final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
193	0	final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
194	0	for (MavenArtifact ma : mas) {
195	0	LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma, dependency.getFileName());
196	0	dependency.addAsEvidence("central", ma, confidence);
197	0	boolean pomAnalyzed = false;
198	0	for (Evidence e : dependency.getVendorEvidence()) {
199	0	if ("pom".equals(e.getSource())) {
200	0	pomAnalyzed = true;
201	0	break;
202		}
203	0	}
204	0	if (!pomAnalyzed && ma.getPomUrl() != null) {
205	0	File pomFile = null;
206		try {
207	0	final File baseDir = Settings.getTempDirectory();
208	0	pomFile = File.createTempFile("pom", ".xml", baseDir);
209	0	if (!pomFile.delete()) {
210	0	LOGGER.warn("Unable to fetch pom.xml for {} from Central; "
211	0	+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
212	0	LOGGER.debug("Unable to delete temp file");
213		}
214	0	LOGGER.debug("Downloading {}", ma.getPomUrl());
215	0	Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
216	0	PomUtils.analyzePOM(dependency, pomFile);
217
218	0	} catch (DownloadFailedException ex) {
219	0	LOGGER.warn("Unable to download pom.xml for {} from Central; "
220	0	+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
221		} finally {
222	0	if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
223	0	pomFile.deleteOnExit();
224		}
225		}
226		}
227
228	0	}
229	0	} catch (IllegalArgumentException iae) {
230	0	LOGGER.info("invalid sha1-hash on {}", dependency.getFileName());
231	0	} catch (FileNotFoundException fnfe) {
232	0	LOGGER.debug("Artifact not found in repository: '{}", dependency.getFileName());
233	0	} catch (IOException ioe) {
234	0	LOGGER.debug("Could not connect to Central search", ioe);
235	0	errorFlag = true;
236	0	}
237	0	}
238		}