1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
import java.io.IOException;
import java.sql.SQLException;
import java.util.Collection;
import java.util.List;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
30  
31  /**
32   * NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern whether there are
33   * associated CVEs. It uses the identifiers found by other analyzers to look up the CVE data.
34   *
35   * @author Jeremy Long
36   */
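public class NvdCveAnalyzer implements Analyzer {

    /**
     * The maximum number of query results to return.
     */
    static final int MAX_QUERY_RESULTS = 100;
    /**
     * The identifier type whose values are used as keys for the CVE lookup; identifiers of any other type are
     * ignored by this analyzer.
     */
    private static final String CPE_IDENTIFIER_TYPE = "cpe";
    /**
     * The CVE Index; {@code null} whenever the data source is not open.
     */
    private CveDB cveDB;

    /**
     * Opens the data source.
     *
     * The field is only assigned once the database has been opened successfully, so a failed {@code open()} leaves
     * this analyzer reporting {@link #isOpen()} as {@code false} instead of holding a half-initialized index.
     *
     * @throws SQLException thrown when there is a SQL Exception
     * @throws IOException thrown when there is an IO Exception
     * @throws DatabaseException thrown when there is a database exceptions
     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
     */
    public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
        final CveDB db = new CveDB();
        db.open();
        cveDB = db;
    }

    /**
     * Closes the data source. Safe to call more than once and safe to call when the data source was never opened;
     * in both cases the call is a no-op.
     */
    @Override
    public void close() {
        if (cveDB != null) {
            cveDB.close();
            cveDB = null;
        }
    }

    /**
     * Returns the status of the data source - is the database open.
     *
     * @return {@code true} if {@link #open()} completed successfully and {@link #close()} has not been called since
     */
    public boolean isOpen() {
        return cveDB != null;
    }

    /**
     * Ensures that the CVE Database is closed. This is only a best-effort safety net for callers that forgot to
     * call {@link #close()}; finalization is not guaranteed to run promptly (or at all), so callers must still
     * close the analyzer explicitly.
     *
     * @throws Throwable when a throwable is thrown.
     */
    @Override
    protected void finalize() throws Throwable {
        super.finalize();
        if (isOpen()) {
            close();
        }
    }

    /**
     * Analyzes a dependency: every CPE identifier attached to the dependency is looked up in the CVE database and the
     * resulting vulnerabilities are added to the dependency. CPE identifiers that have been suppressed are looked up
     * the same way, but their vulnerabilities are recorded as suppressed vulnerabilities instead.
     *
     * @param dependency The Dependency to analyze
     * @param engine The analysis engine (not used by this analyzer)
     * @throws AnalysisException is thrown if there is an issue analyzing the dependency
     * @throws IllegalStateException if the analyzer has not been initialized (the CVE database is not open)
     */
    @Override
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        if (!isOpen()) {
            throw new IllegalStateException("NvdCveAnalyzer has not been initialized; call initialize() before analyze()");
        }
        lookupVulnerabilities(dependency.getIdentifiers(), dependency.getVulnerabilities());
        lookupVulnerabilities(dependency.getSuppressedIdentifiers(), dependency.getSuppressedVulnerabilities());
    }

    /**
     * Looks up the vulnerabilities for every CPE identifier in {@code identifiers} and adds them to {@code target}.
     * Identifiers whose type is not {@value #CPE_IDENTIFIER_TYPE} are skipped.
     *
     * @param identifiers the identifiers to look up
     * @param target the collection that receives the vulnerabilities found
     * @throws AnalysisException if the CVE database lookup fails
     */
    private void lookupVulnerabilities(Iterable<Identifier> identifiers, Collection<? super Vulnerability> target)
            throws AnalysisException {
        for (Identifier id : identifiers) {
            if (!CPE_IDENTIFIER_TYPE.equals(id.getType())) {
                continue;
            }
            try {
                final List<Vulnerability> vulns = cveDB.getVulnerabilities(id.getValue());
                target.addAll(vulns);
            } catch (DatabaseException ex) {
                // wrap rather than swallow so the engine can report the failed lookup with its cause
                throw new AnalysisException(ex);
            }
        }
    }

    /**
     * Returns the name of this analyzer.
     *
     * @return the name of this analyzer.
     */
    @Override
    public String getName() {
        return "NVD CVE Analyzer";
    }

    /**
     * Returns the analysis phase that this analyzer should run in.
     *
     * @return the analysis phase that this analyzer should run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.FINDING_ANALYSIS;
    }

    /**
     * Opens the database used to gather NVD CVE data.
     *
     * @throws Exception is thrown if there is an issue opening the index.
     */
    @Override
    public void initialize() throws Exception {
        this.open();
    }
}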
154 }