Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.NexusAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

NexusAnalyzer

15%

6/39

0/20

3.333

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
  *
  * There are two settings which govern this behavior:
  *
  * <ul>
  * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED} determines whether this analyzer is
  * even enabled. This can be overridden by setting the system property.</li>
  * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL} the URL to a Nexus service to search by
  * SHA-1. There is an expected <code>%s</code> in this where the SHA-1 will get entered.</li>
  * </ul>
  *
  * @author colezlaw
  */
 public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * The logger.
      */
     private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());
 
     /**
      * The name of the analyzer.
      */
     private static final String ANALYZER_NAME = "Nexus Analyzer";
 
     /**
      * The phase in which the analyzer runs.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
 
     /**
      * The types of files on which this will work.
      */
     private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
 
     /**
      * The Nexus Search to be set up for this analyzer.
      */
     private NexusSearch searcher;
 
     /**
      * Initializes the analyzer once before any analysis is performed.
      *
      * @throws Exception if there's an error during initialization
      */
     @Override
     public void initializeFileTypeAnalyzer() throws Exception {
         LOGGER.fine("Initializing Nexus Analyzer");
         LOGGER.fine(String.format("Nexus Analyzer enabled: %s", isEnabled()));
         if (isEnabled()) {
             final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
             LOGGER.fine(String.format("Nexus Analyzer URL: %s", searchUrl));
             try {
                 searcher = new NexusSearch(new URL(searchUrl));
                 if (!searcher.preflightRequest()) {
                     LOGGER.warning("There was an issue getting Nexus status. Disabling analyzer.");
                     setEnabled(false);
                 }
             } catch (MalformedURLException mue) {
                 // I know that initialize can throw an exception, but we'll
                 // just disable the analyzer if the URL isn't valid
                 LOGGER.warning(String.format("Property %s not a valid URL. Nexus Analyzer disabled", searchUrl));
                 setEnabled(false);
             }
         }
     }
 
     /**
      * Returns the analyzer's name.
      *
      * @return the name of the analyzer
      */
     @Override
     public String getName() {
         return ANALYZER_NAME;
     }
 
     /**
      * Returns the key used in the properties file to reference the analyzer's enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
     @Override
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_NEXUS_ENABLED;
     }
 
     /**
      * Returns the analysis phase under which the analyzer runs.
      *
      * @return the phase under which this analyzer runs
      */
     @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
 
     /**
      * Returns the extensions for which this Analyzer runs.
      *
      * @return the extensions for which this Analyzer runs
      */
     @Override
     public Set<String> getSupportedExtensions() {
         return SUPPORTED_EXTENSIONS;
     }
 
     /**
      * Performs the analysis.
      *
      * @param dependency the dependency to analyze
      * @param engine the engine
      * @throws AnalysisException when there's an exception during analysis
      */
     @Override
     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
             if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
                 dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH);
             }
             if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
                 dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH);
             }
             if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
                 dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
             }
             if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
                 dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
             }
         } catch (IllegalArgumentException iae) {
             //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
             LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
         } catch (FileNotFoundException fnfe) {
             //dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
             LOGGER.fine(String.format("Artifact not found in repository '%s'", dependency.getFileName()));
             LOGGER.log(Level.FINE, fnfe.getMessage(), fnfe);
         } catch (IOException ioe) {
             //dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
             LOGGER.log(Level.FINE, "Could not connect to nexus repository", ioe);
         }
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import java.io.FileNotFoundException;
21		import java.io.IOException;
22		import java.net.MalformedURLException;
23		import java.net.URL;
24		import java.util.Set;
25		import java.util.logging.Level;
26		import java.util.logging.Logger;
27		import org.owasp.dependencycheck.Engine;
28		import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
29		import org.owasp.dependencycheck.data.nexus.MavenArtifact;
30		import org.owasp.dependencycheck.data.nexus.NexusSearch;
31		import org.owasp.dependencycheck.dependency.Confidence;
32		import org.owasp.dependencycheck.dependency.Dependency;
33		import org.owasp.dependencycheck.utils.Settings;
34
35		/**
36		* Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
37		*
38		* There are two settings which govern this behavior:
39		*
40		* <ul>
41		* <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED} determines whether this analyzer is
42		* even enabled. This can be overridden by setting the system property.</li>
43		* <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL} the URL to a Nexus service to search by
44		* SHA-1. There is an expected <code>%s</code> in this where the SHA-1 will get entered.</li>
45		* </ul>
46		*
47		* @author colezlaw
48		*/
49		public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
50
51		/**
52		* The logger.
53		*/
54	1	private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());
55
56		/**
57		* The name of the analyzer.
58		*/
59		private static final String ANALYZER_NAME = "Nexus Analyzer";
60
61		/**
62		* The phase in which the analyzer runs.
63		*/
64	1	private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
65
66		/**
67		* The types of files on which this will work.
68		*/
69	1	private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
70
71		/**
72		* The Nexus Search to be set up for this analyzer.
73		*/
74		private NexusSearch searcher;
75
76		/**
77		* Initializes the analyzer once before any analysis is performed.
78		*
79		* @throws Exception if there's an error during initialization
80		*/
81		@Override
82		public void initializeFileTypeAnalyzer() throws Exception {
83	0	LOGGER.fine("Initializing Nexus Analyzer");
84	0	LOGGER.fine(String.format("Nexus Analyzer enabled: %s", isEnabled()));
85	0	if (isEnabled()) {
86	0	final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
87	0	LOGGER.fine(String.format("Nexus Analyzer URL: %s", searchUrl));
88		try {
89	0	searcher = new NexusSearch(new URL(searchUrl));
90	0	if (!searcher.preflightRequest()) {
91	0	LOGGER.warning("There was an issue getting Nexus status. Disabling analyzer.");
92	0	setEnabled(false);
93		}
94	0	} catch (MalformedURLException mue) {
95		// I know that initialize can throw an exception, but we'll
96		// just disable the analyzer if the URL isn't valid
97	0	LOGGER.warning(String.format("Property %s not a valid URL. Nexus Analyzer disabled", searchUrl));
98	0	setEnabled(false);
99	0	}
100		}
101	0	}
102
103		/**
104		* Returns the analyzer's name.
105		*
106		* @return the name of the analyzer
107		*/
108		@Override
109		public String getName() {
110	4	return ANALYZER_NAME;
111		}
112
113		/**
114		* Returns the key used in the properties file to reference the analyzer's enabled property.
115		*
116		* @return the analyzer's enabled property setting key
117		*/
118		@Override
119		protected String getAnalyzerEnabledSettingKey() {
120	2	return Settings.KEYS.ANALYZER_NEXUS_ENABLED;
121		}
122
123		/**
124		* Returns the analysis phase under which the analyzer runs.
125		*
126		* @return the phase under which this analyzer runs
127		*/
128		@Override
129		public AnalysisPhase getAnalysisPhase() {
130	1	return ANALYSIS_PHASE;
131		}
132
133		/**
134		* Returns the extensions for which this Analyzer runs.
135		*
136		* @return the extensions for which this Analyzer runs
137		*/
138		@Override
139		public Set<String> getSupportedExtensions() {
140	0	return SUPPORTED_EXTENSIONS;
141		}
142
143		/**
144		* Performs the analysis.
145		*
146		* @param dependency the dependency to analyze
147		* @param engine the engine
148		* @throws AnalysisException when there's an exception during analysis
149		*/
150		@Override
151		public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
152		try {
153	0	final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
154	0	if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
155	0	dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH);
156		}
157	0	if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
158	0	dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH);
159		}
160	0	if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
161	0	dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
162		}
163	0	if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
164	0	dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
165		}
166	0	} catch (IllegalArgumentException iae) {
167		//dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
168	0	LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
169	0	} catch (FileNotFoundException fnfe) {
170		//dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
171	0	LOGGER.fine(String.format("Artifact not found in repository '%s'", dependency.getFileName()));
172	0	LOGGER.log(Level.FINE, fnfe.getMessage(), fnfe);
173	0	} catch (IOException ioe) {
174		//dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
175	0	LOGGER.log(Level.FINE, "Could not connect to nexus repository", ioe);
176	0	}
177	0	}
178		}