 /*
  * This file is part of dependency-check-core.
  *
  * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
  * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
  * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.AnalysisException;
 import org.owasp.dependencycheck.analyzer.AnalysisPhase;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 
 /**
  * NvdCveAnalyzer is a utility class that takes a project dependency and
  * attempts to discern whether there are associated CVEs. It uses the
  * CPE identifiers found by other analyzers to look up the CVE data.
  *
  * @author Jeremy Long (jeremy.long@owasp.org)
  */
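 public class NvdCveAnalyzer implements Analyzer {

     /**
      * The maximum number of query results to return.
      */
     static final int MAX_QUERY_RESULTS = 100;
     /**
      * The CVE database. This is {@code null} whenever the analyzer is not
      * open; {@link #isOpen()} relies on that invariant.
      */
     private CveDB cveDB;

     /**
      * Opens the data source.
      *
      * The new {@link CveDB} is assigned to {@link #cveDB} only after its
      * {@code open()} succeeded. Assigning before opening would leave an
      * unopened database behind a failed open, so {@link #isOpen()} would
      * report {@code true} and {@link #close()} / {@link #finalize()} would
      * later call {@code close()} on a database that was never opened.
      * If this analyzer is already open, the previous database is closed
      * first rather than silently leaked.
      *
      * @throws SQLException thrown when there is a SQL Exception
      * @throws IOException thrown when there is an IO Exception
      * @throws DatabaseException thrown when there is a database exception
      * @throws ClassNotFoundException thrown if the h2 database driver cannot be
      * loaded
      */
     public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
         if (cveDB != null) {
             close();
         }
         final CveDB db = new CveDB();
         db.open();
         cveDB = db;
     }

     /**
      * Closes the data source.
      *
      * Safe to call when the analyzer is not open, and safe to call more than
      * once. The field is cleared before the underlying database is closed so
      * that {@link #isOpen()} reports {@code false} even if {@code close()}
      * on the database throws.
      */
     public void close() {
         final CveDB db = cveDB;
         cveDB = null;
         if (db != null) {
             db.close();
         }
     }

     /**
      * Returns the status of the data source - is the database open.
      *
      * @return {@code true} if {@link #open()} succeeded and {@link #close()}
      * has not been called since; {@code false} otherwise.
      */
     public boolean isOpen() {
         return cveDB != null;
     }

     /**
      * Ensures that the CVE Database is closed.
      *
      * This is only a last-resort safety net: finalizers are not guaranteed
      * to run at all, let alone promptly, so callers must still invoke
      * {@link #close()} explicitly. {@code super.finalize()} is called in a
      * {@code finally} block so it runs even if closing the database throws.
      *
      * @throws Throwable when a throwable is thrown.
      */
     @Override
     protected void finalize() throws Throwable {
         try {
             if (isOpen()) {
                 close();
             }
         } finally {
             super.finalize();
         }
     }

     /**
      * Analyzes a dependency and adds to it every vulnerability the CVE
      * database reports for each of the dependency's CPE identifiers.
      *
      * Only identifiers whose type is exactly {@code "cpe"} are looked up;
      * identifiers of any other type are ignored. The CPE value originates
      * from the scanned artifact (whatever the other analyzers extracted from
      * it), so it must be treated as untrusted input by {@link CveDB}:
      * the lookup is expected to bind it as a query parameter rather than
      * concatenate it into SQL. That cannot be verified from this class -
      * confirm in {@code CveDB.getVulnerabilities}.
      *
      * @param dependency The Dependency to analyze
      * @param engine The analysis engine (not used by this analyzer)
      * @throws AnalysisException is thrown if there is an issue analyzing the
      * dependency
      * @throws IllegalStateException if the analyzer has not been opened via
      * {@link #initialize()} or {@link #open()}
      */
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         // Fail with a clear message instead of a NullPointerException deep in
         // the loop when the analyzer is used before it has been opened.
         if (cveDB == null) {
             throw new IllegalStateException("NVD CVE Analyzer has not been initialized; call initialize() or open() first");
         }
         for (Identifier id : dependency.getIdentifiers()) {
             if (!"cpe".equals(id.getType())) {
                 continue;
             }
             try {
                 final String cpe = id.getValue();
                 // NOTE(review): a null CPE value is passed straight through;
                 // what CveDB does with it is not visible here - confirm.
                 final List<Vulnerability> vulns = cveDB.getVulnerabilities(cpe);
                 // Version/"valid match" filtering is done inside CveDB, so
                 // every returned vulnerability is attached as-is.
                 dependency.getVulnerabilities().addAll(vulns);
             } catch (DatabaseException ex) {
                 // Preserve the cause so the database failure stays diagnosable.
                 throw new AnalysisException(ex);
             }
         }
     }

     /**
      * Returns the set of file extensions this analyzer is restricted to.
      *
      * This analyzer applies to every dependency type (see
      * {@link #supportsExtension(String)}), and signals that by returning
      * {@code null} rather than a set. Whether the engine treats {@code null}
      * as "all extensions" cannot be confirmed from this class - verify
      * against {@link Engine} before relying on it.
      *
      * @return {@code null}, meaning no extension restriction.
      */
     public Set<String> getSupportedExtensions() {
         return null;
     }

     /**
      * Returns the name of this analyzer.
      *
      * @return the name of this analyzer.
      */
     public String getName() {
         return "NVD CVE Analyzer";
     }

     /**
      * Returns true because this analyzer supports all dependency types.
      *
      * @param extension the file extension of the dependency being analyzed
      * (ignored)
      * @return always {@code true}.
      */
     public boolean supportsExtension(String extension) {
         return true;
     }

     /**
      * Returns the analysis phase that this analyzer should run in.
      *
      * @return {@link AnalysisPhase#FINDING_ANALYSIS}; the CPE identifiers
      * this analyzer consumes must already have been produced.
      */
     public AnalysisPhase getAnalysisPhase() {
         return AnalysisPhase.FINDING_ANALYSIS;
     }

     /**
      * Opens the CVE database by delegating to {@link #open()}.
      *
      * @throws Exception is thrown if there is an issue opening the database.
      */
     public void initialize() throws Exception {
         this.open();
     }
 }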