 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 
 /**
  * NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there are associated
  * CVEs. It uses the identifiers found by other analyzers to look up the CVE data.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
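public class NvdCveAnalyzer implements Analyzer {

    /**
     * The maximum number of query results to return.
     */
    static final int MAX_QUERY_RESULTS = 100;
    /**
     * The identifier type that this analyzer resolves against the CVE database; all other identifier types are
     * ignored by {@link #analyze(Dependency, Engine)}.
     */
    private static final String CPE_IDENTIFIER_TYPE = "cpe";
    /**
     * The CVE database. {@code null} until {@link #open()} has succeeded, and again after {@link #close()}.
     */
    private CveDB cveDB;

    /**
     * Opens the CVE data source.
     * <p>
     * The database reference is only stored once {@code CveDB.open()} has returned normally, so a failed open leaves
     * this analyzer in the closed state ({@link #isOpen()} stays {@code false}) rather than holding a half-opened
     * instance.
     *
     * @throws SQLException thrown when there is a SQL Exception
     * @throws IOException thrown when there is an IO Exception
     * @throws DatabaseException thrown when there is a database exceptions
     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
     */
    public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
        final CveDB db = new CveDB();
        db.open();
        // assign only after open() succeeded; see the class-level contract of isOpen()
        cveDB = db;
    }

    /**
     * Closes the CVE data source. Calling this when the analyzer is not open (or has already been closed) is a
     * harmless no-op, so the engine may call it unconditionally during shutdown.
     */
    public void close() {
        if (cveDB == null) {
            return;
        }
        try {
            cveDB.close();
        } finally {
            // drop the reference even if close() fails, so a retry does not touch a broken handle
            cveDB = null;
        }
    }

    /**
     * Returns the status of the data source - is the database open.
     * <p>
     * This only reflects whether {@link #open()} succeeded and {@link #close()} has not been called since; it does
     * not probe the underlying connection.
     *
     * @return true if the CVE database is held open by this analyzer, otherwise false.
     */
    public boolean isOpen() {
        return cveDB != null;
    }

    /**
     * Ensures that the CVE Database is closed if this analyzer is garbage collected while still open. Finalizers
     * run at an unspecified time, or never, so this is only a last resort; callers must still invoke
     * {@link #close()} explicitly.
     *
     * @throws Throwable when a throwable is thrown.
     */
    @Override
    protected void finalize() throws Throwable {
        try {
            if (isOpen()) {
                close();
            }
        } finally {
            super.finalize();
        }
    }

    /**
     * Analyzes a dependency and attaches the vulnerabilities (CVEs) recorded for its CPE identifiers. Only
     * identifiers whose type is {@code "cpe"} are looked up; every other identifier type is skipped.
     *
     * @param dependency The Dependency to analyze
     * @param engine The analysis engine
     * @throws AnalysisException is thrown if the analyzer has not been opened or if there is an issue querying the
     * CVE database
     */
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        for (Identifier id : dependency.getIdentifiers()) {
            if (CPE_IDENTIFIER_TYPE.equals(id.getType())) {
                dependency.getVulnerabilities().addAll(lookupVulnerabilities(id.getValue()));
            }
        }
    }

    /**
     * Looks up the vulnerabilities recorded for a single CPE identifier.
     * <p>
     * The CPE string is produced by earlier analyzers in the pipeline, not taken from the user directly, and is
     * handed to {@link CveDB} unchanged. NOTE(review): whether that lookup is parameterized is CveDB's
     * responsibility - confirm in {@code CveDB.getVulnerabilities}.
     *
     * @param cpe the CPE identifier value to look up
     * @return the vulnerabilities returned by the CVE database for the CPE
     * @throws AnalysisException if the analyzer is not open, or if the database query fails (the
     * {@link DatabaseException} is kept as the cause)
     */
    private List<Vulnerability> lookupVulnerabilities(String cpe) throws AnalysisException {
        if (!isOpen()) {
            // fail with the declared exception type instead of a NullPointerException from cveDB
            throw new AnalysisException(new IllegalStateException(
                    "NvdCveAnalyzer is not open; call open() or initialize() before analyze()"));
        }
        try {
            return cveDB.getVulnerabilities(cpe);
        } catch (DatabaseException ex) {
            throw new AnalysisException(ex);
        }
    }

    /**
     * Returns {@code null}. Together with {@link #supportsExtension(String)} always returning {@code true}, this
     * signals that the analyzer is not restricted to particular file extensions; presumably the engine treats a
     * {@code null} set as "no restriction" - verify against the {@link Analyzer} contract.
     *
     * @return {@code null}, meaning no extension filter.
     */
    public Set<String> getSupportedExtensions() {
        return null;
    }

    /**
     * Returns the name of this analyzer.
     *
     * @return the name of this analyzer.
     */
    public String getName() {
        return "NVD CVE Analyzer";
    }

    /**
     * Returns true because this analyzer supports all dependency types.
     *
     * @param extension the file extension of the dependency being analyzed; ignored.
     * @return true.
     */
    public boolean supportsExtension(String extension) {
        return true;
    }

    /**
     * Returns the analysis phase that this analyzer should run in.
     *
     * @return the analysis phase that this analyzer should run in.
     */
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.FINDING_ANALYSIS;
    }

    /**
     * Opens the CVE database by delegating to {@link #open()}.
     *
     * @throws Exception is thrown if there is an issue opening the database.
     */
    public void initialize() throws Exception {
        this.open();
    }
}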