View Javadoc
1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2023 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.data.update.nvd.api;
19  
20  import io.github.jeremylong.openvulnerability.client.nvd.DefCveItem;
21  
22  import java.io.BufferedInputStream;
23  import java.io.File;
24  import java.io.IOException;
25  import java.io.InputStream;
26  import java.nio.file.Files;
27  import java.util.concurrent.Callable;
28  import java.util.zip.GZIPInputStream;
29  
30  import org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper;
31  import org.owasp.dependencycheck.data.nvdcve.CveDB;
32  import org.slf4j.Logger;
33  import org.slf4j.LoggerFactory;
34  
35  /**
36   * Stores a collection of NVD CVE Data from the NVD API into the database.
37   *
38   * @author Jeremy Long
39   */
40  public class NvdApiProcessor implements Callable<NvdApiProcessor> {
41  
42      /**
43       * The Logger for use throughout the class.
44       */
45      private static final Logger LOGGER = LoggerFactory.getLogger(NvdApiProcessor.class);
46      /**
47       * A reference to the database.
48       */
49      private final CveDB cveDB;
50      /**
51       * The file containing the data to inject.
52       */
53      private File jsonFile;
54      /**
55       * Reference to the CVE Ecosystem Mapper object.
56       */
57      private final CveEcosystemMapper mapper = new CveEcosystemMapper();
58      /**
59       * The start time.
60       */
61      private final long startTime;
62      /**
63       * The end time.
64       */
65      private long endTime = 0;
66  
67      /**
68       * Create a new processor to put the NVD data into the database.
69       *
70       * @param cveDB a reference to the database.
71       * @param jsonFile the JSON data file to inject.
72       * @param startTime the start time of the update process.
73       */
74      public NvdApiProcessor(final CveDB cveDB, File jsonFile, long startTime) {
75          this.cveDB = cveDB;
76          this.jsonFile = jsonFile;
77          this.startTime = startTime;
78      }
79  
80      /**
81       * Create a new processor to put the NVD data into the database.
82       *
83       * @param cveDB a reference to the database
84       * @param jsonFile the JSON data file to inject.
85       */
86      public NvdApiProcessor(final CveDB cveDB, File jsonFile) {
87          this(cveDB, jsonFile, System.currentTimeMillis());
88      }
89  
90      @Override
91      public NvdApiProcessor call() throws Exception {
92          if (jsonFile.getName().endsWith(".jsonarray.gz")) {
93              try (InputStream fis = Files.newInputStream(jsonFile.toPath());
94                   InputStream is = new BufferedInputStream(new GZIPInputStream(fis));
95                   CveItemSource<DefCveItem> itemSource = new JsonArrayCveItemSource(is)) {
96                  updateCveDb(itemSource);
97              }
98          } else if (jsonFile.getName().endsWith(".gz")) {
99              try (InputStream fis = Files.newInputStream(jsonFile.toPath());
100                  InputStream is = new BufferedInputStream(new GZIPInputStream(fis));
101                  CveItemSource<DefCveItem> itemSource = new CveApiJson20CveItemSource(is)) {
102                 updateCveDb(itemSource);
103             }
104         } else {
105             try (InputStream fis = Files.newInputStream(jsonFile.toPath());
106                  InputStream is = new BufferedInputStream(fis);
107                  CveItemSource<DefCveItem> itemSource = new JsonArrayCveItemSource(is)) {
108                 updateCveDb(itemSource);
109             }
110         }
111         endTime = System.currentTimeMillis();
112         return this;
113     }
114 
115     private void updateCveDb(CveItemSource<DefCveItem> itemSource) throws IOException {
116         while (itemSource.hasNext()) {
117             DefCveItem entry = itemSource.next();
118             try {
119                 cveDB.updateVulnerability(entry, mapper.getEcosystem(entry));
120             } catch (Exception ex) {
121                 LOGGER.error("Failed to process " + entry.getCve().getId(), ex);
122             }
123         }
124     }
125 
126     /**
127      * Calculates how long the update process took.
128      *
129      * @return the number of milliseconds that the update process took
130      */
131     public long getDurationMillis() {
132         return endTime - startTime;
133     }
134 }