@ThreadSafe public abstract class AbstractNpmAnalyzer extends AbstractFileTypeAnalyzer
Field Summary

Modifier and Type | Field | Description
---|---|---
static java.lang.String | NPM_DEPENDENCY_ECOSYSTEM | A descriptor for the type of dependencies processed or added by this analyzer.
Constructor Summary

Constructor and Description
---
AbstractNpmAnalyzer()
Method Summary

Modifier and Type | Method | Description
---|---|---
boolean | accept(java.io.File pathname) | Determines if the file can be analyzed by the analyzer.
protected Dependency | createDependency(Dependency dependency, java.lang.String name, java.lang.String version, java.lang.String scope) | Construct a dependency object.
static java.lang.String | determineVersionFromMap(java.lang.String versionRange, java.util.Collection<java.lang.String> availableVersions) | Given an NPM version range and a collection of versions, this method attempts to select a specific version from the collection that is in the range.
protected Dependency | findDependency(Engine engine, java.lang.String name, java.lang.String version) | Locates the dependency from the list of dependencies that have been scanned by the engine.
void | gatherEvidence(javax.json.JsonObject json, Dependency dependency) | Collects evidence from the given JSON for the associated dependency.
protected NodeAuditSearch | getSearcher() | Returns the node audit search utility.
protected void | prepareFileTypeAnalyzer(Engine engine) | Initializes the analyzer once before any analysis is performed.
protected void | processPackage(Engine engine, Dependency dependency, javax.json.JsonArray jsonArray, java.lang.String depType) | Processes a part of package.json (as defined by JsonArray) and updates the specified dependency with relevant info.
protected void | processPackage(Engine engine, Dependency dependency, javax.json.JsonObject jsonObject, java.lang.String depType) | Processes a part of package.json (as defined by JsonObject) and updates the specified dependency with relevant info.
protected void | processResults(java.util.List<Advisory> advisories, Engine engine, Dependency dependency, org.apache.commons.collections4.MultiValuedMap<java.lang.String,java.lang.String> dependencyMap) | Processes the advisories, creating the appropriate dependency objects and adding the resulting vulnerabilities.
protected void | replaceOrAddVulnerability(Dependency dependency, Vulnerability vuln) | Evaluates if the vulnerability is already present; if it is, the vulnerability is not added.
static boolean | shouldProcess(java.io.File pathname) | Determines if the path contains "/node_modules/" or "/bower_components/" (i.e.
Methods inherited from class AbstractFileTypeAnalyzer: getFileFilter, getFilesMatched, newHashSet, prepareAnalyzer, setFilesMatched

Methods inherited from class AbstractAnalyzer: analyze, analyzeDependency, close, closeAnalyzer, getAnalyzerEnabledSettingKey, getSettings, initialize, isEnabled, prepare, setEnabled, supportsParallelProcessing

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface Analyzer: analyze, close, getAnalysisPhase, getName, initialize, isEnabled, prepare, supportsParallelProcessing
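The summary above says only that determineVersionFromMap picks "a specific version from the collection that is in the range"; it does not say how npm range syntax is interpreted or which candidate wins when several match. The following is an added example written for this page, not dependency-check's code, that implements that contract stand-alone so the semantics can be inspected. The class name NpmRangeResolver, the method name determineVersionFromRange, the tie-break rule (highest matching candidate, null when none match) and the sample candidate list are all assumptions of the example. It handles exact versions, `*`, caret, tilde and `<`, `<=`, `>`, `>=` comparators on plain MAJOR.MINOR.PATCH strings; pre-release candidates are skipped and unsupported range syntax (hyphen ranges, `||` unions, `x` wildcards) raises IllegalArgumentException instead of matching anything.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * Added example: a stand-alone resolver for npm version ranges with the same
 * shape as AbstractNpmAnalyzer.determineVersionFromMap (range + candidates in,
 * one in-range version out). Not dependency-check code; see the assumptions
 * in the lead-in.
 */
public final class NpmRangeResolver {

    /** A predicate over a parsed MAJOR.MINOR.PATCH triple. */
    interface VersionTest {
        boolean test(int[] v);
    }

    /** Parse "1.2.3" (a leading "v" or "=" is tolerated) into an int triple. */
    static int[] parse(String version) {
        String s = version.trim();
        if (s.startsWith("v") || s.startsWith("=")) {
            s = s.substring(1);
        }
        String[] parts = s.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("unsupported version: " + version);
        }
        int[] out = new int[3];
        for (int i = 0; i < 3; i++) {
            out[i] = Integer.parseInt(parts[i]); // NumberFormatException for "0-rc.1" and the like
        }
        return out;
    }

    /** Lexicographic comparison of two parsed triples. */
    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    /** Translate one comparator token of an npm range into a predicate. */
    static VersionTest token(String t) {
        if (t.isEmpty() || t.equals("*")) {
            return v -> true;
        }
        if (t.startsWith(">=")) { int[] b = parse(t.substring(2)); return v -> compare(v, b) >= 0; }
        if (t.startsWith("<=")) { int[] b = parse(t.substring(2)); return v -> compare(v, b) <= 0; }
        if (t.startsWith(">"))  { int[] b = parse(t.substring(1)); return v -> compare(v, b) > 0; }
        if (t.startsWith("<"))  { int[] b = parse(t.substring(1)); return v -> compare(v, b) < 0; }
        if (t.startsWith("^")) {
            // Caret: ^1.2.3 = >=1.2.3 <2.0.0, ^0.2.3 = >=0.2.3 <0.3.0, ^0.0.3 = >=0.0.3 <0.0.4
            int[] b = parse(t.substring(1));
            int[] hi = b[0] != 0 ? new int[] {b[0] + 1, 0, 0}
                     : b[1] != 0 ? new int[] {0, b[1] + 1, 0}
                                 : new int[] {0, 0, b[2] + 1};
            return v -> compare(v, b) >= 0 && compare(v, hi) < 0;
        }
        if (t.startsWith("~")) {
            // Tilde: ~1.2.3 = >=1.2.3 <1.3.0
            int[] b = parse(t.substring(1));
            int[] hi = new int[] {b[0], b[1] + 1, 0};
            return v -> compare(v, b) >= 0 && compare(v, hi) < 0;
        }
        int[] b = parse(t); // bare "1.2.3" or "=1.2.3": exact match
        return v -> compare(v, b) == 0;
    }

    /**
     * Return the highest candidate satisfying every space-separated comparator
     * (AND semantics), or null when none does. Candidates that do not parse are
     * skipped rather than treated as matches, so an odd string in the lock file
     * never silently satisfies a range.
     */
    public static String determineVersionFromRange(String versionRange, Collection<String> availableVersions) {
        List<VersionTest> tests = new ArrayList<>();
        for (String t : versionRange.trim().split("\\s+")) {
            tests.add(token(t)); // IllegalArgumentException on unsupported syntax
        }
        String best = null;
        int[] bestParsed = null;
        for (String candidate : availableVersions) {
            int[] parsed;
            try {
                parsed = parse(candidate);
            } catch (IllegalArgumentException e) { // NumberFormatException is a subclass
                continue;
            }
            boolean inRange = true;
            for (VersionTest test : tests) {
                if (!test.test(parsed)) {
                    inRange = false;
                    break;
                }
            }
            if (inRange && (bestParsed == null || compare(parsed, bestParsed) > 0)) {
                best = candidate;
                bestParsed = parsed;
            }
        }
        return best;
    }

    public static void main(String[] args) {
        // Constructed candidate list, standing in for versions collected from a lock file.
        List<String> installed = List.of("0.0.3", "1.2.3", "1.4.0", "1.9.9", "2.0.0", "2.1.0", "3.0.0-rc.1");
        for (String range : new String[] {"^1.2.3", "~1.2.3", ">=2.0.0 <2.1.0", "^0.0.3", "*", "3.0.0"}) {
            System.out.println(range + " -> " + determineVersionFromRange(range, installed));
        }
    }
}
```

With the constructed list, `^1.2.3` resolves to 1.9.9, `~1.2.3` to 1.2.3, `>=2.0.0 <2.1.0` to 2.0.0, `^0.0.3` to 0.0.3, `*` to 2.1.0, and the exact range `3.0.0` to null because the only 3.x candidate is a pre-release this example skips. The choice of candidate is security relevant: the version a range resolves to is what the analyzer attaches advisories to, so a resolver that picks the wrong candidate, or that lets an unparseable string satisfy a range, misattributes or hides findings. The real method's preference among several in-range candidates is not stated on this page and should be checked against the project source before relying on it.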
Field Detail

public static final java.lang.String NPM_DEPENDENCY_ECOSYSTEM
A descriptor for the type of dependencies processed or added by this analyzer.

Method Detail

public boolean accept(java.io.File pathname)
Determines if the file can be analyzed by the analyzer.
Specified by: accept in interface java.io.FileFilter
Overrides: accept in class AbstractFileTypeAnalyzer
Parameters:
pathname - the path to the file

public static boolean shouldProcess(java.io.File pathname) throws AnalysisException
Determines if the path contains "/node_modules/" or "/bower_components/". Note the inversion in the return value: the question answered is "should this file be processed?", so the method returns true only when the path lies outside both directories, and callers that gate on it skip files already sitting inside an installed node_modules or bower_components tree. The test is made on the canonical path, so symbolic links are resolved first, which is also why obtaining it can fail.
Parameters:
pathname - the path to test
Returns:
true if the path does not contain "/node_modules/" or "/bower_components/"
Throws:
AnalysisException - thrown if the canonical path cannot be obtained from the given file

protected Dependency createDependency(Dependency dependency, java.lang.String name, java.lang.String version, java.lang.String scope)
Construct a dependency object.
Parameters:
dependency - the parent dependency
name - the name of the dependency to create
version - the version of the dependency to create
scope - the scope of the dependency being created

protected void processPackage(Engine engine, Dependency dependency, javax.json.JsonArray jsonArray, java.lang.String depType)
Processes a part of package.json (as defined by JsonArray) and updates the specified dependency with relevant info.
Parameters:
engine - the dependency-check engine
dependency - the Dependency to update
jsonArray - the jsonArray to parse
depType - the dependency type

protected void processPackage(Engine engine, Dependency dependency, javax.json.JsonObject jsonObject, java.lang.String depType)
Processes a part of package.json (as defined by JsonObject) and updates the specified dependency with relevant info.
Parameters:
engine - the dependency-check engine
dependency - the Dependency to update
jsonObject - the jsonObject to parse
depType - the dependency type

protected Dependency findDependency(Engine engine, java.lang.String name, java.lang.String version)
Locates the dependency from the list of dependencies that have been scanned by the engine.
Parameters:
engine - the dependency-check engine
name - the name of the dependency to find
version - the version of the dependency to find

public void gatherEvidence(javax.json.JsonObject json, Dependency dependency)
Collects evidence from the given JSON for the associated dependency.
Parameters:
json - the JSON that contains the evidence to collect
dependency - the dependency to add the evidence to

protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException
Initializes the analyzer once before any analysis is performed.
Specified by: prepareFileTypeAnalyzer in class AbstractFileTypeAnalyzer
Parameters:
engine - a reference to the dependency-check engine
Throws:
InitializationException - if there's an error during initialization

protected void processResults(java.util.List<Advisory> advisories, Engine engine, Dependency dependency, org.apache.commons.collections4.MultiValuedMap<java.lang.String,java.lang.String> dependencyMap) throws us.springett.parsers.cpe.exceptions.CpeValidationException
Processes the advisories, creating the appropriate dependency objects and adding the resulting vulnerabilities.
Parameters:
advisories - a collection of advisories from npm
engine - a reference to the analysis engine
dependency - a reference to the package-lock.json dependency
dependencyMap - a collection of module/version pairs obtained from the package-lock file; used in case the advisories do not include a version number
Throws:
us.springett.parsers.cpe.exceptions.CpeValidationException - thrown when a CPE cannot be created

protected void replaceOrAddVulnerability(Dependency dependency, Vulnerability vuln)
Evaluates if the vulnerability is already present; if it is, the vulnerability is not added.
Parameters:
dependency - a reference to the dependency being analyzed
vuln - the vulnerability to add

protected NodeAuditSearch getSearcher()
Returns the node audit search utility.

public static java.lang.String determineVersionFromMap(java.lang.String versionRange, java.util.Collection<java.lang.String> availableVersions)
Given an NPM version range and a collection of versions, this method attempts to select a specific version from the collection that is in the range.
Parameters:
versionRange - the version range to evaluate
availableVersions - the collection of possible versions to select

Copyright© 2012-21 Jeremy Long. All Rights Reserved.