Package org.owasp.dependencycheck.analyzer

Class AbstractNpmAnalyzer

    • Field Detail

      • NPM_DEPENDENCY_ECOSYSTEM

        public static final java.lang.String NPM_DEPENDENCY_ECOSYSTEM
        A descriptor for the type of dependencies processed or added by this analyzer.
        See Also:
        Constant Field Values

    • Constructor Detail

      • AbstractNpmAnalyzer

        public AbstractNpmAnalyzer()

    • Method Detail

      • accept

        public boolean accept​(java.io.File pathname)
        Determines if the file can be analyzed by the analyzer.
        Specified by:
        accept in interface java.io.FileFilter
        Overrides:
        accept in class AbstractFileTypeAnalyzer
        Parameters:
        pathname - the path to the file
        Returns:
        true if the file can be analyzed by the given analyzer; otherwise false

      • shouldProcess

        public static boolean shouldProcess​(java.io.File pathname)
                             throws AnalysisException
        Determines if the path contains "/node_modules/" or "/bower_components/" (i.e. it is a child module). This analyzer does not scan child modules.
        Parameters:
        pathname - the path to test
        Returns:
        true if the path does not contain "/node_modules/" or "/bower_components/"
        Throws:
        AnalysisException - thrown if the canonical path cannot be obtained from the given file

      • createDependency

        protected Dependency createDependency​(Dependency dependency,
                                      java.lang.String name,
                                      java.lang.String version,
                                      java.lang.String scope)
        Construct a dependency object.
        Parameters:
        dependency - the parent dependency
        name - the name of the dependency to create
        version - the version of the dependency to create
        scope - the scope of the dependency being created
        Returns:
        the generated dependency

      • processPackage

        protected void processPackage​(Engine engine,
                              Dependency dependency,
                              javax.json.JsonArray jsonArray,
                              java.lang.String depType)
        Processes a part of package.json (as defined by JsonArray) and update the specified dependency with relevant info.
        Parameters:
        engine - the dependency-check engine
        dependency - the Dependency to update
        jsonArray - the jsonArray to parse
        depType - the dependency type

      • processPackage

        protected void processPackage​(Engine engine,
                              Dependency dependency,
                              javax.json.JsonObject jsonObject,
                              java.lang.String depType)
        Processes a part of package.json (as defined by JsonObject) and update the specified dependency with relevant info.
        Parameters:
        engine - the dependency-check engine
        dependency - the Dependency to update
        jsonObject - the jsonObject to parse
        depType - the dependency type

      • findDependency

        protected Dependency findDependency​(Engine engine,
                                    java.lang.String name,
                                    java.lang.String version)
        Locates the dependency from the list of dependencies that have been scanned by the engine.
        Parameters:
        engine - the dependency-check engine
        name - the name of the dependency to find
        version - the version of the dependency to find
        Returns:
        the identified dependency; otherwise null

      • gatherEvidence

        public void gatherEvidence​(javax.json.JsonObject json,
                           Dependency dependency)
        Collects evidence from the given JSON for the associated dependency.
        Parameters:
        json - the JSON that contains the evidence to collect
        dependency - the dependency to add the evidence too

      • processResults

        protected void processResults​(java.util.List<Advisory> advisories,
                              Engine engine,
                              Dependency dependency,
                              org.apache.commons.collections4.MultiValuedMap<java.lang.String,​java.lang.String> dependencyMap)
                       throws us.springett.parsers.cpe.exceptions.CpeValidationException
        Processes the advisories creating the appropriate dependency objects and adding the resulting vulnerabilities.
        Parameters:
        advisories - a collection of advisories from npm
        engine - a reference to the analysis engine
        dependency - a reference to the package-lock.json dependency
        dependencyMap - a collection of module/version pairs obtained from the package-lock file - used in case the advisories do not include a version number
        Throws:
        us.springett.parsers.cpe.exceptions.CpeValidationException - thrown when a CPE cannot be created

      • replaceOrAddVulnerability

        protected void replaceOrAddVulnerability​(Dependency dependency,
                                         Vulnerability vuln)
        Evaluates if the vulnerability is already present; if it is the vulnerability is not added.
        Parameters:
        dependency - a reference to the dependency being analyzed
        vuln - the vulnerability to add

      • getSearcher

        protected NodeAuditSearch getSearcher()
        Returns the node audit search utility.
        Returns:
        the node audit search utility

      • determineVersionFromMap

        public static java.lang.String determineVersionFromMap​(java.lang.String versionRange,
                                                       java.util.Collection<java.lang.String> availableVersions)
        Give an NPM version range and a collection of versions, this method attempts to select a specific version from the collection that is in the range.
        Parameters:
        versionRange - the version range to evaluate
        availableVersions - the collection of possible versions to select
        Returns:
        the selected range from the versionRange