Package org.owasp.dependencycheck.analyzer

Class JarAnalyzer

  • All Implemented Interfaces:
    java.io.FileFilter, Analyzer, FileTypeAnalyzer
    public class JarAnalyzer
extends AbstractFileTypeAnalyzer
    Used to load a JAR file and collect information that can be used to determine the associated CPE.
    Author:
    Jeremy Long

    • Field Detail

      • DEPENDENCY_ECOSYSTEM

        public static final java.lang.String DEPENDENCY_ECOSYSTEM
        A descriptor for the type of dependencies processed or added by this analyzer.
        See Also:
        Constant Field Values

    • Constructor Detail

      • JarAnalyzer

        public JarAnalyzer()

    • Method Detail

      • getName

        public java.lang.String getName()
        Returns the name of the analyzer.
        Returns:
        the name of the analyzer.

      • getAnalysisPhase

        public AnalysisPhase getAnalysisPhase()
        Returns the phase that the analyzer is intended to run in.
        Returns:
        the phase that the analyzer is intended to run in.

      • accept

        public boolean accept​(java.io.File pathname)
        Description copied from class: AbstractFileTypeAnalyzer
        Determines if the file can be analyzed by the analyzer.
        Specified by:
        accept in interface java.io.FileFilter
        Overrides:
        accept in class AbstractFileTypeAnalyzer
        Parameters:
        pathname - the path to the file
        Returns:
        true if the file can be analyzed by the given analyzer; otherwise false

      • getAnalyzerEnabledSettingKey

        protected java.lang.String getAnalyzerEnabledSettingKey()
        Returns the key used in the properties file to reference the analyzer's enabled property.
        Specified by:
        getAnalyzerEnabledSettingKey in class AbstractAnalyzer
        Returns:
        the analyzer's enabled property setting key

      • analyzeDependency

        public void analyzeDependency​(Dependency dependency,
                              Engine engine)
                       throws AnalysisException
        Loads a specified JAR file and collects information from the manifest and checksums to identify the correct CPE information.
        Specified by:
        analyzeDependency in class AbstractAnalyzer
        Parameters:
        dependency - the dependency to analyze.
        engine - the engine that is scanning the dependencies
        Throws:
        AnalysisException - is thrown if there is an error reading the JAR file.

      • analyzePOM

        protected boolean analyzePOM​(Dependency dependency,
                             java.util.List<JarAnalyzer.ClassNameInformation> classes,
                             Engine engine)
                      throws AnalysisException
        Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence. This will attempt to interpolate the strings contained within the pom.properties if one exists.
        Parameters:
        dependency - the dependency being analyzed
        classes - a collection of class name information
        engine - the analysis engine, used to add additional dependencies
        Returns:
        whether or not evidence was added to the dependency
        Throws:
        AnalysisException - is thrown if there is an exception parsing the pom

      • setPomEvidence

        public static boolean setPomEvidence​(Dependency dependency,
                                     Model pom,
                                     java.util.List<JarAnalyzer.ClassNameInformation> classes,
                                     boolean isMainPom)
        Sets evidence from the pom on the supplied dependency.
        Parameters:
        dependency - the dependency to set data on
        pom - the information from the pom
        classes - a collection of ClassNameInformation - containing data about the fully qualified class names within the JAR file being analyzed
        isMainPom - a flag indicating if this is the primary pom.
        Returns:
        true if there was evidence within the pom that we could use; otherwise false

      • analyzePackageNames

        protected void analyzePackageNames​(java.util.List<JarAnalyzer.ClassNameInformation> classNames,
                                   Dependency dependency,
                                   boolean addPackagesAsEvidence)
        Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible vendor or product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
        Parameters:
        classNames - a list of class names
        dependency - a dependency to analyze
        addPackagesAsEvidence - a flag indicating whether or not package names should be added as evidence.

      • parseManifest

        protected boolean parseManifest​(Dependency dependency,
                                java.util.List<JarAnalyzer.ClassNameInformation> classInformation)
                         throws java.io.IOException

        Reads the manifest from the JAR file and collects the entries. Some vendorKey entries are:

        • Implementation Title
        • Implementation Version
        • Implementation Vendor
        • Implementation VendorId
        • Bundle Name
        • Bundle Version
        • Bundle Vendor
        • Bundle Description
        • Main Class
        However, all but a handful of specific entries are read in.
        Parameters:
        dependency - A reference to the dependency
        classInformation - a collection of class information
        Returns:
        whether evidence was identified parsing the manifest
        Throws:
        java.io.IOException - if there is an issue reading the JAR file

      • addDescription

        public static java.lang.String addDescription​(Dependency dependency,
                                              java.lang.String description,
                                              java.lang.String source,
                                              java.lang.String key)
        Adds a description to the given dependency. If the description contains one of the following strings beyond 100 characters, then the description used will be trimmed to that position:
        • "such as"
        • "like "
        • "will use "
        • "* uses "
        Parameters:
        dependency - a dependency
        description - the description
        source - the source of the evidence
        key - the "name" of the evidence
        Returns:
        if the description is trimmed, the trimmed version is returned; otherwise the original description is returned

      • closeAnalyzer

        public void closeAnalyzer()
        Deletes any files extracted from the JAR during analysis.
        Overrides:
        closeAnalyzer in class AbstractAnalyzer

      • collectClassNames

        protected java.util.List<JarAnalyzer.ClassNameInformation> collectClassNames​(Dependency dependency)
        Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class names. This does not include core Java package names (i.e. java.* or javax.*).
        Parameters:
        dependency - the dependency being analyzed
        Returns:
        an list of fully qualified class names

      • addMatchingValues

        protected static void addMatchingValues​(java.util.List<JarAnalyzer.ClassNameInformation> classes,
                                        java.lang.String value,
                                        Dependency dep,
                                        EvidenceType type)
        Cycles through the collection of class name information to see if parts of the package names are contained in the provided value. If found, it will be added as the HIGHEST confidence evidence because we have more then one source corroborating the value.
        Parameters:
        classes - a collection of class name information
        value - the value to check to see if it contains a package name
        dep - the dependency to add new entries too
        type - the type of evidence (vendor, product, or version)

      • extractLicense

        public static void extractLicense​(Model pom,
                                  Dependency dependency)
        Extracts the license information from the pom and adds it to the dependency.
        Parameters:
        pom - the pom object
        dependency - the dependency to add license information too