Package org.owasp.dependencycheck.analyzer

Class NodePackageAnalyzer

  • All Implemented Interfaces:
    java.io.FileFilter, Analyzer, FileTypeAnalyzer
    @ThreadSafe
public class NodePackageAnalyzer
extends AbstractNpmAnalyzer
    Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the associated CPE.
    Author:
    Dale Visser

    • Field Detail

      • DEPENDENCY_ECOSYSTEM

        public static final java.lang.String DEPENDENCY_ECOSYSTEM
        A descriptor for the type of dependencies processed or added by this analyzer.
        See Also:
        Constant Field Values

      • PACKAGE_JSON

        public static final java.lang.String PACKAGE_JSON
        The file name to scan.
        See Also:
        Constant Field Values

      • PACKAGE_LOCK_JSON

        public static final java.lang.String PACKAGE_LOCK_JSON
        The file name to scan.
        See Also:
        Constant Field Values

      • SHRINKWRAP_JSON

        public static final java.lang.String SHRINKWRAP_JSON
        The file name to scan.
        See Also:
        Constant Field Values

      • NODE_MODULES_DIRNAME

        public static final java.lang.String NODE_MODULES_DIRNAME
        The name of the directory that contains node modules.
        See Also:
        Constant Field Values

    • Constructor Detail

      • NodePackageAnalyzer

        public NodePackageAnalyzer()

    • Method Detail

      • getName

        public java.lang.String getName()
        Returns the name of the analyzer.
        Returns:
        the name of the analyzer.

      • getAnalysisPhase

        public AnalysisPhase getAnalysisPhase()
        Returns the phase that the analyzer is intended to run in.
        Returns:
        the phase that the analyzer is intended to run in.

      • getAnalyzerEnabledSettingKey

        protected java.lang.String getAnalyzerEnabledSettingKey()
        Returns the key used in the properties file to reference the enabled property for the analyzer.
        Specified by:
        getAnalyzerEnabledSettingKey in class AbstractAnalyzer
        Returns:
        the enabled property setting key for the analyzer

      • analyzeDependency

        protected void analyzeDependency​(Dependency dependency,
                                 Engine engine)
                          throws AnalysisException
        Description copied from class: AbstractAnalyzer
        Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned, and added to the list of dependencies within the engine.
        Specified by:
        analyzeDependency in class AbstractAnalyzer
        Parameters:
        dependency - the dependency to analyze
        engine - the engine scanning
        Throws:
        AnalysisException - thrown if there is an analysis exception

      • shouldSkipDependency

        public static boolean shouldSkipDependency​(java.lang.String name,
                                           java.lang.String version,
                                           boolean optional,
                                           boolean fileExist)
        should process the dependency ? Will return true if you need to skip it . (e.g. dependency can't be read, or if npm audit doesn't handle it)
        Parameters:
        name - the name of the dependency
        version - the version of the dependency
        optional - is the dependency optional ?
        fileExist - is the package.json available for this file ?
        Returns:
        should you skip this dependency ?

      • shouldSkipDependency

        public static boolean shouldSkipDependency​(java.lang.String name,
                                           java.lang.String version)
        Checks if the given dependency should be skipped.
        Parameters:
        name - the name of the dependency to test
        version - the version of the dependency to test
        Returns:
        true if the dependency should be skipped; otherwise false
        See Also:
        shouldSkipDependency(java.lang.String, java.lang.String, boolean, boolean)