Package org.owasp.dependencycheck.analyzer

Class YarnAuditAnalyzer

java.lang.Object

org.owasp.dependencycheck.analyzer.AbstractAnalyzer

org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer

org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer

org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer

All Implemented Interfaces:

java.io.FileFilter, Analyzer, FileTypeAnalyzer

@ThreadSafe
public class YarnAuditAnalyzer
extends AbstractNpmAnalyzer

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	YARN_PACKAGE_LOCK	The file name to scan.

Fields inherited from class org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer

NPM_DEPENDENCY_ECOSYSTEM

Constructor Summary

Constructors

Constructor	Description
YarnAuditAnalyzer()

Method Summary

Modifier and Type	Method	Description
protected void	analyzeDependency(Dependency dependency, Engine engine)	Analyzes the yarn lock file to determine vulnerable dependencies.
static java.lang.String	extractGhsaId(java.lang.String url)
AnalysisPhase	getAnalysisPhase()	Returns the phase that the analyzer is intended to run in.
protected java.lang.String	getAnalyzerEnabledSettingKey()	Returns the setting key to determine if the analyzer is enabled.
protected java.io.FileFilter	getFileFilter()	Returns the FileFilter used to determine which files are to be analyzed.
java.lang.String	getName()	Returns the name of the analyzer.
protected void	prepareFileTypeAnalyzer(Engine engine)	Initializes the analyzer once before any analysis is performed.

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer

accept, createDependency, determineVersionFromMap, findDependency, gatherEvidence, getSearcher, processPackage, processPackage, processResults, replaceOrAddVulnerability, shouldProcess

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer

getFilesMatched, newHashSet, prepareAnalyzer, setFilesMatched

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractAnalyzer

analyze, close, closeAnalyzer, getSettings, initialize, isEnabled, prepare, setEnabled, supportsParallelProcessing

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.owasp.dependencycheck.analyzer.Analyzer

analyze, close, initialize, isEnabled, prepare, supportsParallelProcessing

Field Detail

YARN_PACKAGE_LOCK

public static final java.lang.String YARN_PACKAGE_LOCK

The file name to scan.

See Also:

Constant Field Values

Constructor Detail

YarnAuditAnalyzer

public YarnAuditAnalyzer()

Method Detail

getAnalyzerEnabledSettingKey

protected java.lang.String getAnalyzerEnabledSettingKey()

Description copied from class: AbstractAnalyzer

Returns the setting key to determine if the analyzer is enabled.

Specified by:

getAnalyzerEnabledSettingKey in class AbstractAnalyzer

Returns:

the key for the analyzer's enabled property

getFileFilter

protected java.io.FileFilter getFileFilter()

Description copied from class: AbstractFileTypeAnalyzer

Returns the FileFilter used to determine which files are to be analyzed. An example would be an analyzer that inspected Java jar files. Implementors may use FileFilterBuilder.

If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against every file loaded.

Specified by:

getFileFilter in class AbstractFileTypeAnalyzer

Returns:

the file filter used to determine which files are to be analyzed

getName

public java.lang.String getName()

Description copied from interface: Analyzer

Returns the name of the analyzer.

Returns:

the name of the analyzer.

getAnalysisPhase

public AnalysisPhase getAnalysisPhase()

Description copied from interface: Analyzer

Returns the phase that the analyzer is intended to run in.

Returns:

the phase that the analyzer is intended to run in.

prepareFileTypeAnalyzer

protected void prepareFileTypeAnalyzer(Engine engine)
                                throws InitializationException

Initializes the analyzer once before any analysis is performed.

Overrides:

prepareFileTypeAnalyzer in class AbstractNpmAnalyzer

Parameters:

engine - a reference to the dependency-check engine

Throws:

InitializationException - if there's an error during initialization

analyzeDependency

protected void analyzeDependency(Dependency dependency,
                                 Engine engine)
                          throws AnalysisException

Analyzes the yarn lock file to determine vulnerable dependencies. Uses yarn audit --offline to generate the payload to be sent to the NPM API.

Specified by:

analyzeDependency in class AbstractAnalyzer

Parameters:

dependency - the yarn lock file

engine - the analysis engine

Throws:

AnalysisException - thrown if there is an error analyzing the file

extractGhsaId

public static java.lang.String extractGhsaId(java.lang.String url)