Class CveDB

  • All Implemented Interfaces:
    java.lang.AutoCloseable

    @ThreadSafe
    public final class CveDB
    extends java.lang.Object
    implements java.lang.AutoCloseable
    The database holding information about the NVD CVE data. This class is safe to access from multiple threads in parallel; internally, however, only one connection is used.
    Author:
    Jeremy Long
    • Field Summary

      Fields 
      Modifier and Type Field Description
      static java.lang.String DB_ECOSYSTEM_CACHE
      Resource location for SQL file containing updates to the ecosystem cache.
    • Constructor Summary

      Constructors 
      Constructor Description
      CveDB(Settings settings)
      Creates a new CveDB object and opens the database connection.
    • Method Summary

      Modifier and Type Method Description
      void addCpe(java.lang.String cpe, java.lang.String vendor, java.lang.String product)
      This method is only referenced in unused code and will likely break on MySQL if ever used due to the MERGE statement.
      void cleanupDatabase()
      It is possible that orphaned rows may be generated during database updates.
      void close()
      Closes the database connection.
      boolean dataExists()
      Checks to see if data exists so that analysis can be performed.
      void defrag()
      If the database is an H2 file-based database, calling defrag() will de-fragment it.
      void deleteUnusedCpe()
      This method is only referenced in unused code.
      protected void finalize()
      Cleans up the object and ensures that "close" has been called.
      java.util.Set<CpePlus> getCPEs(java.lang.String vendor, java.lang.String product)
      Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination.
      DatabaseProperties getDatabaseProperties()
      Get the value of databaseProperties.
      java.util.Map<java.lang.String, Vulnerability> getknownExploitedVulnerabilities()
      Returns a map of known exploited vulnerabilities.
      java.util.Properties getProperties()
      Returns a set of properties.
      java.util.Set<Pair<java.lang.String, java.lang.String>> getVendorProductList()
      Returns the entire list of vendor/product combinations.
      java.util.Set<Pair<java.lang.String, java.lang.String>> getVendorProductListForNode()
      Returns the entire list of vendor/product combinations filtered for just Node JS related products.
      java.util.List<Vulnerability> getVulnerabilities(us.springett.parsers.cpe.Cpe cpe)
      Retrieves the vulnerabilities associated with the specified CPE.
      Vulnerability getVulnerability(java.lang.String cve)
      Gets a vulnerability for the provided CVE.
      Vulnerability getVulnerability(java.lang.String cve, java.sql.Connection conn)
      Gets a vulnerability for the provided CVE.
      boolean isOpen()
      Returns whether the database connection is open or closed.
      void open()
      Opens the database connection pool.
      void persistEcosystemCache()
      Persist the EcosystemCache into the database.
      void saveProperty(java.lang.String key, java.lang.String value)
      Saves a property to the database.
      int updateEcosystemCache()
      Updates the EcoSystem Cache.
      void updateKnownExploitedVulnerabilities(java.util.List<Vulnerability> vulnerabilities)
      Merges the list of known exploited vulnerabilities into the database.
      void updateVulnerability(io.github.jeremylong.openvulnerability.client.nvd.DefCveItem cve, java.lang.String baseEcosystem)
      Updates the vulnerability within the database.
      • Methods inherited from class java.lang.Object

        clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • DB_ECOSYSTEM_CACHE

        public static final java.lang.String DB_ECOSYSTEM_CACHE
        Resource location for SQL file containing updates to the ecosystem cache.
    • Constructor Detail

      • CveDB

        public CveDB(Settings settings)
              throws DatabaseException
        Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller by calling the close method.
        Parameters:
        settings - the configured settings
        Throws:
        DatabaseException - thrown if there is an exception opening the database.
    • Method Detail

      • updateEcosystemCache

        public int updateEcosystemCache()
        Updates the EcoSystem Cache.
        Returns:
        The number of records updated by the DB_ECOSYSTEM_CACHE update script.
      • open

        public void open()
        Opens the database connection pool.
      • close

        public void close()
        Closes the database connection. Close should be called on this object when it is done being used.
        Specified by:
        close in interface java.lang.AutoCloseable
      • isOpen

        public boolean isOpen()
        Returns whether the database connection is open or closed.
        Returns:
        whether the database connection is open or closed
      • finalize

        protected void finalize()
                         throws java.lang.Throwable
        Cleans up the object and ensures that "close" has been called.
        Overrides:
        finalize in class java.lang.Object
        Throws:
        java.lang.Throwable - thrown if there is a problem
      • getDatabaseProperties

        public DatabaseProperties getDatabaseProperties()
        Get the value of databaseProperties.
        Returns:
        the value of databaseProperties
      • getCPEs

        public java.util.Set<CpePlus> getCPEs(java.lang.String vendor,
                                              java.lang.String product)
        Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination. The returned set will include all versions of the product that are registered in the NVD CVE data.
        Parameters:
        vendor - the identified vendor name of the dependency being analyzed
        product - the identified name of the product of the dependency being analyzed
        Returns:
        a set of vulnerable software
      • getVendorProductList

        public java.util.Set<Pair<java.lang.String, java.lang.String>> getVendorProductList()
                                                                                          throws DatabaseException
        Returns the entire list of vendor/product combinations.
        Returns:
        the entire list of vendor/product combinations
        Throws:
        DatabaseException - thrown when there is an error retrieving the data from the DB
      • getVendorProductListForNode

        public java.util.Set<Pair<java.lang.String, java.lang.String>> getVendorProductListForNode()
                                                                                                 throws DatabaseException
        Returns the entire list of vendor/product combinations filtered for just Node JS related products.
        Returns:
        the list of vendor/product combinations that are known to be related to Node JS
        Throws:
        DatabaseException - thrown when there is an error retrieving the data from the DB
      • getProperties

        public java.util.Properties getProperties()
        Returns a set of properties.
        Returns:
        the properties from the database
      • saveProperty

        public void saveProperty(java.lang.String key,
                                 java.lang.String value)
        Saves a property to the database.
        Parameters:
        key - the property key
        value - the property value
      • getVulnerabilities

        public java.util.List<Vulnerability> getVulnerabilities(us.springett.parsers.cpe.Cpe cpe)
                                                         throws DatabaseException
        Retrieves the vulnerabilities associated with the specified CPE.
        Parameters:
        cpe - the CPE to retrieve vulnerabilities for
        Returns:
        a list of Vulnerabilities
        Throws:
        DatabaseException - thrown if there is an exception retrieving data
      • getVulnerability

        public Vulnerability getVulnerability(java.lang.String cve)
                                       throws DatabaseException
        Gets a vulnerability for the provided CVE.
        Parameters:
        cve - the CVE to lookup
        Returns:
        a vulnerability object
        Throws:
        DatabaseException - if an exception occurs
      • getVulnerability

        public Vulnerability getVulnerability(java.lang.String cve,
                                              java.sql.Connection conn)
                                       throws DatabaseException
        Gets a vulnerability for the provided CVE.
        Parameters:
        cve - the CVE to lookup
        conn - already active database connection
        Returns:
        a vulnerability object
        Throws:
        DatabaseException - if an exception occurs
      • updateVulnerability

        public void updateVulnerability(io.github.jeremylong.openvulnerability.client.nvd.DefCveItem cve,
                                        java.lang.String baseEcosystem)
        Updates the vulnerability within the database. If the vulnerability does not exist it will be added.
        Parameters:
        cve - the vulnerability from the NVD CVE Data Feed to add to the database
        baseEcosystem - the ecosystem the CVE belongs to; this is based off of things like the CVE description
        Throws:
        DatabaseException - is thrown if the database
      • updateKnownExploitedVulnerabilities

        public void updateKnownExploitedVulnerabilities(java.util.List<Vulnerability> vulnerabilities)
                                                 throws DatabaseException,
                                                        java.sql.SQLException
        Merges the list of known exploited vulnerabilities into the database.
        Parameters:
        vulnerabilities - the list of known exploited vulnerabilities
        Throws:
        DatabaseException - thrown if there is an exception merging the vulnerabilities into the database
        java.sql.SQLException - thrown if the underlying SQL statements fail
      • dataExists

        public boolean dataExists()
        Checks to see if data exists so that analysis can be performed.
        Returns:
        true if data exists; otherwise false
      • cleanupDatabase

        public void cleanupDatabase()
        It is possible that orphaned rows may be generated during database updates. This should be called after all updates have been completed to ensure orphan entries are removed.
      • persistEcosystemCache

        public void persistEcosystemCache()
        Persist the EcosystemCache into the database.
      • defrag

        public void defrag()
        If the database is an H2 file-based database, calling defrag() will de-fragment it.
      • deleteUnusedCpe

        public void deleteUnusedCpe()
        This method is only referenced in unused code.

        Deletes unused dictionary entries from the database.

      • addCpe

        public void addCpe(java.lang.String cpe,
                           java.lang.String vendor,
                           java.lang.String product)
        This method is only referenced in unused code and will likely break on MySQL if ever used due to the MERGE statement.

        Merges CPE entries into the database.

        Parameters:
        cpe - the CPE identifier
        vendor - the CPE vendor
        product - the CPE product
      • getknownExploitedVulnerabilities

        public java.util.Map<java.lang.String, Vulnerability> getknownExploitedVulnerabilities()
        Returns a map of known exploited vulnerabilities.
        Returns:
        a map of known exploited vulnerabilities
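As an added example that is not part of dependency-check or of this Javadoc, the following class ties together the constructor/close lifecycle documented above (the caller must close the CveDB) with dataExists(), getVulnerabilities(Cpe) and getknownExploitedVulnerabilities(): it opens the database under try-with-resources, refuses to analyse when no NVD data has been loaded, and flags which of the CVEs recorded for a CPE also appear in the known-exploited map. Everything beyond the CveDB signatures on this page is an assumption drawn from the surrounding libraries: the package names (org.owasp.dependencycheck.data.nvdcve, org.owasp.dependencycheck.dependency, org.owasp.dependencycheck.utils, us.springett.parsers.cpe), the CpeBuilder API, Vulnerability.getName() returning the CVE identifier, Settings.cleanup(), and the known-exploited map being keyed by CVE identifier. The vendor/product/version values in main are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

// Package locations are assumptions based on the dependency-check code base;
// only the CveDB method signatures come from the Javadoc page itself.
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.utils.Settings;
import us.springett.parsers.cpe.Cpe;
import us.springett.parsers.cpe.CpeBuilder;
import us.springett.parsers.cpe.exceptions.CpeValidationException;
import us.springett.parsers.cpe.values.Part;

/**
 * Example (not part of dependency-check): look up the vulnerabilities recorded
 * for one CPE and flag those that are also in the known-exploited map.
 */
public final class CveDbLookupExample {

    /** One lookup result: the CVE identifier and whether it is known to be exploited. */
    public static final class Finding {
        public final String cveId;
        public final boolean knownExploited;

        Finding(String cveId, boolean knownExploited) {
            this.cveId = cveId;
            this.knownExploited = knownExploited;
        }

        @Override
        public String toString() {
            return cveId + (knownExploited ? " [KNOWN EXPLOITED]" : "");
        }
    }

    /**
     * Opens the database, verifies that NVD data has been loaded, queries by CPE and
     * cross-references the result with the known-exploited map. CveDB implements
     * AutoCloseable, so try-with-resources guarantees close() is called as the
     * constructor documentation requires.
     */
    public static List<Finding> lookup(Settings settings, String vendor,
                                       String product, String version)
            throws DatabaseException, CpeValidationException {
        // CpeBuilder belongs to the us.springett cpe-parser library whose Cpe type
        // getVulnerabilities() accepts (assumed API).
        Cpe cpe = new CpeBuilder()
                .part(Part.APPLICATION)
                .vendor(vendor)
                .product(product)
                .version(version)
                .build();

        try (CveDB db = new CveDB(settings)) {
            // dataExists() guards against analysing an empty or never-updated database,
            // which would otherwise look like "no vulnerabilities found".
            if (!db.dataExists()) {
                throw new IllegalStateException("No NVD data loaded; run the updater before analysing");
            }

            // Assumed: map key is the CVE identifier, matching Vulnerability.getName().
            Map<String, Vulnerability> kev = db.getknownExploitedVulnerabilities();
            List<Finding> findings = new ArrayList<>();
            for (Vulnerability v : db.getVulnerabilities(cpe)) {
                String id = v.getName();
                findings.add(new Finding(id, kev.containsKey(id)));
            }
            // Known-exploited entries first so they are triaged before the rest.
            findings.sort((a, b) -> Boolean.compare(b.knownExploited, a.knownExploited));
            return Collections.unmodifiableList(findings);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed: the default Settings resolve to a data directory that already
        // holds an updated NVD database.
        Settings settings = new Settings();
        try {
            // Constructed placeholder CPE components; substitute the vendor, product
            // and version identified for the dependency being analysed.
            for (Finding f : lookup(settings, "example_vendor", "example_product", "1.0")) {
                System.out.println(f);
            }
        } finally {
            settings.cleanup();
        }
    }
}
```

The dataExists() check matters in practice: a CveDB that opens successfully against a fresh or failed-update data directory answers every query with an empty list, so a pipeline that skips the check reports a clean result for the wrong reason.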