org.owasp.dependencycheck.data.nvdcve

Class CveDB

java.lang.Object

org.owasp.dependencycheck.data.nvdcve.CveDB

All Implemented Interfaces:

java.lang.AutoCloseable

@ThreadSafe
public final class CveDB
extends java.lang.Object
implements java.lang.AutoCloseable

The database holding information about the NVD CVE data. This class is safe to be accessed from multiple threads in parallel, however internally only one connection will be used.

Author:

Jeremy Long

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	DB_ECOSYSTEM_CACHE Resource location for SQL file containing updates to the ecosystem cache.

Constructor Summary

Constructors

Constructor and Description
CveDB(Settings settings) Creates a new CveDB object and opens the database connection.

Method Summary

Modifier and Type	Method and Description
void	addCpe(java.lang.String cpe, java.lang.String vendor, java.lang.String product) This method is only referenced in unused code and will likely break on MySQL if ever used due to the MERGE statement.
void	cleanupDatabase() It is possible that orphaned rows may be generated during database updates.
void	close() Closes the database connection.
boolean	dataExists() Checks to see if data exists so that analysis can be performed.
void	defrag() If the database is using an H2 file based database calling defrag() will de-fragment the database.
void	deleteUnusedCpe() This method is only referenced in unused code.
protected void	finalize() Cleans up the object and ensures that "close" has been called.
java.util.Set<CpePlus>	getCPEs(java.lang.String vendor, java.lang.String product) Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination.
DatabaseProperties	getDatabaseProperties() Get the value of databaseProperties.
java.util.Map<java.lang.String,Vulnerability>	getknownExploitedVulnerabilities() Returns a map of known exploited vulnerabilities.
java.util.Properties	getProperties() Returns a set of properties.
java.util.Set<Pair<java.lang.String,java.lang.String>>	getVendorProductList() Returns the entire list of vendor/product combinations.
java.util.Set<Pair<java.lang.String,java.lang.String>>	getVendorProductListForNode() Returns the entire list of vendor/product combinations filtered for just Node JS related products.
java.util.List<Vulnerability>	getVulnerabilities(us.springett.parsers.cpe.Cpe cpe) Retrieves the vulnerabilities associated with the specified CPE.
Vulnerability	getVulnerability(java.lang.String cve) Gets a vulnerability for the provided CVE.
Vulnerability	getVulnerability(java.lang.String cve, java.sql.Connection conn) Gets a vulnerability for the provided CVE.
boolean	isOpen() Returns whether the database connection is open or closed.
void	open() Opens the database connection pool.
void	persistEcosystemCache() Persist the EcosystemCache into the database.
void	saveProperty(java.lang.String key, java.lang.String value) Saves a property to the database.
int	updateEcosystemCache() Updates the EcoSystem Cache.
void	updateKnownExploitedVulnerabilities(java.util.List<Vulnerability> vulnerabilities) Merges the list of known exploited vulnerabilities into the database.
void	updateVulnerability(io.github.jeremylong.openvulnerability.client.nvd.DefCveItem cve, java.lang.String baseEcosystem) Updates the vulnerability within the database.

Methods inherited from class java.lang.Object

clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DB_ECOSYSTEM_CACHE

public static final java.lang.String DB_ECOSYSTEM_CACHE

Resource location for SQL file containing updates to the ecosystem cache.

See Also:

Constant Field Values

Constructor Detail

CveDB

public CveDB(Settings settings)
      throws DatabaseException

Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller by calling the close method.

Parameters:

settings - the configured settings

Throws:

DatabaseException - thrown if there is an exception opening the database.

Method Detail

updateEcosystemCache

public int updateEcosystemCache()

Updates the EcoSystem Cache.

Returns:

The number of records updated by the DB_ECOSYSTEM_CACHE update script.

open

public void open()

Opens the database connection pool.

close

public void close()

Closes the database connection. Close should be called on this object when it is done being used.

Specified by:

close in interface java.lang.AutoCloseable

isOpen

public boolean isOpen()

Returns whether the database connection is open or closed.

Returns:

whether the database connection is open or closed

finalize

protected void finalize()
                 throws java.lang.Throwable

Cleans up the object and ensures that "close" has been called.

Overrides:

finalize in class java.lang.Object

Throws:

java.lang.Throwable - thrown if there is a problem

getDatabaseProperties

public DatabaseProperties getDatabaseProperties()

Get the value of databaseProperties.

Returns:

the value of databaseProperties

getCPEs

public java.util.Set<CpePlus> getCPEs(java.lang.String vendor,
                                      java.lang.String product)

Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination. The returned list will include all versions of the product that are registered in the NVD CVE data.

Parameters:

vendor - the identified vendor name of the dependency being analyzed

product - the identified name of the product of the dependency being analyzed

Returns:

a set of vulnerable software

getVendorProductList

public java.util.Set<Pair<java.lang.String,java.lang.String>> getVendorProductList()
                                                                            throws DatabaseException

Returns the entire list of vendor/product combinations.

Returns:

the entire list of vendor/product combinations

Throws:

DatabaseException - thrown when there is an error retrieving the data from the DB

getVendorProductListForNode

public java.util.Set<Pair<java.lang.String,java.lang.String>> getVendorProductListForNode()
                                                                                   throws DatabaseException

Returns the entire list of vendor/product combinations filtered for just Node JS related products.

Returns:

the list of vendor/product combinations that are known to be related to Node JS

Throws:

DatabaseException - thrown when there is an error retrieving the data from the DB

getProperties

public java.util.Properties getProperties()

Returns a set of properties.

Returns:

the properties from the database

saveProperty

public void saveProperty(java.lang.String key,
                         java.lang.String value)

Saves a property to the database.

Parameters:

key - the property key

value - the property value

getVulnerabilities

public java.util.List<Vulnerability> getVulnerabilities(us.springett.parsers.cpe.Cpe cpe)
                                                 throws DatabaseException

Retrieves the vulnerabilities associated with the specified CPE.

Parameters:

cpe - the CPE to retrieve vulnerabilities for

Returns:

a list of Vulnerabilities

Throws:

DatabaseException - thrown if there is an exception retrieving data

getVulnerability

public Vulnerability getVulnerability(java.lang.String cve)
                               throws DatabaseException

Gets a vulnerability for the provided CVE.

Parameters:

cve - the CVE to lookup

Returns:

a vulnerability object

Throws:

DatabaseException - if an exception occurs

getVulnerability

public Vulnerability getVulnerability(java.lang.String cve,
                                      java.sql.Connection conn)
                               throws DatabaseException

Gets a vulnerability for the provided CVE.

Parameters:

cve - the CVE to lookup

conn - already active database connection

Returns:

a vulnerability object

Throws:

DatabaseException - if an exception occurs

updateVulnerability

public void updateVulnerability(io.github.jeremylong.openvulnerability.client.nvd.DefCveItem cve,
                                java.lang.String baseEcosystem)

Updates the vulnerability within the database. If the vulnerability does not exist it will be added.

Parameters:

cve - the vulnerability from the NVD CVE Data Feed to add to the database

baseEcosystem - the ecosystem the CVE belongs to; this is based off of things like the CVE description

Throws:

DatabaseException - is thrown if the database

updateKnownExploitedVulnerabilities

public void updateKnownExploitedVulnerabilities(java.util.List<Vulnerability> vulnerabilities)
                                         throws DatabaseException,
                                                java.sql.SQLException

Merges the list of known exploited vulnerabilities into the database.

Parameters:

vulnerabilities - the list of known exploited vulnerabilities

Throws:

DatabaseException - thrown if there is an exception... duh..

java.sql.SQLException - thrown if there is an exception... duh..

dataExists

public boolean dataExists()

Checks to see if data exists so that analysis can be performed.

Returns:

true if data exists; otherwise false

cleanupDatabase

public void cleanupDatabase()

It is possible that orphaned rows may be generated during database updates. This should be called after all updates have been completed to ensure orphan entries are removed.

persistEcosystemCache

public void persistEcosystemCache()

Persist the EcosystemCache into the database.

defrag

public void defrag()

If the database is using an H2 file based database calling defrag() will de-fragment the database.

deleteUnusedCpe

public void deleteUnusedCpe()

This method is only referenced in unused code.

Deletes unused dictionary entries from the database.

addCpe

public void addCpe(java.lang.String cpe,
                   java.lang.String vendor,
                   java.lang.String product)

This method is only referenced in unused code and will likely break on MySQL if ever used due to the MERGE statement.

Merges CPE entries into the database.

Parameters:

cpe - the CPE identifier

vendor - the CPE vendor

product - the CPE product

getknownExploitedVulnerabilities

public java.util.Map<java.lang.String,Vulnerability> getknownExploitedVulnerabilities()

Returns a map of known exploited vulnerabilities.

Returns:

a map of known exploited vulnerabilities