NpmCPEAnalyzer.java

  1. /*
  2.  * This file is part of dependency-check-core.
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *     http://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  *
  16.  * Copyright (c) 2020 Jeremy Long. All Rights Reserved.
  17.  */
  18. package org.owasp.dependencycheck.analyzer;

  20. import java.io.IOException;
  21. import java.util.concurrent.TimeUnit;
  22. import javax.annotation.concurrent.ThreadSafe;
  23. import org.apache.lucene.index.CorruptIndexException;
  24. import org.apache.lucene.queryparser.classic.ParseException;
  25. import org.owasp.dependencycheck.Engine;
  26. import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
  27. import org.owasp.dependencycheck.data.cpe.IndexException;
  28. import org.owasp.dependencycheck.data.cpe.NpmCpeMemoryIndex;
  29. import org.owasp.dependencycheck.data.nvdcve.CveDB;
  30. import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
  31. import org.owasp.dependencycheck.dependency.Dependency;
  32. import org.owasp.dependencycheck.utils.Settings;
  33. import org.slf4j.Logger;
  34. import org.slf4j.LoggerFactory;

  36. /**
  37.  * NpmCPEAnalyzer takes a project dependency and attempts to discern if there is
  38.  * an associated CPE. Unlike the CPEAnalyzer, the NpmCPEAnalyzer only includes
  39.  * product and vendor associates known to be related to node from the NVD data
  40.  * set. It uses the evidence contained within the dependency to search the
  41.  * Lucene index.
  42.  *
  43.  * @author Jeremy Long
  44.  */
  45. @ThreadSafe
  46. @Experimental
  47. public class NpmCPEAnalyzer extends CPEAnalyzer {

  49.     /**
  50.      * The Logger.
  51.      */
  52.     private static final Logger LOGGER = LoggerFactory.getLogger(NpmCPEAnalyzer.class);

  54.     /**
  55.      * Returns the analysis phase that this analyzer should run in.
  56.      *
  57.      * @return the analysis phase that this analyzer should run in.
  58.      */
  59.     @Override
  60.     public AnalysisPhase getAnalysisPhase() {
  61.         //TODO this is a hack because we use the same singleton CPE Index as the CPE Analyzer
  62.         // thus to filter to just node products we can't run in the same phase.
  63.         // possibly extenend the CPE Index to include an ecosystem and use that
  64.         // as a filter for node..
  65.         return AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
  66.     }

  68.     /**
  69.      * Returns the name of this analyzer.
  70.      *
  71.      * @return the name of this analyzer.
  72.      */
  73.     @Override
  74.     public String getName() {
  75.         return "NPM CPE Analyzer";
  76.     }

  78.     /**
  79.      * <p>
  80.      * Returns the setting key to determine if the analyzer is enabled.</p>
  81.      *
  82.      * @return the key for the analyzer's enabled property
  83.      */
  84.     @Override
  85.     protected String getAnalyzerEnabledSettingKey() {
  86.         return Settings.KEYS.ANALYZER_NPM_CPE_ENABLED;
  87.     }

  89.     /**
  90.      * Opens the data source.
  91.      *
  92.      * @param cve a reference to the NVD CVE database
  93.      * @throws IOException when the Lucene directory to be queried does not
  94.      * exist or is corrupt.
  95.      * @throws DatabaseException when the database throws an exception. This
  96.      * usually occurs when the database is in use by another process.
  97.      */
  98.     @Override
  99.     public void open(CveDB cve) throws IOException, DatabaseException {
  100.         setCveDB(cve);
  101.         setMemoryIndex(NpmCpeMemoryIndex.getInstance());
  102.         try {
  103.             final long creationStart = System.currentTimeMillis();
  104.             getMemoryIndex().open(cve.getVendorProductListForNode(), this.getSettings());
  105.             final long creationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - creationStart);
  106.             LOGGER.info("Created CPE Index ({} seconds)", creationSeconds);
  107.         } catch (IndexException ex) {
  108.             LOGGER.debug("IndexException", ex);
  109.             throw new DatabaseException(ex);
  110.         }
  111.     }

  113.     /**
  114.      * Analyzes a dependency and attempts to determine if there are any CPE
  115.      * identifiers for this dependency.
  116.      *
  117.      * @param dependency The Dependency to analyze.
  118.      * @param engine The analysis engine
  119.      * @throws AnalysisException is thrown if there is an issue analyzing the
  120.      * dependency.
  121.      */
  122.     @Override
  123.     protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
  124.         if (!"npm".equals(dependency.getEcosystem())) {
  125.             return;
  126.         }
  127.         try {
  128.             determineCPE(dependency);
  129.         } catch (CorruptIndexException ex) {
  130.             throw new AnalysisException("CPE Index is corrupt.", ex);
  131.         } catch (IOException ex) {
  132.             throw new AnalysisException("Failure opening the CPE Index.", ex);
  133.         } catch (ParseException ex) {
  134.             throw new AnalysisException("Unable to parse the generated Lucene query for this dependency.", ex);
  135.         }
  136.     }
  137. }
Created with JaCoCo 0.8.12.202403310830