NvdCveAnalyzer.java

  1. /*
  2.  * This file is part of dependency-check-core.
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *     http://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  *
  16.  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  17.  */
  18. package org.owasp.dependencycheck.analyzer;

  20. import java.util.ArrayList;
  21. import java.util.HashSet;
  22. import java.util.List;
  23. import java.util.Set;
  24. import javax.annotation.concurrent.ThreadSafe;

  26. import org.owasp.dependencycheck.Engine;
  27. import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
  28. import org.owasp.dependencycheck.analyzer.exception.LambdaExceptionWrapper;
  29. import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
  30. import org.owasp.dependencycheck.data.nvdcve.CveDB;
  31. import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
  32. import org.owasp.dependencycheck.dependency.Dependency;
  33. import org.owasp.dependencycheck.dependency.Vulnerability;
  34. import org.owasp.dependencycheck.dependency.Vulnerability.Source;
  35. import org.owasp.dependencycheck.dependency.VulnerableSoftware;
  36. import org.owasp.dependencycheck.dependency.naming.CpeIdentifier;
  37. import org.owasp.dependencycheck.utils.Settings;

  39. /**
  40.  * NvdCveAnalyzer is a utility class that takes a project dependency and
  41.  * attempts to discern if there is an associated CVEs. It uses the the
  42.  * identifiers found by other analyzers to lookup the CVE data.
  43.  *
  44.  * @author Jeremy Long
  45.  */
  46. @ThreadSafe
  47. public class NvdCveAnalyzer extends AbstractAnalyzer {

  49.     /**
  50.      * Analyzes a dependency and attempts to determine if there are any CPE
  51.      * identifiers for this dependency.
  52.      *
  53.      * @param dependency The Dependency to analyze
  54.      * @param engine The analysis engine
  55.      * @throws AnalysisException thrown if there is an issue analyzing the
  56.      * dependency
  57.      */
  58.     @Override
  59.     protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
  60.         final CveDB cveDB = engine.getDatabase();
  61.         try {
  62.             dependency.getVulnerableSoftwareIdentifiers().stream()
  63.                     .filter((i) -> (i instanceof CpeIdentifier))
  64.                     .map(i -> (CpeIdentifier) i)
  65.                     .forEach(i -> {
  66.                         try {
  67.                             final List<Vulnerability> vulns = filterEcosystem(dependency.getEcosystem(), cveDB.getVulnerabilities(i.getCpe()));

  69.                             if (Ecosystem.NODEJS.equals(dependency.getEcosystem())) {
  70.                                 replaceOrAddVulnerability(dependency, vulns);
  71.                             } else {
  72.                                 dependency.addVulnerabilities(vulns);
  73.                             }
  74.                         } catch (DatabaseException ex) {
  75.                             throw new LambdaExceptionWrapper(new AnalysisException(ex));
  76.                         }
  77.                     });
  78.             dependency.getSuppressedIdentifiers().stream()
  79.                     .filter((i) -> (i instanceof CpeIdentifier))
  80.                     .map(i -> (CpeIdentifier) i)
  81.                     .forEach(i -> {
  82.                         try {
  83.                             final List<Vulnerability> vulns = cveDB.getVulnerabilities(i.getCpe());
  84.                             dependency.addSuppressedVulnerabilities(vulns);
  85.                         } catch (DatabaseException ex) {
  86.                             throw new LambdaExceptionWrapper(new AnalysisException(ex));
  87.                         }
  88.                     });
  89.         } catch (LambdaExceptionWrapper ex) {
  90.             throw (AnalysisException) ex.getCause();
  91.         }
  92.     }

  94.     /**
  95.      * Returns the name of this analyzer.
  96.      *
  97.      * @return the name of this analyzer.
  98.      */
  99.     @Override
  100.     public String getName() {
  101.         return "NVD CVE Analyzer";
  102.     }

  104.     /**
  105.      * Returns the analysis phase that this analyzer should run in.
  106.      *
  107.      * @return the analysis phase that this analyzer should run in.
  108.      */
  109.     @Override
  110.     public AnalysisPhase getAnalysisPhase() {
  111.         return AnalysisPhase.FINDING_ANALYSIS;
  112.     }

  114.     /**
  115.      * <p>
  116.      * Returns the setting key to determine if the analyzer is enabled.</p>
  117.      *
  118.      * @return the key for the analyzer's enabled property
  119.      */
  120.     @Override
  121.     protected String getAnalyzerEnabledSettingKey() {
  122.         return Settings.KEYS.ANALYZER_NVD_CVE_ENABLED;
  123.     }

  125.     /**
  126.      * Evaluates if the vulnerability is already present; if it is the
  127.      * vulnerability is not added.
  128.      *
  129.      * @param dependency a reference to the dependency being analyzed
  130.      * @param vulns the vulnerability to add
  131.      */
  132.     private void replaceOrAddVulnerability(Dependency dependency, List<Vulnerability> vulns) {
  133.         vulns.forEach(v -> v.getReferences().forEach(ref -> dependency.getVulnerabilities().forEach(existing -> {
  134.                 if (existing.getSource() == Source.NPM
  135.                         && ref.getName() != null
  136.                         && ref.getName().equals("https://nodesecurity.io/advisories/" + existing.getName())) {
  137.                     dependency.removeVulnerability(existing);
  138.                 }
  139.             })));
  140.         dependency.addVulnerabilities(vulns);
  141.     }

  143.     /**
  144.      * Filters the list of vulnerabilities for the given ecosystem compared to
  145.      * the target software from the NVD.
  146.      *
  147.      * @param ecosystem the dependency's ecosystem
  148.      * @param vulnerabilities the list of vulnerabilities to filter
  149.      * @return the filtered list of vulnerabilities
  150.      */
  151.     private synchronized List<Vulnerability> filterEcosystem(String ecosystem, List<Vulnerability> vulnerabilities) {
  152.         final List<Vulnerability> remove = new ArrayList<>();
  153.         vulnerabilities.forEach((v) -> {
  154.             boolean found = false;
  155.             final Set<VulnerableSoftware> removeSoftware = new HashSet<>();
  156.             for (VulnerableSoftware s : v.getVulnerableSoftware()) {
  157.                 if (ecosystemMatchesTargetSoftware(ecosystem, s.getTargetSw())) {
  158.                     found = true;
  159.                 } else {
  160.                     removeSoftware.add(s);
  161.                 }
  162.             }
  163.             if (found) {
  164.                 if (!removeSoftware.isEmpty()) {
  165.                     v.removeVulnerableSoftware(removeSoftware);
  166.                 }
  167.             } else {
  168.                 remove.add(v);
  169.             }
  170.         });
  171.         if (!remove.isEmpty()) {
  172.             vulnerabilities.removeAll(remove);
  173.         }
  174.         return vulnerabilities;
  175.     }

  177.     /**
  178.      * Determines if the target software matches the given ecosystem. Currently,
  179.      * this is very Node JS specific and broadly returns matches for everything
  180.      * else.
  181.      *
  182.      * @param ecosystem the ecosystem to match against
  183.      * @param targetSoftware the target software from the NVD
  184.      * @return <code>true</code> if there is a match; otherwise
  185.      * <code>false</code>
  186.      */
  187.     private boolean ecosystemMatchesTargetSoftware(String ecosystem, String targetSoftware) {
  188.         if ("*".equals(targetSoftware) || "-".equals(targetSoftware)) {
  189.             return true;
  190.         }
  191.         if (Ecosystem.NODEJS.equals(ecosystem)) {
  192.             switch (targetSoftware.toLowerCase()) {
  193.                 case "nodejs":
  194.                 case "node.js":
  195.                 case "node_js":
  196.                 case "npm":
  197.                 case "node-js":
  198.                     return true;
  199.                 default:
  200.                     return false;
  201.             }
  202.         }
  203.         return true;
  204.     }
  205. }
Created with JaCoCo 0.8.12.202403310830