DatabaseManager.java

  1. /*
  2.  * This file is part of dependency-check-core.
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *     http://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  *
  16.  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  17.  */
  18. package org.owasp.dependencycheck.data.nvdcve;

  20. import com.google.common.io.Resources;
  21. import java.io.File;
  22. import java.io.IOException;
  23. import java.io.InputStream;
  24. import java.net.URL;
  25. import java.nio.charset.StandardCharsets;
  26. import java.sql.PreparedStatement;
  27. import java.sql.Connection;
  28. import java.sql.Driver;
  29. import java.sql.DriverManager;
  30. import java.sql.ResultSet;
  31. import java.sql.SQLException;
  32. import java.sql.Statement;
  33. import java.util.Locale;
  34. import java.util.ResourceBundle;
  35. import javax.annotation.concurrent.ThreadSafe;
  36. import org.anarres.jdiagnostics.DefaultQuery;
  37. import org.apache.commons.dbcp2.BasicDataSource;
  38. import org.apache.commons.io.IOUtils;
  39. import org.owasp.dependencycheck.utils.DBUtils;
  40. import org.owasp.dependencycheck.utils.DependencyVersion;
  41. import org.owasp.dependencycheck.utils.DependencyVersionUtil;
  42. import org.owasp.dependencycheck.utils.FileUtils;
  43. import org.owasp.dependencycheck.utils.Settings;
  44. import org.slf4j.Logger;
  45. import org.slf4j.LoggerFactory;

  47. /**
  48.  * Loads the configured database driver and returns the database connection. If
  49.  * the embedded H2 database is used obtaining a connection will ensure the
  50.  * database file exists and that the appropriate table structure has been
  51.  * created.
  52.  *
  53.  * @author Jeremy Long
  54.  */
  55. @ThreadSafe
  56. public final class DatabaseManager {

  58.     /**
  59.      * The Logger.
  60.      */
  61.     private static final Logger LOGGER = LoggerFactory.getLogger(DatabaseManager.class);
  62.     /**
  63.      * Resource location for SQL file used to create the database schema.
  64.      */
  65.     public static final String DB_STRUCTURE_RESOURCE = "data/initialize.sql";
  66.     /**
  67.      * Resource location for SQL file used to create the database schema.
  68.      */
  69.     public static final String DB_STRUCTURE_UPDATE_RESOURCE = "data/upgrade_%s.sql";
  70.     /**
  71.      * The URL that discusses upgrading non-H2 databases.
  72.      */
  73.     public static final String UPGRADE_HELP_URL = "https://jeremylong.github.io/DependencyCheck/data/upgrade.html";
  74.     /**
  75.      * The database driver used to connect to the database.
  76.      */
  77.     private Driver driver = null;
  78.     /**
  79.      * The database connection string.
  80.      */
  81.     private String connectionString = null;
  82.     /**
  83.      * The username to connect to the database.
  84.      */
  85.     private String userName = null;
  86.     /**
  87.      * The password for the database.
  88.      */
  89.     private String password = null;
  90.     /**
  91.      * Counter to ensure that calls to ensureSchemaVersion does not end up in an
  92.      * endless loop.
  93.      */
  94.     private int callDepth = 0;
  95.     /**
  96.      * The configured settings.
  97.      */
  98.     private final Settings settings;
  99.     /**
  100.      * Flag indicating if the database connection is for an H2 database.
  101.      */
  102.     private boolean isH2;
  103.     /**
  104.      * Flag indicating if the database connection is for an Oracle database.
  105.      */
  106.     private boolean isOracle;
  107.     /**
  108.      * The database product name.
  109.      */
  110.     private String databaseProductName;
  111.     /**
  112.      * The database connection pool.
  113.      */
  114.     private BasicDataSource connectionPool;

  116.     /**
  117.      * Private constructor for this factory class; no instance is ever needed.
  118.      *
  119.      * @param settings the configured settings
  120.      * @throws DatabaseException thrown if we are unable to connect to the
  121.      * database
  122.      */
  123.     public DatabaseManager(Settings settings) throws DatabaseException {
  124.         this.settings = settings;
  125.         initialize();
  126.     }

  128.     /**
  129.      * Initializes the connection factory. Ensuring that the appropriate drivers
  130.      * are loaded and that a connection can be made successfully.
  131.      *
  132.      * @throws DatabaseException thrown if we are unable to connect to the
  133.      * database
  134.      */
  135.     private void initialize() throws DatabaseException {
  136.         final boolean autoUpdate = settings.getBoolean(Settings.KEYS.AUTO_UPDATE, true);
  137.         Connection conn = null;
  138.         try {
  139.             //load the driver if necessary
  140.             final String driverName = settings.getString(Settings.KEYS.DB_DRIVER_NAME, "");
  141.             if (!driverName.isEmpty()) {
  142.                 final String driverPath = settings.getString(Settings.KEYS.DB_DRIVER_PATH, "");
  143.                 LOGGER.debug("Loading driver '{}'", driverName);
  144.                 try {
  145.                     if (!driverPath.isEmpty()) {
  146.                         LOGGER.debug("Loading driver from: {}", driverPath);
  147.                         driver = DriverLoader.load(driverName, driverPath);
  148.                     } else {
  149.                         driver = DriverLoader.load(driverName);
  150.                     }
  151.                 } catch (DriverLoadException ex) {
  152.                     LOGGER.debug("Unable to load database driver", ex);
  153.                     throw new DatabaseException("Unable to load database driver", ex);
  154.                 }
  155.             }
  156.             userName = settings.getString(Settings.KEYS.DB_USER, "dcuser");
  157.             //yes, yes - hard-coded password - only if there isn't one in the properties file.
  158.             password = settings.getString(Settings.KEYS.DB_PASSWORD, "DC-Pass1337!");
  159.             try {
  160.                 connectionString = settings.getConnectionString(
  161.                         Settings.KEYS.DB_CONNECTION_STRING,
  162.                         Settings.KEYS.DB_FILE_NAME);
  163.             } catch (IOException ex) {
  164.                 LOGGER.debug("Unable to retrieve the database connection string", ex);
  165.                 throw new DatabaseException("Unable to retrieve the database connection string", ex);
  166.             }
  167.             isH2 = isH2Connection(connectionString);
  168.             boolean shouldCreateSchema = false;
  169.             try {
  170.                 if (autoUpdate && isH2) {
  171.                     shouldCreateSchema = !h2DataFileExists();
  172.                     LOGGER.debug("Need to create DB Structure: {}", shouldCreateSchema);
  173.                 }
  174.             } catch (IOException ioex) {
  175.                 LOGGER.debug("Unable to verify database exists", ioex);
  176.                 throw new DatabaseException("Unable to verify database exists", ioex);
  177.             }
  178.             LOGGER.debug("Loading database connection");
  179.             LOGGER.debug("Connection String: {}", connectionString);
  180.             LOGGER.debug("Database User: {}", userName);

  182.             try {
  183.                 if (connectionString.toLowerCase().contains("integrated security=true")
  184.                         || connectionString.toLowerCase().contains("trusted_connection=true")) {
  185.                     conn = DriverManager.getConnection(connectionString);
  186.                 } else {
  187.                     conn = DriverManager.getConnection(connectionString, userName, password);
  188.                 }
  189.             } catch (SQLException ex) {
  190.                 if (ex.getMessage().contains("java.net.UnknownHostException") && connectionString.contains("AUTO_SERVER=TRUE;")) {
  191.                     connectionString = connectionString.replace("AUTO_SERVER=TRUE;", "");
  192.                     try {
  193.                         conn = DriverManager.getConnection(connectionString, userName, password);
  194.                         settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
  195.                         LOGGER.debug("Unable to start the database in server mode; reverting to single user mode");
  196.                     } catch (SQLException sqlex) {
  197.                         LOGGER.debug("Unable to connect to the database", ex);
  198.                         throw new DatabaseException("Unable to connect to the database", ex);
  199.                     }
  200.                 } else if (isH2 && ex.getMessage().contains("file version or invalid file header")) {
  201.                     LOGGER.error("Incompatible or corrupt database found. To resolve this issue please remove the existing "
  202.                             + "database by running purge");
  203.                     throw new DatabaseException("Incompatible or corrupt database found; run the purge command to resolve the issue");
  204.                 } else {
  205.                     LOGGER.debug("Unable to connect to the database", ex);
  206.                     throw new DatabaseException("Unable to connect to the database", ex);
  207.                 }
  208.             }
  209.             databaseProductName = determineDatabaseProductName(conn);
  210.             isOracle = "oracle".equals(databaseProductName);
  211.             if (shouldCreateSchema) {
  212.                 try {
  213.                     createTables(conn);
  214.                 } catch (DatabaseException dex) {
  215.                     LOGGER.debug("", dex);
  216.                     throw new DatabaseException("Unable to create the database structure", dex);
  217.                 }
  218.             }
  219.             try {
  220.                 ensureSchemaVersion(conn);
  221.             } catch (DatabaseException dex) {
  222.                 LOGGER.debug("", dex);
  223.                 throw new DatabaseException("Database schema does not match this version of dependency-check", dex);
  224.             }
  225.         } finally {
  226.             if (conn != null) {
  227.                 try {
  228.                     conn.close();
  229.                 } catch (SQLException ex) {
  230.                     LOGGER.debug("An error occurred closing the connection", ex);
  231.                 }
  232.             }
  233.         }
  234.     }

  236.     /**
  237.      * Tries to determine the product name of the database.
  238.      *
  239.      * @param conn the database connection
  240.      * @return the product name of the database if successful, {@code null} else
  241.      */
  242.     private String determineDatabaseProductName(Connection conn) {
  243.         try {
  244.             final String databaseProductName = conn.getMetaData().getDatabaseProductName().toLowerCase();
  245.             LOGGER.debug("Database product: {}", databaseProductName);
  246.             return databaseProductName;
  247.         } catch (SQLException se) {
  248.             LOGGER.warn("Problem determining database product!", se);
  249.             return null;
  250.         }
  251.     }

  253.     /**
  254.      * Cleans up resources and unloads any registered database drivers. This
  255.      * needs to be called to ensure the driver is unregistered prior to the
  256.      * finalize method being called as during shutdown the class loader used to
  257.      * load the driver may be unloaded prior to the driver being de-registered.
  258.      */
  259.     public void cleanup() {
  260.         if (driver != null) {
  261.             DriverLoader.cleanup(driver);
  262.             driver = null;
  263.         }
  264.         connectionString = null;
  265.         userName = null;
  266.         password = null;
  267.     }

  269.     /**
  270.      * Determines if the H2 database file exists. If it does not exist then the
  271.      * data structure will need to be created.
  272.      *
  273.      * @return true if the H2 database file does not exist; otherwise false
  274.      * @throws IOException thrown if the data directory does not exist and
  275.      * cannot be created
  276.      */
  277.     public boolean h2DataFileExists() throws IOException {
  278.         return h2DataFileExists(settings);
  279.     }

  281.     /**
  282.      * Determines if the H2 database file exists. If it does not exist then the
  283.      * data structure will need to be created.
  284.      *
  285.      * @param configuration the configured settings
  286.      * @return true if the H2 database file does not exist; otherwise false
  287.      * @throws IOException thrown if the data directory does not exist and
  288.      * cannot be created
  289.      */
  290.     public static boolean h2DataFileExists(Settings configuration) throws IOException {
  291.         final File file = getH2DataFile(configuration);
  292.         return file.exists();
  293.     }

  295.     /**
  296.      * Returns a reference to the H2 database file.
  297.      *
  298.      * @param configuration the configured settings
  299.      * @return the path to the H2 database file
  300.      * @throws IOException thrown if there is an error
  301.      */
  302.     public static File getH2DataFile(Settings configuration) throws IOException {
  303.         final File dir = configuration.getH2DataDirectory();
  304.         final String fileName = configuration.getString(Settings.KEYS.DB_FILE_NAME);
  305.         return new File(dir, fileName);
  306.     }

  308.     /**
  309.      * Returns the database product name.
  310.      *
  311.      * @return the database product name
  312.      */
  313.     public String getDatabaseProductName() {
  314.         return databaseProductName;
  315.     }

  317.     /**
  318.      * Determines if the connection string is for an H2 database.
  319.      *
  320.      * @return true if the connection string is for an H2 database
  321.      */
  322.     public boolean isH2Connection() {
  323.         return isH2;
  324.     }

  326.     /**
  327.      * Determines if the connection string is for an Oracle database.
  328.      *
  329.      * @return true if the connection string is for an Oracle database
  330.      */
  331.     public boolean isOracle() {
  332.         return isOracle;
  333.     }

  335.     /**
  336.      * Determines if the connection string is for an H2 database.
  337.      *
  338.      * @param configuration the configured settings
  339.      * @return true if the connection string is for an H2 database
  340.      */
  341.     public static boolean isH2Connection(Settings configuration) {
  342.         final String connStr;
  343.         try {
  344.             connStr = configuration.getConnectionString(
  345.                     Settings.KEYS.DB_CONNECTION_STRING,
  346.                     Settings.KEYS.DB_FILE_NAME);
  347.         } catch (IOException ex) {
  348.             LOGGER.debug("Unable to get connectionn string", ex);
  349.             return false;
  350.         }
  351.         return isH2Connection(connStr);
  352.     }

  354.     /**
  355.      * Determines if the connection string is for an H2 database.
  356.      *
  357.      * @param connectionString the connection string
  358.      * @return true if the connection string is for an H2 database
  359.      */
  360.     public static boolean isH2Connection(String connectionString) {
  361.         return connectionString.startsWith("jdbc:h2:file:");
  362.     }

  364.     /**
  365.      * Creates the database structure (tables and indexes) to store the CVE
  366.      * data.
  367.      *
  368.      * @param conn the database connection
  369.      * @throws DatabaseException thrown if there is a Database Exception
  370.      */
  371.     private void createTables(Connection conn) throws DatabaseException {
  372.         LOGGER.debug("Creating database structure");
  373.         final String dbStructure;
  374.         try {
  375.             dbStructure = getResource(DB_STRUCTURE_RESOURCE);

  377.             Statement statement = null;
  378.             try {
  379.                 statement = conn.createStatement();
  380.                 statement.execute(dbStructure);
  381.             } catch (SQLException ex) {
  382.                 LOGGER.debug("", ex);
  383.                 throw new DatabaseException("Unable to create database statement", ex);
  384.             } finally {
  385.                 DBUtils.closeStatement(statement);
  386.             }
  387.         } catch (IOException ex) {
  388.             throw new DatabaseException("Unable to create database schema", ex);
  389.         } catch (LinkageError ex) {
  390.             LOGGER.debug(new DefaultQuery(ex).call().toString());
  391.         }
  392.     }

  394.     private String getResource(String resource) throws IOException {
  395.         String dbStructure;
  396.         try {
  397.             final URL url = Resources.getResource(resource);
  398.             dbStructure = Resources.toString(url, StandardCharsets.UTF_8);
  399.         } catch (IllegalArgumentException ex) {
  400.             LOGGER.debug("Resources.getResource(String) failed to find the DB Structure Resource", ex);
  401.             try (InputStream is = FileUtils.getResourceAsStream(resource)) {
  402.                 dbStructure = IOUtils.toString(is, StandardCharsets.UTF_8);
  403.             }
  404.         }
  405.         return dbStructure;
  406.     }

  408.     /**
  409.      * Updates the database schema by loading the upgrade script for the version
  410.      * specified. The intended use is that if the current schema version is 2.9
  411.      * then we would call updateSchema(conn, "2.9"). This would load the
  412.      * upgrade_2.9.sql file and execute it against the database. The upgrade
  413.      * script must update the 'version' in the properties table.
  414.      *
  415.      * @param conn the database connection object
  416.      * @param appExpectedVersion the schema version that the application expects
  417.      * @param currentDbVersion the current schema version of the database
  418.      * @throws DatabaseException thrown if there is an exception upgrading the
  419.      * database schema
  420.      */
  421.     private void updateSchema(Connection conn, DependencyVersion appExpectedVersion, DependencyVersion currentDbVersion)
  422.             throws DatabaseException {

  424.         if (connectionString.startsWith("jdbc:h2:file:")) {
  425.             LOGGER.debug("Updating database structure");
  426.             final String updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, currentDbVersion.toString());
  427.             if ("data/upgrade_4.2.sql".equals(updateFile) && !FileUtils.getResourceAsFile(updateFile).exists()) {
  428.                 throw new DatabaseException("unable to upgrade the database schema - please run the dependency-check "
  429.                         + "purge command to remove the existing database");
  430.             }
  431.             try {
  432.                 final String dbStructureUpdate = getResource(updateFile);
  433.                 Statement statement = null;
  434.                 try {
  435.                     statement = conn.createStatement();
  436.                     statement.execute(dbStructureUpdate);
  437.                 } catch (SQLException ex) {
  438.                     throw new DatabaseException(String.format("Unable to upgrade the database schema from %s to %s",
  439.                             currentDbVersion, appExpectedVersion.toString()), ex);
  440.                 } finally {
  441.                     DBUtils.closeStatement(statement);
  442.                 }
  443.             } catch (IllegalArgumentException | IOException ex) {
  444.                 final String msg = String.format("Upgrade SQL file does not exist: %s", updateFile);
  445.                 throw new DatabaseException(msg, ex);
  446.             }
  447.         } else {
  448.             final int e0 = Integer.parseInt(appExpectedVersion.getVersionParts().get(0));
  449.             final int c0 = Integer.parseInt(currentDbVersion.getVersionParts().get(0));
  450.             final int e1 = Integer.parseInt(appExpectedVersion.getVersionParts().get(1));
  451.             final int c1 = Integer.parseInt(currentDbVersion.getVersionParts().get(1));
  452.             //CSOFF: EmptyBlock
  453.             if (e0 == c0 && e1 < c1) {
  454.                 LOGGER.warn("A new version of dependency-check is available; consider upgrading");
  455.                 settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
  456.             } else if (e0 == c0 && e1 == c1) {
  457.                 //do nothing - not sure how we got here, but just in case...
  458.             } else {
  459.                 LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.",
  460.                         UPGRADE_HELP_URL);
  461.                 throw new DatabaseException("Database schema is out of date");
  462.             }
  463.             //CSON: EmptyBlock
  464.         }
  465.     }

  467.     /**
  468.      * Returns a resource bundle containing the SQL Statements needed for the
  469.      * database engine being used.
  470.      *
  471.      * @return a resource bundle containing the SQL Statements
  472.      */
  473.     public ResourceBundle getSqlStatements() {
  474.         final ResourceBundle statementBundle = getDatabaseProductName() != null
  475.                 ? ResourceBundle.getBundle("data/dbStatements", new Locale(getDatabaseProductName()))
  476.                 : ResourceBundle.getBundle("data/dbStatements");
  477.         return statementBundle;
  478.     }

  480.     /**
  481.      * Uses the provided connection to check the specified schema version within
  482.      * the database.
  483.      *
  484.      * @param conn the database connection object
  485.      * @throws DatabaseException thrown if the schema version is not compatible
  486.      * with this version of dependency-check
  487.      */
  488.     private void ensureSchemaVersion(Connection conn) throws DatabaseException {
  489.         ResultSet rs = null;
  490.         PreparedStatement ps = null;
  491.         final ResourceBundle statementBundle = getSqlStatements();
  492.         final String sql = statementBundle.getString("SELECT_SCHEMA_VERSION");
  493.         try {
  494.             ps = conn.prepareStatement(sql);
  495.             rs = ps.executeQuery();
  496.             if (rs.next()) {
  497.                 final String dbSchemaVersion = settings.getString(Settings.KEYS.DB_VERSION);
  498.                 final DependencyVersion appDbVersion = DependencyVersionUtil.parseVersion(dbSchemaVersion);
  499.                 if (appDbVersion == null) {
  500.                     throw new DatabaseException("Invalid application database schema");
  501.                 }
  502.                 final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
  503.                 if (db == null) {
  504.                     throw new DatabaseException("Invalid database schema");
  505.                 }
  506.                 LOGGER.debug("DC Schema: {}", appDbVersion);
  507.                 LOGGER.debug("DB Schema: {}", db);
  508.                 if (appDbVersion.compareTo(db) > 0) {
  509.                     final boolean autoUpdate = settings.getBoolean(Settings.KEYS.AUTO_UPDATE, true);
  510.                     if (autoUpdate) {
  511.                         updateSchema(conn, appDbVersion, db);
  512.                         if (++callDepth < 10) {
  513.                             ensureSchemaVersion(conn);
  514.                         }
  515.                     } else {
  516.                         throw new DatabaseException("Old database schema identified - please execute "
  517.                                 + "dependency-check without the no-update configuration to continue");
  518.                     }
  519.                 }
  520.             } else {
  521.                 throw new DatabaseException("Database schema is missing");
  522.             }
  523.         } catch (SQLException ex) {
  524.             LOGGER.debug("", ex);
  525.             throw new DatabaseException("Unable to check the database schema version", ex);
  526.         } finally {
  527.             DBUtils.closeResultSet(rs);
  528.             DBUtils.closeStatement(ps);
  529.         }
  530.     }

  532.     /**
  533.      * Opens the database connection pool.
  534.      */
  535.     public void open() {
  536.         connectionPool = new BasicDataSource();
  537.         if (driver != null) {
  538.             connectionPool.setDriver(driver);
  539.         }
  540.         connectionPool.setUrl(connectionString);
  541.         connectionPool.setUsername(userName);
  542.         connectionPool.setPassword(password);
  543.     }

  545.     /**
  546.      * Closes the database connection pool.
  547.      */
  548.     public void close() {
  549.         try {
  550.             connectionPool.close();
  551.         } catch (SQLException ex) {
  552.             LOGGER.debug("Error closing the connection pool", ex);
  553.         }
  554.         connectionPool = null;
  555.     }

  557.     /**
  558.      * Returns if the connection pool is open.
  559.      *
  560.      * @return if the connection pool is open
  561.      */
  562.     public boolean isOpen() {
  563.         return connectionPool != null;
  564.     }

  566.     /**
  567.      * Constructs a new database connection object per the database
  568.      * configuration.
  569.      *
  570.      * @return a database connection object
  571.      * @throws DatabaseException thrown if there is an exception obtaining the
  572.      * database connection
  573.      */
  574.     public Connection getConnection() throws DatabaseException {
  575.         try {
  576.             return connectionPool.getConnection();
  577.         } catch (SQLException ex) {
  578.             throw new DatabaseException("Error connecting to the database", ex);
  579.         }
  580.     }
  581. }
Created with JaCoCo 0.8.12.202403310830