KnownExploitedVulnerabilityParser.java

  1. /*
  2.  * This file is part of dependency-check-core.
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *     http://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  *
  16.  * Copyright (c) 2022 Jeremy Long. All Rights Reserved.
  17.  */
  18. package org.owasp.dependencycheck.data.update.cisa;

  20. import com.fasterxml.jackson.core.JsonParser;
  21. import com.fasterxml.jackson.databind.DeserializationFeature;
  22. import com.fasterxml.jackson.databind.ObjectMapper;
  23. import com.fasterxml.jackson.databind.ObjectReader;
  24. import com.fasterxml.jackson.module.blackbird.BlackbirdModule;
  25. import java.io.EOFException;
  26. import java.io.IOException;
  27. import java.io.InputStream;
  28. import java.io.InputStreamReader;
  29. import static java.nio.charset.StandardCharsets.UTF_8;
  30. import java.util.zip.ZipException;
  31. import org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema;
  32. import org.owasp.dependencycheck.data.update.exception.CorruptedDatastreamException;
  33. import org.owasp.dependencycheck.data.update.exception.UpdateException;
  34. import org.slf4j.Logger;
  35. import org.slf4j.LoggerFactory;

  37. /**
  38.  *
  39.  * @author Jeremy Long
  40.  */
  41. public class KnownExploitedVulnerabilityParser {

  43.     /**
  44.      * The logger.
  45.      */
  46.     private static final Logger LOGGER = LoggerFactory.getLogger(KnownExploitedVulnerabilityParser.class);

  48.     /**
  49.      * Parses the CISA Known Exploited JSON file and inserts/updates data into
  50.      * the database.
  51.      *
  52.      * @param in the CISA Known Exploited JSON input stream to parse
  53.      * @return the Known Exploited Vulnerabilities object
  54.      * @throws UpdateException thrown if the file could not be read
  55.      * @throws CorruptedDatastreamException thrown if the file was found to be a
  56.      * corrupted download (ZipException or premature EOF)
  57.      */
  58.     public KnownExploitedVulnerabilitiesSchema parse(InputStream in) throws UpdateException, CorruptedDatastreamException {

  60.         final ObjectMapper objectMapper = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
  61.         objectMapper.registerModule(new BlackbirdModule());

  63.         final ObjectReader objectReader = objectMapper.readerFor(KnownExploitedVulnerabilitiesSchema.class);

  65.         //InputStream in = new GZIPInputStream(fin);
  66.         try (InputStreamReader isr = new InputStreamReader(in, UTF_8);
  67.                 JsonParser parser = objectReader.getFactory().createParser(isr)) {
  68.             final KnownExploitedVulnerabilitiesSchema data = objectReader.readValue(parser);
  69.             return data;
  70.         } catch (ZipException | EOFException ex) {
  71.             throw new CorruptedDatastreamException("Error parsing CISA Known Exploited Vulnerabilities file", ex);
  72.         } catch (IOException ex) {
  73.             LOGGER.error("Error reading CISA Known Exploited Vulnerabilities JSON data");
  74.             LOGGER.debug("Error extracting the CISA Known Exploited Vulnerabilities JSON data", ex);
  75.             throw new UpdateException("Unable to find the CISA Known Exploited Vulnerabilities file to parse", ex);
  76.         }
  77.     }
  78. }
Created with JaCoCo 0.8.12.202403310830