KnownExploitedVulnerabilityParser.java

/*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Jeremy Long. All Rights Reserved.
 */
package org.owasp.dependencycheck.data.update.cisa;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.Module;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectReader;
import com.fasterxml.jackson.module.afterburner.AfterburnerModule;
import com.fasterxml.jackson.module.blackbird.BlackbirdModule;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import static java.nio.charset.StandardCharsets.UTF_8;
import java.util.zip.ZipException;
import org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema;
import org.owasp.dependencycheck.data.update.exception.CorruptedDatastreamException;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 *
 * @author Jeremy Long
 */
public class KnownExploitedVulnerabilityParser {

    /**
     * The logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(KnownExploitedVulnerabilityParser.class);

    /**
     * Parses the CISA Known Exploited JSON file and inserts/updates data into
     * the database.
     *
     * @param in the CISA Known Exploited JSON input stream to parse
     * @return the Known Exploited Vulnerabilities object
     * @throws UpdateException thrown if the file could not be read
     * @throws CorruptedDatastreamException thrown if the file was found to be a
     * corrupted download (ZipException or premature EOF)
     */
    public KnownExploitedVulnerabilitiesSchema parse(InputStream in) throws UpdateException, CorruptedDatastreamException {

        final ObjectMapper objectMapper = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        final Module module;
        if (Utils.getJavaVersion() <= 8) {
            module = new AfterburnerModule();
        } else {
            module = new BlackbirdModule();
        }
        objectMapper.registerModule(module);

        final ObjectReader objectReader = objectMapper.readerFor(KnownExploitedVulnerabilitiesSchema.class);

        //InputStream in = new GZIPInputStream(fin);
        try (InputStreamReader isr = new InputStreamReader(in, UTF_8);
                JsonParser parser = objectReader.getFactory().createParser(isr)) {
            final KnownExploitedVulnerabilitiesSchema data = objectReader.readValue(parser);
            return data;
        } catch (ZipException | EOFException ex) {
            throw new CorruptedDatastreamException("Error parsing CISA Known Exploited Vulnerabilities file", ex);
        } catch (IOException ex) {
            LOGGER.error("Error reading CISA Known Exploited Vulnerabilities JSON data");
            LOGGER.debug("Error extracting the CISA Known Exploited Vulnerabilities JSON data", ex);
            throw new UpdateException("Unable to find the CISA Known Exploited Vulnerabilities file to parse", ex);
        }
    }
}