KnownExploitedDataSource.java
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2022 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.sql.SQLException;
import org.apache.hc.client5.http.impl.classic.AbstractHttpClientResponseHandler;
import org.apache.hc.core5.http.HttpEntity;
import org.apache.hc.core5.http.io.HttpClientResponseHandler;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser;
import org.owasp.dependencycheck.data.update.exception.CorruptedDatastreamException;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.ResourceNotFoundException;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.TooManyRequestsException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
*
* @author jeremy
*/
public class KnownExploitedDataSource implements CachedWebDataSource {
/**
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(KnownExploitedDataSource.class);
/**
* The default URL for the CISA Known Exploited Vulnerability Catalog.
*/
private static final String DEFAULT_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json";
/**
* A reference to the CVE DB.
*/
private CveDB cveDB;
/**
* A reference to the ODC settings.
*/
private Settings settings;
/**
* The properties obtained from the database.
*/
private DatabaseProperties dbProperties = null;
@Override
public boolean update(Engine engine) throws UpdateException {
this.cveDB = engine.getDatabase();
this.settings = engine.getSettings();
dbProperties = cveDB.getDatabaseProperties();
final boolean autoUpdate = settings.getBoolean(Settings.KEYS.AUTO_UPDATE, true);
final boolean kevEnabled = settings.getBoolean(Settings.KEYS.ANALYZER_KNOWN_EXPLOITED_ENABLED, true);
if (autoUpdate && kevEnabled && shouldUpdate()) {
try {
final URL url = new URL(settings.getString(Settings.KEYS.KEV_URL, DEFAULT_URL));
LOGGER.info("Updating CISA Known Exploited Vulnerability list: " + url.toString());
final HttpClientResponseHandler<KnownExploitedVulnerabilitiesSchema> kevParsingResponseHandler
= new AbstractHttpClientResponseHandler<>() {
@Override
public KnownExploitedVulnerabilitiesSchema handleEntity(HttpEntity entity) throws IOException {
try (InputStream in = entity.getContent()) {
final KnownExploitedVulnerabilityParser parser = new KnownExploitedVulnerabilityParser();
final KnownExploitedVulnerabilitiesSchema data = parser.parse(in);
return data;
} catch (CorruptedDatastreamException | UpdateException e) {
throw new IOException("Error processing response", e);
}
}
};
final KnownExploitedVulnerabilitiesSchema data = Downloader.getInstance().fetchAndHandle(url, kevParsingResponseHandler);
final String currentVersion = dbProperties.getProperty(DatabaseProperties.KEV_VERSION, "");
if (!currentVersion.equals(data.getCatalogVersion())) {
cveDB.updateKnownExploitedVulnerabilities(data.getVulnerabilities());
}
//all dates in the db are now stored in seconds as opposed to previously milliseconds.
dbProperties.save(DatabaseProperties.KEV_LAST_CHECKED, Long.toString(System.currentTimeMillis() / 1000));
return true;
} catch (TooManyRequestsException | ResourceNotFoundException | IOException | DatabaseException | SQLException ex) {
throw new UpdateException(ex);
}
}
return false;
}
@Override
public boolean purge(Engine engine) {
//do nothing - covered by the NvdApiDataSource.
return true;
}
/**
* Checks if the Known Exploited Vulnerabilities (KEV) were last checked
* recently. As an optimization, we can avoid repetitive checks against the
* KEV. Setting KEV_CHECK_VALID_FOR_HOURS determines the duration since last
* check before checking again. A database property stores the timestamp of
* the last check.
*
* @return true to proceed with the check, or false to skip
* @throws UpdateException thrown when there is an issue checking for
* updates
*/
private boolean shouldUpdate() throws UpdateException {
boolean proceed = true;
// If the valid setting has not been specified, then we proceed to check...
final int validForHours = settings.getInt(Settings.KEYS.KEV_CHECK_VALID_FOR_HOURS, 24);
if (cveDB.dataExists() && 0 < validForHours) {
// ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
final long validForSeconds = validForHours * 60L * 60L;
final long lastChecked = dbProperties.getPropertyInSeconds(DatabaseProperties.KEV_LAST_CHECKED);
final long now = System.currentTimeMillis() / 1000;
proceed = (now - lastChecked) > validForSeconds;
if (!proceed) {
LOGGER.info("Skipping Known Exploited Vulnerabilities update check since last check was within {} hours.", validForHours);
}
}
return proceed;
}
}