1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import javax.annotation.concurrent.ThreadSafe;
21  import org.owasp.dependencycheck.Engine;
22  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
23  import org.owasp.dependencycheck.dependency.Dependency;
24  import org.owasp.dependencycheck.utils.Settings;
25  import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
26  
27  /**
28   * <p>
29   * This is no longer used as a standalone analyzer; rather, it is called by the
30   * CPE Analyzer directly. TODO - refactor this class so that it is not an
31   * 'analyzer'.</p>
32   *
33   * <p>
34   * The suppression analyzer processes an externally defined XML document that
35   * complies with the suppressions.xsd schema. Any identified CPE entries within
36   * the dependencies that match will be removed.</p>
37   *
38   * @author Jeremy Long
39   */
@ThreadSafe
public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {

    /**
     * Human-readable name reported by {@link #getName()}.
     */
    private static final String ANALYZER_NAME = "Cpe Suppression Analyzer";
    /**
     * Phase reported by {@link #getAnalysisPhase()}. The phase name indicates
     * that the analyzer is meant to run once identifiers have already been
     * assigned to dependencies (confirm against the engine's phase ordering).
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;

    /**
     * Reports the analyzer's display name.
     *
     * @return the constant {@value #ANALYZER_NAME}
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

    /**
     * Reports the phase this analyzer is scheduled in.
     *
     * @return {@link AnalysisPhase#POST_IDENTIFIER_ANALYSIS}
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }

    /**
     * Names the configuration key that switches this analyzer on or off.
     *
     * @return {@link Settings.KEYS#ANALYZER_CPE_SUPPRESSION_ENABLED}
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_CPE_SUPPRESSION_ENABLED;
    }

    /**
     * Selects which suppression rules this analyzer applies: only rules that
     * carry a CPE clause are kept, so rules targeting other identifier types
     * never reach the CPE suppression logic.
     *
     * @param rule the externally supplied suppression rule to test
     * @return {@code true} when {@code rule.hasCpe()} is {@code true}
     */
    @Override
    public boolean filter(SuppressionRule rule) {
        final boolean targetsCpe = rule.hasCpe();
        return targetsCpe;
    }

    /**
     * Applies CPE suppression rules to a single dependency.
     *
     * <p>Suppression can only remove identifiers that are already present, so
     * a dependency with no vulnerable-software identifiers is skipped without
     * consulting the rules at all; every other dependency is delegated to the
     * base class implementation unchanged.</p>
     *
     * @param dependency the dependency whose identifiers may be suppressed
     * @param engine the engine running the analysis
     * @throws AnalysisException propagated from the base class
     */
    @Override
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
        final int identifierCount = dependency.getVulnerableSoftwareIdentifiersCount();
        if (identifierCount <= 0) {
            // Nothing that a CPE rule could match; leave the dependency untouched.
            return;
        }
        super.analyzeDependency(dependency, engine);
    }
}
94  }