View Javadoc
1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2022 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.data.update;
19  
20  import java.io.IOException;
21  import java.io.InputStream;
22  import java.net.URL;
23  import java.sql.SQLException;
24  
25  import org.apache.hc.client5.http.impl.classic.AbstractHttpClientResponseHandler;
26  import org.apache.hc.core5.http.HttpEntity;
27  import org.apache.hc.core5.http.io.HttpClientResponseHandler;
28  import org.owasp.dependencycheck.Engine;
29  import org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema;
30  import org.owasp.dependencycheck.data.nvdcve.CveDB;
31  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
32  import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
33  import org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser;
34  import org.owasp.dependencycheck.data.update.exception.CorruptedDatastreamException;
35  import org.owasp.dependencycheck.data.update.exception.UpdateException;
36  import org.owasp.dependencycheck.utils.Downloader;
37  import org.owasp.dependencycheck.utils.ResourceNotFoundException;
38  import org.owasp.dependencycheck.utils.Settings;
39  import org.owasp.dependencycheck.utils.TooManyRequestsException;
40  import org.slf4j.Logger;
41  import org.slf4j.LoggerFactory;
42  
43  /**
44   *
45   * @author jeremy
46   */
47  public class KnownExploitedDataSource implements CachedWebDataSource {
48  
49      /**
50       * The logger.
51       */
52      private static final Logger LOGGER = LoggerFactory.getLogger(KnownExploitedDataSource.class);
53      /**
54       * The default URL for the CISA Known Exploited Vulnerability Catalog.
55       */
56      private static final String DEFAULT_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json";
57      /**
58       * A reference to the CVE DB.
59       */
60      private CveDB cveDB;
61      /**
62       * A reference to the ODC settings.
63       */
64      private Settings settings;
65      /**
66       * The properties obtained from the database.
67       */
68      private DatabaseProperties dbProperties = null;
69  
70      @Override
71      public boolean update(Engine engine) throws UpdateException {
72          this.cveDB = engine.getDatabase();
73          this.settings = engine.getSettings();
74          dbProperties = cveDB.getDatabaseProperties();
75          final boolean autoUpdate = settings.getBoolean(Settings.KEYS.AUTO_UPDATE, true);
76          final boolean kevEnabled = settings.getBoolean(Settings.KEYS.ANALYZER_KNOWN_EXPLOITED_ENABLED, true);
77          if (autoUpdate && kevEnabled && shouldUpdate()) {
78              try {
79                  final URL url = new URL(settings.getString(Settings.KEYS.KEV_URL, DEFAULT_URL));
80                  LOGGER.info("Updating CISA Known Exploited Vulnerability list: " + url.toString());
81  
82                  final HttpClientResponseHandler<KnownExploitedVulnerabilitiesSchema> kevParsingResponseHandler
83                          = new AbstractHttpClientResponseHandler<>() {
84                      @Override
85                      public KnownExploitedVulnerabilitiesSchema handleEntity(HttpEntity entity) throws IOException {
86                          try (InputStream in = entity.getContent()) {
87                              final KnownExploitedVulnerabilityParser parser = new KnownExploitedVulnerabilityParser();
88                              final KnownExploitedVulnerabilitiesSchema data = parser.parse(in);
89                              return data;
90                          } catch (CorruptedDatastreamException | UpdateException e) {
91                              throw new IOException("Error processing response", e);
92                          }
93                      }
94                  };
95  
96                  final KnownExploitedVulnerabilitiesSchema data = Downloader.getInstance().fetchAndHandle(url, kevParsingResponseHandler);
97                  final String currentVersion = dbProperties.getProperty(DatabaseProperties.KEV_VERSION, "");
98                  if (!currentVersion.equals(data.getCatalogVersion())) {
99                      cveDB.updateKnownExploitedVulnerabilities(data.getVulnerabilities());
100                 }
101                 //all dates in the db are now stored in seconds as opposed to previously milliseconds.
102                 dbProperties.save(DatabaseProperties.KEV_LAST_CHECKED, Long.toString(System.currentTimeMillis() / 1000));
103                 return true;
104             } catch (TooManyRequestsException | ResourceNotFoundException | IOException | DatabaseException | SQLException ex) {
105                 throw new UpdateException(ex);
106             }
107         }
108         return false;
109     }
110 
111     @Override
112     public boolean purge(Engine engine) {
113         //do nothing - covered by the NvdApiDataSource.
114         return true;
115     }
116 
117     /**
118      * Checks if the Known Exploited Vulnerabilities (KEV) were last checked
119      * recently. As an optimization, we can avoid repetitive checks against the
120      * KEV. Setting KEV_CHECK_VALID_FOR_HOURS determines the duration since last
121      * check before checking again. A database property stores the timestamp of
122      * the last check.
123      *
124      * @return true to proceed with the check, or false to skip
125      * @throws UpdateException thrown when there is an issue checking for
126      * updates
127      */
128     private boolean shouldUpdate() throws UpdateException {
129         boolean proceed = true;
130         // If the valid setting has not been specified, then we proceed to check...
131         final int validForHours = settings.getInt(Settings.KEYS.KEV_CHECK_VALID_FOR_HOURS, 24);
132         if (cveDB.dataExists() && 0 < validForHours) {
133             // ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
134             final long validForSeconds = validForHours * 60L * 60L;
135             final long lastChecked = dbProperties.getPropertyInSeconds(DatabaseProperties.KEV_LAST_CHECKED);
136             final long now = System.currentTimeMillis() / 1000;
137             proceed = (now - lastChecked) > validForSeconds;
138             if (!proceed) {
139                 LOGGER.info("Skipping Known Exploited Vulnerabilities update check since last check was within {} hours.", validForHours);
140             }
141         }
142         return proceed;
143     }
144 
145 }