1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2022 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.data.update.cisa;
19  
20  import com.fasterxml.jackson.core.JsonParser;
21  import com.fasterxml.jackson.databind.DeserializationFeature;
22  import com.fasterxml.jackson.databind.ObjectMapper;
23  import com.fasterxml.jackson.databind.ObjectReader;
24  import com.fasterxml.jackson.module.blackbird.BlackbirdModule;
25  import java.io.EOFException;
26  import java.io.IOException;
27  import java.io.InputStream;
28  import java.io.InputStreamReader;
29  import static java.nio.charset.StandardCharsets.UTF_8;
30  import java.util.zip.ZipException;
31  import org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema;
32  import org.owasp.dependencycheck.data.update.exception.CorruptedDatastreamException;
33  import org.owasp.dependencycheck.data.update.exception.UpdateException;
34  import org.slf4j.Logger;
35  import org.slf4j.LoggerFactory;
36  
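/**
 * Parses the CISA Known Exploited Vulnerabilities (KEV) JSON catalog into its
 * {@link KnownExploitedVulnerabilitiesSchema} representation.
 *
 * @author Jeremy Long
 */
public class KnownExploitedVulnerabilityParser {

    /**
     * The logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(KnownExploitedVulnerabilityParser.class);

    /**
     * Parses the CISA Known Exploited Vulnerabilities JSON catalog.
     *
     * <p>The stream is decoded as UTF-8 and consumed through a Jackson parser;
     * both the reader and the supplied stream are closed when this method
     * returns. Unknown properties in the feed are ignored so that additions to
     * the upstream schema do not break parsing.
     *
     * @param in the CISA Known Exploited JSON input stream to parse
     * @return the Known Exploited Vulnerabilities object
     * @throws UpdateException thrown if the stream could not be read or the JSON
     * could not be deserialized
     * @throws CorruptedDatastreamException thrown if the data was found to be a
     * corrupted download (ZipException or premature EOF)
     */
    public KnownExploitedVulnerabilitiesSchema parse(InputStream in) throws UpdateException, CorruptedDatastreamException {
        final ObjectReader objectReader = newObjectReader();

        try (InputStreamReader isr = new InputStreamReader(in, UTF_8);
                JsonParser parser = objectReader.getFactory().createParser(isr)) {
            return objectReader.readValue(parser);
        } catch (ZipException | EOFException ex) {
            // A truncated or damaged download surfaces as a premature EOF, or as a
            // ZipException from a decompressing stream supplied by the caller
            // (nothing in this method decompresses). Report it distinctly so the
            // update can be retried rather than treated as a plain read failure.
            throw new CorruptedDatastreamException("Error parsing CISA Known Exploited Vulnerabilities file", ex);
        } catch (IOException ex) {
            // Stack trace only at debug level to keep the error log readable.
            LOGGER.error("Error reading CISA Known Exploited Vulnerabilities JSON data");
            LOGGER.debug("Error extracting the CISA Known Exploited Vulnerabilities JSON data", ex);
            throw new UpdateException("Unable to read the CISA Known Exploited Vulnerabilities file", ex);
        }
    }

    /**
     * Builds the Jackson reader used for the KEV catalog.
     *
     * <p>Unknown properties are tolerated (the upstream feed may add fields), and
     * Jackson's polymorphic default typing is left at its default (disabled), so
     * the downloaded content cannot influence which classes are instantiated.
     *
     * @return a reader bound to {@link KnownExploitedVulnerabilitiesSchema}
     */
    private static ObjectReader newObjectReader() {
        final ObjectMapper objectMapper = new ObjectMapper()
                .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        objectMapper.registerModule(new BlackbirdModule());
        return objectMapper.readerFor(KnownExploitedVulnerabilitiesSchema.class);
    }
}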