Class AbstractNpmAnalyzer

All Implemented Interfaces:
FileFilter, Analyzer, FileTypeAnalyzer
Direct Known Subclasses:
NodeAuditAnalyzer, NodePackageAnalyzer, PnpmAuditAnalyzer, YarnAuditAnalyzer

@ThreadSafe public abstract class AbstractNpmAnalyzer extends AbstractFileTypeAnalyzer
An abstract NPM analyzer that contains common methods for concrete implementations.
Author:
Steve Springett
  • Field Details

    • NPM_DEPENDENCY_ECOSYSTEM

      public static final String NPM_DEPENDENCY_ECOSYSTEM
      A descriptor for the type of dependencies processed or added by this analyzer.
  • Constructor Details

    • AbstractNpmAnalyzer

      public AbstractNpmAnalyzer()
  • Method Details

    • accept

      public boolean accept(File pathname)
      Determines if the file can be analyzed by the analyzer.
      Specified by:
      accept in interface FileFilter
      Overrides:
      accept in class AbstractFileTypeAnalyzer
      Parameters:
      pathname - the path to the file
      Returns:
      true if the file can be analyzed by the given analyzer; otherwise false
    • shouldProcess

      public static boolean shouldProcess(File pathname) throws AnalysisException
      Determines if the path contains "/node_modules/" or "/bower_components/" (i.e. it is a child module). This analyzer does not scan child modules.
      Parameters:
      pathname - the path to test
      Returns:
      true if the path does not contain "/node_modules/" or "/bower_components/"
      Throws:
      AnalysisException - thrown if the canonical path cannot be obtained from the given file
    • createDependency

      protected Dependency createDependency(Dependency dependency, String name, String version, String scope)
      Construct a dependency object.
      Parameters:
      dependency - the parent dependency
      name - the name of the dependency to create
      version - the version of the dependency to create
      scope - the scope of the dependency being created
      Returns:
      the generated dependency
    • processPackage

      protected void processPackage(Engine engine, Dependency dependency, jakarta.json.JsonArray jsonArray, String depType)
      Processes a part of package.json (as defined by the JsonArray) and updates the specified dependency with the relevant information.
      Parameters:
      engine - the dependency-check engine
      dependency - the Dependency to update
      jsonArray - the jsonArray to parse
      depType - the dependency type
    • processPackage

      protected void processPackage(Engine engine, Dependency dependency, jakarta.json.JsonObject jsonObject, String depType)
      Processes a part of package.json (as defined by the JsonObject) and updates the specified dependency with the relevant information.
      Parameters:
      engine - the dependency-check engine
      dependency - the Dependency to update
      jsonObject - the jsonObject to parse
      depType - the dependency type
    • findDependency

      protected Dependency findDependency(Engine engine, String name, String version)
      Locates the dependency from the list of dependencies that have been scanned by the engine.
      Parameters:
      engine - the dependency-check engine
      name - the name of the dependency to find
      version - the version of the dependency to find
      Returns:
      the identified dependency; otherwise null
    • gatherEvidence

      public void gatherEvidence(jakarta.json.JsonObject json, Dependency dependency)
      Collects evidence from the given JSON for the associated dependency.
      Parameters:
      json - the JSON that contains the evidence to collect
      dependency - the dependency to add the evidence to
    • prepareFileTypeAnalyzer

      protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException
      Initializes the analyzer once before any analysis is performed.
      Specified by:
      prepareFileTypeAnalyzer in class AbstractFileTypeAnalyzer
      Parameters:
      engine - a reference to the dependency-check engine
      Throws:
      InitializationException - if there's an error during initialization
    • processResults

      protected void processResults(List<Advisory> advisories, Engine engine, Dependency dependency, org.apache.commons.collections4.MultiValuedMap<String,String> dependencyMap) throws us.springett.parsers.cpe.exceptions.CpeValidationException
      Processes the advisories, creating the appropriate dependency objects and adding the resulting vulnerabilities.
      Parameters:
      advisories - a collection of advisories from npm
      engine - a reference to the analysis engine
      dependency - a reference to the package-lock.json dependency
      dependencyMap - a collection of module/version pairs obtained from the package-lock file; used when the advisories do not include a version number
      Throws:
      us.springett.parsers.cpe.exceptions.CpeValidationException - thrown when a CPE cannot be created
    • replaceOrAddVulnerability

      protected void replaceOrAddVulnerability(Dependency dependency, Vulnerability vuln)
      Evaluates whether the vulnerability is already present; if it is, the vulnerability is not added.
      Parameters:
      dependency - a reference to the dependency being analyzed
      vuln - the vulnerability to add
    • getSearcher

      protected NodeAuditSearch getSearcher()
      Returns the node audit search utility.
      Returns:
      the node audit search utility
    • determineVersionFromMap

      public static String determineVersionFromMap(String versionRange, Collection<String> availableVersions)
      Given an NPM version range and a collection of versions, this method attempts to select a specific version from the collection that falls within the range.
      Parameters:
      versionRange - the version range to evaluate
      availableVersions - the collection of possible versions to select
      Returns:
      the version selected from availableVersions that falls within versionRange
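The two public static helpers documented above (shouldProcess and determineVersionFromMap) are exercised below in an added example that is not part of dependency-check. It assumes the dependency-check-core jar is on the classpath; the file paths and module/version pairs are constructed to mirror what processResults receives from a package-lock file.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;

/** Added example (not part of dependency-check): drives AbstractNpmAnalyzer's static helpers. */
public class NpmAnalyzerHelpersDemo {

    /** Keeps only the manifests shouldProcess() accepts, i.e. those not nested under node_modules or bower_components. */
    static List<File> topLevelManifests(Collection<File> candidates) throws AnalysisException {
        List<File> kept = new ArrayList<>();
        for (File f : candidates) {
            if (AbstractNpmAnalyzer.shouldProcess(f)) {
                kept.add(f);
            }
        }
        return kept;
    }

    /**
     * Mirrors the processResults() fallback: when an advisory carries only a version range,
     * resolve a concrete installed version from the module/version pairs read out of package-lock.json.
     */
    static String resolveAdvisoryVersion(String module, String vulnerableRange,
                                         Map<String, Collection<String>> lockfileVersions) {
        Collection<String> installed = lockfileVersions.getOrDefault(module, List.of());
        return AbstractNpmAnalyzer.determineVersionFromMap(vulnerableRange, installed);
    }

    public static void main(String[] args) throws AnalysisException {
        // Constructed paths: the child-module manifests should be filtered out.
        List<File> candidates = Arrays.asList(
                new File("app/package.json"),
                new File("app/package-lock.json"),
                new File("app/node_modules/lodash/package.json"),
                new File("app/bower_components/jquery/package.json"));
        for (File f : topLevelManifests(candidates)) {
            System.out.println("scan: " + f.getPath());
        }

        // Constructed module/version pairs, as the dependencyMap parameter of processResults() would hold.
        Map<String, Collection<String>> lockfileVersions = Map.of(
                "lodash", List.of("4.17.15", "4.17.21"),
                "minimist", List.of("0.0.8"));
        String hit = resolveAdvisoryVersion("lodash", "<4.17.19", lockfileVersions);
        System.out.println("advisory range <4.17.19 resolves to installed version: " + hit);
    }
}
```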