Class CPEAnalyzer

java.lang.Object
org.owasp.dependencycheck.analyzer.AbstractAnalyzer
org.owasp.dependencycheck.analyzer.CPEAnalyzer
All Implemented Interfaces:
Analyzer
Direct Known Subclasses:
NpmCPEAnalyzer
@ThreadSafe public class CPEAnalyzer extends AbstractAnalyzer
CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE. It uses the evidence contained within the dependency to search the Lucene index.
Author:
Jeremy Long

  • Constructor Details

    • CPEAnalyzer

      public CPEAnalyzer()

  • Method Details

    • getName

      public String getName()
      Returns the name of this analyzer.
      Returns:
      the name of this analyzer.

    • getAnalysisPhase

      public AnalysisPhase getAnalysisPhase()
      Returns the analysis phase that this analyzer should run in.
      Returns:
      the analysis phase that this analyzer should run in.

    • prepareAnalyzer

      public void prepareAnalyzer(Engine engine) throws InitializationException
      Creates the CPE Lucene Index.
      Overrides:
      prepareAnalyzer in class AbstractAnalyzer
      Parameters:
      engine - a reference to the dependency-check engine
      Throws:
      InitializationException - is thrown if there is an issue opening the index.

    • open

      public void open(CveDB cve) throws IOException, DatabaseException
      Opens the data source.
      Parameters:
      cve - a reference to the NVD CVE database
      Throws:
      IOException - when the Lucene directory to be queried does not exist or is corrupt.
      DatabaseException - when the database throws an exception. This usually occurs when the database is in use by another process.

    • closeAnalyzer

      public void closeAnalyzer()
      Closes the data sources.
      Overrides:
      closeAnalyzer in class AbstractAnalyzer

    • determineCPE

      protected void determineCPE(Dependency dependency) throws org.apache.lucene.index.CorruptIndexException, IOException, org.apache.lucene.queryparser.classic.ParseException, AnalysisException
      Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence contained within. The dependency passed in is updated with any identified CPE values.
      Parameters:
      dependency - the dependency to search for CPE entries on
      Throws:
      org.apache.lucene.index.CorruptIndexException - is thrown when the Lucene index is corrupt
      IOException - is thrown when an IOException occurs
      org.apache.lucene.queryparser.classic.ParseException - is thrown when the Lucene query cannot be parsed
      AnalysisException - thrown if the suppression rules failed

    • collectTerms

      protected void collectTerms(Map<String, org.apache.commons.lang3.mutable.MutableInt> terms, Iterable<Evidence> evidence)

      Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a specific confidence). This attempts to prevent duplicate terms from being added.

      Note, if the evidence is longer then 1000 characters it will be truncated.

      Parameters:
      terms - the collection of terms
      evidence - an iterable set of evidence to concatenate

    • searchCPE

      protected List<IndexEntry> searchCPE(Map<String, org.apache.commons.lang3.mutable.MutableInt> vendor, Map<String, org.apache.commons.lang3.mutable.MutableInt> product, Set<String> vendorWeightings, Set<String> productWeightings, String ecosystem)

      Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and version.

      If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting factors to the search.

      Parameters:
      vendor - the text used to search the vendor field
      product - the text used to search the product field
      vendorWeightings - a list of strings to use to add weighting factors to the vendor field
      productWeightings - Adds a list of strings that will be used to add weighting factors to the product search
      ecosystem - the dependency's ecosystem
      Returns:
      a list of possible CPE values

    • buildSearch

      protected String buildSearch(Map<String, org.apache.commons.lang3.mutable.MutableInt> vendor, Map<String, org.apache.commons.lang3.mutable.MutableInt> product, Set<String> vendorWeighting, Set<String> productWeightings)

      Builds a Lucene search string by properly escaping data and constructing a valid search query.

      If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting factors to the search string generated.

      Parameters:
      vendor - text to search the vendor field
      product - text to search the product field
      vendorWeighting - a list of strings to apply to the vendor to boost the terms weight
      productWeightings - a list of strings to apply to the product to boost the terms weight
      Returns:
      the Lucene query

    • analyzeDependency

      protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException
      Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
      Specified by:
      analyzeDependency in class AbstractAnalyzer
      Parameters:
      dependency - The Dependency to analyze.
      engine - The analysis engine
      Throws:
      AnalysisException - is thrown if there is an issue analyzing the dependency.

    • determineIdentifiers

      protected boolean determineIdentifiers(Dependency dependency, String vendor, String product, Confidence currentConfidence) throws AnalysisException
      Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then validated to find only CPEs that are valid for the given dependency. It is possible that the CPE identified is a best effort "guess" based on the vendor, product, and version information.
      Parameters:
      dependency - the Dependency being analyzed
      vendor - the vendor for the CPE being analyzed
      product - the product for the CPE being analyzed
      currentConfidence - the current confidence being used during analysis
      Returns:
      true if an identifier was added to the dependency; otherwise false
      Throws:
      AnalysisException - thrown if the suppression rules failed

    • getAnalyzerEnabledSettingKey

      protected String getAnalyzerEnabledSettingKey()

      Returns the setting key to determine if the analyzer is enabled.

      Specified by:
      getAnalyzerEnabledSettingKey in class AbstractAnalyzer
      Returns:
      the key for the analyzer's enabled property

    • main

      public static void main(String[] args)
      Command line tool for querying the Lucene CPE Index.
      Parameters:
      args - not used

    • setCveDB

      protected void setCveDB(CveDB cveDb)
      Sets the reference to the CveDB.
      Parameters:
      cveDb - the CveDB

    • getCveDB

      protected CveDB getCveDB()
      returns a reference to the CveDB.
      Returns:
      a reference to the CveDB

    • setMemoryIndex

      protected void setMemoryIndex(MemoryIndex idx)
      Sets the MemoryIndex.
      Parameters:
      idx - the memory index

    • getMemoryIndex

      protected MemoryIndex getMemoryIndex()
      Returns the memory index.
      Returns:
      the memory index

    • setCpeSuppressionAnalyzer

      protected void setCpeSuppressionAnalyzer(CpeSuppressionAnalyzer suppression)
      Sets the CPE Suppression Analyzer.
      Parameters:
      suppression - the CPE Suppression Analyzer