Class JarAnalyzer

java.lang.Object
org.owasp.dependencycheck.analyzer.AbstractAnalyzer
org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer
org.owasp.dependencycheck.analyzer.JarAnalyzer
All Implemented Interfaces:
FileFilter, Analyzer, FileTypeAnalyzer
public class JarAnalyzer extends AbstractFileTypeAnalyzer
Used to load a JAR file and collect information that can be used to determine the associated CPE.
Author:
Jeremy Long

  • Field Details

    • DEPENDENCY_ECOSYSTEM

      public static final String DEPENDENCY_ECOSYSTEM
      A descriptor for the type of dependencies processed or added by this analyzer.
      See Also:

  • Constructor Details

    • JarAnalyzer

      public JarAnalyzer()

  • Method Details

    • getFileFilter

      protected FileFilter getFileFilter()
      Returns the FileFilter.
      Specified by:
      getFileFilter in class AbstractFileTypeAnalyzer
      Returns:
      the FileFilter

    • getName

      public String getName()
      Returns the name of the analyzer.
      Returns:
      the name of the analyzer.

    • getAnalysisPhase

      public AnalysisPhase getAnalysisPhase()
      Returns the phase that the analyzer is intended to run in.
      Returns:
      the phase that the analyzer is intended to run in.

    • accept

      public boolean accept(File pathname)
      Description copied from class: AbstractFileTypeAnalyzer
      Determines if the file can be analyzed by the analyzer.
      Specified by:
      accept in interface FileFilter
      Overrides:
      accept in class AbstractFileTypeAnalyzer
      Parameters:
      pathname - the path to the file
      Returns:
      true if the file can be analyzed by the given analyzer; otherwise false

    • getAnalyzerEnabledSettingKey

      protected String getAnalyzerEnabledSettingKey()
      Returns the key used in the properties file to reference the analyzer's enabled property.
      Specified by:
      getAnalyzerEnabledSettingKey in class AbstractAnalyzer
      Returns:
      the analyzer's enabled property setting key

    • analyzeDependency

      public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException
      Loads a specified JAR file and collects information from the manifest and checksums to identify the correct CPE information.
      Specified by:
      analyzeDependency in class AbstractAnalyzer
      Parameters:
      dependency - the dependency to analyze.
      engine - the engine that is scanning the dependencies
      Throws:
      AnalysisException - is thrown if there is an error reading the JAR file.

    • analyzePOM

      protected boolean analyzePOM(Dependency dependency, List<JarAnalyzer.ClassNameInformation> classes, Engine engine) throws AnalysisException
      Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence. This will attempt to interpolate the strings contained within the pom.properties if one exists.
      Parameters:
      dependency - the dependency being analyzed
      classes - a collection of class name information
      engine - the analysis engine, used to add additional dependencies
      Returns:
      whether or not evidence was added to the dependency
      Throws:
      AnalysisException - is thrown if there is an exception parsing the pom

    • setPomEvidence

      public static boolean setPomEvidence(Dependency dependency, Model pom, List<JarAnalyzer.ClassNameInformation> classes, boolean isMainPom)
      Sets evidence from the pom on the supplied dependency.
      Parameters:
      dependency - the dependency to set data on
      pom - the information from the pom
      classes - a collection of ClassNameInformation - containing data about the fully qualified class names within the JAR file being analyzed
      isMainPom - a flag indicating if this is the primary pom.
      Returns:
      true if there was evidence within the pom that we could use; otherwise false

    • analyzePackageNames

      protected void analyzePackageNames(List<JarAnalyzer.ClassNameInformation> classNames, Dependency dependency, boolean addPackagesAsEvidence)
      Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible vendor or product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
      Parameters:
      classNames - a list of class names
      dependency - a dependency to analyze
      addPackagesAsEvidence - a flag indicating whether or not package names should be added as evidence.

    • parseManifest

      protected boolean parseManifest(Dependency dependency, List<JarAnalyzer.ClassNameInformation> classInformation) throws IOException

      Reads the manifest from the JAR file and collects the entries. Some vendorKey entries are:

      • Implementation Title
      • Implementation Version
      • Implementation Vendor
      • Implementation VendorId
      • Bundle Name
      • Bundle Version
      • Bundle Vendor
      • Bundle Description
      • Main Class
      However, all but a handful of specific entries are read in.
      Parameters:
      dependency - A reference to the dependency
      classInformation - a collection of class information
      Returns:
      whether evidence was identified parsing the manifest
      Throws:
      IOException - if there is an issue reading the JAR file

    • addDescription

      public static String addDescription(Dependency dependency, String description, String source, String key)
      Adds a description to the given dependency. If the description contains one of the following strings beyond 100 characters, then the description used will be trimmed to that position:
      • "such as"
      • "like "
      • "will use "
      • "* uses "
      Parameters:
      dependency - a dependency
      description - the description
      source - the source of the evidence
      key - the "name" of the evidence
      Returns:
      if the description is trimmed, the trimmed version is returned; otherwise the original description is returned

    • prepareFileTypeAnalyzer

      public void prepareFileTypeAnalyzer(Engine engine) throws InitializationException
      Initializes the JarAnalyzer.
      Specified by:
      prepareFileTypeAnalyzer in class AbstractFileTypeAnalyzer
      Parameters:
      engine - a reference to the dependency-check engine
      Throws:
      InitializationException - is thrown if there is an exception creating a temporary directory

    • closeAnalyzer

      public void closeAnalyzer()
      Deletes any files extracted from the JAR during analysis.
      Overrides:
      closeAnalyzer in class AbstractAnalyzer

    • collectClassNames

      protected List<JarAnalyzer.ClassNameInformation> collectClassNames(Dependency dependency)
      Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class names. This does not include core Java package names (i.e. java.* or javax.*).
      Parameters:
      dependency - the dependency being analyzed
      Returns:
      an list of fully qualified class names

    • addMatchingValues

      protected static void addMatchingValues(List<JarAnalyzer.ClassNameInformation> classes, String value, Dependency dep, EvidenceType type)
      Cycles through the collection of class name information to see if parts of the package names are contained in the provided value. If found, it will be added as the HIGHEST confidence evidence because we have more then one source corroborating the value.
      Parameters:
      classes - a collection of class name information
      value - the value to check to see if it contains a package name
      dep - the dependency to add new entries too
      type - the type of evidence (vendor, product, or version)

    • extractLicense

      public static void extractLicense(Model pom, Dependency dependency)
      Extracts the license information from the pom and adds it to the dependency.
      Parameters:
      pom - the pom object
      dependency - the dependency to add license information too