Class NodePackageAnalyzer

All Implemented Interfaces:
FileFilter, Analyzer, FileTypeAnalyzer

@ThreadSafe public class NodePackageAnalyzer extends AbstractNpmAnalyzer
Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the associated CPE.
Author:
Dale Visser
  • Field Details

    • DEPENDENCY_ECOSYSTEM

      public static final String DEPENDENCY_ECOSYSTEM
      A descriptor for the type of dependencies processed or added by this analyzer.
    • PACKAGE_JSON

      public static final String PACKAGE_JSON
      The file name to scan.
    • PACKAGE_LOCK_JSON

      public static final String PACKAGE_LOCK_JSON
      The file name to scan.
    • SHRINKWRAP_JSON

      public static final String SHRINKWRAP_JSON
      The file name to scan.
    • NODE_MODULES_DIRNAME

      public static final String NODE_MODULES_DIRNAME
      The name of the directory that contains node modules.
  • Constructor Details

    • NodePackageAnalyzer

      public NodePackageAnalyzer()
  • Method Details

    • getFileFilter

      protected FileFilter getFileFilter()
      Returns the FileFilter.
      Specified by:
      getFileFilter in class AbstractFileTypeAnalyzer
      Returns:
      the FileFilter
    • prepareFileTypeAnalyzer

      protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException
      Performs validation on the configuration to ensure that the correct analyzers are in place.
      Overrides:
      prepareFileTypeAnalyzer in class AbstractNpmAnalyzer
      Parameters:
      engine - the dependency-check engine
      Throws:
      InitializationException - thrown if there is a configuration error
    • getName

      public String getName()
      Returns the name of the analyzer.
      Returns:
      the name of the analyzer.
    • getAnalysisPhase

      public AnalysisPhase getAnalysisPhase()
      Returns the phase that the analyzer is intended to run in.
      Returns:
      the phase that the analyzer is intended to run in.
    • getAnalyzerEnabledSettingKey

      protected String getAnalyzerEnabledSettingKey()
      Returns the key used in the properties file to reference the enabled property for the analyzer.
      Specified by:
      getAnalyzerEnabledSettingKey in class AbstractAnalyzer
      Returns:
      the enabled property setting key for the analyzer
    • analyzeDependency

      protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException
      Description copied from class: AbstractAnalyzer
      Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned, and added to the list of dependencies within the engine.
      Specified by:
      analyzeDependency in class AbstractAnalyzer
      Parameters:
      dependency - the dependency to analyze
      engine - the engine scanning
      Throws:
      AnalysisException - thrown if there is an analysis exception
    • shouldSkipDependency

      public static boolean shouldSkipDependency(String name, String version, boolean optional, boolean fileExist)
      Determines whether the dependency should be processed. Returns true if it should be skipped (e.g. the dependency can't be read, or npm audit doesn't handle it).
      Parameters:
      name - the name of the dependency
      version - the version of the dependency
      optional - whether the dependency is optional
      fileExist - whether the package.json is available for this dependency
      Returns:
      true if the dependency should be skipped; otherwise false
    • shouldSkipDependency

      public static boolean shouldSkipDependency(String name, String version)
      Checks if the given dependency should be skipped.
      Parameters:
      name - the name of the dependency to test
      version - the version of the dependency to test
      Returns:
      true if the dependency should be skipped; otherwise false