Class CveDB

java.lang.Object
org.owasp.dependencycheck.data.nvdcve.CveDB
All Implemented Interfaces:
AutoCloseable

@ThreadSafe public final class CveDB extends Object implements AutoCloseable
The database holding the NVD CVE data. The class is safe to access from multiple threads in parallel; internally, however, only one connection is used.
Author:
Jeremy Long
  • Field Details

    • DB_ECOSYSTEM_CACHE

      public static final String DB_ECOSYSTEM_CACHE
      Resource location for SQL file containing updates to the ecosystem cache.
  • Constructor Details

    • CveDB

      public CveDB(Settings settings) throws DatabaseException
      Creates a new CveDB object and opens the database connection. The caller is responsible for closing the connection by calling close(); because CveDB implements AutoCloseable, a try-with-resources block does this automatically.
      Parameters:
      settings - the configured settings
      Throws:
      DatabaseException - thrown if there is an exception opening the database.
  • Method Details

    • updateEcosystemCache

      public int updateEcosystemCache()
      Updates the ecosystem cache by running the DB_ECOSYSTEM_CACHE update script.
      Returns:
      the number of records updated by the DB_ECOSYSTEM_CACHE update script
    • open

      public void open()
      Opens the database connection pool.
    • close

      public void close()
      Closes the database connection. Call close() on this object as soon as it is no longer needed.
      Specified by:
      close in interface AutoCloseable
    • isOpen

      public boolean isOpen()
      Returns whether the database connection is open or closed.
      Returns:
      whether the database connection is open or closed
    • finalize

      protected void finalize() throws Throwable
      Cleans up the object and ensures that close() has been called. This is a safety net only; finalization is not a substitute for calling close() explicitly.
      Overrides:
      finalize in class Object
      Throws:
      Throwable - thrown if there is a problem
    • getDatabaseProperties

      public DatabaseProperties getDatabaseProperties()
      Get the value of databaseProperties.
      Returns:
      the value of databaseProperties
    • getCPEs

      public Set<CpePlus> getCPEs(String vendor, String product)
      Searches the CPE entries in the database and retrieves all entries for the given vendor and product combination. The returned set includes every version of the product that is registered in the NVD CVE data.
      Parameters:
      vendor - the identified vendor name of the dependency being analyzed
      product - the identified name of the product of the dependency being analyzed
      Returns:
      a set of CPE entries (with ecosystem data) matching the vendor and product; empty if the combination is unknown
    • getVendorProductList

      public Set<Pair<String,String>> getVendorProductList() throws DatabaseException
      Returns the entire list of vendor/product combinations.
      Returns:
      the entire list of vendor/product combinations
      Throws:
      DatabaseException - thrown when there is an error retrieving the data from the DB
    • getVendorProductListForNode

      public Set<Pair<String,String>> getVendorProductListForNode() throws DatabaseException
      Returns the list of vendor/product combinations filtered to just Node.js related products.
      Returns:
      the list of vendor/product combinations that are known to be related to Node.js
      Throws:
      DatabaseException - thrown when there is an error retrieving the data from the DB
    • getProperties

      public Properties getProperties()
      Returns the properties stored in the database.
      Returns:
      the properties from the database
    • saveProperty

      public void saveProperty(String key, String value)
      Saves a property to the database.
      Parameters:
      key - the property key
      value - the property value
    • getVulnerabilities

      public List<Vulnerability> getVulnerabilities(us.springett.parsers.cpe.Cpe cpe) throws DatabaseException
      Retrieves the vulnerabilities associated with the specified CPE.
      Parameters:
      cpe - the CPE to retrieve vulnerabilities for
      Returns:
      a list of Vulnerabilities
      Throws:
      DatabaseException - thrown if there is an exception retrieving data
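As an added example (not code from the Dependency-Check project), the following Java program ties the constructor, isOpen(), dataExists(), getCPEs() and getVulnerabilities() documented on this page into one lookup for a single vendor/product/version. The package locations of CpePlus, Vulnerability and Settings, the CpeBuilder usage from the cpe-parser library, the default behaviour of Settings and its cleanup() method, and Vulnerability.getName() returning the CVE id are assumptions not stated on this page; the apache/commons_text/1.9 defaults are just constructed inputs to exercise the call path.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;

import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.update.cpe.CpePlus;   // package assumed
import org.owasp.dependencycheck.dependency.Vulnerability;  // package assumed
import org.owasp.dependencycheck.utils.Settings;            // package assumed

import us.springett.parsers.cpe.Cpe;
import us.springett.parsers.cpe.CpeBuilder;
import us.springett.parsers.cpe.exceptions.CpeValidationException;
import us.springett.parsers.cpe.values.Part;

/** Added example only: looks up the CVEs recorded for one vendor/product/version. */
public final class CveLookup {

    /**
     * Returns the vulnerabilities the NVD data associates with the exact
     * vendor/product/version, or Optional.empty() when the database holds no
     * CPE at all for that vendor/product. The distinction matters: a product
     * unknown to the NVD is not the same as a product with no known CVEs.
     */
    public static Optional<List<Vulnerability>> lookup(CveDB db, String vendor,
            String product, String version) throws DatabaseException, CpeValidationException {
        // An empty database answers "no CVEs" for everything, so refuse to run on one.
        if (!db.isOpen() || !db.dataExists()) {
            throw new IllegalStateException("CVE database is not open or has not been populated");
        }
        // getCPEs() returns every version of the product registered in the NVD data;
        // an empty set means the vendor/product pair itself is unknown.
        Set<CpePlus> known = db.getCPEs(vendor, product);
        if (known.isEmpty()) {
            return Optional.empty();
        }
        // Build the CPE for the version under analysis and fetch its vulnerabilities.
        Cpe cpe = new CpeBuilder()
                .part(Part.APPLICATION)
                .vendor(vendor)
                .product(product)
                .version(version)
                .build();
        return Optional.of(db.getVulnerabilities(cpe));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; override them on the command line.
        String vendor = args.length > 0 ? args[0] : "apache";
        String product = args.length > 1 ? args[1] : "commons_text";
        String version = args.length > 2 ? args[2] : "1.9";

        // Assumed: the default Settings point CveDB at the data directory that a
        // previous dependency-check update run populated.
        Settings settings = new Settings();
        // try-with-resources guarantees close() even if a lookup throws.
        try (CveDB db = new CveDB(settings)) {
            Optional<List<Vulnerability>> result = lookup(db, vendor, product, version);
            if (!result.isPresent()) {
                System.out.printf("%s:%s is not in the NVD CPE data%n", vendor, product);
                return;
            }
            List<Vulnerability> vulns = result.get();
            System.out.printf("%s:%s:%s -> %d CVE(s)%n", vendor, product, version, vulns.size());
            for (Vulnerability v : vulns) {
                System.out.println("  " + v.getName()); // getName() assumed to be the CVE id
            }
        } finally {
            settings.cleanup(); // assumed: releases temporary resources held by Settings
        }
    }
}
```

The isOpen()/dataExists() guard is the part worth copying: a CveDB that opened cleanly against an empty or never-updated database will report every dependency as free of CVEs, which is the wrong failure direction for a security control.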
    • getVulnerability

      public Vulnerability getVulnerability(String cve) throws DatabaseException
      Gets a vulnerability for the provided CVE.
      Parameters:
      cve - the CVE to lookup
      Returns:
      a vulnerability object
      Throws:
      DatabaseException - if an exception occurs
    • getVulnerability

      public Vulnerability getVulnerability(String cve, Connection conn) throws DatabaseException
      Gets a vulnerability for the provided CVE.
      Parameters:
      cve - the CVE to lookup
      conn - already active database connection
      Returns:
      a vulnerability object
      Throws:
      DatabaseException - if an exception occurs
    • updateVulnerability

      public void updateVulnerability(io.github.jeremylong.openvulnerability.client.nvd.DefCveItem cve, String baseEcosystem)
      Updates the vulnerability within the database. If the vulnerability does not exist it will be added.
      Parameters:
      cve - the vulnerability from the NVD CVE Data Feed to add to the database
      baseEcosystem - the ecosystem the CVE belongs to, derived from signals such as the CVE description
      Throws:
      DatabaseException - is thrown if the database
    • updateKnownExploitedVulnerabilities

      public void updateKnownExploitedVulnerabilities(List<Vulnerability> vulnerabilities) throws DatabaseException, SQLException
      Merges the list of known exploited vulnerabilities into the database.
      Parameters:
      vulnerabilities - the list of known exploited vulnerabilities
      Throws:
      DatabaseException - thrown if there is an error merging the data into the database
      SQLException - thrown if a SQL error occurs during the merge
    • dataExists

      public boolean dataExists()
      Checks to see if data exists so that analysis can be performed.
      Returns:
      true if data exists; otherwise false
    • cleanupDatabase

      public void cleanupDatabase()
      Database updates may leave orphaned rows behind. Call this method after all updates have completed so that orphaned entries are removed.
    • persistEcosystemCache

      public void persistEcosystemCache()
      Persist the EcosystemCache into the database.
    • defrag

      public void defrag()
      If the database is a file-based H2 database, calling defrag() de-fragments the database file.
    • deleteUnusedCpe

      public void deleteUnusedCpe()
      This method is only referenced in unused code.

      Deletes unused dictionary entries from the database.

    • addCpe

      public void addCpe(String cpe, String vendor, String product)
      This method is only referenced in unused code and will likely break on MySQL if ever used due to the MERGE statement.

      Merges CPE entries into the database.

      Parameters:
      cpe - the CPE identifier
      vendor - the CPE vendor
      product - the CPE product
    • getknownExploitedVulnerabilities

      public Map<String, Vulnerability> getknownExploitedVulnerabilities()
      Returns a map of known exploited vulnerabilities.
      Returns:
      a map of known exploited vulnerabilities
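As an added example (not code from the Dependency-Check project), the following Java program shows how the maintenance methods on this page (cleanupDatabase(), persistEcosystemCache(), updateEcosystemCache(), defrag()) fit together after an update, and how getknownExploitedVulnerabilities() can be used to flag which CVEs found for a dependency are on the known exploited vulnerabilities list. The only ordering the page states is that cleanupDatabase() runs after all updates; the rest of the sequence, defrag() being harmless on non-H2 databases, the map being keyed by CVE id, Vulnerability.getName() returning the CVE id, getVulnerability() returning null for an unknown id, and the package locations of Vulnerability and Settings are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.dependency.Vulnerability;  // package assumed
import org.owasp.dependencycheck.utils.Settings;            // package assumed

/** Added example only: post-update housekeeping and a known-exploited cross-check. */
public final class CveDbMaintenance {

    /**
     * Runs the housekeeping the CveDB javadoc asks for once updates are done.
     * Only "cleanupDatabase after all updates" is documented; the rest of the
     * order is an assumption. Returns the count reported by updateEcosystemCache().
     */
    public static int finishUpdate(CveDB db) {
        db.persistEcosystemCache();              // write the in-memory ecosystem cache
        int touched = db.updateEcosystemCache(); // run the DB_ECOSYSTEM_CACHE script
        db.cleanupDatabase();                    // remove orphan rows left by the updates
        db.defrag();                             // compacts an H2 file database (assumed harmless elsewhere)
        return touched;
    }

    /**
     * Filters vulnerabilities down to those present in the known exploited
     * vulnerabilities map. Assumes the map is keyed by CVE id and that
     * Vulnerability.getName() returns that id.
     */
    public static List<Vulnerability> knownExploited(CveDB db, List<Vulnerability> found) {
        Map<String, Vulnerability> kev = db.getknownExploitedVulnerabilities();
        List<Vulnerability> hits = new ArrayList<>();
        for (Vulnerability v : found) {
            if (kev.containsKey(v.getName())) {
                hits.add(v);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        Settings settings = new Settings(); // assumed: default settings, data directory already populated
        try (CveDB db = new CveDB(settings)) {
            if (!db.dataExists()) {
                System.err.println("no NVD data loaded; run an update first");
                return;
            }
            int n = finishUpdate(db);
            System.out.println("ecosystem cache records updated: " + n);

            // Cross-check every CVE id given on the command line against the KEV map.
            List<Vulnerability> wanted = new ArrayList<>();
            for (String cve : args) {
                Vulnerability v = db.getVulnerability(cve);
                if (v != null) {            // assumed: null for an id not in the database
                    wanted.add(v);
                } else {
                    System.err.println("unknown CVE id: " + cve);
                }
            }
            for (Vulnerability v : knownExploited(db, wanted)) {
                System.out.println("KNOWN EXPLOITED: " + v.getName());
            }
        } catch (DatabaseException e) {
            System.err.println("database error: " + e.getMessage());
        } finally {
            settings.cleanup(); // assumed: releases temporary resources held by Settings
        }
    }
}
```

Keeping the housekeeping in one method means a caller cannot forget cleanupDatabase() after a partial update, which is the case in which orphaned rows accumulate; the known-exploited cross-check is the cheapest way to turn a long CVE list into a prioritised one.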