1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import javax.annotation.concurrent.ThreadSafe;
21  import org.owasp.dependencycheck.Engine;
22  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
23  import org.owasp.dependencycheck.dependency.Dependency;
24  import org.owasp.dependencycheck.utils.Settings;
25  import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
26  
27  /**
28   * The suppression analyzer processes an externally defined XML document that
29   * complies with the suppressions.xsd schema. Any identified Vulnerability
30   * entries within the dependencies that match will be removed.
31   *
32   * @author Jeremy Long
33   */
@ThreadSafe
public class VulnerabilitySuppressionAnalyzer extends AbstractSuppressionAnalyzer {

    /**
     * Human-readable analyzer name reported through {@link #getName()}.
     */
    private static final String ANALYZER_NAME = "Vulnerability Suppression Analyzer";

    /**
     * Phase in which this analyzer runs; suppression of findings has to happen
     * after the findings themselves have been produced.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_FINDING_ANALYSIS;

    /**
     * {@inheritDoc}
     *
     * @return the constant {@link #ANALYZER_NAME}
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

    /**
     * {@inheritDoc}
     *
     * @return {@link AnalysisPhase#POST_FINDING_ANALYSIS}
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }

    /**
     * Supplies the settings key that controls whether this analyzer is
     * enabled.
     *
     * @return {@code Settings.KEYS.ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED}
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED;
    }

    /**
     * Decides whether a suppression rule is vulnerability-scoped and therefore
     * belongs to this analyzer.
     *
     * <p>A rule qualifies when it carries at least one vulnerability-level
     * criterion: a CVE, any of the CVSS "below" thresholds (base, v2, v3 or
     * v4), a CWE, or a vulnerability name. Rules with none of these are
     * rejected here and are presumably picked up by another suppression
     * analyzer (confirm against the sibling analyzers).</p>
     *
     * @param rule the suppression rule to inspect
     * @return {@code true} if the rule contains a vulnerability-level criterion
     */
    @Override
    public boolean filter(SuppressionRule rule) {
        // Evaluation order matches the original single expression: CVE first,
        // then the four CVSS thresholds, then CWE and vulnerability name.
        final boolean hasCveOrCvssCriterion = rule.hasCve()
                || rule.hasCvssBelow()
                || rule.hasCvssV2Below()
                || rule.hasCvssV3Below()
                || rule.hasCvssV4Below();
        if (hasCveOrCvssCriterion) {
            return true;
        }
        return rule.hasCwe() || rule.hasVulnerabilityName();
    }

    /**
     * Runs the inherited suppression logic only for dependencies that actually
     * have vulnerabilities attached; a dependency with no findings has nothing
     * to suppress, so it is skipped without touching the parent implementation.
     *
     * @param dependency the dependency whose vulnerabilities may be suppressed
     * @param engine the engine driving the analysis
     * @throws AnalysisException propagated from the parent implementation
     */
    @Override
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
        if (dependency.getVulnerabilitiesCount() <= 0) {
            return;
        }
        super.analyzeDependency(dependency, engine);
    }
}