CpeIdentifier

/*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2019 Jeremy Long. All Rights Reserved.
 */
package org.owasp.dependencycheck.dependency.naming;

import org.apache.commons.lang3.builder.CompareToBuilder;
import org.apache.commons.lang3.builder.EqualsBuilder;
import org.apache.commons.lang3.builder.HashCodeBuilder;
import org.apache.hc.core5.net.PercentCodec;
import org.jetbrains.annotations.NotNull;
import org.owasp.dependencycheck.dependency.Confidence;
import us.springett.parsers.cpe.Cpe;
import us.springett.parsers.cpe.CpeBuilder;
import us.springett.parsers.cpe.exceptions.CpeValidationException;
import us.springett.parsers.cpe.values.Part;

import static java.nio.charset.StandardCharsets.UTF_8;

/**
 * A CPE Identifier for a dependency object.
 *
 * @author Jeremy Long
 */
public class CpeIdentifier implements Identifier {

    /**
     * The serial version UID for serialization.
     */
    private static final long serialVersionUID = 2901855131887281680L;

    /**
     * The CPE identifier.
     */
    private final Cpe cpe;
    /**
     * The confidence that this is the correct identifier.
     */
    private Confidence confidence;
    /**
     * The URL for the identifier.
     */
    private String url;
    /**
     * Notes about the vulnerability. Generally used for suppression
     * information.
     */
    private String notes;

    /**
     * Constructs a new CPE Identifier from a CPE object with the given
     * confidence.
     *
     * @param cpe the CPE value
     * @param confidence the confidence in the identifiers match
     */
    public CpeIdentifier(Cpe cpe, Confidence confidence) {
        this.cpe = cpe;
        this.confidence = confidence;
        this.url = null;
    }

    /**
     * Constructs a new CPE Identifier from a CPE object with the given
     * confidence.
     *
     * @param cpe the CPE value
     * @param url the URL for the identifier
     * @param confidence the confidence in the identifiers match
     */
    public CpeIdentifier(Cpe cpe, String url, Confidence confidence) {
        this.cpe = cpe;
        this.confidence = confidence;
        this.url = url;
    }

    /**
     * Constructs a new CPE Identifier from a CPE object with the given
     * confidence.
     *
     * @param vendor the vendor
     * @param product the product name
     * @param version the version
     * @param confidence the confidence in the identifiers match
     * @throws CpeValidationException thrown if there is an error converting the
     * vendor, product, and version into a CPE object
     */
    public CpeIdentifier(String vendor, String product, String version, Confidence confidence) throws CpeValidationException {
        final CpeBuilder builder = new CpeBuilder();
        this.cpe = builder.part(Part.APPLICATION).vendor(vendor).product(product).version(version).build();
        this.confidence = confidence;
    }

    /**
     * Returns the CPE object.
     *
     * @return the CPE object
     */
    public Cpe getCpe() {
        return cpe;
    }

    @Override
    public Confidence getConfidence() {
        return confidence;
    }

    @Override
    public String getNotes() {
        return notes;
    }

    @Override
    public String getUrl() {
        return url;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public void setConfidence(Confidence confidence) {
        this.confidence = confidence;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public void setUrl(String url) {
        this.url = url;
    }

    @Override
    public void setNotes(String notes) {
        this.notes = notes;
    }

    @Override
    public String getValue() {
        return cpe.toCpe23FS();
    }

    /**
     * Returns the CPE 2.3 formatted string.
     *
     * @return the CPE 2.3 formatted string
     */
    @Override
    public String toString() {
        return cpe.toCpe23FS();
    }

    @Override
    public int hashCode() {
        return new HashCodeBuilder(95, 183)
                .append(this.cpe)
                .append(this.confidence)
                .append(this.url)
                .append(this.notes)
                .toHashCode();
    }

    @Override
    public boolean equals(Object obj) {
        if (obj == null || !(obj instanceof CpeIdentifier)) {
            return false;
        }
        if (this == obj) {
            return true;
        }
        final CpeIdentifier other = (CpeIdentifier) obj;
        return new EqualsBuilder().append(cpe, other.cpe)
                .append(this.confidence, other.confidence)
                .append(this.url, other.url)
                .append(this.notes, other.notes).isEquals();
    }

    @Override
    public int compareTo(@NotNull Identifier o) {
        if (o instanceof CpeIdentifier) {
            final CpeIdentifier other = (CpeIdentifier) o;
            return new CompareToBuilder()
                    .append(this.cpe, other.cpe)
                    .append(this.url, other.getUrl())
                    .append(this.confidence, other.getConfidence())
                    .toComparison();

        }
        return new CompareToBuilder()
                .append(this.toString(), o.toString())
                .append(this.url, o.getUrl())
                .append(this.confidence, o.getConfidence())
                .toComparison();
    }

    /**
     * Produces an NVD search URL for a given CPE to find all applicable vulnerabilities, including all populated parts
     * of the given CPE.
     * <p/>
     * The opened link should be sorted in descending order (sortDirection=2) by publish date (sortOrder=3).
     */
    public static String nvdSearchUrlFor(Cpe cpe) {
        // Use PercentCodec to force `*` to be encoded for CPE strings inside the URL. Technically '*' is not a reserved
        // character in the fragment of URLs, but not all browsers handle this consistently, so better to encode aggressively.
        // URlEncoder does not distinguish between parts of URLs appropriately, as well as not forcing encoding of these.
        return String.format("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&cpeName=%s",
                PercentCodec.encode(cpe.toCpe23FS(), UTF_8));
    }

    /**
     * Produces an NVD search URL for a given application vendor/product/version combination to find all applicable vulnerabilities.
     * <p/>
     * The opened link should be sorted in descending order (sortDirection=2) by publish date (sortOrder=3).
     */
    public static String nvdSearchUrlFor(String vendor, String product, String version) throws CpeValidationException {
        return nvdSearchUrlFor(new CpeBuilder().part(Part.APPLICATION).vendor(vendor).product(product).version(version).build());
    }

    /**
     * Produces an NVD search URL for a given CPE to find all applicable vulnerabilities, including only the part, vendor,
     * and product of the given CPE (if populated). Discards all other parts/discriminators of the CPE in the generated search.
     * <p/>
     * The opened link should be sorted in descending order (sortDirection=2) by publish date (sortOrder=3).
     */
    public static String nvdProductSearchUrlFor(Cpe cpe) {
        try {
            return nvdSearchUrlFor(new CpeBuilder().part(cpe.getPart()).vendor(cpe.getVendor()).product(cpe.getProduct()).build());
        } catch (CpeValidationException e) {
            throw new RuntimeException(e);
        }
    }
}