-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
63 changed files
with
10,775 additions
and
107 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
125 changes: 125 additions & 0 deletions
125
...src/main/java/org/owasp/dependencycheck/analyzer/KnownExploitedVulnerabilityAnalyzer.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,125 @@ | ||
/* | ||
* This file is part of dependency-check-core. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
* | ||
* Copyright (c) 2022 Jeremy Long. All Rights Reserved. | ||
*/ | ||
package org.owasp.dependencycheck.analyzer; | ||
|
||
import java.util.Map; | ||
import java.util.Set; | ||
import javax.annotation.concurrent.ThreadSafe; | ||
import org.owasp.dependencycheck.Engine; | ||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException; | ||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException; | ||
import org.owasp.dependencycheck.dependency.Dependency; | ||
import org.owasp.dependencycheck.dependency.Vulnerability; | ||
import org.owasp.dependencycheck.exception.InitializationException; | ||
import org.owasp.dependencycheck.utils.Settings; | ||
import org.slf4j.Logger; | ||
import org.slf4j.LoggerFactory; | ||
|
||
/** | ||
* This analyzer adds information about known exploited vulnerabilities. | ||
* | ||
* @author Jeremy Long | ||
*/ | ||
@ThreadSafe | ||
public class KnownExploitedVulnerabilityAnalyzer extends AbstractAnalyzer { | ||
|
||
/** | ||
* The Logger for use throughout the class | ||
*/ | ||
private static final Logger LOGGER = LoggerFactory.getLogger(KnownExploitedVulnerabilityAnalyzer.class); | ||
/** | ||
* The map of known exploited vulnerabilities. | ||
*/ | ||
private Map<String, org.owasp.dependencycheck.data.knownexploited.json.Vulnerability> knownExploited = null; | ||
/** | ||
* The name of the analyzer. | ||
*/ | ||
private static final String ANALYZER_NAME = "Known Exploited Vulnerability Analyzer"; | ||
/** | ||
* The phase that this analyzer is intended to run in. | ||
*/ | ||
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_FINDING_ANALYSIS; | ||
|
||
/** | ||
* Returns the name of the analyzer. | ||
* | ||
* @return the name of the analyzer. | ||
*/ | ||
@Override | ||
public String getName() { | ||
return ANALYZER_NAME; | ||
} | ||
|
||
/** | ||
* Returns the phase that the analyzer is intended to run in. | ||
* | ||
* @return the phase that the analyzer is intended to run in. | ||
*/ | ||
@Override | ||
public AnalysisPhase getAnalysisPhase() { | ||
return ANALYSIS_PHASE; | ||
} | ||
|
||
/** | ||
* <p> | ||
* Returns the setting key to determine if the analyzer is enabled.</p> | ||
* | ||
* @return the key for the analyzer's enabled property | ||
*/ | ||
@Override | ||
protected String getAnalyzerEnabledSettingKey() { | ||
return Settings.KEYS.ANALYZER_KNOWN_EXPLOITED_ENABLED; | ||
} | ||
|
||
/** | ||
* The prepare method does nothing for this Analyzer. | ||
* | ||
* @param engine a reference the dependency-check engine | ||
* @throws InitializationException thrown if there is an exception | ||
*/ | ||
@Override | ||
public void prepareAnalyzer(Engine engine) throws InitializationException { | ||
try { | ||
this.knownExploited = engine.getDatabase().getknownExploitedVulnerabilities(); | ||
} catch (DatabaseException ex) { | ||
LOGGER.debug("Unable to load the known exploited vulnerabilities", ex); | ||
throw new InitializationException("Unable to load the known exploited vulnerabilities", ex); | ||
} | ||
} | ||
|
||
/** | ||
* Adds information about the known exploited vulnerabilities to the | ||
* analysis. | ||
* | ||
* @param dependency The dependency being analyzed | ||
* @param engine The scanning engine | ||
* @throws AnalysisException is thrown if there is an exception analyzing | ||
* the dependency. | ||
*/ | ||
@Override | ||
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { | ||
final Set<Vulnerability> vulns = dependency.getVulnerabilities(); | ||
for (Vulnerability v : vulns) { | ||
final org.owasp.dependencycheck.data.knownexploited.json.Vulnerability kev = knownExploited.get(v.getName()); | ||
if (kev != null) { | ||
v.setKnownExploitedVulnerability(kev); | ||
} | ||
} | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.