org.owasp.dependencycheck.analyzer

Class AbstractNpmAnalyzer

java.lang.Object

org.owasp.dependencycheck.analyzer.AbstractAnalyzer

org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer

org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer

All Implemented Interfaces:

java.io.FileFilter, Analyzer, FileTypeAnalyzer

Direct Known Subclasses:

NodeAuditAnalyzer, NodePackageAnalyzer, PnpmAuditAnalyzer, YarnAuditAnalyzer

@ThreadSafe
public abstract class AbstractNpmAnalyzer
extends AbstractFileTypeAnalyzer

An abstract NPM analyzer that contains common methods for concrete implementations.

Author:

Steve Springett

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	NPM_DEPENDENCY_ECOSYSTEM A descriptor for the type of dependencies processed or added by this analyzer.

Constructor Summary

Constructors

Constructor and Description
AbstractNpmAnalyzer()

Method Summary

Modifier and Type	Method and Description
boolean	accept(java.io.File pathname) Determines if the file can be analyzed by the analyzer.
protected Dependency	createDependency(Dependency dependency, java.lang.String name, java.lang.String version, java.lang.String scope) Construct a dependency object.
static java.lang.String	determineVersionFromMap(java.lang.String versionRange, java.util.Collection<java.lang.String> availableVersions) Give an NPM version range and a collection of versions, this method attempts to select a specific version from the collection that is in the range.
protected Dependency	findDependency(Engine engine, java.lang.String name, java.lang.String version) Locates the dependency from the list of dependencies that have been scanned by the engine.
void	gatherEvidence(javax.json.JsonObject json, Dependency dependency) Collects evidence from the given JSON for the associated dependency.
protected NodeAuditSearch	getSearcher() Returns the node audit search utility.
protected void	prepareFileTypeAnalyzer(Engine engine) Initializes the analyzer once before any analysis is performed.
protected void	processPackage(Engine engine, Dependency dependency, javax.json.JsonArray jsonArray, java.lang.String depType) Processes a part of package.json (as defined by JsonArray) and update the specified dependency with relevant info.
protected void	processPackage(Engine engine, Dependency dependency, javax.json.JsonObject jsonObject, java.lang.String depType) Processes a part of package.json (as defined by JsonObject) and update the specified dependency with relevant info.
protected void	processResults(java.util.List<Advisory> advisories, Engine engine, Dependency dependency, org.apache.commons.collections4.MultiValuedMap<java.lang.String,java.lang.String> dependencyMap) Processes the advisories creating the appropriate dependency objects and adding the resulting vulnerabilities.
protected void	replaceOrAddVulnerability(Dependency dependency, Vulnerability vuln) Evaluates if the vulnerability is already present; if it is the vulnerability is not added.
static boolean	shouldProcess(java.io.File pathname) Determines if the path contains "/node_modules/" or "/bower_components/" (i.e.

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer

getFileFilter, getFilesMatched, newHashSet, prepareAnalyzer, setFilesMatched

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractAnalyzer

analyze, analyzeDependency, close, closeAnalyzer, getAnalyzerEnabledSettingKey, getSettings, initialize, isEnabled, prepare, setEnabled, supportsParallelProcessing

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.owasp.dependencycheck.analyzer.Analyzer

analyze, close, getAnalysisPhase, getName, initialize, isEnabled, prepare, supportsParallelProcessing

Field Detail

NPM_DEPENDENCY_ECOSYSTEM

public static final java.lang.String NPM_DEPENDENCY_ECOSYSTEM

A descriptor for the type of dependencies processed or added by this analyzer.

See Also:

Constant Field Values

Constructor Detail

AbstractNpmAnalyzer

public AbstractNpmAnalyzer()

Method Detail

accept

public boolean accept(java.io.File pathname)

Determines if the file can be analyzed by the analyzer.

Specified by:

accept in interface java.io.FileFilter

Overrides:

accept in class AbstractFileTypeAnalyzer

Parameters:

pathname - the path to the file

Returns:

true if the file can be analyzed by the given analyzer; otherwise false

shouldProcess

public static boolean shouldProcess(java.io.File pathname)
                             throws AnalysisException

Determines if the path contains "/node_modules/" or "/bower_components/" (i.e. it is a child module). This analyzer does not scan child modules.

Parameters:

pathname - the path to test

Returns:

true if the path does not contain "/node_modules/" or "/bower_components/"

Throws:

AnalysisException - thrown if the canonical path cannot be obtained from the given file

createDependency

protected Dependency createDependency(Dependency dependency,
                                      java.lang.String name,
                                      java.lang.String version,
                                      java.lang.String scope)

Construct a dependency object.

Parameters:

dependency - the parent dependency

name - the name of the dependency to create

version - the version of the dependency to create

scope - the scope of the dependency being created

Returns:

the generated dependency

processPackage

protected void processPackage(Engine engine,
                              Dependency dependency,
                              javax.json.JsonArray jsonArray,
                              java.lang.String depType)

Processes a part of package.json (as defined by JsonArray) and update the specified dependency with relevant info.

Parameters:

engine - the dependency-check engine

dependency - the Dependency to update

jsonArray - the jsonArray to parse

depType - the dependency type

processPackage

protected void processPackage(Engine engine,
                              Dependency dependency,
                              javax.json.JsonObject jsonObject,
                              java.lang.String depType)

Processes a part of package.json (as defined by JsonObject) and update the specified dependency with relevant info.

Parameters:

engine - the dependency-check engine

dependency - the Dependency to update

jsonObject - the jsonObject to parse

depType - the dependency type

findDependency

protected Dependency findDependency(Engine engine,
                                    java.lang.String name,
                                    java.lang.String version)

Locates the dependency from the list of dependencies that have been scanned by the engine.

Parameters:

engine - the dependency-check engine

name - the name of the dependency to find

version - the version of the dependency to find

Returns:

the identified dependency; otherwise null

gatherEvidence

public void gatherEvidence(javax.json.JsonObject json,
                           Dependency dependency)

Collects evidence from the given JSON for the associated dependency.

Parameters:

json - the JSON that contains the evidence to collect

dependency - the dependency to add the evidence too

prepareFileTypeAnalyzer

protected void prepareFileTypeAnalyzer(Engine engine)
                                throws InitializationException

Initializes the analyzer once before any analysis is performed.

Specified by:

prepareFileTypeAnalyzer in class AbstractFileTypeAnalyzer

Parameters:

engine - a reference to the dependency-check engine

Throws:

InitializationException - if there's an error during initialization

processResults

protected void processResults(java.util.List<Advisory> advisories,
                              Engine engine,
                              Dependency dependency,
                              org.apache.commons.collections4.MultiValuedMap<java.lang.String,java.lang.String> dependencyMap)
                       throws us.springett.parsers.cpe.exceptions.CpeValidationException

Processes the advisories creating the appropriate dependency objects and adding the resulting vulnerabilities.

Parameters:

advisories - a collection of advisories from npm

engine - a reference to the analysis engine

dependency - a reference to the package-lock.json dependency

dependencyMap - a collection of module/version pairs obtained from the package-lock file - used in case the advisories do not include a version number

Throws:

us.springett.parsers.cpe.exceptions.CpeValidationException - thrown when a CPE cannot be created

replaceOrAddVulnerability

protected void replaceOrAddVulnerability(Dependency dependency,
                                         Vulnerability vuln)

Evaluates if the vulnerability is already present; if it is the vulnerability is not added.

Parameters:

dependency - a reference to the dependency being analyzed

vuln - the vulnerability to add

getSearcher

protected NodeAuditSearch getSearcher()

Returns the node audit search utility.

Returns:

the node audit search utility

determineVersionFromMap

public static java.lang.String determineVersionFromMap(java.lang.String versionRange,
                                                       java.util.Collection<java.lang.String> availableVersions)

Give an NPM version range and a collection of versions, this method attempts to select a specific version from the collection that is in the range.

Parameters:

versionRange - the version range to evaluate

availableVersions - the collection of possible versions to select

Returns:

the selected range from the versionRange