org.owasp.dependencycheck.analyzer

Class JarAnalyzer

java.lang.Object

org.owasp.dependencycheck.analyzer.AbstractAnalyzer

org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer

org.owasp.dependencycheck.analyzer.JarAnalyzer

All Implemented Interfaces:

java.io.FileFilter, Analyzer, FileTypeAnalyzer

public class JarAnalyzer
extends AbstractFileTypeAnalyzer

Used to load a JAR file and collect information that can be used to determine the associated CPE.

Author:

Jeremy Long

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	JarAnalyzer.ClassNameInformation Stores information about a class name.

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	DEPENDENCY_ECOSYSTEM A descriptor for the type of dependencies processed or added by this analyzer.

Constructor Summary

Constructors

Constructor and Description
JarAnalyzer()

Method Summary

Modifier and Type	Method and Description
boolean	accept(java.io.File pathname) Determines if the file can be analyzed by the analyzer.
static java.lang.String	addDescription(Dependency dependency, java.lang.String description, java.lang.String source, java.lang.String key) Adds a description to the given dependency.
protected static void	addMatchingValues(java.util.List<JarAnalyzer.ClassNameInformation> classes, java.lang.String value, Dependency dep, EvidenceType type) Cycles through the collection of class name information to see if parts of the package names are contained in the provided value.
void	analyzeDependency(Dependency dependency, Engine engine) Loads a specified JAR file and collects information from the manifest and checksums to identify the correct CPE information.
protected void	analyzePackageNames(java.util.List<JarAnalyzer.ClassNameInformation> classNames, Dependency dependency, boolean addPackagesAsEvidence) Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible vendor or product names.
protected boolean	analyzePOM(Dependency dependency, java.util.List<JarAnalyzer.ClassNameInformation> classes, Engine engine) Attempts to find a pom.xml within the JAR file.
void	closeAnalyzer() Deletes any files extracted from the JAR during analysis.
protected java.util.List<JarAnalyzer.ClassNameInformation>	collectClassNames(Dependency dependency) Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class names.
static void	extractLicense(Model pom, Dependency dependency) Extracts the license information from the pom and adds it to the dependency.
AnalysisPhase	getAnalysisPhase() Returns the phase that the analyzer is intended to run in.
protected java.lang.String	getAnalyzerEnabledSettingKey() Returns the key used in the properties file to reference the analyzer's enabled property.
protected java.io.FileFilter	getFileFilter() Returns the FileFilter.
java.lang.String	getName() Returns the name of the analyzer.
protected boolean	parseManifest(Dependency dependency, java.util.List<JarAnalyzer.ClassNameInformation> classInformation) Reads the manifest from the JAR file and collects the entries.
void	prepareFileTypeAnalyzer(Engine engine) Initializes the JarAnalyzer.
static boolean	setPomEvidence(Dependency dependency, Model pom, java.util.List<JarAnalyzer.ClassNameInformation> classes, boolean isMainPom) Sets evidence from the pom on the supplied dependency.

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer

getFilesMatched, newHashSet, prepareAnalyzer, setFilesMatched

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractAnalyzer

analyze, close, getSettings, initialize, isEnabled, prepare, setEnabled, supportsParallelProcessing

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.owasp.dependencycheck.analyzer.Analyzer

analyze, close, initialize, isEnabled, prepare, supportsParallelProcessing

Field Detail

DEPENDENCY_ECOSYSTEM

public static final java.lang.String DEPENDENCY_ECOSYSTEM

A descriptor for the type of dependencies processed or added by this analyzer.

See Also:

Constant Field Values

Constructor Detail

JarAnalyzer

public JarAnalyzer()

Method Detail

getFileFilter

protected java.io.FileFilter getFileFilter()

Returns the FileFilter.

Specified by:

getFileFilter in class AbstractFileTypeAnalyzer

Returns:

the FileFilter

getName

public java.lang.String getName()

Returns the name of the analyzer.

Returns:

the name of the analyzer.

getAnalysisPhase

public AnalysisPhase getAnalysisPhase()

Returns the phase that the analyzer is intended to run in.

Returns:

the phase that the analyzer is intended to run in.

accept

public boolean accept(java.io.File pathname)

Description copied from class: AbstractFileTypeAnalyzer

Determines if the file can be analyzed by the analyzer.

Specified by:

accept in interface java.io.FileFilter

Overrides:

accept in class AbstractFileTypeAnalyzer

Parameters:

pathname - the path to the file

Returns:

true if the file can be analyzed by the given analyzer; otherwise false

getAnalyzerEnabledSettingKey

protected java.lang.String getAnalyzerEnabledSettingKey()

Returns the key used in the properties file to reference the analyzer's enabled property.

Specified by:

getAnalyzerEnabledSettingKey in class AbstractAnalyzer

Returns:

the analyzer's enabled property setting key

analyzeDependency

public void analyzeDependency(Dependency dependency,
                              Engine engine)
                       throws AnalysisException

Loads a specified JAR file and collects information from the manifest and checksums to identify the correct CPE information.

Specified by:

analyzeDependency in class AbstractAnalyzer

Parameters:

dependency - the dependency to analyze.

engine - the engine that is scanning the dependencies

Throws:

AnalysisException - is thrown if there is an error reading the JAR file.

analyzePOM

protected boolean analyzePOM(Dependency dependency,
                             java.util.List<JarAnalyzer.ClassNameInformation> classes,
                             Engine engine)
                      throws AnalysisException

Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence. This will attempt to interpolate the strings contained within the pom.properties if one exists.

Parameters:

dependency - the dependency being analyzed

classes - a collection of class name information

engine - the analysis engine, used to add additional dependencies

Returns:

whether or not evidence was added to the dependency

Throws:

AnalysisException - is thrown if there is an exception parsing the pom

setPomEvidence

public static boolean setPomEvidence(Dependency dependency,
                                     Model pom,
                                     java.util.List<JarAnalyzer.ClassNameInformation> classes,
                                     boolean isMainPom)

Sets evidence from the pom on the supplied dependency.

Parameters:

dependency - the dependency to set data on

pom - the information from the pom

classes - a collection of ClassNameInformation - containing data about the fully qualified class names within the JAR file being analyzed

isMainPom - a flag indicating if this is the primary pom.

Returns:

true if there was evidence within the pom that we could use; otherwise false

analyzePackageNames

protected void analyzePackageNames(java.util.List<JarAnalyzer.ClassNameInformation> classNames,
                                   Dependency dependency,
                                   boolean addPackagesAsEvidence)

Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible vendor or product names. If any are found they are stored in the packageVendor and packageProduct hashSets.

Parameters:

classNames - a list of class names

dependency - a dependency to analyze

addPackagesAsEvidence - a flag indicating whether or not package names should be added as evidence.

parseManifest

protected boolean parseManifest(Dependency dependency,
                                java.util.List<JarAnalyzer.ClassNameInformation> classInformation)
                         throws java.io.IOException

Reads the manifest from the JAR file and collects the entries. Some vendorKey entries are:

• Implementation Title
• Implementation Version
• Implementation Vendor
• Implementation VendorId
• Bundle Name
• Bundle Version
• Bundle Vendor
• Bundle Description
• Main Class

However, all but a handful of specific entries are read in.

Parameters:

dependency - A reference to the dependency

classInformation - a collection of class information

Returns:

whether evidence was identified parsing the manifest

Throws:

java.io.IOException - if there is an issue reading the JAR file

addDescription

public static java.lang.String addDescription(Dependency dependency,
                                              java.lang.String description,
                                              java.lang.String source,
                                              java.lang.String key)

Adds a description to the given dependency. If the description contains one of the following strings beyond 100 characters, then the description used will be trimmed to that position:

• "such as"
• "like "
• "will use "
• "* uses "

Parameters:

dependency - a dependency

description - the description

source - the source of the evidence

key - the "name" of the evidence

Returns:

if the description is trimmed, the trimmed version is returned; otherwise the original description is returned

prepareFileTypeAnalyzer

public void prepareFileTypeAnalyzer(Engine engine)
                             throws InitializationException

Initializes the JarAnalyzer.

Specified by:

prepareFileTypeAnalyzer in class AbstractFileTypeAnalyzer

Parameters:

engine - a reference to the dependency-check engine

Throws:

InitializationException - is thrown if there is an exception creating a temporary directory

closeAnalyzer

public void closeAnalyzer()

Deletes any files extracted from the JAR during analysis.

Overrides:

closeAnalyzer in class AbstractAnalyzer

collectClassNames

protected java.util.List<JarAnalyzer.ClassNameInformation> collectClassNames(Dependency dependency)

Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class names. This does not include core Java package names (i.e. java.* or javax.*).

Parameters:

dependency - the dependency being analyzed

Returns:

an list of fully qualified class names

addMatchingValues

protected static void addMatchingValues(java.util.List<JarAnalyzer.ClassNameInformation> classes,
                                        java.lang.String value,
                                        Dependency dep,
                                        EvidenceType type)

Cycles through the collection of class name information to see if parts of the package names are contained in the provided value. If found, it will be added as the HIGHEST confidence evidence because we have more then one source corroborating the value.

Parameters:

classes - a collection of class name information

value - the value to check to see if it contains a package name

dep - the dependency to add new entries too

type - the type of evidence (vendor, product, or version)

extractLicense

public static void extractLicense(Model pom,
                                  Dependency dependency)

Extracts the license information from the pom and adds it to the dependency.

Parameters:

pom - the pom object

dependency - the dependency to add license information too