org.owasp.dependencycheck.analyzer

Class NodePackageAnalyzer

java.lang.Object

org.owasp.dependencycheck.analyzer.AbstractAnalyzer

org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer

org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer

org.owasp.dependencycheck.analyzer.NodePackageAnalyzer

All Implemented Interfaces:

java.io.FileFilter, Analyzer, FileTypeAnalyzer

@ThreadSafe
public class NodePackageAnalyzer
extends AbstractNpmAnalyzer

Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the associated CPE.

Author:

Dale Visser

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	DEPENDENCY_ECOSYSTEM A descriptor for the type of dependencies processed or added by this analyzer.
static java.lang.String	NODE_MODULES_DIRNAME The name of the directory that contains node modules.
static java.lang.String	PACKAGE_JSON The file name to scan.
static java.lang.String	PACKAGE_LOCK_JSON The file name to scan.
static java.lang.String	SHRINKWRAP_JSON The file name to scan.

Fields inherited from class org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer

NPM_DEPENDENCY_ECOSYSTEM

Constructor Summary

Constructors

Constructor and Description
NodePackageAnalyzer()

Method Summary

Modifier and Type	Method and Description
protected void	analyzeDependency(Dependency dependency, Engine engine) Analyzes a given dependency.
AnalysisPhase	getAnalysisPhase() Returns the phase that the analyzer is intended to run in.
protected java.lang.String	getAnalyzerEnabledSettingKey() Returns the key used in the properties file to reference the enabled property for the analyzer.
protected java.io.FileFilter	getFileFilter() Returns the FileFilter
java.lang.String	getName() Returns the name of the analyzer.
protected void	prepareFileTypeAnalyzer(Engine engine) Performs validation on the configuration to ensure that the correct analyzers are in place.
static boolean	shouldSkipDependency(java.lang.String name, java.lang.String version) Checks if the given dependency should be skipped.
static boolean	shouldSkipDependency(java.lang.String name, java.lang.String version, boolean optional, boolean fileExist) should process the dependency ? Will return true if you need to skip it .

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer

accept, createDependency, determineVersionFromMap, findDependency, gatherEvidence, getSearcher, processPackage, processPackage, processResults, replaceOrAddVulnerability, shouldProcess

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer

getFilesMatched, newHashSet, prepareAnalyzer, setFilesMatched

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractAnalyzer

analyze, close, closeAnalyzer, getSettings, initialize, isEnabled, prepare, setEnabled, supportsParallelProcessing

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.owasp.dependencycheck.analyzer.Analyzer

analyze, close, initialize, isEnabled, prepare, supportsParallelProcessing

Field Detail

DEPENDENCY_ECOSYSTEM

public static final java.lang.String DEPENDENCY_ECOSYSTEM

A descriptor for the type of dependencies processed or added by this analyzer.

See Also:

Constant Field Values

PACKAGE_JSON

public static final java.lang.String PACKAGE_JSON

The file name to scan.

See Also:

Constant Field Values

PACKAGE_LOCK_JSON

public static final java.lang.String PACKAGE_LOCK_JSON

The file name to scan.

See Also:

Constant Field Values

SHRINKWRAP_JSON

public static final java.lang.String SHRINKWRAP_JSON

The file name to scan.

See Also:

Constant Field Values

NODE_MODULES_DIRNAME

public static final java.lang.String NODE_MODULES_DIRNAME

The name of the directory that contains node modules.

See Also:

Constant Field Values

Constructor Detail

NodePackageAnalyzer

public NodePackageAnalyzer()

Method Detail

getFileFilter

protected java.io.FileFilter getFileFilter()

Returns the FileFilter

Specified by:

getFileFilter in class AbstractFileTypeAnalyzer

Returns:

the FileFilter

prepareFileTypeAnalyzer

protected void prepareFileTypeAnalyzer(Engine engine)
                                throws InitializationException

Performs validation on the configuration to ensure that the correct analyzers are in place.

Overrides:

prepareFileTypeAnalyzer in class AbstractNpmAnalyzer

Parameters:

engine - the dependency-check engine

Throws:

InitializationException - thrown if there is a configuration error

getName

public java.lang.String getName()

Returns the name of the analyzer.

Returns:

the name of the analyzer.

getAnalysisPhase

public AnalysisPhase getAnalysisPhase()

Returns the phase that the analyzer is intended to run in.

Returns:

the phase that the analyzer is intended to run in.

getAnalyzerEnabledSettingKey

protected java.lang.String getAnalyzerEnabledSettingKey()

Returns the key used in the properties file to reference the enabled property for the analyzer.

Specified by:

getAnalyzerEnabledSettingKey in class AbstractAnalyzer

Returns:

the enabled property setting key for the analyzer

analyzeDependency

protected void analyzeDependency(Dependency dependency,
                                 Engine engine)
                          throws AnalysisException

Description copied from class: AbstractAnalyzer

Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned, and added to the list of dependencies within the engine.

Specified by:

analyzeDependency in class AbstractAnalyzer

Parameters:

dependency - the dependency to analyze

engine - the engine scanning

Throws:

AnalysisException - thrown if there is an analysis exception

shouldSkipDependency

public static boolean shouldSkipDependency(java.lang.String name,
                                           java.lang.String version,
                                           boolean optional,
                                           boolean fileExist)

should process the dependency ? Will return true if you need to skip it . (e.g. dependency can't be read, or if npm audit doesn't handle it)

Parameters:

name - the name of the dependency

version - the version of the dependency

optional - is the dependency optional ?

fileExist - is the package.json available for this file ?

Returns:

should you skip this dependency ?

shouldSkipDependency

public static boolean shouldSkipDependency(java.lang.String name,
                                           java.lang.String version)

Checks if the given dependency should be skipped.

Parameters:

name - the name of the dependency to test

version - the version of the dependency to test

Returns:

true if the dependency should be skipped; otherwise false

See Also:

shouldSkipDependency(java.lang.String, java.lang.String, boolean, boolean)