

/**
 * Copyright (c) 2017 Vör Security Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 * * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * * Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * * Neither the name of the  nor the
 * names of its contributors may be used to endorse or promote products
 * derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL  BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
package net.ossindex.common.request;

import java.io.IOException;
import java.lang.reflect.Type;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;

import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.reflect.TypeToken;
import net.ossindex.common.IPackageRequest;
import net.ossindex.common.PackageCoordinate;
import net.ossindex.common.PackageDescriptor;
import net.ossindex.common.VulnerabilityDescriptor;
import net.ossindex.common.filter.IVulnerabilityFilter;
import net.ossindex.common.filter.VulnerabilityFilterFactory;

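/**
 * Builds and executes an OSS Index "package" request.
 * <p>
 * Packages are accumulated with the {@code add} methods and sent to the server in a single POST by
 * {@link #run()}. The server is expected to answer with one descriptor per requested package, in
 * request order; {@link #run()} relies on that ordering to pair each result with the coordinate
 * path it was requested with when applying the registered vulnerability filters.
 * <p>
 * Instances are not thread-safe.
 *
 * @author Ken Duck
 */
public class PackageRequest implements IPackageRequest
{
  private final Gson gson = new GsonBuilder().disableHtmlEscaping().create();

  private final OssIndexHttpClient client;

  /**
   * Packages returned from the server are in the same order as the packages SENT to the server.
   */
  private final List<PackageDescriptor> packages = new LinkedList<>();

  /**
   * We assume that the results for a path will be returned in the same order that they are requested from the server.
   * In other words there will be one path per package, at the same index as in {@link #packages}.
   */
  private final List<List<PackageCoordinate>> paths = new LinkedList<>();

  /**
   * All filters to apply to the vulnerabilities of each returned package. A vulnerability is
   * dropped when at least one filter matches it.
   */
  private final List<IVulnerabilityFilter> filters = new LinkedList<>();

  /**
   * @param client HTTP client used to reach OSS Index
   */
  public PackageRequest(OssIndexHttpClient client) {
    this.client = client;
  }

  /**
   * Registers a filter that is evaluated against every returned vulnerability in {@link #run()}.
   *
   * @param filter filter to add
   */
  public void addVulnerabilityFilter(IVulnerabilityFilter filter) {
    filters.add(filter);
  }

  /**
   * Adds a single package (with a one-element path) to the request.
   *
   * @param pm         package manager / format
   * @param groupId    namespace of the package
   * @param artifactId name of the package
   * @param version    version of the package
   * @return the descriptor that will be populated by {@link #run()}
   */
  @Override
  public PackageDescriptor add(String pm, String groupId, String artifactId, String version) {
    PackageCoordinate pkg = PackageCoordinate.newBuilder()
        .withFormat(pm)
        .withNamespace(groupId)
        .withName(artifactId)
        .withVersion(version)
        .build();
    return add(Collections.singletonList(pkg));
  }

  /**
   * Adds a package identified by the last coordinate of {@code path}; the whole path is retained
   * and handed to the vulnerability filters when the results come back.
   *
   * @param path coordinates ending with the package to query; may be null or empty
   * @return the descriptor that will be populated by {@link #run()}, or null when {@code path}
   *         is null or empty
   */
  @Override
  public PackageDescriptor add(List<PackageCoordinate> path) {
    if (path == null || path.isEmpty()) {
      return null;
    }
    PackageCoordinate pkg = path.get(path.size() - 1);
    // Build the descriptor for the query
    PackageDescriptor desc = new PackageDescriptor(pkg.getFormat(), pkg.getNamespace(), pkg.getName(),
        pkg.getVersion());

    // Keep both lists in step: index i of packages corresponds to index i of paths
    packages.add(desc);
    paths.add(path);

    return desc;
  }

  /**
   * Sends the accumulated packages to OSS Index and returns the server's descriptors, with the
   * registered filters applied to each descriptor's vulnerability list.
   *
   * @return the returned descriptors, in request order; empty when the server body deserializes
   *         to nothing
   * @throws IOException              if the HTTP request fails
   * @throws IllegalArgumentException if the server returns more packages than were requested
   */
  @Override
  public Collection<PackageDescriptor> run() throws IOException {
    String data = gson.toJson(packages);
    // Perform the OSS Index query
    String response = client.performPostRequest("package", data);

    // Convert the results to Java objects
    Type listType = new TypeToken<Collection<PackageDescriptor>>() { }.getType();
    Collection<PackageDescriptor> results = gson.fromJson(response, listType);
    if (results == null) {
      // Gson yields null for an empty or literal "null" body; report "no packages" instead of
      // letting the filter step dereference it.
      return Collections.emptyList();
    }
    filterResults(results); // Mutates the descriptors: filtered vulnerabilities are removed
    return results;
  }

  /**
   * Pairs each returned descriptor with the path it was requested with (by position) and filters
   * its vulnerabilities. No-op when no filters are registered.
   *
   * @param pkgs descriptors returned by the server, in request order
   * @throws IllegalArgumentException if there are more descriptors than requested paths, since the
   *                                  positional pairing would then be wrong
   */
  private void filterResults(final Collection<PackageDescriptor> pkgs) {
    if (filters.isEmpty()) {
      return;
    }
    Iterator<PackageDescriptor> pkgIt = pkgs.iterator();
    Iterator<List<PackageCoordinate>> pathIt = paths.iterator();
    while (pkgIt.hasNext()) {
      if (!pathIt.hasNext()) {
        throw new IllegalArgumentException("Server results do not match request");
      }
      filterPackage(pkgIt.next(), pathIt.next());
    }
  }

  /**
   * Replaces the package's vulnerability list with the vulnerabilities no registered filter
   * matches. Each vulnerability is kept at most once.
   *
   * @param pkg  descriptor whose vulnerabilities are rewritten in place
   * @param path coordinate path the package was requested with
   */
  private void filterPackage(final PackageDescriptor pkg,
                             final List<PackageCoordinate> path)
  {
    List<VulnerabilityDescriptor> vulns = pkg.getVulnerabilities();
    if (vulns == null || vulns.isEmpty()) {
      return;
    }
    // Build a new list holding only the vulnerabilities that survive every filter
    List<VulnerabilityDescriptor> retained = new LinkedList<>();
    for (VulnerabilityDescriptor vuln : vulns) {
      String vid = Long.toString(vuln.getId());
      if (!isFiltered(path, vid)) {
        retained.add(vuln);
      }
    }
    pkg.setVulnerabilities(retained);
  }

  /**
   * @param path coordinate path of the package the vulnerability belongs to
   * @param vid  vulnerability id as a decimal string
   * @return true when at least one registered filter says the vulnerability should be dropped
   */
  private boolean isFiltered(final List<PackageCoordinate> path, final String vid) {
    for (IVulnerabilityFilter filter : filters) {
      if (VulnerabilityFilterFactory.shouldFilter(filter, path, vid)) {
        return true;
      }
    }
    return false;
  }
}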



