org.owasp.dependencycheck.data.update.nvd.NvdCveParser Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of dependency-check-core Show documentation
Show all versions of dependency-check-core Show documentation
dependency-check-core is the engine and reporting tool used to identify and report if there are any known, publicly disclosed vulnerabilities in the scanned project's dependencies. The engine extracts meta-data from the dependencies and uses this to do fuzzy key-word matching against the Common Platfrom Enumeration (CPE), if any CPE identifiers are found the associated Common Vulnerability and Exposure (CVE) entries are added to the generated report.
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2018 Steve Springett. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update.nvd;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.Module;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectReader;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.module.blackbird.BlackbirdModule;
import com.fasterxml.jackson.module.afterburner.AfterburnerModule;
import java.io.EOFException;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import static java.nio.charset.StandardCharsets.UTF_8;
import java.util.zip.GZIPInputStream;
import java.util.zip.ZipException;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.update.exception.CorruptedDatastreamException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.owasp.dependencycheck.data.nvd.json.DefCveItem;
import org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.Utils;
/**
* Parser and processor of NVD CVE JSON data feeds.
*
* @author Jeremy Long
*/
public final class NvdCveParser {
/**
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(NvdCveParser.class);
/**
* A reference to the CVE DB.
*/
private final CveDB cveDB;
/**
* A reference to the ODC settings.
*/
private final Settings settings;
/**
* Creates a new NVD CVE JSON Parser.
*
* @param settings the dependency-check settings
* @param db a reference to the database
*/
public NvdCveParser(Settings settings, CveDB db) {
this.settings = settings;
this.cveDB = db;
}
/**
* Parses the NVD JSON file and inserts/updates data into the database.
*
* @param file the NVD JSON file to parse
* @throws UpdateException thrown if the file could not be read
* @throws CorruptedDatastreamException thrown if the file was found to be a
* corrupted download (ZipException or premature EOF)
*/
public void parse(File file) throws UpdateException, CorruptedDatastreamException {
LOGGER.debug("Parsing " + file.getName());
final Module module;
if (Utils.getJavaVersion() <= 8) {
module = new AfterburnerModule();
} else {
module = new BlackbirdModule();
}
final ObjectMapper objectMapper = JsonMapper.builder()
.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
.addModule(module)
.build();
final ObjectReader objectReader = objectMapper.readerFor(DefCveItem.class);
try (InputStream fin = new FileInputStream(file);
InputStream in = new GZIPInputStream(fin);
InputStreamReader isr = new InputStreamReader(in, UTF_8);
JsonParser parser = objectReader.getFactory().createParser(isr)) {
final CveEcosystemMapper mapper = new CveEcosystemMapper();
init(parser);
while (parser.nextToken() == JsonToken.START_OBJECT) {
final DefCveItem cve = objectReader.readValue(parser);
cveDB.updateVulnerability(cve, mapper.getEcosystem(cve));
}
} catch (FileNotFoundException ex) {
LOGGER.error(ex.getMessage());
throw new UpdateException("Unable to find the NVD CVE file, `" + file + "`, to parse", ex);
} catch (ZipException | EOFException ex) {
throw new CorruptedDatastreamException("Error parsing NVD CVE file", ex);
} catch (IOException ex) {
LOGGER.error("Error reading NVD JSON data: {}", file);
LOGGER.debug("Error extracting the NVD JSON data from: " + file, ex);
throw new UpdateException("Unable to find the NVD CVE file to parse", ex);
}
}
void init(JsonParser parser) throws IOException {
JsonToken nextToken = parser.nextToken();
if (nextToken != JsonToken.START_OBJECT) {
throw new IOException("Expected " + JsonToken.START_OBJECT + ", got " + nextToken);
}
do {
nextToken = parser.nextToken();
if (nextToken == null) {
break;
}
if (nextToken.isStructStart()) {
if (nextToken == JsonToken.START_ARRAY) {
break;
} else {
parser.skipChildren();
}
}
} while (true);
}
}