

devonfw#103: fixed NPEs and other issues
adjusted getCpeVendor and getCpeProduct to return the tool name instead of an empty string
removed unused urlEdition param from getCpeEdition
added workaround for intellij #1378
fixed NPEs (added checks for missing UrlUpdaters)
jan-vcapgemini committed Feb 29, 2024
1 parent 69e1fdd commit 4d6766c
Showing 4 changed files with 37 additions and 17 deletions.
Expand Up @@ -103,24 +103,23 @@ protected final String getToolWithEdition() {
*/
public String getCpeVendor() {

return "";
return getTool();
}

/**
* @return the product name of the tool as specified in the CPE (Common Platform Enumeration)
*/
public String getCpeProduct() {

return "";
return getTool();
}

/**
* @param urlEdition the {@link UrlEdition} to get the CPE (Common Platform Enumeration) edition for.
* @return the edition as specified in the CPE.
*/
public String getCpeEdition(String urlEdition) {
public String getCpeEdition() {

return "";
return getTool();
}

/**
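Review bot: getCpeEdition() now returns getTool(), but its Javadoc (`@return the edition as specified in the CPE`) still promises an edition, so the default value and the documented contract disagree; unless the CPE edition field is meant to carry the tool name, `return getEdition();` (or the previous empty string) looks more faithful, and the Javadoc should say that subclasses are expected to override these three getters. A knock-on effect: UrlAnalyzer.analyzeDependency guards on `cpeVendor.isBlank() || cpeProduct.isBlank()`, and since the defaults are never blank any more that guard no longer filters out updaters without a real CPE mapping, so the tool name is fed as CPE vendor and product into the lookup; whether that yields correct matches for every tool cannot be verified from this hunk. If the tool-name fallback is intended, a short comment on getCpeVendor such as `// default: the tool name; override when the CPE vendor differs` would make the intent explicit. The enclosing class starts outside the hunk.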
Expand Up @@ -108,8 +108,16 @@ public void updateAll() {
*/
public AbstractUrlUpdater retrieveUrlUpdater(String tool, String edition) {

return updaters.stream().filter(updater -> updater.getTool().equals(tool) && updater.getEdition().equals(edition))
.findFirst().orElse(null);
for (AbstractUrlUpdater updater : updaters) {
// TODO: fix this ugly hack for intellij see: https://github.com/devonfw/ide/issues/1378
if (updater.getTool().equals(tool) && edition.equals("intellij")) {
return updater;
}
if (updater.getTool().equals(tool) && updater.getEdition().equals(edition)) {
return updater;
}
}
return null;
}

public UrlRepository getUrlRepository() {
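Review bot: In retrieveUrlUpdater the intellij workaround is tested before the exact match, so for `edition` "intellij" the first updater with a matching tool wins even when a later updater matches tool and edition exactly; the lookup also calls `edition.equals("intellij")` and `updater.getEdition().equals(edition)`, which still throw for a null `edition` despite the commit's NPE aim. Doing the exact match first and only then falling back to the tool-only match for intellij keeps the workaround from shadowing a precise updater, and `"intellij".equals(edition)` makes the fallback null-safe. Whether a null edition can actually reach this method cannot be told from the hunk.
```java
public AbstractUrlUpdater retrieveUrlUpdater(String tool, String edition) {

  for (AbstractUrlUpdater updater : updaters) {
    if (updater.getTool().equals(tool) && updater.getEdition().equals(edition)) {
      return updater;
    }
  }
  // TODO: fix this ugly hack for intellij see: https://github.com/devonfw/ide/issues/1378
  if ("intellij".equals(edition)) {
    for (AbstractUrlUpdater updater : updaters) {
      if (updater.getTool().equals(tool)) {
        return updater;
      }
    }
  }
  return null;
}
```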
Expand Up @@ -5,6 +5,7 @@
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
Expand Down Expand Up @@ -111,14 +112,17 @@ private static void run() {

initCvesToIgnore();
UpdateManager updateManager = new UpdateManager(context.getUrlsPath(), null);
Dependency[] dependencies = getDependenciesWithVulnerabilities(updateManager);
List<Dependency> dependencies = getDependenciesWithVulnerabilities(updateManager);
Set<Pair<String, String>> foundToolsAndEditions = new HashSet<>();
for (Dependency dependency : dependencies) {
String filePath = dependency.getFilePath();
Path parent = Paths.get(filePath).getParent();
String tool = parent.getParent().getParent().getFileName().toString();
String edition = parent.getParent().getFileName().toString();
AbstractUrlUpdater urlUpdater = updateManager.retrieveUrlUpdater(tool, edition);
if (urlUpdater == null) {
continue;
}
UrlSecurityJsonFile securityFile = context.getUrls().getEdition(tool, edition).getSecurityJsonFile();
boolean newlyAdded = foundToolsAndEditions.add(new Pair<>(tool, edition));
if (newlyAdded) { // to assure that the file is cleared only once per tool and edition
Expand Down Expand Up @@ -153,6 +157,7 @@ private static Map<String, String> buildCpeToUrlVersionMap(String tool, String e

List<String> sortedVersions = context.getUrls().getSortedVersions(tool, edition).stream()
.map(VersionIdentifier::toString).toList();

List<String> sortedCpeVersions = sortedVersions.stream().map(urlUpdater::mapUrlVersionToCpeVersion)
.collect(Collectors.toList());
Map<String, String> cpeToUrlVersion = MapUtil.createMapfromLists(sortedCpeVersions, sortedVersions);
Expand All @@ -163,13 +168,13 @@ private static Map<String, String> buildCpeToUrlVersionMap(String tool, String e
* Uses the {@link Engine OWASP engine} to scan the {@link AbstractIdeContext#getUrlsPath() ide-url} folder for
* dependencies and then runs {@link Engine#analyzeDependencies() analyzes} them to get the {@link Vulnerability
* vulnerabilities}.
*
*
* @param updateManager the {@link UpdateManager} to use to get the {@link AbstractUrlUpdater} of the tool to get CPE
* Vendor, CPE Product and CPE edition of the tool, as well as the
* {@link AbstractUrlUpdater#mapCpeVersionToUrlVersion(String) CPE naming of its version}
* @return the {@link Dependency dependencies} with associated {@link Vulnerability vulnerabilities}.
*/
private static Dependency[] getDependenciesWithVulnerabilities(UpdateManager updateManager) {
private static List<Dependency> getDependenciesWithVulnerabilities(UpdateManager updateManager) {

Settings settings = new Settings();
Engine engine = new Engine(settings);
Expand All @@ -189,8 +194,11 @@ private static Dependency[] getDependenciesWithVulnerabilities(UpdateManager upd
throw new RuntimeException(e);
}
Dependency[] dependencies = engine.getDependencies();
// remove dependencies without vulnerabilities
List<Dependency> dependenciesFiltered = Arrays.stream(dependencies)
.filter(dependency -> !dependency.getVulnerabilities().isEmpty()).toList();
engine.close();
return dependencies;
return dependenciesFiltered;
}

/**
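Review bot: In getDependenciesWithVulnerabilities the engine is closed only on the happy path: `engine.close()` near the end is skipped when `throw new RuntimeException(e)` in the catch above fires, or when getDependencies() or the new filter throws, so the Engine and whatever it holds open leak. Declaring it as `try (Engine engine = new Engine(settings)) {` and returning `dependenciesFiltered` from inside that block removes the leak; the construction and the return sit in different hunks with lines hidden between them, so the change spans the whole method. Separately, the new `if (urlUpdater == null) { continue; }` in run() drops a dependency that does have vulnerabilities without any trace, and the matching `return` added in UrlAnalyzer.analyzeDependency does the same; for a security scan a warning through the class's logger naming the skipped tool and edition would keep such coverage gaps visible rather than silent.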
17 changes: 11 additions & 6 deletions security/src/main/java/com/devonfw/tools/security/UrlAnalyzer.java
@@ -1,7 +1,9 @@
package com.devonfw.tools.security;

import com.devonfw.tools.ide.url.updater.AbstractUrlUpdater;
import com.devonfw.tools.ide.url.updater.UpdateManager;
import java.io.FileFilter;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer;
import org.owasp.dependencycheck.analyzer.AnalysisPhase;
Expand All @@ -11,9 +13,8 @@
import org.owasp.dependencycheck.dependency.EvidenceType;
import org.owasp.dependencycheck.exception.InitializationException;

import java.io.FileFilter;
import java.nio.file.Path;
import java.nio.file.Paths;
import com.devonfw.tools.ide.url.updater.AbstractUrlUpdater;
import com.devonfw.tools.ide.url.updater.UpdateManager;

/**
* Analyzes file paths to detect tool, edition and version of software listed in a directory structure like this:
Expand Down Expand Up @@ -56,9 +57,13 @@ protected void analyzeDependency(Dependency dependency, Engine engine) {

AbstractUrlUpdater urlUpdater = this.updateManager.retrieveUrlUpdater(tool, edition);

if (urlUpdater == null) {
return;
}

String cpeVendor = urlUpdater.getCpeVendor();
String cpeProduct = urlUpdater.getCpeProduct();
String cpeEdition = urlUpdater.getCpeEdition(edition);
String cpeEdition = urlUpdater.getCpeEdition();
String cpeVersion = urlUpdater.mapUrlVersionToCpeVersion(versionFolder.getFileName().toString());

if (cpeVendor.isBlank() || cpeProduct.isBlank()) {
