diff --git a/cli/src/main/java/com/devonfw/tools/ide/tool/java/JavaUrlUpdater.java b/cli/src/main/java/com/devonfw/tools/ide/tool/java/JavaUrlUpdater.java
index c6a8714c7..ecad6ce41 100644
--- a/cli/src/main/java/com/devonfw/tools/ide/tool/java/JavaUrlUpdater.java
+++ b/cli/src/main/java/com/devonfw/tools/ide/tool/java/JavaUrlUpdater.java
@@ -26,17 +26,26 @@ protected String mapVersion(String version) {
 return super.mapVersion(version);
 }
- protected String getCPEVendor() {
+ @Override
+ protected String getCpeVendor() {
+
+ // return "vikwp";
 return "eclipse";
 }
- protected String getCPEProduct() {
+ @Override
+ protected String getCpeProduct() {
+
+ // return "vik_booking";
 return "temurin";
 }
+ @Override
+ protected String mapUrlVersionToCpeVersion(String version) {
-
-
+ // return "1.5.8";
+ return version;
+ }
 @Override
 protected void addVersion(UrlVersion urlVersion) {
diff --git a/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java b/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java
index 4258c6a5e..ded51f75c 100644
--- a/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java
+++ b/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java
@@ -97,15 +97,18 @@ protected final String getToolWithEdition() {
 return tool + "/" + edition;
 }
- protected String getCPEVendor() {
+ protected String getCpeVendor() {
+
 return "";
 }
- protected String getCPEProduct() {
+ protected String getCpeProduct() {
+
 return "";
 }
- protected String mapUrlVersionToCPEVersion(String version) {
+ protected String mapUrlVersionToCpeVersion(String version) {
+
 return version;
 }
diff --git a/cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java b/cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java
index 22d6b0a9c..70788f5e9 100644
--- a/cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java
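Review bot: The three commented-out returns in the JavaUrlUpdater hunk (`// return "vikwp";`, `// return "vik_booking";`, `// return "1.5.8";`) are leftover experiment values unrelated to Temurin and should be deleted rather than committed; commented-out code inside the CPE mapping is especially misleading because a later uncomment would point the vulnerability matching at a different product. The overrides also lack a comment stating what the values are for; I would put `/** CPE vendor used by the security scan's CPE matching for this tool ("eclipse" for Temurin). */` above `getCpeVendor()` and the equivalent above `getCpeProduct()`. `mapUrlVersionToCpeVersion` returning `version` unchanged only restates the base-class default shown in the AbstractUrlUpdater hunk, so it can be dropped unless a Temurin-specific mapping is intended.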
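Review bot: The defaults `return "";` in `getCpeVendor()` and `getCpeProduct()` of the AbstractUrlUpdater hunk leave the contract undocumented: as far as the UrlAnalyzer hunk shows, the vendor value is turned into HIGH-confidence evidence without a null or empty check, so an updater without a mapping contributes an empty vendor identifier, while `UpdateManager` answers null for a tool with no updater, giving callers two different "unknown" values to handle. I would state the contract in Javadoc, e.g. `/** @return the CPE vendor used for vulnerability matching of this tool, or the empty string if no mapping exists (callers must skip it). */`, the same for product, and `/** @return the CPE version for the given URL version; identity by default. */` on `mapUrlVersionToCpeVersion`. If the intent is that every updater must supply a mapping, making the two getters abstract would surface a missing mapping at compile time instead of as silently empty evidence.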
+++ b/cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java
@@ -57,13 +57,14 @@ public class UpdateManager extends AbstractProcessorWithTimeout {
 private final UrlRepository urlRepository;
 private final List updaters = Arrays.asList(new AndroidStudioUrlUpdater(), new AwsUrlUpdater(),
- new AzureUrlUpdater(), new CobigenUrlUpdater(), new DockerDesktopUrlUpdater() , new DotNetUrlUpdater(), new EclipseCppUrlUpdater(),
- new EclipseJavaUrlUpdater(), new GCloudUrlUpdater(), new GcViewerUrlUpdater(), new GhUrlUpdater(),
- new GraalVmCommunityUpdater(), new GraalVmOracleUrlUpdater(), new GradleUrlUpdater(), new HelmUrlUpdater(), new IntellijUrlUpdater(),
- new JavaUrlUpdater(), new JenkinsUrlUpdater(), new JmcUrlUpdater(), new KotlincUrlUpdater(), new KotlincNativeUrlUpdater(),
- new LazyDockerUrlUpdater(), new MvnUrlUpdater(), new NodeUrlUpdater(), new NpmUrlUpdater(), new OcUrlUpdater(),
- new PipUrlUpdater(), new PythonUrlUpdater(), new QuarkusUrlUpdater(), new DockerRancherDesktopUrlUpdater(),
- new SonarUrlUpdater(), new TerraformUrlUpdater(), new TomcatUrlUpdater(), new VsCodeUrlUpdater());
+ new AzureUrlUpdater(), new CobigenUrlUpdater(), new DockerDesktopUrlUpdater(), new DotNetUrlUpdater(),
+ new EclipseCppUrlUpdater(), new EclipseJavaUrlUpdater(), new GCloudUrlUpdater(), new GcViewerUrlUpdater(),
+ new GhUrlUpdater(), new GraalVmCommunityUpdater(), new GraalVmOracleUrlUpdater(), new GradleUrlUpdater(),
+ new HelmUrlUpdater(), new IntellijUrlUpdater(), new JavaUrlUpdater(), new JenkinsUrlUpdater(),
+ new JmcUrlUpdater(), new KotlincUrlUpdater(), new KotlincNativeUrlUpdater(), new LazyDockerUrlUpdater(),
+ new MvnUrlUpdater(), new NodeUrlUpdater(), new NpmUrlUpdater(), new OcUrlUpdater(), new PipUrlUpdater(),
+ new PythonUrlUpdater(), new QuarkusUrlUpdater(), new DockerRancherDesktopUrlUpdater(), new SonarUrlUpdater(),
+ new TerraformUrlUpdater(), new TomcatUrlUpdater(), new VsCodeUrlUpdater());
 /**
 * The constructor.
@@ -95,10 +96,22 @@ public void updateAll() {
 }
 }
- public String getVendor(String tool) {
- AbstractUrlUpdater matchedUpdater = (AbstractUrlUpdater) updaters.stream().filter(updater -> updater.getTool().equals(tool)).toArray()[0];
- return matchedUpdater.getCPEVendor();
-// updaters.stream().filter(updater -> updater.getTool().equals(tool)).findFirst().ifPresent(AbstractUrlUpdater::getVendor);
+ public String getCpeVendor(String tool) {
+
+ return updaters.stream().filter(updater -> updater.getTool().equals(tool)).findFirst()
+ .map(AbstractUrlUpdater::getCpeVendor).orElse(null);
+ }
+
+ public String getCpeProduct(String tool) {
+
+ return updaters.stream().filter(updater -> updater.getTool().equals(tool)).findFirst()
+ .map(AbstractUrlUpdater::getCpeProduct).orElse(null);
+ }
+
+ public String mapUrlVersionToCpeVersion(String tool, String urlVersion) {
+
+ return updaters.stream().filter(updater -> updater.getTool().equals(tool)).findFirst()
+ .map(updater -> updater.mapUrlVersionToCpeVersion(urlVersion)).orElse(null);
 }
 }
diff --git a/security/src/main/java/com/devonfw/tools/security/Main.java b/security/src/main/java/com/devonfw/tools/security/Main.java
index 090247325..1f5ef29e0 100644
--- a/security/src/main/java/com/devonfw/tools/security/Main.java
+++ b/security/src/main/java/com/devonfw/tools/security/Main.java
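Review bot: The three new methods repeat the `updaters.stream().filter(updater -> updater.getTool().equals(tool)).findFirst()` lookup verbatim; a private `findUpdater(String tool)` returning `Optional<AbstractUrlUpdater>` keeps the tool-name comparison in one place and turns the public methods into one-liners, as sketched below. The methods are public and undocumented, and each answers null for a tool without an updater while the base-class defaults answer the empty string, so the Javadoc should say so, e.g. `/** @return the CPE vendor of the given tool, or null if no updater is registered for {@code tool}. */`. The helper needs a `java.util.Optional` import, which lies outside this hunk.
```java
  public String getCpeVendor(String tool) {

    return findUpdater(tool).map(AbstractUrlUpdater::getCpeVendor).orElse(null);
  }

  public String getCpeProduct(String tool) {

    return findUpdater(tool).map(AbstractUrlUpdater::getCpeProduct).orElse(null);
  }

  public String mapUrlVersionToCpeVersion(String tool, String urlVersion) {

    return findUpdater(tool).map(updater -> updater.mapUrlVersionToCpeVersion(urlVersion)).orElse(null);
  }

  // Single lookup of the updater registered for the given tool name; empty if none is registered.
  private Optional<AbstractUrlUpdater> findUpdater(String tool) {

    return this.updaters.stream().filter(updater -> updater.getTool().equals(tool)).findFirst();
  }
```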
@@ -1,183 +1,79 @@ package com.devonfw.tools.security; +import java.util.List; +import java.util.stream.Collectors; + import com.devonfw.tools.ide.context.IdeContext; import com.devonfw.tools.ide.context.IdeContextConsole; import com.devonfw.tools.ide.log.IdeLogLevel; -import com.devonfw.tools.ide.tool.ToolCommandlet; -import com.devonfw.tools.ide.url.model.folder.UrlVersion; -import com.devonfw.tools.ide.url.updater.AbstractUrlUpdater; import com.devonfw.tools.ide.url.updater.UpdateManager; -import com.devonfw.tools.ide.url.updater.UrlUpdater; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.AnalysisPhase; +import org.owasp.dependencycheck.analyzer.FileNameAnalyzer; import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer; import org.owasp.dependencycheck.dependency.*; import org.owasp.dependencycheck.exception.ExceptionCollection; -import org.owasp.dependencycheck.exception.ReportException; import org.owasp.dependencycheck.utils.Settings; - -import java.io.IOException; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; - -import java.io.File; -import java.util.ArrayList; -import java.util.List; - public class Main { - // TODO is owasp dependence i main pomxlm correc tor should i move it to security pomxml - - public static void main(String[] args) throws ReportException { - - // TODO edit depedency check properties file to switch off analysers, this file is currently read only + public static void main(String[] args) { + // TODO edit dependency check properties file to switch off analysers, this file is currently read only // TODO maybe this can be done in pom.xml + // or simply remove it like FileNameAnalyzer was removed - //TODO, wenn eine cve gefunden wird. dann in ide cli prompten und auch die cve sagen, damit der user selbst entschienden kann ob es vielleicht doch nicht eine false positive is. 
weil zb der vendor nicht so richtig gemached worden ist + // TODO: note settings.setBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, false); - // TODO ~/.m2/repository/org/owasp/dependency-check-utils/8.4.2/data/7.0/odc.update.lock + // TODO ~/.m2/repository/org/owasp/dependency-check-utils/8.4.2/data/7.0/odc.update.lock // why is this not in projects dir but in user dir? Settings settings = new Settings(); - File dir; - - - settings.setBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, false); - - - try (Engine engine = new Engine(settings)) { - - // das brauche ich um die file endung zu akzeptieren - FileTypeAnalyzer myAnalyzer = new UrlAnalyzer(); - // engine.getAnalyzers().add(myAnalyzer); - engine.getFileTypeAnalyzers().add(myAnalyzer); -// engine.getAnalyzers(AnalysisPhase.INFORMATION_COLLECTION).add(new UrlAnalyzer()); - List dependencyList = engine.scan("C:\\projects\\_ide\\myUrls"); - System.out.println("size of dependencyList is " + dependencyList.size()); - - // add my infos to dependency - for (Dependency dependency : dependencyList) { - // TODO soll ich auch noch die ulr splitten und die zu evidence machen? - String filePath = dependency.getFilePath(); - Path parent = Paths.get(filePath).getParent(); - String tool = parent.getParent().getParent().getFileName().toString(); - String edition = parent.getParent().getFileName().toString(); - String version = parent.getFileName().toString(); - - - // TODO is versions od dependency updated when adding evidence? 
- - // from the context I want to get the JavaUrlUpdater - // UpdateManager updateManager = new UpdateManager(ideContext.getUrlsPath(), null); - // String vendor = updateManager.getVendor("java"); - - Evidence productEvidence = new Evidence("mysoure", "myname", tool, Confidence.HIGH); - dependency.addEvidence(EvidenceType.PRODUCT, productEvidence); - - Evidence editionEvidence = new Evidence("mysoure", "myname", edition, Confidence.HIGH); - dependency.addEvidence(EvidenceType.PRODUCT, editionEvidence); - - Evidence versionEvidence = new Evidence("mysoure", "myname", version, Confidence.HIGH); - dependency.addEvidence(EvidenceType.VERSION, versionEvidence); - - Evidence vendorEvidence = new Evidence("mysoure", "myname", "oracle", Confidence.HIGH); - dependency.addEvidence(EvidenceType.VENDOR, vendorEvidence); + Engine engine = new Engine(settings); // doesn't work with "try with resource" + IdeContext ideContext = new IdeContextConsole(IdeLogLevel.INFO, null, false); + UpdateManager updateManager = new UpdateManager(ideContext.getUrlsPath(), null); - } - - // TODO oder kann ich doch manche analyzer weg machen? - // welche sollen weg? 
- try { - engine.analyzeDependencies();// needed for db stuff which is private - for (Dependency dependency : engine.getDependencies()) { - engine.removeDependency(dependency); - for (EvidenceType type : EvidenceType.values()) { - for (Evidence evidence : dependency.getEvidence(type)) { - if (!evidence.getName().equals("myname")) { - dependency.removeEvidence(type, evidence); - } - } - } - engine.addDependency(dependency); - } - - } catch (ExceptionCollection e) { - throw new RuntimeException(e); - } - - // TODO dont do this with this method but try to do it by hand, since i cant seem to add my URL analyzer to the map of engine - // look at path and them extract name and version and vendor maybe from url - List exceptionsList = new ArrayList<>(); - ExceptionCollection exceptions = new ExceptionCollection(exceptionsList); - - dir = new File("C:\\projects\\devonfw\\report"); - engine.writeReports("applicationName", "groupId", "artifactId", "version", dir, "JSON", exceptions); - } + FileTypeAnalyzer myAnalyzer = new UrlAnalyzer(updateManager); + engine.getFileTypeAnalyzers().add(myAnalyzer); + engine.getAnalyzers(AnalysisPhase.INFORMATION_COLLECTION).add(myAnalyzer); + engine.getAnalyzers(AnalysisPhase.INFORMATION_COLLECTION) + .removeIf(analyzer -> analyzer instanceof FileNameAnalyzer); + engine.scan("C:\\projects\\_ide\\myUrls"); - String filename = dir.toString() + "\\dependency-check-report.json"; - Path filepath = Paths.get(filename); - // Read all lines from the file into a List - String formatted = ""; - try { - List lines = Files.readAllLines(filepath); - assert (lines.size() == 1); - formatted = formatJsonString(lines.get(0)); - - } catch (IOException e) { - throw new RuntimeException(e); - } - - Path newfilepath = filepath.getParent().resolve("dependency-check-report2.json"); try { - Files.delete(filepath); - } catch (IOException e) { + engine.analyzeDependencies();// needed for db stuff which is private + } catch (ExceptionCollection e) { throw new 
RuntimeException(e); } - try { - if (Files.exists(newfilepath)) { - Files.delete(newfilepath); + float minV2Severity = 0.0f; + float minV3Severity = 0.0f; + + for (Dependency dependency : engine.getDependencies()) { + List noSeverity = dependency.getVulnerabilities(true).stream() + .filter(v -> v.getCvssV2() == null && v.getCvssV3() == null).collect(Collectors.toList()); + List onlyV2Severity = dependency.getVulnerabilities(true).stream() + .filter(v -> v.getCvssV2() != null && v.getCvssV3() == null).collect(Collectors.toList()); + List hasV3Severity = dependency.getVulnerabilities(true).stream() + .filter(v -> v.getCvssV3() != null).collect(Collectors.toList()); + + if (!noSeverity.isEmpty()) { + System.out.println("no severity is not empty: " + dependency.getFileName()); + System.exit(1); } - } catch (IOException e) { - throw new RuntimeException(e); - } - try { - Files.write(newfilepath, formatted.getBytes()); - } catch (IOException e) { - throw new RuntimeException(e); - } - } + onlyV2Severity.removeIf(v -> v.getCvssV2().getScore() < minV3Severity); + hasV3Severity.removeIf(v -> v.getCvssV3().getBaseScore() < minV2Severity); - public static String formatJsonString(String jsonString) { - int level = 0; - StringBuilder formattedJson = new StringBuilder(); - int stringLength = jsonString.length(); - - for (int i = 0; i < stringLength; i++) { - char ch = jsonString.charAt(i); - - if (ch == '{' || ch == '[') { - formattedJson.append(ch).append("\n").append(getIndent(++level)); - } else if (ch == '}' || ch == ']') { - formattedJson.append("\n").append(getIndent(--level)).append(ch); - } else if (ch == ',') { - formattedJson.append(ch).append("\n").append(getIndent(level)); - } else { - formattedJson.append(ch); - } - } + System.out.println("There were vulnerabilities found in: " + dependency.getFileName()); + onlyV2Severity.forEach(v -> System.out.println("V2: " + v.getName() + " " + v.getCvssV2().getScore())); + hasV3Severity.forEach(v -> System.out.println("V3: " + 
v.getName() + " " + v.getCvssV3().getBaseScore())); - return formattedJson.toString(); - } + // TODO read min levels from console + // TODO list all vulnerabilities, so maybe description, all fields of cvssv3 and cvssv2, cve name, source, + // url of vulnerabilityIds, and vulnerableSoftware + // TODO take all vulnerabilities, or ask for another min level und update the numbers of vulnerabilities + // TODO write vulnerabilities to file -> new format? that includes CVE name? - private static String getIndent(int level) { - StringBuilder indent = new StringBuilder(); - for (int i = 0; i < level; i++) { - indent.append("\t"); } - return indent.toString(); } } \ No newline at end of file diff --git a/security/src/main/java/com/devonfw/tools/security/UrlAnalyzer.java b/security/src/main/java/com/devonfw/tools/security/UrlAnalyzer.java index 7f79c0047..dc384d822 100644 --- a/security/src/main/java/com/devonfw/tools/security/UrlAnalyzer.java +++ b/security/src/main/java/com/devonfw/tools/security/UrlAnalyzer.java 
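Review bot: The two severity filters have their thresholds crossed: `onlyV2Severity.removeIf(v -> v.getCvssV2().getScore() < minV3Severity);` drops V2 findings against the V3 limit and the next line does the reverse; both limits are 0.0f today so nothing is lost yet, but once the `TODO read min levels from console` is implemented findings would be filtered by the wrong threshold. Swap them to `onlyV2Severity.removeIf(v -> v.getCvssV2().getScore() < minV2Severity);` and `hasV3Severity.removeIf(v -> v.getCvssV3().getBaseScore() < minV3Severity);`. The engine is also no longer closed: the removed code used `try (Engine engine = new Engine(settings))`, the new code keeps it open and even calls `System.exit(1)` with it live, so whatever the engine holds (the TODO mentions `odc.update.lock`) is presumably released only at process exit; if try-with-resources fails because results are read after the block, keep the dependency loop inside the block or call `engine.close()` in a finally. `dependency.getVulnerabilities(true)` is evaluated three times per dependency and the scan root `C:\\projects\\_ide\\myUrls` is hard-coded; reading the list once into a local and taking the path from `args` or the IdeContext would make the scan runnable outside the author's machine.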
@@ -1,55 +1,101 @@ package com.devonfw.tools.security; -import com.devonfw.tools.ide.os.SystemInfo; -import com.devonfw.tools.ide.os.SystemInfoImpl; +import java.io.FileFilter; +import java.nio.file.Path; +import java.nio.file.Paths; + +import com.devonfw.tools.ide.context.IdeContextConsole; +import com.devonfw.tools.ide.log.IdeLogLevel; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer; import org.owasp.dependencycheck.analyzer.AnalysisPhase; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.Evidence; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.exception.InitializationException; -import java.io.FileFilter; +import com.devonfw.tools.ide.context.IdeContext; +import com.devonfw.tools.ide.url.updater.UpdateManager; public class UrlAnalyzer extends AbstractFileTypeAnalyzer { - // The file filter used to filter supported files. - private FileFilter fileFilter = null; + // The file filter is used to filter supported files. 
+ private FileFilter fileFilter = null; - public UrlAnalyzer() { + private static final String ANALYZER_NAME = "UrlAnalyzer"; - fileFilter = new UrlFileFilter(); + private final UpdateManager updateManager; + public UrlAnalyzer(UpdateManager updateManager) { - } + fileFilter = new UrlFileFilter(); + this.updateManager = updateManager; + } - @Override - protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - System.out.println("analyzeDependency"); - System.out.println("analyzeDependency"); - } + @Override + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - @Override - protected String getAnalyzerEnabledSettingKey() { - return null; - } - @Override - protected FileFilter getFileFilter() { - return fileFilter; - } - @Override - protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException { + String filePath = dependency.getFilePath(); + Path parent = Paths.get(filePath).getParent(); + String tool = parent.getParent().getParent().getFileName().toString(); + String edition = parent.getParent().getFileName().toString(); - } + String source = "UrlAnalyzer"; - @Override - public String getName() { - return null; - } + // adding vendor evidence + String vendor = updateManager.getCpeVendor(tool); + Evidence evidence = new Evidence(source, "CpeVendor", vendor, Confidence.HIGH); + dependency.addEvidence(EvidenceType.VENDOR, evidence); - @Override - public AnalysisPhase getAnalysisPhase() { - return null; + // adding product evidence + String product = updateManager.getCpeProduct(tool); + if (product == null) { + product = tool; } + evidence = new Evidence(source, "CpeProduct", product, Confidence.HIGH); + dependency.addEvidence(EvidenceType.PRODUCT, evidence); + + // adding version evidence + String version = updateManager.mapUrlVersionToCpeVersion(tool, parent.getFileName().toString()); + evidence = new Evidence(source, "CpeVersion", version, 
Confidence.HIGH); + dependency.addEvidence(EvidenceType.VERSION, evidence); + } + + @Override + public boolean isEnabled() { + + return true; + } + + @Override + protected String getAnalyzerEnabledSettingKey() { + // whether this Analyzer is enabled or not is not configurable but fixed by isEnabled() + return null; + } + + @Override + protected FileFilter getFileFilter() { + + return fileFilter; + } + + @Override + protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException { + // nothing to prepare here + } + + @Override + public String getName() { + + return ANALYZER_NAME; + } + + @Override + public AnalysisPhase getAnalysisPhase() { + + return AnalysisPhase.INFORMATION_COLLECTION; + } }
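Review bot: `analyzeDependency` adds the vendor as HIGH-confidence evidence without checking the value, although `UpdateManager.getCpeVendor` answers null for a tool without an updater and the base-class default is the empty string; the product branch falls back to `tool` only on null and the version gets no check at all, so an empty or null identifier can enter CPE matching and skew which CVEs the scan reports for that tool. I would route all three through one helper that skips null or empty values and uses `ANALYZER_NAME` as the evidence source (the local `source = "UrlAnalyzer"` duplicates that constant), as sketched below. `edition` is computed but never used, `fileFilter` can be `final`, and the added imports `IdeContextConsole`, `IdeLogLevel` and `IdeContext` appear unused in this hunk. The `parent.getParent().getParent()` chain assumes every accepted file sits in a `tool/edition/version/` directory; if `UrlFileFilter` does not guarantee that, a shallower path throws a NullPointerException out of the analyzer, so a comment stating the expected layout, `// expects <urls>/<tool>/<edition>/<version>/<file>`, would help.
```java
  @Override
  protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {

    // expects <urls>/<tool>/<edition>/<version>/<file>
    Path parent = Paths.get(dependency.getFilePath()).getParent();
    String tool = parent.getParent().getParent().getFileName().toString();
    String version = parent.getFileName().toString();

    addEvidence(dependency, EvidenceType.VENDOR, "CpeVendor", this.updateManager.getCpeVendor(tool));
    String product = this.updateManager.getCpeProduct(tool);
    addEvidence(dependency, EvidenceType.PRODUCT, "CpeProduct", product == null ? tool : product);
    addEvidence(dependency, EvidenceType.VERSION, "CpeVersion",
        this.updateManager.mapUrlVersionToCpeVersion(tool, version));
  }

  // Adds HIGH-confidence evidence unless the value is null or empty: an empty vendor, product or
  // version would otherwise enter CPE matching as a real identifier and distort the lookup.
  private static void addEvidence(Dependency dependency, EvidenceType type, String name, String value) {

    if (value == null || value.isEmpty()) {
      return;
    }
    dependency.addEvidence(type, new Evidence(ANALYZER_NAME, name, value, Confidence.HIGH));
  }
```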