org.owasp.dependencycheck.analyzer

Class AbstractNpmAnalyzer

java.lang.Object

org.owasp.dependencycheck.analyzer.AbstractAnalyzer

org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer

org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer

All Implemented Interfaces:

FileFilter, Analyzer, FileTypeAnalyzer

Direct Known Subclasses:

NodeAuditAnalyzer, NodePackageAnalyzer

@ThreadSafe
public abstract class AbstractNpmAnalyzer
extends AbstractFileTypeAnalyzer

An abstract NPM analyzer that contains common methods for concrete implementations.

Author:

Steve Springett

Field Summary

Fields

Modifier and Type	Field and Description
static String	NPM_DEPENDENCY_ECOSYSTEM A descriptor for the type of dependencies processed or added by this analyzer.

Constructor Summary

Constructors

Constructor and Description
AbstractNpmAnalyzer()

Method Summary

Modifier and Type	Method and Description
boolean	accept(File pathname) Determines if the file can be analyzed by the analyzer.
protected Dependency	createDependency(Dependency dependency, String name, String version, String scope) Construct a dependency object.
protected Dependency	findDependency(Engine engine, String name, String version) Locates the dependency from the list of dependencies that have been scanned by the engine.
void	gatherEvidence(javax.json.JsonObject json, Dependency dependency) Collects evidence from the given JSON for the associated dependency.
protected void	processPackage(Engine engine, Dependency dependency, javax.json.JsonArray jsonArray, String depType) Processes a part of package.json (as defined by JsonArray) and update the specified dependency with relevant info.
protected void	processPackage(Engine engine, Dependency dependency, javax.json.JsonObject jsonObject, String depType) Processes a part of package.json (as defined by JsonObject) and update the specified dependency with relevant info.
protected boolean	shouldProcess(File pathname) Determines if the path contains "/node_modules/" or "/bower_components/" (i.e.

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer

getFileFilter, getFilesMatched, newHashSet, prepareAnalyzer, prepareFileTypeAnalyzer, setFilesMatched

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractAnalyzer

analyze, analyzeDependency, close, closeAnalyzer, getAnalyzerEnabledSettingKey, getSettings, initialize, isEnabled, prepare, setEnabled, supportsParallelProcessing

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.owasp.dependencycheck.analyzer.Analyzer

analyze, close, getAnalysisPhase, getName, initialize, isEnabled, prepare, supportsParallelProcessing

Field Detail

NPM_DEPENDENCY_ECOSYSTEM

public static final String NPM_DEPENDENCY_ECOSYSTEM

A descriptor for the type of dependencies processed or added by this analyzer.

See Also:

Constant Field Values

Constructor Detail

AbstractNpmAnalyzer

public AbstractNpmAnalyzer()

Method Detail

accept

public boolean accept(File pathname)

Determines if the file can be analyzed by the analyzer.

Specified by:

accept in interface FileFilter

Overrides:

accept in class AbstractFileTypeAnalyzer

Parameters:

pathname - the path to the file

Returns:

true if the file can be analyzed by the given analyzer; otherwise false

shouldProcess

protected boolean shouldProcess(File pathname)
                         throws AnalysisException

Determines if the path contains "/node_modules/" or "/bower_components/" (i.e. it is a child module). This analyzer does not scan child modules.

Parameters:

pathname - the path to test

Returns:

true if the path does not contain "/node_modules/" or "/bower_components/"

Throws:

AnalysisException - thrown if the canonical path cannot be obtained from the given file

createDependency

protected Dependency createDependency(Dependency dependency,
                                      String name,
                                      String version,
                                      String scope)

Construct a dependency object.

Parameters:

dependency - the parent dependency

name - the name of the dependency to create

version - the version of the dependency to create

scope - the scope of the dependency being created

Returns:

the generated dependency

processPackage

protected void processPackage(Engine engine,
                              Dependency dependency,
                              javax.json.JsonArray jsonArray,
                              String depType)

Processes a part of package.json (as defined by JsonArray) and update the specified dependency with relevant info.

Parameters:

engine - the dependency-check engine

dependency - the Dependency to update

jsonArray - the jsonArray to parse

depType - the dependency type

processPackage

protected void processPackage(Engine engine,
                              Dependency dependency,
                              javax.json.JsonObject jsonObject,
                              String depType)

Processes a part of package.json (as defined by JsonObject) and update the specified dependency with relevant info.

Parameters:

engine - the dependency-check engine

dependency - the Dependency to update

jsonObject - the jsonObject to parse

depType - the dependency type

findDependency

protected Dependency findDependency(Engine engine,
                                    String name,
                                    String version)

Locates the dependency from the list of dependencies that have been scanned by the engine.

Parameters:

engine - the dependency-check engine

name - the name of the dependency to find

version - the version of the dependency to find

Returns:

the identified dependency; otherwise null

gatherEvidence

public void gatherEvidence(javax.json.JsonObject json,
                           Dependency dependency)

Collects evidence from the given JSON for the associated dependency.

Parameters:

json - the JSON that contains the evidence to collect

dependency - the dependency to add the evidence too