package org.openrewrite.csharp.dependencies;

import com.fasterxml.jackson.databind.MappingIterator;
import com.fasterxml.jackson.dataformat.csv.CsvMapper;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
import java.beans.ConstructorProperties;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.Generated;
import org.openrewrite.ExecutionContext;
import org.openrewrite.Option;
import org.openrewrite.ScanningRecipe;
import org.openrewrite.TreeVisitor;
import org.openrewrite.csharp.dependencies.table.VulnerabilityReport;
import org.openrewrite.csharp.dependencies.trait.PackageReference;
import org.openrewrite.internal.StringUtils;
import org.openrewrite.internal.lang.NonNull;
import org.openrewrite.internal.lang.Nullable;
import org.openrewrite.java.dependencies.Vulnerability;
import org.openrewrite.java.dependencies.internal.StaticVersionComparator;
import org.openrewrite.java.dependencies.internal.Version;
import org.openrewrite.java.dependencies.internal.VersionParser;
import org.openrewrite.marker.SearchResult;
import org.openrewrite.semver.LatestPatch;
import org.openrewrite.xml.tree.Xml;

/* loaded from: input_file:org/openrewrite/csharp/dependencies/DependencyVulnerabilityCheck.class */
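/**
 * Scanning recipe that checks NuGet package references against a bundled advisory list,
 * records every match in a {@link VulnerabilityReport}, and bumps a reference to a fixed
 * version when that fix is reachable by a patch-level upgrade.
 *
 * <p>Flow, as implemented below:
 * <ol>
 *   <li>{@link #m1getInitialValue} loads the advisory CSV from the classpath and indexes it
 *       by package name.</li>
 *   <li>{@link #getScanner} matches each package reference against that index, remembers the
 *       hits per (name, version) and inserts one report row per hit.</li>
 *   <li>{@link #getVisitor} rewrites the version where a patch-only fix exists and, when
 *       {@code addMarkers} is {@code TRUE}, marks the findings it could not fix.</li>
 * </ol>
 *
 * <p>Points an operator should keep in mind when reading the results:
 * <ul>
 *   <li>The advisory data is a resource packaged with this class, so findings are only as
 *       current as the artifact that ships it. An old recipe artifact yields false negatives.</li>
 *   <li>Findings that need a minor or major upgrade are never rewritten. With markers disabled
 *       they are visible only in the report rows, so an empty diff is not evidence of a clean
 *       dependency set.</li>
 *   <li>NOTE(review): only references matched by {@code PackageReference.Matcher} are checked
 *       here; whether transitive dependencies are covered is not visible in this class.</li>
 * </ul>
 *
 * <p>This listing is decompiler output: raw types and synthetic casts have been replaced with
 * generics, the public surface is unchanged.
 */
public final class DependencyVulnerabilityCheck extends ScanningRecipe<Accumulator> {
    // Classpath location of the advisory list bundled with the recipe.
    private static final String ADVISORY_RESOURCE = "/advisories-nuget.csv";

    private final transient VersionParser versionParser = new VersionParser();
    private final transient VulnerabilityReport report = new VulnerabilityReport(this);

    @Option(displayName = "Add search markers", description = "Report each vulnerability as search result markers. When enabled you can see which dependencies are bringing in vulnerable transitives in the diff view. By default these markers are omitted, making it easier to see version upgrades within the diff.", required = false)
    private final Boolean addMarkers;
    private static final Comparator<Version> vc = new StaticVersionComparator();
    private static final LatestPatch latestPatch = new LatestPatch((String) null);

    /**
     * State shared between the scanning and the editing phase: the advisory index and the
     * findings collected so far.
     */
    public static final class Accumulator {
        // Advisories grouped by the key returned from Vulnerability#getGroupArtifact().
        private final Map<String, List<Vulnerability>> db;
        // Findings per referenced (name, version); filled by the scanner, read by the visitor.
        private final Map<NameVersion, Set<Vulnerability>> vulnerabilities;

        /**
         * Map key identifying one referenced package at one version.
         *
         * <p>Decompiler note: the access modifier was widened from package-private.
         */
        public static final class NameVersion {
            private final String name;
            private final String version;

            /**
             * @param str  package name
             * @param str2 package version as written in the reference
             */
            @Generated
            @ConstructorProperties({"name", "version"})
            public NameVersion(String str, String str2) {
                this.name = str;
                this.version = str2;
            }

            /** @return the package name */
            @Generated
            public String getName() {
                return this.name;
            }

            /** @return the package version */
            @Generated
            public String getVersion() {
                return this.version;
            }

            /** Two keys are equal when both name and version are equal; nulls compare equal to nulls. */
            @Generated
            public boolean equals(@Nullable Object obj) {
                if (obj == this) {
                    return true;
                }
                if (!(obj instanceof NameVersion)) {
                    return false;
                }
                NameVersion other = (NameVersion) obj;
                String thisName = getName();
                String otherName = other.getName();
                boolean sameName = thisName == null ? otherName == null : thisName.equals(otherName);
                if (!sameName) {
                    return false;
                }
                String thisVersion = getVersion();
                String otherVersion = other.getVersion();
                return thisVersion == null ? otherVersion == null : thisVersion.equals(otherVersion);
            }

            /** Hash over name and version, consistent with {@link #equals(Object)}. */
            @Generated
            public int hashCode() {
                String thisName = getName();
                String thisVersion = getVersion();
                int result = 59 + (thisName == null ? 43 : thisName.hashCode());
                return (result * 59) + (thisVersion == null ? 43 : thisVersion.hashCode());
            }

            @NonNull
            @Generated
            public String toString() {
                return "DependencyVulnerabilityCheck.Accumulator.NameVersion(name=" + getName() + ", version=" + getVersion() + ")";
            }
        }

        /**
         * @param map  advisory index keyed by package name
         * @param map2 findings keyed by referenced (name, version); mutated during scanning
         */
        @Generated
        @ConstructorProperties({"db", "vulnerabilities"})
        public Accumulator(Map<String, List<Vulnerability>> map, Map<NameVersion, Set<Vulnerability>> map2) {
            this.db = map;
            this.vulnerabilities = map2;
        }

        /** @return the advisory index; the stored map itself, not a copy */
        @Generated
        public Map<String, List<Vulnerability>> getDb() {
            return this.db;
        }

        /** @return the collected findings; the stored map itself, not a copy */
        @Generated
        public Map<NameVersion, Set<Vulnerability>> getVulnerabilities() {
            return this.vulnerabilities;
        }

        /** Accumulators are equal when both maps are equal; nulls compare equal to nulls. */
        @Generated
        public boolean equals(@Nullable Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof Accumulator)) {
                return false;
            }
            Accumulator other = (Accumulator) obj;
            Map<String, List<Vulnerability>> thisDb = getDb();
            Map<String, List<Vulnerability>> otherDb = other.getDb();
            boolean sameDb = thisDb == null ? otherDb == null : thisDb.equals(otherDb);
            if (!sameDb) {
                return false;
            }
            Map<NameVersion, Set<Vulnerability>> thisFound = getVulnerabilities();
            Map<NameVersion, Set<Vulnerability>> otherFound = other.getVulnerabilities();
            return thisFound == null ? otherFound == null : thisFound.equals(otherFound);
        }

        /** Hash over both maps, consistent with {@link #equals(Object)}. */
        @Generated
        public int hashCode() {
            Map<String, List<Vulnerability>> thisDb = getDb();
            Map<NameVersion, Set<Vulnerability>> thisFound = getVulnerabilities();
            int result = 59 + (thisDb == null ? 43 : thisDb.hashCode());
            return (result * 59) + (thisFound == null ? 43 : thisFound.hashCode());
        }

        @NonNull
        @Generated
        public String toString() {
            return "DependencyVulnerabilityCheck.Accumulator(db=" + getDb() + ", vulnerabilities=" + getVulnerabilities() + ")";
        }
    }

    public String getDisplayName() {
        return "Find and fix vulnerable Nuget dependencies";
    }

    public String getDescription() {
        return "This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe **only** upgrades to the latest **patch** version.  If a minor or major upgrade is required to reach the fixed version, this recipe will not make any changes. Vulnerability information comes from the [GitHub Security Advisory Database](https://docs.github.com/en/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database), which aggregates vulnerability data from several public databases, including the [National Vulnerability Database](https://nvd.nist.gov/) maintained by the United States government. Dependencies following [Semantic Versioning](https://semver.org/) will see their _patch_ version updated where applicable.";
    }

    /**
     * Builds the initial accumulator by reading the bundled advisory CSV and grouping its rows
     * by {@code Vulnerability#getGroupArtifact()}.
     *
     * <p>Decompiler note: renamed from {@code getInitialValue} (merged with its bridge method).
     *
     * @param executionContext not used by this method
     * @return an accumulator holding the advisory index and an empty findings map
     * @throws IllegalStateException if the advisory resource is not on the classpath
     * @throws RuntimeException      wrapping any {@link IOException} raised while reading the CSV
     */
    public Accumulator m1getInitialValue(ExecutionContext executionContext) {
        CsvMapper csvMapper = new CsvMapper();
        csvMapper.registerModule(new JavaTimeModule());
        Map<String, List<Vulnerability>> advisoriesByPackage = new HashMap<>();
        // try-with-resources closes the stream and the iterator on every exit path; the
        // decompiled form closed them only after a fully successful read.
        try (InputStream advisories = DependencyVulnerabilityCheck.class.getResourceAsStream(ADVISORY_RESOURCE)) {
            if (advisories == null) {
                // A scanner without its advisory list must stop with a clear error instead of
                // handing null to the CSV reader.
                throw new IllegalStateException("Advisory database resource " + ADVISORY_RESOURCE + " was not found on the classpath");
            }
            try (MappingIterator<Vulnerability> rows = csvMapper.readerWithSchemaFor(Vulnerability.class).readValues(advisories)) {
                while (rows.hasNextValue()) {
                    Vulnerability advisory = rows.nextValue();
                    advisoriesByPackage.computeIfAbsent(advisory.getGroupArtifact(), key -> new ArrayList<>()).add(advisory);
                }
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return new Accumulator(advisoriesByPackage, new HashMap<>());
    }

    /**
     * Returns the scanning visitor: for every matched package reference it looks up the
     * advisories for the referenced package, and for each advisory whose affected range
     * contains the referenced version it stores the finding and inserts a report row.
     *
     * @param accumulator state created by {@link #m1getInitialValue}; its findings map is mutated
     * @return a visitor that leaves the tree unchanged
     */
    public TreeVisitor<?, ExecutionContext> getScanner(Accumulator accumulator) {
        return new PackageReference.Matcher().asVisitor((packageReference, executionContext) -> {
            String include = packageReference.getInclude();
            List<Vulnerability> advisories = accumulator.db.getOrDefault(include, Collections.emptyList());
            for (Vulnerability advisory : advisories) {
                String version = packageReference.getVersion();
                if (!isVulnerable(version, advisory)) {
                    continue;
                }
                // LinkedHashSet keeps the findings in the order they were discovered.
                accumulator.vulnerabilities
                        .computeIfAbsent(new Accumulator.NameVersion(include, version), key -> new LinkedHashSet<>())
                        .add(advisory);
                // NOTE(review): getSeverity() is dereferenced without a null check; confirm the
                // advisory data always carries a severity. The literal 0 is defined by
                // VulnerabilityReport.Row, which is not visible here.
                this.report.insertRow(executionContext, new VulnerabilityReport.Row(
                        advisory.getCve(),
                        include,
                        version,
                        advisory.getFixedVersion(),
                        isFixWithPatchVersionUpdateOnly(version, advisory),
                        advisory.getSummary(),
                        advisory.getSeverity().toString(),
                        0,
                        advisory.getCwes()));
            }
            return packageReference.getTree();
        });
    }

    /**
     * Tests whether a referenced version lies in the advisory's affected range: at or above the
     * introduced version and strictly below the fixed version. An advisory with a blank fixed
     * version affects every version from the introduced one upwards.
     *
     * <p>NOTE(review): how {@code VersionParser} and {@code StaticVersionComparator} treat a
     * value that is not a plain version (a property reference, a version range, a blank
     * introduced version) is not visible here; confirm such input cannot be silently classified
     * as not vulnerable.
     *
     * @param str           version written in the package reference
     * @param vulnerability advisory to test against
     * @return {@code true} when the version is inside the affected range
     */
    private boolean isVulnerable(String str, Vulnerability vulnerability) {
        Version referenced = this.versionParser.transform(str);
        Version introduced = this.versionParser.transform(vulnerability.getIntroducedVersion());
        if (vc.compare(referenced, introduced) < 0) {
            return false;
        }
        String fixedVersion = vulnerability.getFixedVersion();
        if (StringUtils.isBlank(fixedVersion)) {
            return true;
        }
        return vc.compare(referenced, this.versionParser.transform(fixedVersion)) < 0;
    }

    /**
     * Tests whether the advisory's fixed version can be reached from the referenced version
     * under the {@code LatestPatch} selector: a fixed version must exist, the selector must
     * accept it relative to the referenced version, and the referenced version must order
     * before it.
     *
     * <p>Decompiler note: the access modifier was widened from private.
     *
     * @param str           version written in the package reference
     * @param vulnerability advisory whose fixed version is examined
     * @return {@code true} when a patch-level upgrade reaches the fix
     */
    public static boolean isFixWithPatchVersionUpdateOnly(String str, Vulnerability vulnerability) {
        String fixedVersion = vulnerability.getFixedVersion();
        if (StringUtils.isBlank(fixedVersion)) {
            return false;
        }
        return latestPatch.isValid(str, fixedVersion) && latestPatch.compare(str, str, fixedVersion) < 0;
    }

    /**
     * Returns the editing visitor. For each matched package reference it takes the findings
     * recorded for that (name, version), raises the version to the highest fixed version among
     * the patch-fixable findings, and, when {@code addMarkers} is {@code TRUE}, attaches a
     * search result listing the findings that are not patch-fixable.
     *
     * <p>Findings that are not patch-fixable never change the reference; with markers disabled
     * they appear only in the report rows written during scanning.
     *
     * @param accumulator state filled by the scanner
     * @return a visitor that may rewrite or mark package reference tags
     */
    public TreeVisitor<?, ExecutionContext> getVisitor(Accumulator accumulator) {
        return new PackageReference.Matcher().asVisitor((packageReference, executionContext) -> {
            Xml.Tag tree = packageReference.getTree();
            String version = packageReference.getVersion();
            Set<Vulnerability> findings = accumulator.vulnerabilities.getOrDefault(
                    new Accumulator.NameVersion(packageReference.getInclude(), packageReference.getVersion()),
                    Collections.emptySet());
            // true  -> reachable by a patch upgrade, false -> needs a larger upgrade or has no fix
            Map<Boolean, List<Vulnerability>> byPatchFixable = findings.stream()
                    .collect(Collectors.partitioningBy(finding -> isFixWithPatchVersionUpdateOnly(version, finding)));

            // Choose the highest fixed version so that one bump covers every patch-fixable finding.
            String upgradeTo = byPatchFixable.get(true).stream()
                    .max(Comparator.comparing(
                            (Vulnerability finding) -> this.versionParser.transform(finding.getFixedVersion()), vc))
                    .map(Vulnerability::getFixedVersion)
                    .orElse(null);
            if (upgradeTo != null) {
                tree = packageReference.withVersion(upgradeTo);
            }

            List<Vulnerability> unresolved = byPatchFixable.get(false);
            if (Boolean.TRUE.equals(this.addMarkers) && !unresolved.isEmpty()) {
                String details = unresolved.stream()
                        .map(finding -> {
                            String fixedSuffix = StringUtils.isBlank(finding.getFixedVersion()) ? "" : ", fixed in " + finding.getFixedVersion();
                            return String.format("%s (%s severity%s) - %s", finding.getCve(), finding.getSeverity(), fixedSuffix, finding.getSummary());
                        })
                        .collect(Collectors.joining("\n"));
                tree = SearchResult.found(tree, "This dependency has the following vulnerabilities:\n" + details);
            }
            return tree;
        });
    }

    /**
     * @param bool whether unresolved findings are attached as search markers; may be
     *             {@code null}, which is treated as disabled
     */
    @Generated
    @ConstructorProperties({"addMarkers"})
    public DependencyVulnerabilityCheck(Boolean bool) {
        this.addMarkers = bool;
    }

    /** @return the version parser used for range checks */
    @Generated
    public VersionParser getVersionParser() {
        return this.versionParser;
    }

    /** @return the data table that receives one row per finding */
    @Generated
    public VulnerabilityReport getReport() {
        return this.report;
    }

    /** @return the marker option as configured, possibly {@code null} */
    @Generated
    public Boolean getAddMarkers() {
        return this.addMarkers;
    }

    @NonNull
    @Generated
    public String toString() {
        return "DependencyVulnerabilityCheck(versionParser=" + getVersionParser() + ", report=" + getReport() + ", addMarkers=" + getAddMarkers() + ")";
    }

    /** Equality is decided by {@code addMarkers} alone; the transient fields do not take part. */
    @Generated
    public boolean equals(@Nullable Object obj) {
        if (obj == this) {
            return true;
        }
        if (!(obj instanceof DependencyVulnerabilityCheck)) {
            return false;
        }
        DependencyVulnerabilityCheck other = (DependencyVulnerabilityCheck) obj;
        if (!other.canEqual(this)) {
            return false;
        }
        Boolean thisMarkers = getAddMarkers();
        Boolean otherMarkers = other.getAddMarkers();
        return thisMarkers == null ? otherMarkers == null : thisMarkers.equals(otherMarkers);
    }

    /** @return whether {@code obj} is an instance that may be compared with this class */
    @Generated
    protected boolean canEqual(@Nullable Object obj) {
        return obj instanceof DependencyVulnerabilityCheck;
    }

    /** Hash over {@code addMarkers}, consistent with {@link #equals(Object)}. */
    @Generated
    public int hashCode() {
        Boolean thisMarkers = getAddMarkers();
        return 59 + (thisMarkers == null ? 43 : thisMarkers.hashCode());
    }
}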
