package org.owasp.dependencycheck.analyzer;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import org.apache.commons.lang3.StringUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.ossindex.OssindexClientFactory;
import org.owasp.dependencycheck.dependency.CvssV2;
import org.owasp.dependencycheck.dependency.CvssV3;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.dependency.VulnerableSoftwareBuilder;
import org.owasp.dependencycheck.dependency.naming.Identifier;
import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.sonatype.goodies.packageurl.InvalidException;
import org.sonatype.goodies.packageurl.PackageUrl;
import org.sonatype.ossindex.service.api.componentreport.ComponentReport;
import org.sonatype.ossindex.service.api.componentreport.ComponentReportVulnerability;
import org.sonatype.ossindex.service.api.cvss.Cvss2Severity;
import org.sonatype.ossindex.service.api.cvss.Cvss2Vector;
import org.sonatype.ossindex.service.api.cvss.Cvss3Severity;
import org.sonatype.ossindex.service.api.cvss.Cvss3Vector;
import org.sonatype.ossindex.service.api.cvss.CvssVector;
import org.sonatype.ossindex.service.api.cvss.CvssVectorFactory;
import org.sonatype.ossindex.service.client.OssindexClient;
import org.sonatype.ossindex.service.client.transport.Transport;
import us.springett.parsers.cpe.exceptions.CpeValidationException;
import us.springett.parsers.cpe.values.Part;

/* loaded from: input_file:org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.class */
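/**
 * Enriches dependencies with vulnerability data from the Sonatype OSS Index service.
 *
 * <p>All Package-URLs of the scan are submitted in a single batch request the first time any
 * dependency is analyzed; the resulting component reports are cached in a static field and
 * shared by every instance until {@link #closeAnalyzer()} clears them. Access to the cache is
 * serialized through {@link #FETCH_MUTIX}, so enrichment itself runs one dependency at a time
 * even though the analyzer reports parallel support.
 *
 * <p>Remote failures disable the analyzer. Depending on the
 * {@code analyzer.ossindex.remote-error.warn-only} setting, a failed fetch either aborts the
 * scan with an {@link AnalysisException} or only logs a warning, in which case the scan
 * continues without any OSS Index findings.
 */
public class OssIndexAnalyzer extends AbstractAnalyzer {

    /** Reference type recorded on vulnerabilities that originate from OSS Index. */
    public static final String REFERENCE_TYPE = "OSSINDEX";

    /**
     * Component reports keyed by Package-URL, fetched once for the whole scan and shared across
     * analyzer instances. {@code null} until the first successful fetch and again after
     * {@link #closeAnalyzer()}. Guarded by {@link #FETCH_MUTIX}.
     */
    private static Map<PackageUrl, ComponentReport> reports;

    private static final Logger LOG = LoggerFactory.getLogger(OssIndexAnalyzer.class);

    /** Locates a CVE identifier inside free-form title or reference text. */
    private static final Pattern CVE_PATTERN = Pattern.compile("\\bCVE-\\d{4}-\\d{4,10}\\b");

    /** Guards {@link #reports}: the batch fetch and every enrichment run under this lock. */
    private static final Object FETCH_MUTIX = new Object();

    /** {@inheritDoc} */
    @Override
    public String getName() {
        return "Sonatype OSS Index Analyzer";
    }

    /** {@inheritDoc} */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.FINDING_ANALYSIS_PHASE2;
    }

    /** {@inheritDoc} */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return "analyzer.ossindex.enabled";
    }

    /**
     * {@inheritDoc}
     *
     * <p>Parallel processing is safe because {@link #analyzeDependency} serializes all work on
     * {@link #FETCH_MUTIX}.
     */
    @Override
    public boolean supportsParallelProcessing() {
        return true;
    }

    /**
     * Drops the cached component reports so a subsequent scan performs a fresh fetch.
     *
     * @throws Exception never thrown here; declared by the superclass contract
     */
    @Override
    protected void closeAnalyzer() throws Exception {
        synchronized (FETCH_MUTIX) {
            reports = null;
        }
    }

    /**
     * Fetches the component reports on first use, then enriches the given dependency from the
     * cache.
     *
     * @param dependency the dependency to enrich
     * @param engine the engine, used to obtain the full dependency list for the batch request
     * @throws AnalysisException if the reports could not be fetched and the warn-only setting is
     *     not enabled, or if the request was interrupted
     */
    @Override
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
        synchronized (FETCH_MUTIX) {
            if (reports == null) {
                try {
                    requestDelay();
                    reports = requestReports(engine.getDependencies());
                } catch (Transport.TransportException e) {
                    handleTransportFailure(e);
                } catch (InterruptedException e) {
                    // Restore the interrupt flag so callers higher up can observe it.
                    Thread.currentThread().interrupt();
                    LOG.debug("Interrupted while requesting component reports", e);
                    throw new AnalysisException("Failed to request component-reports", e);
                } catch (Exception e) {
                    LOG.debug("Error requesting component reports", e);
                    throw new AnalysisException("Failed to request component-reports", e);
                }
            }
            // Stays null after a warn-only transport failure: the dependency is then left untouched.
            if (reports != null) {
                enrich(dependency);
            }
        }
    }

    /**
     * Disables the analyzer after a transport failure and decides whether the scan aborts.
     *
     * <p>The transport exposes the HTTP status only as the tail of its message, so the status
     * is matched by suffix. Authentication (401) and authorization (403) failures always abort;
     * rate limiting (429) and any other failure abort unless
     * {@code analyzer.ossindex.remote-error.warn-only} is set, in which case they are logged
     * and the scan proceeds without OSS Index data.
     *
     * @param e the transport failure
     * @throws AnalysisException when the failure must abort the scan
     */
    private void handleTransportFailure(Transport.TransportException e) throws AnalysisException {
        final String message = e.getMessage();
        final boolean warnOnly = getSettings().getBoolean("analyzer.ossindex.remote-error.warn-only", false);
        // Disable unconditionally so no later dependency retries the failed fetch.
        setEnabled(false);
        if (StringUtils.endsWith(message, "401")) {
            LOG.error("Invalid credentials for the OSS Index, disabling the analyzer");
            throw new AnalysisException("Invalid credentials provided for OSS Index", e);
        }
        if (StringUtils.endsWith(message, "403")) {
            LOG.error("OSS Index access forbidden, disabling the analyzer");
            throw new AnalysisException("OSS Index access forbidden", e);
        }
        if (StringUtils.endsWith(message, "429")) {
            if (!warnOnly) {
                throw new AnalysisException("OSS Index rate limit exceeded, disabling the analyzer", e);
            }
            LOG.warn("OSS Index rate limit exceeded, disabling the analyzer", e);
            return;
        }
        if (!warnOnly) {
            LOG.debug("Error requesting component reports, disabling the analyzer", e);
            throw new AnalysisException("Failed to request component-reports", e);
        }
        LOG.warn("Error requesting component reports, disabling the analyzer", e);
    }

    /**
     * Sleeps for the configured {@code analyzer.ossindex.request.delay} (seconds) before the
     * batch request; no-op when the delay is zero or unset.
     *
     * @throws InterruptedException if interrupted while sleeping
     */
    private void requestDelay() throws InterruptedException {
        final int delaySeconds = getSettings().getInt("analyzer.ossindex.request.delay", 0);
        if (delaySeconds > 0) {
            LOG.debug("Request delay: {}", delaySeconds);
            TimeUnit.SECONDS.sleep(delaySeconds);
        }
    }

    /**
     * Parses a Package-URL string.
     *
     * @param value the Package-URL text
     * @return the parsed Package-URL, or {@code null} if the text is not a valid Package-URL
     */
    @Nullable
    private PackageUrl parsePackageUrl(String value) {
        try {
            return PackageUrl.parse(value);
        } catch (InvalidException e) {
            LOG.debug("Invalid Package-URL: {}", value, e);
            return null;
        }
    }

    /**
     * Requests component reports for every versioned Package-URL among the given dependencies.
     *
     * @param dependencies all dependencies of the scan
     * @return the reports keyed by Package-URL; empty when no versioned Package-URL was found
     * @throws Exception if the OSS Index request fails
     */
    private Map<PackageUrl, ComponentReport> requestReports(Dependency[] dependencies) throws Exception {
        LOG.debug("Requesting component-reports for {} dependencies", dependencies.length);
        // Only Package-URLs with a version can be matched against a component report.
        final List<PackageUrl> packages = Arrays.stream(dependencies)
                .flatMap(dependency -> dependency.getSoftwareIdentifiers().stream())
                .filter(PurlIdentifier.class::isInstance)
                .map(identifier -> parsePackageUrl(identifier.getValue()))
                .filter(purl -> purl != null && StringUtils.isNotBlank(purl.getVersion()))
                .collect(Collectors.toList());
        if (packages.isEmpty()) {
            LOG.warn("Unable to determine Package-URL identifiers for {} dependencies", dependencies.length);
            return Collections.emptyMap();
        }
        try (OssindexClient client = newOssIndexClient()) {
            LOG.debug("OSS Index Analyzer submitting: {}", packages);
            return client.requestComponentReports(packages);
        }
    }

    /**
     * Creates the OSS Index client from the current settings; package-private for tests.
     *
     * @return a new client
     */
    OssindexClient newOssIndexClient() {
        return OssindexClientFactory.create(getSettings());
    }

    /**
     * Adds the vulnerabilities from the cached component reports to the dependency. Must be
     * called while holding {@link #FETCH_MUTIX} with {@link #reports} populated.
     *
     * @param dependency the dependency to enrich
     */
    void enrich(Dependency dependency) {
        LOG.debug("Enrich dependency: {}", dependency);
        for (Identifier identifier : dependency.getSoftwareIdentifiers()) {
            if (!(identifier instanceof PurlIdentifier)) {
                continue;
            }
            LOG.debug("  Package: {} -> {}", identifier, identifier.getConfidence());
            final PackageUrl purl = parsePackageUrl(identifier.getValue());
            if (purl == null || StringUtils.isBlank(purl.getVersion())) {
                continue;
            }
            try {
                final ComponentReport report = reports.get(purl);
                if (report == null) {
                    LOG.debug("Missing component-report for: {}", purl);
                    continue;
                }
                identifier.setUrl(report.getReference().toString());
                report.getVulnerabilities().stream()
                        .map(reported -> transform(report, reported))
                        .forEachOrdered(vulnerability -> mergeVulnerability(dependency, vulnerability));
            } catch (Exception e) {
                // A malformed report should not abort enrichment of the remaining identifiers.
                LOG.warn("Failed to fetch component-report for: {}", purl, e);
            }
        }
    }

    /**
     * Merges a vulnerability into the dependency: if one with the same name is already present,
     * only the references are added to it; otherwise the vulnerability is attached as new.
     *
     * @param dependency the dependency being enriched
     * @param vulnerability the vulnerability produced from an OSS Index report
     */
    private static void mergeVulnerability(Dependency dependency, Vulnerability vulnerability) {
        final Vulnerability existing = dependency.getVulnerabilities().stream()
                .filter(candidate -> candidate.getName().equals(vulnerability.getName()))
                .findFirst()
                .orElse(null);
        if (existing != null) {
            existing.getReferences().addAll(vulnerability.getReferences());
        } else {
            dependency.addVulnerability(vulnerability);
        }
    }

    /**
     * Converts an OSS Index vulnerability into a dependency-check {@link Vulnerability}.
     *
     * @param report the component report the vulnerability belongs to (supplies the coordinates)
     * @param reported the vulnerability as reported by OSS Index
     * @return the converted vulnerability
     */
    private Vulnerability transform(ComponentReport report, ComponentReportVulnerability reported) {
        final Vulnerability vulnerability = new Vulnerability();
        vulnerability.setSource(Vulnerability.Source.OSSINDEX);
        vulnerability.setName(resolveName(reported));
        vulnerability.setDescription(reported.getDescription());
        vulnerability.addCwe(reported.getCwe());
        // OSS Index may omit the score; -1 marks "unknown" and is carried into the unscored severity.
        final float score = reported.getCvssScore() != null ? reported.getCvssScore().floatValue() : -1.0f;
        applyCvss(vulnerability, reported, score);
        // The report's own reference can be absent; skipping it keeps the remaining data intact.
        if (reported.getReference() != null) {
            vulnerability.addReference(REFERENCE_TYPE, reported.getTitle(), reported.getReference().toString());
        } else {
            LOG.debug("OSS has no reference for {}", vulnerability.getName());
        }
        reported.getExternalReferences().forEach(uri ->
                vulnerability.addReference("OSSIndex", uri.toString(), uri.toString()));
        final PackageUrl coordinates = report.getCoordinates();
        try {
            final VulnerableSoftware software = new VulnerableSoftwareBuilder()
                    .part(Part.APPLICATION)
                    .vendor(coordinates.getNamespaceAsString())
                    .product(coordinates.getName())
                    .version(coordinates.getVersion())
                    .build();
            vulnerability.addVulnerableSoftware(software);
            vulnerability.setMatchedVulnerableSoftware(software);
        } catch (CpeValidationException e) {
            LOG.warn("Unable to construct vulnerable-software for: {}", coordinates, e);
        }
        return vulnerability;
    }

    /**
     * Picks the vulnerability name: the CVE id when OSS Index provides one; otherwise a CVE id
     * found in the title, else the title itself; otherwise a CVE id found in the reference;
     * finally the OSS Index id.
     *
     * @param reported the reported vulnerability
     * @return the name to use
     */
    private static String resolveName(ComponentReportVulnerability reported) {
        if (reported.getCve() != null) {
            return reported.getCve();
        }
        String name = null;
        if (reported.getTitle() != null) {
            final Matcher titleMatcher = CVE_PATTERN.matcher(reported.getTitle());
            name = titleMatcher.find() ? titleMatcher.group() : reported.getTitle();
        }
        if (name == null && reported.getReference() != null) {
            final Matcher referenceMatcher = CVE_PATTERN.matcher(reported.getReference().toString());
            if (referenceMatcher.find()) {
                name = referenceMatcher.group();
            }
        }
        return name != null ? name : reported.getId();
    }

    /**
     * Applies the CVSS vector and score to the vulnerability, falling back to an unscored
     * severity when no vector is present or its version is not supported.
     *
     * @param vulnerability the vulnerability to update
     * @param reported the reported vulnerability carrying the vector string
     * @param score the CVSS base score, or -1 when unknown
     */
    private static void applyCvss(Vulnerability vulnerability, ComponentReportVulnerability reported, float score) {
        if (reported.getCvssVector() == null) {
            LOG.debug("OSS has no vector for {}", vulnerability.getName());
            vulnerability.setUnscoredSeverity(Float.toString(score));
            return;
        }
        final CvssVector vector = CvssVectorFactory.create(reported.getCvssVector());
        final Map<String, String> metrics = vector.getMetrics();
        if (vector instanceof Cvss2Vector) {
            vulnerability.setCvssV2(new CvssV2(score,
                    metrics.get("AV"), metrics.get("AC"), metrics.get("Au"),
                    metrics.get("C"), metrics.get("I"), metrics.get("A"),
                    Cvss2Severity.of(score).name()));
        } else if (vector instanceof Cvss3Vector) {
            vulnerability.setCvssV3(new CvssV3(
                    metrics.get("AV"), metrics.get("AC"), metrics.get("PR"), metrics.get("UI"),
                    metrics.get("S"), metrics.get("C"), metrics.get("I"), metrics.get("A"),
                    score, Cvss3Severity.of(score).name()));
        } else {
            LOG.warn("Unsupported CVSS vector: {}", vector);
            vulnerability.setUnscoredSeverity(Float.toString(score));
        }
    }
}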
