package org.owasp.dependencycheck.data.nvdcve;

import edu.umd.cs.findbugs.annotations.SuppressWarnings;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Types;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.cli.HelpFormatter;
import org.h2.engine.Constants;
import org.owasp.dependencycheck.data.cwe.CweDB;
import org.owasp.dependencycheck.dependency.Reference;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.DependencyVersionUtil;
import org.owasp.dependencycheck.utils.Settings;

/* loaded from: input_file:WEB-INF/lib/dependency-check-core-1.0.3.jar:org/owasp/dependencycheck/data/nvdcve/CveDB.class */
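/**
 * Data-access object for the local H2 database that holds the NVD CVE data
 * (vulnerabilities, their references, and the CPE entries they apply to).
 *
 * <p>Every query in this class is a {@link PreparedStatement} with bound
 * parameters; no SQL text is assembled from caller-supplied values. The one
 * exception is {@link #createTables()}, which executes the bundled schema
 * script as a single statement.
 *
 * <p>The contents of this database decide which CVEs are reported for a
 * dependency, so its integrity matters: anyone able to modify the database
 * file (or connect to it, see {@link #open()}) can add or suppress findings.
 *
 * <p>The class performs no synchronization of its own; all methods use the
 * single {@link Connection} held in {@code conn}.
 */
public class CveDB {
    /** Classpath resource holding the SQL script that creates the schema. */
    public static final String DB_STRUCTURE_RESOURCE = "data/initialize.sql";
    /** Schema version; also used as the suffix of the database file name. */
    public static final String DB_SCHEMA_VERSION = "2.6";
    public static final String DELETE_REFERENCE = "DELETE FROM reference WHERE cveid = ?";
    public static final String DELETE_SOFTWARE = "DELETE FROM software WHERE cveid = ?";
    public static final String DELETE_VULNERABILITY = "DELETE FROM vulnerability WHERE cve = ?";
    public static final String CLEANUP_ORPHANS = "DELETE FROM CpeEntry WHERE id not in (SELECT CPEEntryId FROM Software); ";
    public static final String INSERT_REFERENCE = "INSERT INTO reference (cveid, name, url, source) VALUES (?, ?, ?, ?)";
    public static final String INSERT_SOFTWARE = "INSERT INTO software (cveid, cpeEntryId, previousVersion) VALUES (?, ?, ?)";
    public static final String INSERT_CPE = "INSERT INTO cpeEntry (cpe, vendor, product) VALUES (?, ?, ?)";
    public static final String SELECT_CPE_ID = "SELECT id FROM cpeEntry WHERE cpe = ?";
    public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cve, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
    public static final String UPDATE_VULNERABILITY = "UPDATE vulnerability SET description=?, cwe=?, cvssScore=?, cvssAccessVector=?, cvssAccessComplexity=?, cvssAuthentication=?, cvssConfidentialityImpact=?, cvssIntegrityImpact=?, cvssAvailabilityImpact=? WHERE id=?";
    public static final String SELECT_CVE_FROM_SOFTWARE = "SELECT cve, cpe, previousVersion FROM software INNER JOIN vulnerability ON vulnerability.id = software.cveId INNER JOIN cpeEntry ON cpeEntry.id = software.cpeEntryId WHERE vendor = ? AND product = ?";
    public static final String SELECT_CPE_ENTRIES = "SELECT cpe FROM cpeEntry WHERE vendor = ? AND product = ?";
    public static final String SELECT_REFERENCE = "SELECT source, name, url FROM reference WHERE cveid = ?";
    public static final String SELECT_SOFTWARE = "SELECT cpe, previousVersion FROM software INNER JOIN cpeEntry ON software.cpeEntryId = cpeEntry.id WHERE cveid = ?";
    public static final String SELECT_VULNERABILITY = "SELECT id, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cve = ?";
    public static final String SELECT_VULNERABILITY_ID = "SELECT id FROM vulnerability WHERE cve = ?";

    /** Shared logger; the original looked the same logger up on every call. */
    private static final Logger LOGGER = Logger.getLogger(CveDB.class.getName());

    /**
     * Version string that stands for "no version". The decompiled source
     * borrowed an unrelated commons-cli constant with the same value ("-").
     */
    private static final String NO_VERSION = "-";

    /** The open database connection, or {@code null} when closed. */
    private Connection conn;

    /**
     * Opens (and, when the H2 page file does not exist yet, initializes) the
     * CVE database inside the configured data directory.
     *
     * <p>Security notes for reviewers:
     * <ul>
     *   <li>The connection uses the user {@code sa} with an empty password, and
     *       the URL enables {@code AUTO_SERVER=TRUE}, H2's automatic mixed mode,
     *       in which the first process to open the file also serves it to other
     *       processes over TCP. NOTE(review): confirm that listener is not
     *       reachable from untrusted hosts and that the data directory is only
     *       writable by the account running the scan.</li>
     *   <li>The absolute path is placed into the JDBC URL unescaped. H2 treats
     *       {@code ;} as a settings separator, so a data directory whose path
     *       contains {@code ;} would be read as extra connection settings.
     *       NOTE(review): confirm {@code CVE_DATA_DIRECTORY} only comes from
     *       trusted configuration.</li>
     * </ul>
     *
     * @throws IOException if the data directory cannot be resolved or created
     * @throws SQLException if the connection cannot be established or the
     *         schema script fails
     * @throws DatabaseException if the schema script cannot be read
     * @throws ClassNotFoundException if the H2 driver is not on the classpath
     */
    @SuppressWarnings(value = {"DMI_EMPTY_DB_PASSWORD"}, justification = "Yes, I know... Blank password.")
    public void open() throws IOException, SQLException, DatabaseException, ClassNotFoundException {
        final File dbFile = new File(getDataDirectory().getCanonicalPath(), "cve." + DB_SCHEMA_VERSION);
        final File pageFile = new File(dbFile.getAbsolutePath() + Constants.SUFFIX_PAGE_FILE);
        // Decide before connecting: H2 creates the page file on first connect.
        final boolean needsSchema = !pageFile.exists();
        final String connectionUrl = String.format("jdbc:h2:file:%s;AUTO_SERVER=TRUE", dbFile.getAbsolutePath());
        Class.forName("org.h2.Driver");
        this.conn = DriverManager.getConnection(connectionUrl, "sa", "");
        if (needsSchema) {
            createTables();
        }
    }

    /**
     * Commits the current transaction; does nothing when the database is closed.
     *
     * @throws SQLException if the commit fails
     */
    public void commit() throws SQLException {
        if (this.conn != null) {
            this.conn.commit();
        }
    }

    /**
     * Last-resort cleanup that closes the connection if the owner forgot to.
     * Callers should still call {@link #close()} explicitly.
     *
     * @throws Throwable as declared by {@link Object#finalize()}
     */
    @Override
    protected void finalize() throws Throwable {
        try {
            close();
        } finally {
            // Run the superclass finalizer even if close() fails unexpectedly.
            super.finalize();
        }
    }

    /**
     * Closes the connection if it is open. Failures are logged, never thrown,
     * and the connection reference is cleared either way.
     */
    public void close() {
        if (this.conn != null) {
            try {
                this.conn.close();
            } catch (SQLException e) {
                LOGGER.log(Level.SEVERE, "There was an error attempting to close the CveDB, see the log for more details.", (Throwable) e);
                LOGGER.log(Level.FINE, (String) null, (Throwable) e);
            }
            this.conn = null;
        }
    }

    /**
     * Looks up the CPE entries recorded for a vendor/product pair.
     *
     * @param str the vendor name to match
     * @param str2 the product name to match
     * @return the matching entries (only their CPE name is populated); the set
     *         holds whatever was read before an error when the query fails,
     *         because a {@link SQLException} is logged rather than thrown
     */
    public Set<VulnerableSoftware> getCPEs(String str, String str2) {
        final Set<VulnerableSoftware> cpes = new HashSet<VulnerableSoftware>();
        ResultSet rs = null;
        PreparedStatement ps = null;
        try {
            ps = this.conn.prepareStatement(SELECT_CPE_ENTRIES);
            ps.setString(1, str);
            ps.setString(2, str2);
            rs = ps.executeQuery();
            while (rs.next()) {
                final VulnerableSoftware cpe = new VulnerableSoftware();
                cpe.setCpe(rs.getString(1));
                cpes.add(cpe);
            }
        } catch (SQLException e) {
            // NOTE(review): a failed lookup is indistinguishable from "no CPEs"
            // for the caller, which for a scanner means a silent false negative.
            LOGGER.log(Level.SEVERE, (String) null, (Throwable) e);
        } finally {
            closeResultSet(rs);
            closeStatement(ps);
        }
        return cpes;
    }

    /**
     * Returns the vulnerabilities that apply to the given CPE name.
     *
     * <p>The CPE is parsed into vendor, product and version; every CVE linked
     * to that vendor/product is then filtered through
     * {@code isAffected(...)} before the full record is loaded.
     *
     * @param str the CPE name of the dependency being checked
     * @return one entry per matching CVE; an entry is whatever
     *         {@code getVulnerability} returns for that CVE name
     * @throws DatabaseException if the lookup query fails
     */
    public List<Vulnerability> getVulnerabilities(String str) throws DatabaseException {
        final VulnerableSoftware cpe = new VulnerableSoftware();
        try {
            cpe.parseName(str);
        } catch (UnsupportedEncodingException e) {
            // Best effort: the lookup continues with whatever was parsed.
            LOGGER.log(Level.FINEST, (String) null, (Throwable) e);
        }
        final DependencyVersion detectedVersion = parseDependencyVersion(cpe);

        final Set<String> cveNames = new HashSet<String>();
        ResultSet rs = null;
        PreparedStatement ps = null;
        try {
            ps = this.conn.prepareStatement(SELECT_CVE_FROM_SOFTWARE);
            ps.setString(1, cpe.getVendor());
            ps.setString(2, cpe.getProduct());
            rs = ps.executeQuery();
            while (rs.next()) {
                final String cveName = rs.getString(1);
                final String cpeName = rs.getString(2);
                final String previousVersion = rs.getString(3);
                if (!cveNames.contains(cveName)
                        && isAffected(cpe.getVendor(), cpe.getProduct(), detectedVersion, cpeName, previousVersion)) {
                    cveNames.add(cveName);
                }
            }
        } catch (SQLException e) {
            throw new DatabaseException("Exception retrieving vulnerability for " + str, e);
        } finally {
            // The statement used to be left open when the query failed.
            closeResultSet(rs);
            closeStatement(ps);
        }

        final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
        for (String cveName : cveNames) {
            vulnerabilities.add(getVulnerability(cveName));
        }
        return vulnerabilities;
    }

    /**
     * Loads one vulnerability with its references and vulnerable software.
     *
     * @param str the CVE name
     * @return the populated vulnerability, or {@code null} when no row exists
     *         for that name
     * @throws DatabaseException if any of the three queries fails
     */
    private Vulnerability getVulnerability(String str) throws DatabaseException {
        PreparedStatement selectVulnerability = null;
        PreparedStatement selectReferences = null;
        PreparedStatement selectSoftware = null;
        ResultSet vulnerabilityRows = null;
        ResultSet referenceRows = null;
        ResultSet softwareRows = null;
        Vulnerability vulnerability = null;
        try {
            selectVulnerability = this.conn.prepareStatement(SELECT_VULNERABILITY);
            selectVulnerability.setString(1, str);
            vulnerabilityRows = selectVulnerability.executeQuery();
            if (vulnerabilityRows.next()) {
                vulnerability = new Vulnerability();
                vulnerability.setName(str);
                vulnerability.setDescription(vulnerabilityRows.getString(2));

                // Append the human-readable CWE name when the id is known.
                String cwe = vulnerabilityRows.getString(3);
                if (cwe != null) {
                    final String cweName = CweDB.getCweName(cwe);
                    if (cweName != null) {
                        cwe = cwe + " " + cweName;
                    }
                }
                final int vulnerabilityId = vulnerabilityRows.getInt(1);
                vulnerability.setCwe(cwe);
                vulnerability.setCvssScore(vulnerabilityRows.getFloat(4));
                vulnerability.setCvssAccessVector(vulnerabilityRows.getString(5));
                vulnerability.setCvssAccessComplexity(vulnerabilityRows.getString(6));
                vulnerability.setCvssAuthentication(vulnerabilityRows.getString(7));
                vulnerability.setCvssConfidentialityImpact(vulnerabilityRows.getString(8));
                vulnerability.setCvssIntegrityImpact(vulnerabilityRows.getString(9));
                vulnerability.setCvssAvailabilityImpact(vulnerabilityRows.getString(10));

                selectReferences = this.conn.prepareStatement(SELECT_REFERENCE);
                selectReferences.setInt(1, vulnerabilityId);
                referenceRows = selectReferences.executeQuery();
                while (referenceRows.next()) {
                    vulnerability.addReference(referenceRows.getString(1), referenceRows.getString(2), referenceRows.getString(3));
                }

                selectSoftware = this.conn.prepareStatement(SELECT_SOFTWARE);
                selectSoftware.setInt(1, vulnerabilityId);
                softwareRows = selectSoftware.executeQuery();
                while (softwareRows.next()) {
                    final String cpeName = softwareRows.getString(1);
                    final String previousVersion = softwareRows.getString(2);
                    if (previousVersion == null) {
                        vulnerability.addVulnerableSoftware(cpeName);
                    } else {
                        vulnerability.addVulnerableSoftware(cpeName, previousVersion);
                    }
                }
            }
            return vulnerability;
        } catch (SQLException e) {
            throw new DatabaseException("Error retrieving " + str, e);
        } finally {
            closeResultSet(vulnerabilityRows);
            closeResultSet(referenceRows);
            closeResultSet(softwareRows);
            closeStatement(selectVulnerability);
            closeStatement(selectReferences);
            closeStatement(selectSoftware);
        }
    }

    /**
     * Inserts the vulnerability, or replaces the stored copy when a row with
     * the same CVE name already exists.
     *
     * <p>For an existing row the references and software links are deleted and
     * rewritten. NOTE(review): this class never sets the connection's
     * auto-commit mode, so whether the delete-and-reinsert sequence is atomic
     * depends on how the caller uses {@link #commit()} - confirm.
     *
     * <p>The decompiled original closed nine {@code null} placeholders on the
     * failure path ("Finally extract failed"), leaking every prepared statement
     * whenever an update failed; all statements are now closed in one
     * {@code finally} block.
     *
     * @param vulnerability the vulnerability to store
     * @throws DatabaseException if any statement fails or a generated key
     *         cannot be read
     */
    public void updateVulnerability(Vulnerability vulnerability) throws DatabaseException {
        PreparedStatement selectVulnerabilityId = null;
        PreparedStatement deleteReferences = null;
        PreparedStatement deleteSoftware = null;
        PreparedStatement updateVulnerability = null;
        PreparedStatement insertVulnerability = null;
        PreparedStatement insertReference = null;
        PreparedStatement selectCpeId = null;
        PreparedStatement insertCpe = null;
        PreparedStatement insertSoftware = null;
        try {
            selectVulnerabilityId = this.conn.prepareStatement(SELECT_VULNERABILITY_ID);
            deleteReferences = this.conn.prepareStatement(DELETE_REFERENCE);
            deleteSoftware = this.conn.prepareStatement(DELETE_SOFTWARE);
            updateVulnerability = this.conn.prepareStatement(UPDATE_VULNERABILITY);
            insertVulnerability = this.conn.prepareStatement(INSERT_VULNERABILITY, Statement.RETURN_GENERATED_KEYS);
            insertReference = this.conn.prepareStatement(INSERT_REFERENCE);
            selectCpeId = this.conn.prepareStatement(SELECT_CPE_ID);
            insertCpe = this.conn.prepareStatement(INSERT_CPE, Statement.RETURN_GENERATED_KEYS);
            insertSoftware = this.conn.prepareStatement(INSERT_SOFTWARE);

            // An id of 0 means "not stored yet".
            int vulnerabilityId = 0;
            selectVulnerabilityId.setString(1, vulnerability.getName());
            final ResultSet existing = selectVulnerabilityId.executeQuery();
            try {
                if (existing.next()) {
                    vulnerabilityId = existing.getInt(1);
                    deleteReferences.setInt(1, vulnerabilityId);
                    deleteReferences.execute();
                    deleteSoftware.setInt(1, vulnerabilityId);
                    deleteSoftware.execute();
                }
            } finally {
                closeResultSet(existing);
            }

            if (vulnerabilityId != 0) {
                updateVulnerability.setString(1, vulnerability.getDescription());
                updateVulnerability.setString(2, vulnerability.getCwe());
                updateVulnerability.setFloat(3, vulnerability.getCvssScore());
                updateVulnerability.setString(4, vulnerability.getCvssAccessVector());
                updateVulnerability.setString(5, vulnerability.getCvssAccessComplexity());
                updateVulnerability.setString(6, vulnerability.getCvssAuthentication());
                updateVulnerability.setString(7, vulnerability.getCvssConfidentialityImpact());
                updateVulnerability.setString(8, vulnerability.getCvssIntegrityImpact());
                updateVulnerability.setString(9, vulnerability.getCvssAvailabilityImpact());
                updateVulnerability.setInt(10, vulnerabilityId);
                updateVulnerability.executeUpdate();
            } else {
                insertVulnerability.setString(1, vulnerability.getName());
                insertVulnerability.setString(2, vulnerability.getDescription());
                insertVulnerability.setString(3, vulnerability.getCwe());
                insertVulnerability.setFloat(4, vulnerability.getCvssScore());
                insertVulnerability.setString(5, vulnerability.getCvssAccessVector());
                insertVulnerability.setString(6, vulnerability.getCvssAccessComplexity());
                insertVulnerability.setString(7, vulnerability.getCvssAuthentication());
                insertVulnerability.setString(8, vulnerability.getCvssConfidentialityImpact());
                insertVulnerability.setString(9, vulnerability.getCvssIntegrityImpact());
                insertVulnerability.setString(10, vulnerability.getCvssAvailabilityImpact());
                insertVulnerability.execute();
                ResultSet generatedKeys = null;
                try {
                    generatedKeys = insertVulnerability.getGeneratedKeys();
                    generatedKeys.next();
                    vulnerabilityId = generatedKeys.getInt(1);
                } catch (SQLException e) {
                    throw new DatabaseException(String.format("Unable to retrieve id for new vulnerability for '%s'", vulnerability.getName()), e);
                } finally {
                    // The original closed a null placeholder here instead.
                    closeResultSet(generatedKeys);
                }
            }

            insertReference.setInt(1, vulnerabilityId);
            for (Reference reference : vulnerability.getReferences()) {
                insertReference.setString(2, reference.getName());
                insertReference.setString(3, reference.getUrl());
                insertReference.setString(4, reference.getSource());
                insertReference.execute();
            }

            for (VulnerableSoftware software : vulnerability.getVulnerableSoftware()) {
                selectCpeId.setString(1, software.getName());
                ResultSet cpeRows = null;
                try {
                    cpeRows = selectCpeId.executeQuery();
                    int cpeEntryId = cpeRows.next() ? cpeRows.getInt(1) : 0;
                    closeResultSet(cpeRows);
                    cpeRows = null;
                    if (cpeEntryId == 0) {
                        // Unknown CPE: create the entry and use its new key.
                        insertCpe.setString(1, software.getName());
                        insertCpe.setString(2, software.getVendor());
                        insertCpe.setString(3, software.getProduct());
                        insertCpe.executeUpdate();
                        cpeEntryId = getGeneratedKey(insertCpe);
                    }
                    if (cpeEntryId == 0) {
                        throw new DatabaseException("Unable to retrieve cpeProductId - no data returned");
                    }
                    insertSoftware.setInt(1, vulnerabilityId);
                    insertSoftware.setInt(2, cpeEntryId);
                    if (software.getPreviousVersion() == null) {
                        insertSoftware.setNull(3, Types.VARCHAR);
                    } else {
                        insertSoftware.setString(3, software.getPreviousVersion());
                    }
                    insertSoftware.execute();
                } catch (SQLException e) {
                    throw new DatabaseException("Unable to get primary key for new cpe: " + software.getName(), e);
                } finally {
                    closeResultSet(cpeRows);
                }
            }
        } catch (SQLException e) {
            final String message = String.format("Error updating '%s'", vulnerability.getName());
            LOGGER.log(Level.FINE, (String) null, (Throwable) e);
            throw new DatabaseException(message, e);
        } finally {
            closeStatement(selectVulnerabilityId);
            closeStatement(deleteReferences);
            closeStatement(deleteSoftware);
            closeStatement(updateVulnerability);
            closeStatement(insertVulnerability);
            closeStatement(insertReference);
            closeStatement(selectCpeId);
            closeStatement(insertCpe);
            closeStatement(insertSoftware);
        }
    }

    /**
     * Returns the directory that holds the CVE database, creating it if needed.
     *
     * <p>NOTE(review): the directory is created with the process's default
     * permissions, and an existing path is returned without checking that it
     * is a directory. Because the database determines scan results, confirm
     * that only the scanning account can write to this location.
     *
     * @return the configured data directory
     * @throws IOException if the directory does not exist and cannot be created
     */
    public static File getDataDirectory() throws IOException {
        final File dataDirectory = Settings.getFile(Settings.KEYS.CVE_DATA_DIRECTORY);
        if (dataDirectory.exists() || dataDirectory.mkdirs()) {
            return dataDirectory;
        }
        throw new IOException("Unable to create NVD CVE Data directory");
    }

    /**
     * Deletes CPE entries that no software row references any more. A failure
     * is logged and otherwise ignored.
     */
    public void cleanupDatabase() {
        PreparedStatement ps = null;
        try {
            ps = this.conn.prepareStatement(CLEANUP_ORPHANS);
            ps.executeUpdate();
        } catch (SQLException e) {
            LOGGER.log(Level.SEVERE, (String) null, (Throwable) e);
        } finally {
            closeStatement(ps);
        }
    }

    /**
     * Creates the schema by executing the bundled
     * {@link #DB_STRUCTURE_RESOURCE} script as one statement.
     *
     * <p>NOTE(review): the script's lines are concatenated without a
     * separator, exactly as before. A {@code --} line comment or a line break
     * between two tokens in the script would therefore change what is
     * executed - verify against the resource before editing it.
     *
     * @throws SQLException if executing the script fails
     * @throws DatabaseException if the script is missing or cannot be read
     */
    protected void createTables() throws SQLException, DatabaseException {
        final InputStream schemaStream = getClass().getClassLoader().getResourceAsStream(DB_STRUCTURE_RESOURCE);
        if (schemaStream == null) {
            // Previously this surfaced as a NullPointerException from the reader.
            throw new DatabaseException("Unable to create database schema: resource '" + DB_STRUCTURE_RESOURCE + "' was not found");
        }
        BufferedReader reader = null;
        try {
            reader = new BufferedReader(new InputStreamReader(schemaStream, "UTF-8"));
            final StringBuilder script = new StringBuilder(2110);
            String line = reader.readLine();
            while (line != null) {
                script.append(line);
                line = reader.readLine();
            }
            Statement statement = null;
            try {
                statement = this.conn.createStatement();
                statement.execute(script.toString());
            } finally {
                closeStatement(statement);
            }
        } catch (IOException e) {
            throw new DatabaseException("Unable to create database schema", e);
        } finally {
            // Close on every path; the decompiled original skipped this on failure.
            try {
                if (reader != null) {
                    reader.close();
                } else {
                    schemaStream.close();
                }
            } catch (IOException e) {
                LOGGER.log(Level.FINEST, (String) null, (Throwable) e);
            }
        }
    }

    /**
     * Closes a statement, logging (not throwing) any failure.
     *
     * @param statement the statement to close; {@code null} is ignored
     */
    private void closeStatement(Statement statement) {
        if (statement != null) {
            try {
                statement.close();
            } catch (SQLException e) {
                LOGGER.log(Level.FINEST, statement.toString(), (Throwable) e);
            }
        }
    }

    /**
     * Closes a result set, logging (not throwing) any failure.
     *
     * @param resultSet the result set to close; {@code null} is ignored
     */
    private void closeResultSet(ResultSet resultSet) {
        if (resultSet != null) {
            try {
                resultSet.close();
            } catch (SQLException e) {
                LOGGER.log(Level.FINEST, resultSet.toString(), (Throwable) e);
            }
        }
    }

    /**
     * Reads the key generated by the statement's most recent insert.
     *
     * @param preparedStatement a statement prepared with
     *        {@link Statement#RETURN_GENERATED_KEYS} that has just been executed
     * @return the first generated key
     * @throws DatabaseException if no key is available or it cannot be read
     */
    private int getGeneratedKey(PreparedStatement preparedStatement) throws DatabaseException {
        ResultSet keys = null;
        try {
            keys = preparedStatement.getGeneratedKeys();
            if (!keys.next()) {
                throw new DatabaseException("Unable to get primary key for inserted row");
            }
            return keys.getInt(1);
        } catch (SQLException e) {
            // Keep the cause; the original dropped it, hiding the driver error.
            throw new DatabaseException("Unable to get primary key for inserted row", e);
        } finally {
            closeResultSet(keys);
        }
    }

    /**
     * Decides whether a stored CPE entry applies to the detected version.
     *
     * <p>Rules, as implemented:
     * <ul>
     *   <li>No detected version: affected only when the CPE entry has no
     *       version either.</li>
     *   <li>Otherwise: affected when the versions are equal, or when the entry
     *       is flagged "and previous versions" and the detected version is
     *       lower.</li>
     *   <li>For apache/struts the first version part must also match.</li>
     * </ul>
     *
     * <p>This is the filter that decides whether a CVE is reported, so a wrong
     * {@code false} hides a finding. NOTE(review): {@code cpeVersion} is
     * null-checked in the first branch but passed to {@code compareTo} unguarded
     * in the second - confirm how {@code DependencyVersion.compareTo} treats
     * {@code null}.
     *
     * @param vendor the vendor of the dependency
     * @param product the product of the dependency
     * @param detectedVersion the version parsed from the dependency's CPE
     * @param cpeName the CPE name stored for the vulnerability
     * @param previousVersion non-empty when earlier versions are affected too
     * @return {@code true} if the dependency is affected
     */
    private boolean isAffected(String vendor, String product, DependencyVersion detectedVersion, String cpeName, String previousVersion) {
        final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
        final DependencyVersion cpeVersion = parseDependencyVersion(cpeName);
        final boolean includesPreviousVersions = previousVersion != null && !previousVersion.isEmpty();

        if (detectedVersion == null || NO_VERSION.equals(detectedVersion.toString())) {
            return cpeVersion == null || NO_VERSION.equals(cpeVersion.toString());
        }
        if (detectedVersion.equals(cpeVersion)
                || (includesPreviousVersions && detectedVersion.compareTo(cpeVersion) < 0)) {
            if (!isStruts) {
                return true;
            }
            return detectedVersion.getVersionParts().get(0).equals(cpeVersion.getVersionParts().get(0));
        }
        return false;
    }

    /**
     * Parses a CPE name and extracts its version.
     *
     * @param str the CPE name
     * @return the parsed version; see
     *         {@link #parseDependencyVersion(VulnerableSoftware)}
     */
    private DependencyVersion parseDependencyVersion(String str) {
        final VulnerableSoftware cpe = new VulnerableSoftware();
        try {
            cpe.parseName(str);
        } catch (UnsupportedEncodingException e) {
            // Best effort: fall through with whatever was parsed.
            LOGGER.log(Level.FINEST, (String) null, (Throwable) e);
        }
        return parseDependencyVersion(cpe);
    }

    /**
     * Builds the version of a CPE entry from its version and revision.
     *
     * @param vulnerableSoftware the parsed CPE entry
     * @return a version of {@code "-"} when the entry has no version;
     *         otherwise the result of parsing {@code version} or
     *         {@code version.revision}
     */
    private DependencyVersion parseDependencyVersion(VulnerableSoftware vulnerableSoftware) {
        final String version = vulnerableSoftware.getVersion();
        if (version == null || version.length() <= 0) {
            return new DependencyVersion(NO_VERSION);
        }
        final String revision = vulnerableSoftware.getRevision();
        final String fullVersion = (revision == null || revision.length() <= 0)
                ? version
                : String.format("%s.%s", version, revision);
        return DependencyVersionUtil.parseVersion(fullVersion);
    }
}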
