package org.owasp.dependencycheck.analyzer;

import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.util.Arrays;
import java.util.HashSet;
import javax.annotation.concurrent.ThreadSafe;
import javax.json.Json;
import javax.json.JsonException;
import javax.json.JsonReader;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.analyzer.exception.SearchException;
import org.owasp.dependencycheck.data.nodeaudit.Advisory;
import org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch;
import org.owasp.dependencycheck.data.nodeaudit.SanitizePackage;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

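@ThreadSafe
/* loaded from: input_file:WEB-INF/lib/dependency-check-core-4.0.1.jar:org/owasp/dependencycheck/analyzer/NodeAuditAnalyzer.class */
/**
 * Analyzer that submits an npm lock file ({@code package-lock.json} or
 * {@code npm-shrinkwrap.json}) to the NPM Audit API and turns each returned
 * advisory into a {@link Vulnerability} on the matching {@link Dependency}.
 *
 * <p>Failure modes: a malformed audit URL disables the analyzer during
 * preparation; a connection or read failure during analysis disables it and
 * raises an {@link AnalysisException}, so the report may then miss findings
 * (false negatives) rather than fail outright.
 */
public class NodeAuditAnalyzer extends AbstractNpmAnalyzer {

    /** Default URL of the NPM Audit API endpoint. */
    public static final String DEFAULT_URL = "https://registry.npmjs.org/-/npm/v1/security/audits";
    /** Ecosystem label for the npm dependencies handled by this analyzer. */
    public static final String DEPENDENCY_ECOSYSTEM = "npm";
    /** File name of the npm lock file consumed by this analyzer. */
    public static final String PACKAGE_LOCK_JSON = "package-lock.json";
    /** File name of the npm shrinkwrap file consumed by this analyzer. */
    public static final String SHRINKWRAP_JSON = "npm-shrinkwrap.json";

    private static final Logger LOGGER = LoggerFactory.getLogger(NodeAuditAnalyzer.class);

    /**
     * Accepts only the two lock-file names above. Built from the constants rather
     * than repeated literals so the filter cannot drift from the public names.
     */
    private static final FileFilter PACKAGE_JSON_FILTER =
            FileFilterBuilder.newInstance().addFilenames(PACKAGE_LOCK_JSON, SHRINKWRAP_JSON).build();

    /**
     * Client used to query the NPM Audit API. Assigned once in
     * {@link #prepareFileTypeAnalyzer(Engine)} and read by
     * {@link #analyzeDependency(Dependency, Engine)}; the {@code @ThreadSafe}
     * contract presumes preparation completes before any analysis starts, which
     * is not enforced in this class.
     */
    private NodeAuditSearch searcher;

    /**
     * Returns the filter selecting the lock files this analyzer processes.
     *
     * @return a filter accepting {@code package-lock.json} and {@code npm-shrinkwrap.json}
     */
    @Override // org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer
    protected FileFilter getFileFilter() {
        return PACKAGE_JSON_FILTER;
    }

    /**
     * Creates the audit API client and warns when the Node Package Analyzer is
     * turned off, since the report would then hold only vulnerable packages and
     * not a full bill of materials.
     *
     * @param engine the engine whose settings are consulted
     * @throws InitializationException if the configured audit URL is malformed
     *         (the analyzer is disabled first) or the settings cannot be read
     */
    @Override // org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer
    public void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
        LOGGER.debug("Initializing {}", getName());
        try {
            this.searcher = new NodeAuditSearch(getSettings());
            try {
                if (!engine.getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED)) {
                    LOGGER.warn("The Node Package Analyzer has been disabled; the resulting report will only  contain the known vulnerable dependency - not a bill of materials for the node project.");
                }
            } catch (InvalidSettingException e) {
                throw new InitializationException("Unable to read configuration settings", e);
            }
        } catch (MalformedURLException e2) {
            // A bad URL cannot be recovered from at runtime; disable before reporting it.
            setEnabled(false);
            throw new InitializationException("The configured URL to NPM Audit API is malformed", e2);
        }
    }

    /**
     * Returns the human-readable analyzer name.
     *
     * @return {@code "Node Audit Analyzer"}
     */
    @Override // org.owasp.dependencycheck.analyzer.Analyzer
    public String getName() {
        return "Node Audit Analyzer";
    }

    /**
     * Returns the phase in which this analyzer runs.
     *
     * @return {@link AnalysisPhase#FINDING_ANALYSIS}
     */
    @Override // org.owasp.dependencycheck.analyzer.Analyzer
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.FINDING_ANALYSIS;
    }

    /**
     * Returns the settings key that enables or disables this analyzer.
     *
     * @return {@link Settings.KEYS#ANALYZER_NODE_AUDIT_ENABLED}
     */
    @Override // org.owasp.dependencycheck.analyzer.AbstractAnalyzer
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED;
    }

    /**
     * Reads the lock file behind {@code dependency}, submits its sanitized JSON
     * to the audit API and records every returned advisory as a vulnerability
     * on the dependency it names (creating a transitive dependency when none is
     * registered with the engine).
     *
     * <p>Resource handling: the file stream and the JSON reader are both closed
     * by try-with-resources, also when {@code Json.createReader} itself fails.
     *
     * @param dependency the lock-file dependency to analyze
     * @param engine the engine holding the dependency graph
     * @throws AnalysisException if the lock file is not valid JSON, or if the
     *         audit API cannot be reached or read; in the latter two cases the
     *         analyzer is disabled first and the report may contain false negatives
     */
    @Override // org.owasp.dependencycheck.analyzer.AbstractAnalyzer
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
        // The lock file itself is not a component of the project; drop it from the
        // report when it carries no display name of its own.
        if (dependency.getDisplayFileName().equals(dependency.getFileName())) {
            engine.removeDependency(dependency);
        }
        final File actualFile = dependency.getActualFile();
        if (!actualFile.isFile() || actualFile.length() == 0 || !shouldProcess(actualFile)) {
            return;
        }
        try (InputStream in = FileUtils.openInputStream(actualFile);
             JsonReader reader = Json.createReader(in)) {
            // The lock file content leaves the machine here, after SanitizePackage.sanitize();
            // what that step strips is defined in SanitizePackage, not visible in this class —
            // review it before relying on it for anything sensitive in the lock file.
            for (Advisory advisory : this.searcher.submitPackage(SanitizePackage.sanitize(reader.readObject()))) {
                attachAdvisory(dependency, engine, advisory);
            }
        } catch (SearchException e) {
            LOGGER.error("NodeAuditAnalyzer failed on {}", dependency.getActualFilePath());
            throw e;
        } catch (JsonException e2) {
            throw new AnalysisException(String.format("Failed to parse %s file from the NPM Audit API (NodeAuditAnalyzer).", actualFile.getPath()), e2);
        } catch (URLConnectionFailureException e3) {
            setEnabled(false);
            throw new AnalysisException("Failed to connect to the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.", e3);
        } catch (IOException e4) {
            LOGGER.debug("Error reading dependency or connecting to NPM Audit API", e4);
            setEnabled(false);
            throw new AnalysisException("Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.", e4);
        }
    }

    /**
     * Attaches the vulnerability for one advisory to the dependency it names.
     * When the engine has no dependency for that module and version, a new one
     * scoped as {@code "transitive"} is created from the lock file and registered.
     *
     * @param lockFile the lock-file dependency the advisory was produced for
     * @param engine the engine holding the dependency graph
     * @param advisory the advisory returned by the audit API
     */
    private void attachAdvisory(Dependency lockFile, Engine engine, Advisory advisory) {
        final Vulnerability vulnerability = toVulnerability(advisory);
        final Dependency existing = findDependency(engine, advisory.getModuleName(), advisory.getVersion());
        if (existing != null) {
            existing.addVulnerability(vulnerability);
            return;
        }
        final Dependency created = createDependency(lockFile, advisory.getModuleName(), advisory.getVersion(), "transitive");
        created.addVulnerability(vulnerability);
        engine.addDependency(created);
    }

    /**
     * Converts an audit advisory into a report vulnerability: id as name,
     * overview as description, unscored severity, NPM as the source, one
     * reference titled {@code "Advisory <id>: <title>"}, and a single
     * vulnerable-software entry named {@code "<module>:<vulnerable versions>"}.
     *
     * @param advisory the advisory to convert
     * @return the populated vulnerability
     */
    private static Vulnerability toVulnerability(Advisory advisory) {
        final Vulnerability vulnerability = new Vulnerability();
        vulnerability.setDescription(advisory.getOverview());
        vulnerability.setName(String.valueOf(advisory.getId()));
        vulnerability.setUnscoredSeverity(advisory.getSeverity());
        vulnerability.setSource(Vulnerability.Source.NPM);
        vulnerability.addReference("NPM", "Advisory " + advisory.getId() + ": " + advisory.getTitle(), advisory.getReferences());
        final VulnerableSoftware software = new VulnerableSoftware();
        software.setName(advisory.getModuleName() + ":" + advisory.getVulnerableVersions());
        // Typed set instead of the raw HashSet the decompiled code used.
        vulnerability.setVulnerableSoftware(new HashSet<>(Arrays.asList(software)));
        return vulnerability;
    }
}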
