Making a new Analyzer
An analyzer is created by implementing the org.codesecure.dependencycheck.analyzer.Analyzer interface. Dependency-check uses the Java ServiceLoader API to load the analyzers, so after implementing the Analyzer interface the analyzer's fully qualified class name must be added to the file 'META-INF/services/org.codesecure.dependencycheck.analyzer.Analyzer'.
Considerations when building an Analyzer:
File Extensions: If you are creating an analyzer for a specific file type, the getSupportedExtensions() method should return a set of lower-case extensions. This is used by the Scanner to determine whether a file being scanned should be converted into a Dependency. If the analyzer is meant to run on all Dependencies, but should not itself cause any scanned files to be converted into Dependencies, then the getSupportedExtensions() method should return null.
The supportsExtension(String extension) method is then used by the Engine to determine if a Dependency found by the Scanner should be passed to the Analyzer in question.
Analysis Phase: This is one of the most important considerations when making an Analyzer. A description of the phases can be found on the Architecture page. In general, if you are building an Analyzer to support a new file type the analyzer would return INFORMATION_COLLECTION.
Analysis: The analysis phase is where all of the work of an Analyzer is performed. A Dependency object is passed in and the analyzer can modify the object by adding Evidence to one of the EvidenceCollections (vendor, product, version), adding an Identifier, or adding a Vulnerability.
Adding Evidence: After inspecting the file, if the Analyzer found 'evidence' that can be used later to help identify Identifiers or Vulnerabilities, it can be added to one of three collections: dependency.getVendorEvidence(), dependency.getProductEvidence(), or dependency.getVersionEvidence(). The evidence is added by calling addEvidence(String source, String name, String value, Evidence.Confidence confidence) on the EvidenceCollection. An example would be from the JarAnalyzer: if the analyzer found the package name 'org.apache....', then the analyzer might call dependency.getVendorEvidence().addEvidence("jar", "package-name", "apache", Evidence.Confidence.HIGH);
Adding an Identifier: If an identifier can be determined, such as a Common Platform Enumeration (CPE), then it can be added to the dependency by calling dependency.addIdentifier(String type, String value, String url).
Adding a Vulnerability: If an analyzer can determine a vulnerability from the evidence or identifiers, then the vulnerability can be added by calling dependency.addVulnerability(Vulnerability vuln).
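The steps above put together as an added example (not code from the dependency-check project): a hypothetical analyzer that reads Maven pom.properties files and records groupId, artifactId and version as vendor, product and version evidence. The method names getName(), getAnalysisPhase(), initialize(), close() and analyze(Dependency, Engine), the AnalysisPhase enum, the AnalysisException(String, Throwable) constructor, Dependency.getActualFilePath(), and the org.codesecure.dependencycheck.dependency package for Dependency, Evidence and EvidenceCollection are assumptions to be checked against the Analyzer interface in your checkout.

```java
package com.example.analyzer; // hypothetical package for this added example
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.Properties;
import java.util.Set;
import org.codesecure.dependencycheck.Engine;                      // assumed location
import org.codesecure.dependencycheck.analyzer.AnalysisException;  // assumed location
import org.codesecure.dependencycheck.analyzer.AnalysisPhase;      // assumed enum
import org.codesecure.dependencycheck.analyzer.Analyzer;
import org.codesecure.dependencycheck.dependency.Dependency;       // assumed location
import org.codesecure.dependencycheck.dependency.Evidence;         // assumed location
import org.codesecure.dependencycheck.dependency.EvidenceCollection; // assumed location
/** Collects vendor/product/version evidence from Maven pom.properties files.
 *  Register it by adding the line com.example.analyzer.PomPropertiesAnalyzer to
 *  META-INF/services/org.codesecure.dependencycheck.analyzer.Analyzer */
public class PomPropertiesAnalyzer implements Analyzer {
    // Lower case: the Scanner turns files with these extensions into Dependencies.
    private static final Set<String> EXTENSIONS = Collections.singleton("properties");
    public String getName() { return "pom.properties Analyzer"; }
    public Set<String> getSupportedExtensions() { return EXTENSIONS; }
    // Null-safe: the Engine asks this for every Dependency the Scanner found.
    public boolean supportsExtension(String ext) { return ext != null && EXTENSIONS.contains(ext.toLowerCase()); }
    // A new-file-type analyzer only gathers evidence, so it runs in this phase.
    public AnalysisPhase getAnalysisPhase() { return AnalysisPhase.INFORMATION_COLLECTION; }
    public void initialize() { }
    public void close() { }
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        String path = dependency.getActualFilePath(); // assumed accessor
        if (!path.toLowerCase().endsWith("pom.properties")) {
            return; // other .properties files carry no Maven coordinates
        }
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(path)) {
            props.load(in);
        } catch (IOException e) {
            throw new AnalysisException("Unable to read " + path, e);
        }
        // groupId names the vendor, artifactId the product; both are exact, so HIGH confidence.
        add(dependency.getVendorEvidence(), props, "groupId");
        add(dependency.getProductEvidence(), props, "artifactId");
        add(dependency.getVersionEvidence(), props, "version");
    }
    private static void add(EvidenceCollection target, Properties props, String key) {
        String value = props.getProperty(key);
        if (value != null) target.addEvidence("pom.properties", key, value, Evidence.Confidence.HIGH);
    }
}
```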