package org.owasp.dependencycheck.analyzer;

import com.sonatype.clm.dto.model.component.ComponentDisplayNameUtil;
import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import javax.annotation.concurrent.ThreadSafe;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.json.JsonObjectBuilder;
import javax.json.JsonReader;
import javax.json.JsonString;
import javax.json.JsonValue;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.nsp.Advisory;
import org.owasp.dependencycheck.data.nsp.NspSearch;
import org.owasp.dependencycheck.data.nsp.SanitizePackage;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceType;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
import org.owasp.dependencycheck.xml.pom.PomHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

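/**
 * Analyzes {@code package.json} manifests against the Node Security Platform (NSP)
 * "check" API.
 *
 * <p>For every top-level {@code package.json} (manifests below a {@code node_modules}
 * directory are skipped) the analyzer:
 * <ul>
 *   <li>sends the manifest, after {@link SanitizePackage}, to the configured NSP
 *       endpoint and records each returned {@link Advisory} as a {@link Vulnerability}
 *       with source {@link Vulnerability.Source#NSP};</li>
 *   <li>adds product/vendor/version evidence from {@code name}, {@code description},
 *       {@code author} and {@code version};</li>
 *   <li>registers every entry of the dependency sections as a virtual related
 *       {@link Dependency} carrying npm Module/Version/Scope identifiers;</li>
 *   <li>copies the {@code license} field.</li>
 * </ul>
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>The manifest is transmitted to a remote service. What exactly leaves the host is
 *       decided by {@code SanitizePackage} (not visible here) — confirm that private
 *       registry URLs, {@code scripts} and similar fields are stripped before shipping.</li>
 *   <li>The endpoint is read from {@link Settings}; {@link #DEFAULT_URL} is HTTPS and any
 *       override should stay HTTPS, because the response is turned directly into findings.</li>
 *   <li>A connection or I/O failure disables this analyzer for the rest of the scan
 *       (fail-open: later manifests get no NSP findings). The first failure is surfaced
 *       as an {@link AnalysisException}, so it is not silent — but do watch for it.</li>
 *   <li>NOTE(review): the NSP service was merged into npm audit in 2018; confirm the
 *       configured URL is still served before relying on this analyzer.</li>
 * </ul>
 */
@ThreadSafe
public class NspAnalyzer extends AbstractFileTypeAnalyzer {

    /** Default NSP check endpoint, used unless overridden through {@link Settings}. */
    public static final String DEFAULT_URL = "https://api.nodesecurity.io/check";
    /** File name handled by this analyzer; also used as the evidence source label. */
    private static final String PACKAGE_JSON = "package.json";
    private static final Logger LOGGER = LoggerFactory.getLogger(NspAnalyzer.class);
    private static final FileFilter PACKAGE_JSON_FILTER =
            FileFilterBuilder.newInstance().addFilenames(PACKAGE_JSON).build();
    /** Dependency sections whose value is an object of {@code name: versionRange}. */
    private static final String[] OBJECT_SECTIONS = {
        "dependencies", "devDependencies", "optionalDependencies", "peerDependencies"
    };
    /** Dependency sections whose value is an array of bare package names. */
    private static final String[] ARRAY_SECTIONS = {"bundleDependencies", "bundledDependencies"};
    /** NSP API client; created in {@link #prepareFileTypeAnalyzer(Engine)}. */
    private NspSearch searcher;

    /** @return the filter that accepts {@code package.json} files only */
    @Override
    protected FileFilter getFileFilter() {
        return PACKAGE_JSON_FILTER;
    }

    /**
     * Builds the {@link NspSearch} client from the engine settings.
     *
     * @param engine the engine running the analysis (unused)
     * @throws InitializationException if the configured NSP URL is malformed; the
     *         analyzer is disabled before the exception is thrown
     */
    @Override
    public void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
        LOGGER.debug("Initializing {}", getName());
        try {
            this.searcher = new NspSearch(getSettings());
        } catch (MalformedURLException e) {
            setEnabled(false);
            throw new InitializationException("The configured URL to Node Security Platform is malformed", e);
        }
    }

    /** @return the human-readable analyzer name */
    @Override
    public String getName() {
        return "Node Security Platform Analyzer";
    }

    /** @return the phase in which this analyzer runs */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.FINDING_ANALYSIS;
    }

    /** @return the settings key that enables or disables this analyzer */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED;
    }

    /**
     * Reads one {@code package.json}, queries NSP for it and enriches the dependency
     * with vulnerabilities, evidence, license and related dependencies.
     *
     * @param dependency the dependency whose actual file is the manifest
     * @param engine the engine running the analysis (unused)
     * @throws AnalysisException if the manifest cannot be read or parsed, or the NSP
     *         service cannot be reached; I/O and connection failures also disable the
     *         analyzer for the remainder of the scan
     */
    @Override
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
        final File manifest = dependency.getActualFile();
        if (!manifest.isFile() || manifest.length() == 0) {
            return;
        }
        try {
            // Manifests inside node_modules describe third-party modules, not this
            // project; decide that before opening the file at all.
            final String canonicalPath = manifest.getCanonicalPath();
            if (canonicalPath.contains(File.separator + "node_modules" + File.separator)) {
                LOGGER.debug("Skipping analysis of node module: {}", canonicalPath);
                return;
            }
            final JsonObject packageJson;
            try (JsonReader reader = Json.createReader(FileUtils.openInputStream(manifest))) {
                packageJson = reader.readObject();
            }
            // Only the sanitized manifest is sent over the wire.
            final JsonObject request = Json.createObjectBuilder()
                    .add("package", SanitizePackage.sanitize(packageJson))
                    .build();
            for (Advisory advisory : this.searcher.submitPackage(request)) {
                dependency.addVulnerability(toVulnerability(advisory));
            }
            addNameEvidence(dependency, packageJson);
            addRelatedDependencies(dependency, packageJson);
            addLicense(dependency, packageJson);
            addToEvidence(dependency, EvidenceType.PRODUCT, packageJson, PomHandler.DESCRIPTION);
            addToEvidence(dependency, EvidenceType.VENDOR, packageJson, "author");
            addToEvidence(dependency, EvidenceType.VERSION, packageJson, "version");
            final File parent = manifest.getParentFile();
            dependency.setDisplayFileName(parent == null
                    ? manifest.getName()
                    : String.format("%s/%s", parent.getName(), manifest.getName()));
        } catch (URLConnectionFailureException e) {
            // Fail-open for the rest of the scan; the exception below reports it once.
            setEnabled(false);
            throw new AnalysisException(e.getMessage(), e);
        } catch (IOException e) {
            LOGGER.debug("Error reading dependency or connecting to Node Security Platform - check API", e);
            setEnabled(false);
            throw new AnalysisException(e.getMessage(), e);
        } catch (JsonException e) {
            throw new AnalysisException(String.format("Failed to parse %s file.", manifest.getPath()), e);
        }
    }

    /**
     * Converts an NSP advisory into a dependency-check vulnerability. The single
     * affected-software entry stores {@code module:vulnerableVersions} as its name and
     * the patched range as its update.
     *
     * @param advisory the advisory returned by NSP
     * @return the populated vulnerability
     */
    private static Vulnerability toVulnerability(Advisory advisory) {
        final Vulnerability vulnerability = new Vulnerability();
        vulnerability.setCvssScore(advisory.getCvssScore());
        vulnerability.setDescription(advisory.getOverview());
        vulnerability.setName(String.valueOf(advisory.getId()));
        vulnerability.setSource(Vulnerability.Source.NSP);
        vulnerability.addReference("NSP",
                "Advisory " + advisory.getId() + ": " + advisory.getTitle(),
                advisory.getAdvisory());
        final VulnerableSoftware affected = new VulnerableSoftware();
        affected.setUpdate(advisory.getPatchedVersions());
        affected.setName(advisory.getModule() + ":" + advisory.getVulnerableVersions());
        vulnerability.setVulnerableSoftware(new HashSet<VulnerableSoftware>(Arrays.asList(affected)));
        return vulnerability;
    }

    /**
     * Adds product (HIGHEST) and derived vendor ({@code <name>_project}, LOW) evidence
     * from the manifest's {@code name}; a non-string value is logged and ignored.
     */
    private void addNameEvidence(Dependency dependency, JsonObject packageJson) {
        final JsonValue name = packageJson.get("name");
        if (name == null) {
            return;
        }
        if (name instanceof JsonString) {
            final String packageName = ((JsonString) name).getString();
            dependency.addEvidence(EvidenceType.PRODUCT, PACKAGE_JSON, "name", packageName, Confidence.HIGHEST);
            dependency.addEvidence(EvidenceType.VENDOR, PACKAGE_JSON, "name_project",
                    String.format("%s_project", packageName), Confidence.LOW);
        } else {
            LOGGER.warn("JSON value not string as expected: {}", name);
        }
    }

    /**
     * Walks every dependency section of the manifest and registers its entries as
     * related dependencies. A section of the wrong JSON type is logged and skipped
     * instead of aborting the whole analysis with a {@link ClassCastException}.
     */
    private void addRelatedDependencies(Dependency dependency, JsonObject packageJson) {
        for (String section : OBJECT_SECTIONS) {
            final JsonValue value = packageJson.get(section);
            if (value instanceof JsonObject) {
                processPackage(dependency, (JsonObject) value, section);
            } else if (value != null) {
                LOGGER.warn("Ignoring '{}' in {}: expected a JSON object but found {}",
                        section, PACKAGE_JSON, value.getValueType());
            }
        }
        for (String section : ARRAY_SECTIONS) {
            final JsonValue value = packageJson.get(section);
            if (value instanceof JsonArray) {
                processPackage(dependency, (JsonArray) value, section);
            } else if (value != null) {
                LOGGER.warn("Ignoring '{}' in {}: expected a JSON array but found {}",
                        section, PACKAGE_JSON, value.getValueType());
            }
        }
    }

    /**
     * Copies the manifest's {@code license}: either a plain string or the {@code type}
     * member of a license object. Any other shape is logged and ignored rather than
     * throwing on a malformed manifest.
     */
    private void addLicense(Dependency dependency, JsonObject packageJson) {
        final JsonValue license = packageJson.get(PomHandler.LICENSE);
        if (license == null) {
            return;
        }
        if (license instanceof JsonString) {
            dependency.setLicense(((JsonString) license).getString());
            return;
        }
        if (license instanceof JsonObject) {
            final JsonValue type = ((JsonObject) license).get("type");
            if (type instanceof JsonString) {
                dependency.setLicense(((JsonString) type).getString());
                return;
            }
        }
        LOGGER.warn("Ignoring '{}' in {}: expected a string or an object with a string 'type': {}",
                PomHandler.LICENSE, PACKAGE_JSON, license);
    }

    /**
     * Handles array-shaped sections ({@code bundleDependencies}): each string entry
     * becomes a module with an empty version and is delegated to the object variant.
     *
     * @param dependency the manifest's dependency
     * @param names array of package names
     * @param depType the section name, recorded as the npm Scope identifier
     */
    private void processPackage(Dependency dependency, JsonArray names, String depType) {
        final JsonObjectBuilder asObject = Json.createObjectBuilder();
        for (JsonValue entry : names) {
            if (entry instanceof JsonString) {
                // getString(), not toString(): the latter yields the quoted JSON text,
                // which would register a module literally named "\"foo\"".
                asObject.add(((JsonString) entry).getString(), "");
            } else {
                LOGGER.warn("Ignoring non-string entry in '{}' of {}: {}", depType, PACKAGE_JSON, entry);
            }
        }
        processPackage(dependency, asObject.build(), depType);
    }

    /**
     * Registers each {@code name: versionRange} entry as a virtual related dependency
     * with HIGHEST-confidence npm Module, Version and Scope identifiers. Non-string
     * version values yield an empty version.
     *
     * @param dependency the manifest's dependency
     * @param entries the section object
     * @param depType the section name, recorded as the npm Scope identifier
     */
    private void processPackage(Dependency dependency, JsonObject entries, String depType) {
        // One pass only: the previous size()-bounded outer loop re-added every entry
        // size() times.
        for (Map.Entry<String, JsonValue> entry : entries.entrySet()) {
            final String moduleName = entry.getKey();
            final JsonValue rawVersion = entry.getValue();
            final String version =
                    rawVersion != null && rawVersion.getValueType() == JsonValue.ValueType.STRING
                            ? ((JsonString) rawVersion).getString()
                            : "";
            final Identifier module = new Identifier("npm", "Module", null, moduleName);
            module.setConfidence(Confidence.HIGHEST);
            final Identifier versionId = new Identifier("npm", ComponentDisplayNameUtil.VERSION_LABEL, null, version);
            versionId.setConfidence(Confidence.HIGHEST);
            final Identifier scope = new Identifier("npm", "Scope", null, depType);
            // Previously set on versionId a second time, leaving the scope identifier
            // at its default confidence.
            scope.setConfidence(Confidence.HIGHEST);
            // The File is only an identity key (manifest path + '#' + module name); the
            // second argument marks the dependency as virtual. NOTE(review): moduleName
            // is attacker-controlled text from package.json — confirm that the virtual
            // Dependency constructor never touches the filesystem with this path.
            final Dependency related = new Dependency(new File(dependency.getActualFile() + "#" + moduleName), true);
            related.setDisplayFileName(moduleName);
            related.addIdentifier(module);
            related.addIdentifier(versionId);
            related.addIdentifier(scope);
            dependency.addRelatedDependency(related);
        }
    }

    /**
     * Adds HIGHEST-confidence evidence from a manifest member that is either a string
     * (evidence name {@code key}) or an object of strings (one evidence entry per
     * member, named {@code key.member}). Other shapes are logged and ignored.
     *
     * @param dependency the dependency receiving the evidence
     * @param evidenceType product, vendor or version
     * @param packageJson the parsed manifest
     * @param key the manifest member to read
     */
    private void addToEvidence(Dependency dependency, EvidenceType evidenceType, JsonObject packageJson, String key) {
        final JsonValue value = packageJson.get(key);
        if (value == null) {
            return;
        }
        if (value instanceof JsonString) {
            dependency.addEvidence(evidenceType, PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST);
            return;
        }
        if (!(value instanceof JsonObject)) {
            LOGGER.warn("JSON value not string or JSON object as expected: {}", value);
            return;
        }
        for (Map.Entry<String, JsonValue> member : ((JsonObject) value).entrySet()) {
            final JsonValue memberValue = member.getValue();
            if (memberValue instanceof JsonString) {
                dependency.addEvidence(evidenceType, PACKAGE_JSON,
                        String.format("%s.%s", key, member.getKey()),
                        ((JsonString) memberValue).getString(), Confidence.HIGHEST);
            } else {
                LOGGER.warn("JSON sub-value not string as expected: {}", memberValue);
            }
        }
    }
}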
