-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Architecture
jeremylong edited this page Jan 12, 2013
·
5 revisions
DependencyCheck is made up of four main components:
- Engine: this is the main controller that runs the other components listed below in the correct order.
- Scanner: this walks the files and directories specified by the "-scan" command line parameter and collects any file for which we have an Analyzer that can process it. These files are the base of a Dependency object.
- Analyzer: the core functionality of the application - analyzers process the dependencies adding information, if the can, to the Dependency object. The information added can be Evidence, Identifiers, or Vulnerabilities (discussed below).
- Report Generator: generates reports about the dependencies identified by the Analyzers - reports are generated using Velocity Templates.
Analysis happens seven phases (defined in org.codesecure.dependencycheck.analyze.AnalysisPhase).
- INITIAL - the initial analysis phase.
- INFORMATION_COLLECTION - the main phase where an Analyzer populates the Evidence Collections within the Dependency.
- PRE_IDENTIFIER_ANALYSIS - after all information has been collected, we may need to make changes.
- IDENTIFIER_ANALYSIS - this is when the dependencies are "identified" - currently only CPE identifiers are found (a CPE for Struts 2.1.2 would be: cpe:/a:apache:struts:2.1.2).
- POST_IDENTIFIER_ANALYSIS - runs after identifiers have been determined. One example is the SpringCleaningAnalyzer which removes identical CPE entries from the Spring Dependencies (such as Spring-Beans) and only leaves the identifier on Spring-Core.
- FINDING_ANALYSIS - Analyzers in this phase use the information collected in previous phases to determine if there are any publicly disclosed vulnerabilities. Currently, we are only using the NVD CVE data.
- FINAL - the last phase of analysis.
The scanner picks up individual files and creates an org.codesecure.dependencycheck.dependency.Dependency objects. There are a couple of ways to handle a single file that contains multiple Dependencies.
- Archives - Simply create an Analyzer that runs in the INITIAL phase that extracts the contents to a temp directory and call back to Engine's scanner to scan the new extracted contents.
- If there is a file that contains information on several Dependencies there are a couple of options. If the dependencies are already being picked up by the scanner (i.e. there is an analyzer that supports the file extension) then you can use a PRE_IDENTIFIER_ANALYSIS to add information to the other Dependencies. If the other dependencies are not being scanned then you can add them to the Dependency Collection (obtained from the Engine object in the analyze method of the Analyzer).