package org.owasp.dependencycheck.analyzer;

import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.annotation.concurrent.ThreadSafe;
import javax.json.Json;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.json.JsonReader;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.analyzer.exception.SearchException;
import org.owasp.dependencycheck.analyzer.exception.UnexpectedAnalysisException;
import org.owasp.dependencycheck.data.nodeaudit.Advisory;
import org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch;
import org.owasp.dependencycheck.data.nodeaudit.NpmPayloadBuilder;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Reference;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftwareBuilder;
import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
import org.owasp.dependencycheck.xml.pom.PomHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import us.springett.parsers.cpe.exceptions.CpeValidationException;
import us.springett.parsers.cpe.values.Part;

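@ThreadSafe
/**
 * Analyzer that submits a Node.js project's lock file ({@code package-lock.json} or
 * {@code npm-shrinkwrap.json}) to the NPM Audit API and turns the returned advisories
 * into {@link Vulnerability} entries on the matching {@link Dependency} objects.
 * <p>
 * NOTE(review): the payload handed to {@link NodeAuditSearch#submitPackage} is built from the
 * scanned lock file, so the project's dependency names and versions leave the machine and are
 * posted to whatever audit URL is configured (see {@link NodeAuditSearch}); keep that endpoint
 * on HTTPS and on a host you trust. The {@code @ThreadSafe} claim rests on {@code searcher}
 * being assigned once during {@link #prepareFileTypeAnalyzer(Engine)} before any analysis
 * thread calls {@link #analyzeDependency(Dependency, Engine)} — confirm against the engine's
 * analyzer life-cycle.
 */
public class NodeAuditAnalyzer extends AbstractNpmAnalyzer {

    /** Default NPM Audit API endpoint (presumably overridable through settings; handled by {@link NodeAuditSearch}). */
    public static final String DEFAULT_URL = "https://registry.npmjs.org/-/npm/v1/security/audits";
    /** Ecosystem label used for the dependencies this analyzer creates. */
    public static final String DEPENDENCY_ECOSYSTEM = "nodejs";
    /** Lock file name produced by {@code npm install}. */
    public static final String PACKAGE_LOCK_JSON = "package-lock.json";
    /** Publishable lock file name produced by {@code npm shrinkwrap}. */
    public static final String SHRINKWRAP_JSON = "npm-shrinkwrap.json";

    private static final Logger LOGGER = LoggerFactory.getLogger(NodeAuditAnalyzer.class);

    /** Only the two lock-file names are analyzed; {@code package.json} alone is handled by {@link NodePackageAnalyzer}. */
    private static final FileFilter PACKAGE_JSON_FILTER = FileFilterBuilder.newInstance()
            .addFilenames(PACKAGE_LOCK_JSON, SHRINKWRAP_JSON).build();

    /** Reference-name prefix used to recognise an advisory that has already been attached to a dependency. */
    private static final String LEGACY_ADVISORY_URL_PREFIX = "https://nodesecurity.io/advisories/";
    /** Presence of this file next to the lock file changes the error message on a failed audit. */
    private static final String YARN_LOCK = "yarn.lock";

    /** Client for the audit API; created lazily in {@link #prepareFileTypeAnalyzer(Engine)}. */
    private NodeAuditSearch searcher;

    @Override // org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer
    protected FileFilter getFileFilter() {
        return PACKAGE_JSON_FILTER;
    }

    /**
     * Creates the audit API client if this analyzer is enabled and at least one lock file was matched.
     *
     * @param engine the engine whose settings are consulted for the Node Package Analyzer flag
     * @throws InitializationException if the configured audit URL is malformed or a setting cannot be read
     */
    @Override // org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer
    public void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
        if (!isEnabled() || !getFilesMatched()) {
            // Nothing to audit in this scan: switch the analyzer off so it is skipped later on.
            setEnabled(false);
            return;
        }
        if (this.searcher != null) {
            return;
        }
        LOGGER.debug("Initializing {}", getName());
        try {
            this.searcher = new NodeAuditSearch(getSettings());
        } catch (MalformedURLException ex) {
            setEnabled(false);
            throw new InitializationException("The configured URL to NPM Audit API is malformed", ex);
        }
        try {
            // Without the Node Package Analyzer the report lists only vulnerable modules, not the full BOM.
            if (!engine.getSettings().getBoolean("analyzer.node.package.enabled")) {
                LOGGER.warn("The Node Package Analyzer has been disabled; the resulting report will only contain the known vulnerable dependency - not a bill of materials for the node project.");
            }
        } catch (InvalidSettingException ex) {
            throw new InitializationException("Unable to read configuration settings", ex);
        }
    }

    @Override // org.owasp.dependencycheck.analyzer.Analyzer
    public String getName() {
        return "Node Audit Analyzer";
    }

    @Override // org.owasp.dependencycheck.analyzer.Analyzer
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.FINDING_ANALYSIS;
    }

    @Override // org.owasp.dependencycheck.analyzer.AbstractAnalyzer
    protected String getAnalyzerEnabledSettingKey() {
        return "analyzer.node.audit.enabled";
    }

    /**
     * Audits one lock file: builds the request payload from it (and the sibling {@code package.json}
     * when present), submits it, and records the returned advisories on the engine's dependencies.
     *
     * @param dependency the lock-file dependency being analyzed
     * @param engine the engine the resulting dependencies/vulnerabilities are recorded on
     * @throws AnalysisException if the files cannot be read or the audit API call fails
     */
    @Override // org.owasp.dependencycheck.analyzer.AbstractAnalyzer
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
        // The lock file itself is not a reportable component; drop it unless another analyzer gave it
        // a distinct display name.
        if (dependency.getDisplayFileName().equals(dependency.getFileName())) {
            engine.removeDependency(dependency);
        }
        final File lockFile = dependency.getActualFile();
        if (!lockFile.isFile() || lockFile.length() == 0 || !shouldProcess(lockFile)) {
            return;
        }
        final File packageJson = new File(lockFile.getParentFile(), NodePackageAnalyzer.PACKAGE_JSON);
        // Filled by the payload builder with module name -> installed version, used later to resolve
        // advisories whose response omits the version.
        final Map<String, String> dependencyMap = new HashMap<>();
        final List<Advisory> advisories;
        if (packageJson.isFile()) {
            advisories = analyzePackage(lockFile, packageJson, dependency, dependencyMap);
        } else {
            advisories = legacyAnalysis(lockFile, dependency, dependencyMap);
        }
        try {
            processResults(advisories, engine, dependency, dependencyMap);
        } catch (CpeValidationException ex) {
            throw new UnexpectedAnalysisException(ex);
        }
    }

    /**
     * Attaches each advisory to the dependency it concerns, creating a transitive dependency entry
     * when the module is not already known to the engine.
     *
     * @param advisories advisories returned by the audit API
     * @param engine the engine whose dependency list is searched and extended
     * @param lockDependency the lock-file dependency used as parent for newly created entries
     * @param dependencyMap module name -> version map captured while building the payload
     * @throws CpeValidationException if an advisory's module name/version cannot form a valid CPE
     */
    private void processResults(List<Advisory> advisories, Engine engine, Dependency lockDependency,
            Map<String, String> dependencyMap) throws CpeValidationException {
        for (Advisory advisory : advisories) {
            final Vulnerability vulnerability = toVulnerability(advisory);
            final String moduleName = advisory.getModuleName();
            String version = advisory.getVersion();
            if (version == null) {
                // The response may omit the installed version; fall back to what the lock file said.
                version = dependencyMap.get(moduleName);
            }
            final Dependency existing = findDependency(engine, moduleName, version);
            if (existing == null) {
                final Dependency created = createDependency(lockDependency, moduleName, version, "transitive");
                created.addVulnerability(vulnerability);
                engine.addDependency(created);
            } else {
                replaceOrAddVulnerability(existing, vulnerability);
            }
        }
    }

    /**
     * Converts an audit advisory into a {@link Vulnerability} with a single vulnerable-software entry.
     *
     * @param advisory the advisory from the audit API
     * @return the populated vulnerability, sourced as {@link Vulnerability.Source#NPM}
     * @throws CpeValidationException if the module name or version range is not a valid CPE value
     */
    private static Vulnerability toVulnerability(Advisory advisory) throws CpeValidationException {
        final Vulnerability vulnerability = new Vulnerability();
        vulnerability.setDescription(advisory.getOverview());
        vulnerability.setName(String.valueOf(advisory.getId()));
        vulnerability.setUnscoredSeverity(advisory.getSeverity());
        vulnerability.setSource(Vulnerability.Source.NPM);
        vulnerability.addReference("Advisory " + advisory.getId() + ": " + advisory.getTitle(),
                advisory.getReferences(), null);
        // CPE attribute values may not contain spaces, hence the substitutions.
        final VulnerableSoftwareBuilder builder = new VulnerableSoftwareBuilder();
        builder.part(Part.APPLICATION)
                .product(advisory.getModuleName().replace(" ", "_"))
                .version(advisory.getVulnerableVersions().replace(" ", ""));
        vulnerability.addVulnerableSoftware(builder.build());
        return vulnerability;
    }

    /**
     * Adds the vulnerability unless the dependency already carries one whose reference name is the
     * legacy nodesecurity.io URL for the same advisory id.
     * <p>
     * NOTE(review): de-duplication keys only on {@code https://nodesecurity.io/advisories/<id>}; if
     * the references attached elsewhere use a different URL scheme, the same advisory could be added
     * twice — verify against the reference names actually produced.
     *
     * @param dependency the dependency to update
     * @param vulnerability the NPM-sourced vulnerability to add
     */
    private void replaceOrAddVulnerability(Dependency dependency, Vulnerability vulnerability) {
        final Vulnerability.Source source = vulnerability.getSource();
        if (source != null && "NPM".equals(source.toString())) {
            final String advisoryUrl = LEGACY_ADVISORY_URL_PREFIX + vulnerability.getName();
            for (Vulnerability known : dependency.getVulnerabilities()) {
                for (Reference reference : known.getReferences()) {
                    if (advisoryUrl.equals(reference.getName())) {
                        return; // already reported on this dependency
                    }
                }
            }
        }
        dependency.addVulnerability(vulnerability);
    }

    /**
     * Builds the audit payload from a lock file plus its {@code package.json} and submits it.
     *
     * @param lockFile the package-lock.json / npm-shrinkwrap.json file
     * @param packageJson the sibling package.json file
     * @param dependency the dependency being analyzed (used for error reporting)
     * @param dependencyMap receives module name -> version while the payload is built
     * @return the advisories returned by the audit API
     * @throws AnalysisException if a file cannot be read or parsed, or the API call fails; on I/O or
     *         connection failures the analyzer disables itself so later files do not repeat the error
     */
    private List<Advisory> analyzePackage(File lockFile, File packageJson, Dependency dependency,
            Map<String, String> dependencyMap) throws AnalysisException {
        try (JsonReader lockReader = Json.createReader(FileUtils.openInputStream(lockFile));
                JsonReader packageReader = Json.createReader(FileUtils.openInputStream(packageJson))) {
            final boolean skipDev = getSettings().getBoolean("analyzer.node.audit.skipdev", false);
            return this.searcher.submitPackage(NpmPayloadBuilder.build(
                    lockReader.readObject(), packageReader.readObject(), dependencyMap, skipDev));
        } catch (URLConnectionFailureException ex) {
            // Caught before IOException so the more specific failure keeps its own message.
            setEnabled(false);
            throw new AnalysisException("Failed to connect to the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.", ex);
        } catch (IOException ex) {
            LOGGER.debug("Error reading dependency or connecting to NPM Audit API", ex);
            setEnabled(false);
            throw new AnalysisException("Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.", ex);
        } catch (JsonException ex) {
            throw new AnalysisException(String.format("Failed to parse %s file from the NPM Audit API (NodeAuditAnalyzer).", lockFile.getPath()), ex);
        } catch (SearchException ex) {
            final String path = dependency.getActualFilePath();
            if (new File(lockFile.getParentFile(), YARN_LOCK).exists()) {
                // Lock files converted from yarn.lock (e.g. via synp) are a known cause of API rejections;
                // carry the same explanation in the thrown exception as in the log.
                final String msg = "NodeAuditAnalyzer failed on " + path
                        + " - yarn.lock was identified if generated using synp the lock file may not be in the correct format.";
                LOGGER.error(msg);
                throw new AnalysisException(msg, ex);
            }
            LOGGER.error("NodeAuditAnalyzer failed on {}", path);
            throw ex;
        }
    }

    /**
     * Audits a lock file that has no {@code package.json} beside it. The lock file's own
     * {@code name}/{@code version} (when present) are copied onto the dependency.
     *
     * @param lockFile the package-lock.json / npm-shrinkwrap.json file
     * @param dependency the dependency being analyzed; its name and version may be updated
     * @param dependencyMap receives module name -> version while the payload is built
     * @return the advisories returned by the audit API
     * @throws AnalysisException if the file cannot be read or parsed, or the API call fails
     */
    private List<Advisory> legacyAnalysis(File lockFile, Dependency dependency,
            Map<String, String> dependencyMap) throws AnalysisException {
        try (JsonReader lockReader = Json.createReader(FileUtils.openInputStream(lockFile))) {
            final JsonObject lock = lockReader.readObject();
            // Values are taken verbatim from the scanned file; empty strings leave the dependency untouched.
            final String name = lock.getString(PomHandler.NAME, "");
            final String version = lock.getString("version", "");
            if (!name.isEmpty()) {
                dependency.setName(name);
            }
            if (!version.isEmpty()) {
                dependency.setVersion(version);
            }
            return this.searcher.submitPackage(NpmPayloadBuilder.build(lock, dependencyMap));
        } catch (JsonException ex) {
            throw new AnalysisException(String.format("Failed to parse %s file from the NPM Audit API (NodeAuditAnalyzer).", lockFile.getPath()), ex);
        } catch (URLConnectionFailureException ex) {
            setEnabled(false);
            throw new AnalysisException("Failed to connect to the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.", ex);
        } catch (IOException ex) {
            LOGGER.debug("Error reading dependency or connecting to NPM Audit API", ex);
            setEnabled(false);
            throw new AnalysisException("Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.", ex);
        } catch (SearchException ex) {
            LOGGER.error("NodeAuditAnalyzer failed on {}", dependency.getActualFilePath());
            throw ex;
        }
    }
}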
