package org.owasp.dependencycheck.analyzer;

import com.github.packageurl.MalformedPackageURLException;
import com.github.packageurl.PackageURLBuilder;
import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.nio.file.Paths;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Pattern;
import javax.annotation.concurrent.ThreadSafe;
import javax.json.Json;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.json.JsonString;
import javax.json.JsonValue;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceType;
import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.utils.Checksum;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.xml.pom.PomHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

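@ThreadSafe
/**
 * Collects Node.js dependencies from {@code package.json}, {@code package-lock.json} and
 * {@code npm-shrinkwrap.json} files found in the scan.
 *
 * <p>The files are project-supplied input: every {@code package.json} under the
 * {@code node_modules} tree is opened and parsed. A file that fails to parse is logged at
 * WARN and yields no dependencies, so such warnings should be read as coverage gaps rather
 * than as harmless noise. A module that is declared but not installed is still reported,
 * with fingerprints derived from its {@code name:version} string instead of file contents.
 */
public class NodePackageAnalyzer extends AbstractNpmAnalyzer {

    /** Ecosystem name assigned to every dependency this analyzer creates. */
    public static final String DEPENDENCY_ECOSYSTEM = "nodejs";
    /** Name of the npm lock file. */
    public static final String PACKAGE_LOCK_JSON = "package-lock.json";
    /** Name of the npm shrinkwrap file; it takes precedence over the lock file. */
    public static final String SHRINKWRAP_JSON = "npm-shrinkwrap.json";
    /** Name of the npm package descriptor. */
    public static final String PACKAGE_JSON = "package.json";
    /** Human readable analyzer name reported through {@link #getName()}. */
    private static final String ANALYZER_NAME = "Node.js Package Analyzer";
    /** Directory into which npm installs a package's dependencies. */
    private static final String NODE_MODULES = "node_modules";
    /** JSON member holding a package's dependencies. */
    private static final String DEPENDENCIES = "dependencies";
    /** JSON member holding a package's version. */
    private static final String VERSION = "version";
    /** Settings key: ecosystems for which the CPE analyzer is skipped. */
    private static final String KEY_SKIP_CPE_ECOSYSTEMS = "ecosystem.skip.cpeanalyzer";
    /** Settings key: whether the OSS Index analyzer is enabled. */
    private static final String KEY_OSSINDEX_ENABLED = "analyzer.ossindex.enabled";
    /** Settings key: whether the Node Audit analyzer is enabled. */
    private static final String KEY_NODE_AUDIT_ENABLED = "analyzer.node.audit.enabled";
    /** Settings key: whether this analyzer is enabled. */
    private static final String KEY_NODE_PACKAGE_ENABLED = "analyzer.node.package.enabled";
    /** Settings key: whether development-only dependencies are skipped. */
    private static final String KEY_SKIP_DEV = "analyzer.node.package.skipdev";
    /**
     * Version specifiers that point at a local path ({@code ./x}, {@code ../x}, {@code ~/x},
     * {@code /x}); compiled once because it is evaluated for every dependency.
     */
    private static final Pattern LOCAL_PATH_VERSION = Pattern.compile("^[.~]{0,2}/.*");
    private static final Logger LOGGER = LoggerFactory.getLogger(NodePackageAnalyzer.class);
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    /** Only the three npm descriptor/lock file names are ever handed to this analyzer. */
    private static final FileFilter PACKAGE_JSON_FILTER = FileFilterBuilder.newInstance()
            .addFilenames(PACKAGE_JSON, PACKAGE_LOCK_JSON, SHRINKWRAP_JSON).build();

    /**
     * Returns the filter selecting the npm descriptor and lock files.
     *
     * @return the file filter
     */
    @Override
    protected FileFilter getFileFilter() {
        return PACKAGE_JSON_FILTER;
    }

    /**
     * Validates the analyzer configuration before the scan starts.
     *
     * <p>Nothing is checked in evidence-collection mode. Otherwise, when the CPE analyzer is
     * skipped for Node.js and the OSS Index analyzer is disabled, an audit analyzer must be both
     * enabled and able to initialize; without it no vulnerability source would remain. When OSS
     * Index is the only source a warning is logged because of its false-positive rate.
     *
     * @param engine the engine being prepared
     * @throws InitializationException if the configuration is unsupported or unreadable
     */
    @Override
    public void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
        if (engine.getMode() == Engine.Mode.EVIDENCE_COLLECTION) {
            return;
        }
        try {
            final Settings settings = engine.getSettings();
            final String[] skipped = settings.getArray(KEY_SKIP_CPE_ECOSYSTEMS);
            if (skipped == null) {
                return;
            }
            final List<String> skipEcosystems = Arrays.asList(skipped);
            final boolean cpeSkippedForNode = skipEcosystems.contains(DEPENDENCY_ECOSYSTEM);
            if (cpeSkippedForNode && !settings.getBoolean(KEY_OSSINDEX_ENABLED)) {
                if (!settings.getBoolean(KEY_NODE_AUDIT_ENABLED)) {
                    throw new InitializationException("Invalid Configuration: enabling the Node Package Analyzer without using the Node Audit Analyzer or OSS Index Analyzer is not supported.");
                }
                if (!isNodeAuditEnabled(engine)) {
                    throw new InitializationException("Missing package.lock or npm-shrinkwrap.lock file: Unable to scan a node project without a package-lock.json or npm-shrinkwrap.json.");
                }
            } else if (cpeSkippedForNode && !settings.getBoolean(KEY_NODE_AUDIT_ENABLED)) {
                LOGGER.warn("Using only the OSS Index Analyzer with Node.js can result in many false positives - please enable the Node Audit Analyzer.");
            }
        } catch (InvalidSettingException e) {
            throw new InitializationException("Unable to read configuration settings", e);
        }
    }

    /**
     * Returns the analyzer name.
     *
     * @return the analyzer name
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

    /**
     * Returns the phase in which this analyzer runs (information collection).
     *
     * @return the analysis phase
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }

    /**
     * Returns the settings key controlling whether this analyzer is enabled.
     *
     * @return the settings key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return KEY_NODE_PACKAGE_ENABLED;
    }

    /**
     * Reports whether an npm, yarn or pnpm audit analyzer is registered and enabled.
     *
     * <p>The first audit analyzer found decides the result. When it is enabled it is also
     * prepared so that its own initialization checks run; a failure there is logged at DEBUG
     * and does not change the result.
     *
     * @param engine the engine whose analyzers are inspected
     * @return {@code true} if the first audit analyzer found is enabled
     */
    private boolean isNodeAuditEnabled(Engine engine) {
        for (Analyzer analyzer : engine.getAnalyzers()) {
            if (!isAuditAnalyzer(analyzer)) {
                continue;
            }
            if (analyzer.isEnabled()) {
                try {
                    ((AbstractNpmAnalyzer) analyzer).prepareFileTypeAnalyzer(engine);
                } catch (InitializationException e) {
                    // Logged with the cause so a misconfigured audit analyzer is diagnosable.
                    LOGGER.debug("Error initializing the {}", analyzer.getName(), e);
                }
            }
            return analyzer.isEnabled();
        }
        return false;
    }

    /**
     * Reports whether {@code analyzer} is one of the Node.js audit analyzers.
     *
     * @param analyzer the analyzer to test
     * @return {@code true} for the npm, yarn or pnpm audit analyzer
     */
    private static boolean isAuditAnalyzer(Analyzer analyzer) {
        return analyzer instanceof NodeAuditAnalyzer
                || analyzer instanceof YarnAuditAnalyzer
                || analyzer instanceof PnpmAuditAnalyzer;
    }

    /**
     * Reports whether the directory containing {@code file} has no npm, shrinkwrap or yarn lock file.
     *
     * @param file a file whose parent directory is inspected
     * @return {@code true} if none of the lock files is present as a regular file
     */
    private boolean noLockFileExists(File file) {
        final File dir = file.getParentFile();
        return !(new File(dir, PACKAGE_LOCK_JSON).isFile()
                || new File(dir, SHRINKWRAP_JSON).isFile()
                || new File(dir, YarnAuditAnalyzer.YARN_PACKAGE_LOCK).isFile());
    }

    /**
     * Analyzes one npm descriptor or lock file and registers the dependencies it declares.
     *
     * <p>Only one file per directory is processed, the most authoritative one: shrinkwrap over
     * lock file over {@code package.json}. When an audit analyzer is enabled the non-lock
     * file is removed from the engine's dependency list. Without a {@code node_modules}
     * directory the file is skipped with a warning.
     *
     * @param dependency the dependency wrapping the file to analyze
     * @param engine the engine receiving the discovered dependencies
     * @throws AnalysisException if the file cannot be read
     */
    @Override
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
        final File dependencyFile = dependency.getActualFile();
        if (!dependencyFile.isFile() || dependencyFile.length() == 0 || !shouldProcess(dependencyFile)) {
            return;
        }
        final String fileName = dependency.getFileName();
        // NOTE(review): presumably so only the lock files carry the audit results - confirm.
        if (isNodeAuditEnabled(engine) && !PACKAGE_LOCK_JSON.equals(fileName) && !SHRINKWRAP_JSON.equals(fileName)) {
            engine.removeDependency(dependency);
        }
        if (noLockFileExists(dependencyFile)) {
            LOGGER.warn("No lock file exists - this will result in false negatives; please run `npm install --package-lock`");
        }
        final File baseDir = dependencyFile.getParentFile();
        if (PACKAGE_JSON.equals(fileName)) {
            if (new File(baseDir, SHRINKWRAP_JSON).exists() || new File(baseDir, PACKAGE_LOCK_JSON).exists()) {
                return;
            }
        } else if (PACKAGE_LOCK_JSON.equals(fileName) && new File(baseDir, SHRINKWRAP_JSON).exists()) {
            return;
        }
        if (!new File(baseDir, NODE_MODULES).isDirectory()) {
            LOGGER.warn("Analyzing `{}` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check", dependencyFile);
            return;
        }
        try (JsonReader reader = Json.createReader(FileUtils.openInputStream(dependencyFile))) {
            final JsonObject json = reader.readObject();
            final String parentName = json.getString(PomHandler.NAME, "");
            final String parentVersion = json.getString(VERSION, "");
            if (parentName.isEmpty()) {
                return;
            }
            dependency.setName(parentName);
            final String parentPackage;
            if (parentVersion.isEmpty()) {
                parentPackage = parentName;
            } else {
                dependency.setVersion(parentVersion);
                parentPackage = String.format("%s:%s", parentName, parentVersion);
            }
            processDependencies(json, baseDir, dependencyFile, parentPackage, engine);
        } catch (IOException e) {
            throw new AnalysisException("Problem occurred while reading dependency file.", e);
        } catch (JsonException e) {
            // A malformed descriptor yields no dependencies; the scan continues.
            LOGGER.warn("Failed to parse package.json file.", e);
        }
    }

    /**
     * Decides whether a declared dependency is excluded from analysis.
     *
     * <p>Skipped, each with a WARN entry: {@code npm:} aliases, optional modules that are not
     * installed, and {@code file:} or local-path references, none of which npm audit can handle.
     *
     * @param name the dependency name
     * @param version the declared version specifier; may be {@code null}
     * @param optional whether the dependency is marked optional
     * @param nodeModuleExists whether the module's {@code package.json} exists under {@code node_modules}
     * @return {@code true} if the dependency should be skipped
     */
    public static boolean shouldSkipDependency(String name, String version, boolean optional, boolean nodeModuleExists) {
        if (version != null && version.startsWith("npm:")) {
            LOGGER.warn("dependency skipped: package.json contain an alias for {} => {} npm audit doesn't support aliases", name, version.replace("npm:", ""));
            return true;
        }
        if (optional && !nodeModuleExists) {
            LOGGER.warn("dependency skipped: node module {} seems optional and not installed", name);
            return true;
        }
        if (version != null && (version.startsWith("file:") || LOCAL_PATH_VERSION.matcher(version).matches())) {
            LOGGER.warn("dependency skipped: package.json contain an local node_module for {} seems to be located {} npm audit doesn't support locally referenced modules", name, version);
            return true;
        }
        return false;
    }

    /**
     * Decides whether a declared dependency is excluded, treating it as non-optional and installed.
     *
     * @param name the dependency name
     * @param version the declared version specifier; may be {@code null}
     * @return {@code true} if the dependency should be skipped
     */
    public static boolean shouldSkipDependency(String name, String version) {
        return shouldSkipDependency(name, version, false, true);
    }

    /**
     * Registers every entry of the {@code dependencies} member of {@code json}, recursing into
     * nested dependency objects (lock-file style) before registering their parent.
     *
     * @param json the package or lock-file object holding a {@code dependencies} member
     * @param baseDir the directory whose {@code node_modules} holds the declared modules
     * @param rootFile the file being analyzed; its name is used as the evidence source
     * @param parentPackage the {@code name:version} chain of the enclosing packages
     * @param engine the engine receiving the dependencies
     * @throws AnalysisException if a module's {@code package.json} cannot be read
     */
    private void processDependencies(JsonObject json, File baseDir, File rootFile, String parentPackage, Engine engine) throws AnalysisException {
        if (!json.containsKey(DEPENDENCIES)) {
            return;
        }
        // A non-object "dependencies" member surfaces as a ClassCastException from the JSON API.
        final JsonObject declared = json.getJsonObject(DEPENDENCIES);
        final boolean skipDev = getSettings().getBoolean(KEY_SKIP_DEV, false);
        for (Map.Entry<String, JsonValue> entry : declared.entrySet()) {
            final String name = entry.getKey();
            final File moduleDir = Paths.get(baseDir.getPath(), NODE_MODULES, name).toFile();
            final File modulePackageJson = new File(moduleDir, PACKAGE_JSON);
            final String version;
            boolean optional = false;
            boolean isDev = false;
            JsonObject moduleJson = null;
            if (entry.getValue() instanceof JsonObject) {
                // Lock-file entry: an object with version/optional/dev members; "version" is required.
                moduleJson = (JsonObject) entry.getValue();
                version = moduleJson.getString(VERSION);
                optional = moduleJson.getBoolean("optional", false);
                isDev = moduleJson.getBoolean("dev", false);
            } else {
                // package.json entry: the value is the version specifier string.
                version = ((JsonString) entry.getValue()).getString();
            }
            if (isDev && skipDev) {
                continue;
            }
            if (shouldSkipDependency(name, version, optional, modulePackageJson.exists())) {
                continue;
            }
            if (moduleJson != null && moduleJson.containsKey(DEPENDENCIES)) {
                processDependencies(moduleJson, moduleDir, rootFile, String.format("%s/%s:%s", parentPackage, name, version), engine);
            }
            final Dependency child = createChildDependency(rootFile, parentPackage, name, version, modulePackageJson);
            registerDependency(engine, child, name, version);
        }
    }

    /**
     * Builds the dependency for one declared module, populating hashes and evidence from its
     * {@code package.json} when installed, or from the {@code name:version} string when not.
     *
     * @param rootFile the file being analyzed
     * @param parentPackage the {@code name:version} chain of the enclosing packages
     * @param name the module name
     * @param version the module version specifier
     * @param modulePackageJson the module's {@code package.json} under {@code node_modules}
     * @return the populated dependency
     * @throws AnalysisException if the module's {@code package.json} cannot be read
     */
    private Dependency createChildDependency(File rootFile, String parentPackage, String name, String version, File modulePackageJson) throws AnalysisException {
        // Synthetic path: the root file plus "?" and the package chain keys the dependency
        // uniquely; the second constructor argument marks it as not backed by a real file.
        final int slash = parentPackage.indexOf("/");
        final String parentPath = slash > 0 ? parentPackage.substring(slash + 1) : "";
        final Dependency child = new Dependency(new File(rootFile + "?" + parentPath + "/" + name + ":" + version), true);
        child.addProjectReference(parentPackage);
        child.setEcosystem(DEPENDENCY_ECOSYSTEM);
        if (modulePackageJson.exists()) {
            // Fingerprints identify the descriptor for matching; they are not an integrity check.
            try {
                child.setMd5sum(Checksum.getMD5Checksum(modulePackageJson));
                child.setSha1sum(Checksum.getSHA1Checksum(modulePackageJson));
                child.setSha256sum(Checksum.getSHA256Checksum(modulePackageJson));
            } catch (IOException | NoSuchAlgorithmException e) {
                LOGGER.debug("Error setting hashes:{}", e.getMessage(), e);
            }
            try (JsonReader reader = Json.createReader(FileUtils.openInputStream(modulePackageJson))) {
                gatherEvidence(reader.readObject(), child);
            } catch (IOException e) {
                throw new AnalysisException("Problem occurred while reading dependency file.", e);
            } catch (JsonException e) {
                // The dependency is still registered, but without evidence from its own descriptor.
                LOGGER.warn("Failed to parse package.json file from dependency.", e);
            }
        } else {
            LOGGER.warn("Unable to find node module: {}", modulePackageJson);
            final String packageId = String.format("%s:%s", name, version);
            // No file to hash: derive the fingerprints from the declared name and version instead.
            child.setSha1sum(Checksum.getSHA1Checksum(packageId));
            child.setSha256sum(Checksum.getSHA256Checksum(packageId));
            child.setMd5sum(Checksum.getMD5Checksum(packageId));
            child.addEvidence(EvidenceType.VENDOR, rootFile.getName(), PomHandler.NAME, name, Confidence.HIGHEST);
            child.addEvidence(EvidenceType.PRODUCT, rootFile.getName(), PomHandler.NAME, name, Confidence.HIGHEST);
            child.addEvidence(EvidenceType.VERSION, rootFile.getName(), VERSION, version, Confidence.HIGHEST);
            child.setName(name);
            child.setVersion(version);
            child.setDisplayFileName(packageId);
            child.setPackagePath(packageId);
            try {
                child.addSoftwareIdentifier(new PurlIdentifier(
                        PackageURLBuilder.aPackageURL().withType("npm").withName(name).withVersion(version).build(),
                        Confidence.HIGHEST));
            } catch (MalformedPackageURLException e) {
                LOGGER.debug("Unable to build package url for `{}`", packageId, e);
            }
        }
        return child;
    }

    /**
     * Adds {@code child} to the engine, merging with an already-known dependency of the same
     * name and version: a virtual record is folded into the new one and replaced, a real one
     * absorbs the new record.
     *
     * @param engine the engine holding the dependency list
     * @param child the dependency to register
     * @param name the module name used for the lookup
     * @param version the module version used for the lookup
     */
    private void registerDependency(Engine engine, Dependency child, String name, String version) {
        final Dependency existing = findDependency(engine, name, version);
        if (existing == null) {
            engine.addDependency(child);
        } else if (existing.isVirtual()) {
            DependencyMergingAnalyzer.mergeDependencies(child, existing, null);
            engine.removeDependency(existing);
            engine.addDependency(child);
        } else {
            DependencyBundlingAnalyzer.mergeDependencies(existing, child, null);
        }
    }
}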
