package org.owasp.dependencycheck.analyzer;

import com.sonatype.clm.dto.model.component.ComponentDisplayNameUtil;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.annotation.concurrent.ThreadSafe;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.update.cpe.CPEHandler;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceType;
import org.owasp.dependencycheck.dependency.Reference;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

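@ThreadSafe
/**
 * Analyzer that shells out to {@code bundle-audit check --verbose} for every {@code Gemfile.lock}
 * found in the scan and turns the advisories it prints into dependency-check vulnerabilities.
 * <p>
 * Security notes for operators and reviewers:
 * <ul>
 * <li>An external program is executed for every scanned lockfile, with the lockfile's directory as
 * its working directory. The argument vector is fixed, so nothing from the scanned project reaches
 * the command line; the project influences the child only through the {@code Gemfile.lock} it
 * reads. Scanning untrusted repositories therefore exposes bundle-audit's parser, not a shell.</li>
 * <li>When {@code Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH} is unset or does not name an existing
 * file, the bare name {@code bundle-audit} is resolved through the PATH of the dependency-check
 * process. Pin the path explicitly where PATH cannot be trusted.</li>
 * <li>Gem names parsed from the tool's output originate in the untrusted lockfile; they are
 * sanitized before being used as temp-file prefixes (see {@link #tempFilePrefix(String)}).</li>
 * </ul>
 * Both child pipes are drained before {@link Process#waitFor()} so a long verbose report cannot
 * block the child (and this analyzer) on a full pipe buffer.
 */
public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {

    /** Ecosystem label attached to the synthetic per-gem dependencies this analyzer creates. */
    public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle";
    /** Human readable analyzer name used in log and error messages. */
    private static final String ANALYZER_NAME = "Ruby Bundle Audit Analyzer";
    /** Prefix of the gem-name line in {@code bundle-audit check --verbose} output. */
    public static final String NAME = "Name: ";
    /** Prefix of the gem-version line. */
    public static final String VERSION = "Version: ";
    /** Prefix of the advisory-identifier line. */
    public static final String ADVISORY = "Advisory: ";
    /** Prefix of the criticality line. */
    public static final String CRITICALITY = "Criticality: ";
    /** Prefix of the reference-URL line. */
    private static final String URL = "URL: ";
    /** Prefix of the description line; the lines following it are free text until the next gem. */
    private static final String DESCRIPTION = "Description:";
    /** Source label recorded on evidence added by this analyzer. */
    private static final String EVIDENCE_SOURCE = "bundler-audit";
    /** Source label recorded on references added by this analyzer. */
    private static final String REFERENCE_SOURCE = "bundle-audit";
    /** Executable name used when no explicit path is configured; resolved through PATH. */
    private static final String DEFAULT_EXECUTABLE = "bundle-audit";
    /** Stderr marker a working bundle-audit prints when run where no Gemfile.lock exists. */
    private static final String MISSING_LOCKFILE_MARKER = "Errno::ENOENT";
    /** {@link File#createTempFile} rejects prefixes shorter than this with an IllegalArgumentException. */
    private static final int MIN_TEMP_PREFIX_LENGTH = 3;

    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) RubyBundleAuditAnalyzer.class);
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();

    /** NVD database handle used to enrich advisories whose id is known to it; may remain null. */
    private volatile CveDB cvedb = null;
    /**
     * Set once the overlapping Ruby analyzers have been switched off. This is a plain
     * check-then-set: if the engine calls {@link #analyzeDependency} concurrently two threads may
     * both take the branch, which only disables the same analyzers twice.
     */
    private volatile boolean needToDisableGemspecAnalyzer = true;

    /** Exit status and fully captured streams of one bundle-audit run. */
    private static final class AuditResult {
        private final int exitCode;
        private final List<String> output;
        private final List<String> errors;

        AuditResult(int exitCode, List<String> output, List<String> errors) {
            this.exitCode = exitCode;
            this.output = output;
            this.errors = errors;
        }
    }

    @Override // org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer
    protected FileFilter getFileFilter() {
        return FILTER;
    }

    /**
     * Builds and starts {@code bundle-audit check --verbose} with {@code directory} as the child's
     * working directory. A configured path is only honoured when it points at an existing file;
     * otherwise a warning is logged and the bare executable name is resolved through PATH.
     *
     * @param directory the directory holding the Gemfile.lock to audit
     * @return the started process; its streams have not been read
     * @throws AnalysisException if {@code directory} is not a directory or the process cannot start
     */
    private Process launchBundleAudit(File directory) throws AnalysisException {
        if (!directory.isDirectory()) {
            throw new AnalysisException(String.format("%s should have been a directory.", directory.getAbsolutePath()));
        }
        final String configuredPath = getSettings().getString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH);
        String executable = DEFAULT_EXECUTABLE;
        if (configuredPath != null) {
            final File configured = new File(configuredPath);
            if (configured.isFile()) {
                executable = configured.getAbsolutePath();
            } else {
                LOGGER.warn("Supplied `bundleAudit` path is incorrect: {}", configuredPath);
            }
        }
        // Fixed argument vector: no scanned content is ever placed on the command line.
        final List<String> command = new ArrayList<>();
        command.add(executable);
        command.add(CPEHandler.Element.CHECK);
        command.add("--verbose");
        final ProcessBuilder builder = new ProcessBuilder(command);
        builder.directory(directory);
        try {
            LOGGER.info("Launching: {} from {}", command, directory);
            return builder.start();
        } catch (IOException ex) {
            throw new AnalysisException("bundle-audit initialization failure; this error can be ignored if you are not analyzing Ruby. Otherwise ensure that bundle-audit is installed and the path to bundle audit is correctly specified", ex);
        }
    }

    /**
     * Reads every remaining line of {@code reader}.
     *
     * @throws IOException if the underlying stream fails
     */
    private static List<String> readAllLines(BufferedReader reader) throws IOException {
        final List<String> lines = new ArrayList<>();
        String line;
        while ((line = reader.readLine()) != null) {
            lines.add(line);
        }
        return lines;
    }

    /**
     * Drains {@code stream} on a daemon thread into {@code sink}. The sink is only written once,
     * after the stream hits EOF, and must only be read after {@link Thread#join()} on the returned
     * thread, which provides the needed happens-before edge.
     */
    private static Thread drainInBackground(final InputStream stream, final List<String> sink) {
        final Thread thread = new Thread(new Runnable() {
            @Override
            public void run() {
                try (BufferedReader reader = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
                    sink.addAll(readAllLines(reader));
                } catch (IOException ex) {
                    LOGGER.debug("Unable to read bundle-audit error stream", ex);
                }
            }
        }, "bundle-audit-stderr");
        thread.setDaemon(true);
        thread.start();
        return thread;
    }

    /**
     * Launches bundle-audit in {@code directory}, drains stdout on this thread and stderr on a
     * helper thread, and then waits for the exit status. Draining before {@code waitFor()} is
     * what prevents the classic pipe deadlock: a child that fills a pipe nobody is reading never
     * exits, and a verbose report over many advisories can exceed the OS pipe buffer.
     *
     * @throws AnalysisException if the process cannot be launched or its stdout cannot be read
     * @throws InterruptedException if this thread is interrupted while waiting; the child is destroyed first
     */
    private AuditResult runBundleAudit(File directory) throws AnalysisException, InterruptedException {
        final Process process = launchBundleAudit(directory);
        final List<String> errors = new ArrayList<>();
        final Thread drainer = drainInBackground(process.getErrorStream(), errors);
        final List<String> output;
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8))) {
            output = readAllLines(reader);
        } catch (IOException ex) {
            process.destroy();
            throw new AnalysisException("Unable to read bundle-audit output.", ex);
        }
        final int exitCode;
        try {
            exitCode = process.waitFor();
            drainer.join();
        } catch (InterruptedException ex) {
            process.destroy();
            throw ex;
        }
        return new AuditResult(exitCode, output, errors);
    }

    /**
     * Probes that bundle-audit can actually be executed. The probe runs in the temp directory,
     * which holds no Gemfile.lock, so a working installation is expected to exit non-zero and
     * complain with {@code Errno::ENOENT} on stderr; exit code 0 or any other output means the
     * tool is absent or behaving unexpectedly, and the analyzer disables itself.
     *
     * @param engine the engine whose NVD database is used for CVSS enrichment; may be null
     * @throws InitializationException whenever the analyzer had to be disabled
     */
    @Override // org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer
    public void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
        if (engine != null) {
            this.cvedb = engine.getDatabase();
        }
        final AuditResult probe;
        try {
            probe = runBundleAudit(getSettings().getTempDirectory());
        } catch (IOException ex) {
            setEnabled(false);
            throw new InitializationException("Unable to create temporary file, the Ruby Bundle Audit Analyzer will be disabled", ex);
        } catch (AnalysisException ex) {
            setEnabled(false);
            throw new InitializationException(String.format("Exception from bundle-audit process: %s. Disabling %s", ex.getCause(), ANALYZER_NAME), ex);
        } catch (InterruptedException ex) {
            setEnabled(false);
            Thread.currentThread().interrupt();
            throw new InitializationException(String.format("Bundle-audit process was interrupted. Disabling %s", ANALYZER_NAME));
        }
        if (probe.exitCode == 0) {
            // Success without a lockfile is impossible for a real bundle-audit.
            setEnabled(false);
            throw new InitializationException(String.format("Unexpected exit code from bundle-audit process. Disabling %s: %s", ANALYZER_NAME, probe.exitCode));
        }
        if (probe.errors.isEmpty()) {
            LOGGER.warn("Bundle-audit error stream unexpectedly not ready. Disabling {}", ANALYZER_NAME);
            setEnabled(false);
            throw new InitializationException("Bundle-audit error stream unexpectedly not ready.");
        }
        final String firstError = probe.errors.get(0);
        if (!firstError.contains(MISSING_LOCKFILE_MARKER)) {
            LOGGER.warn("Unexpected bundle-audit output. Disabling {}: {}", ANALYZER_NAME, firstError);
            setEnabled(false);
            throw new InitializationException("Unexpected bundle-audit output.");
        }
        if (isEnabled()) {
            LOGGER.info("{} is enabled. It is necessary to manually run \"bundle-audit update\" occasionally to keep its database up to date.", ANALYZER_NAME);
        }
    }

    @Override // org.owasp.dependencycheck.analyzer.Analyzer
    public String getName() {
        return ANALYZER_NAME;
    }

    @Override // org.owasp.dependencycheck.analyzer.Analyzer
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }

    @Override // org.owasp.dependencycheck.analyzer.AbstractAnalyzer
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED;
    }

    /**
     * Switches off the Ruby analyzers whose findings would duplicate bundle-audit's, warning when
     * the gemspec analyzer is not registered at all.
     */
    private static void disableOverlappingAnalyzers(Engine engine) {
        final String gemspecName = RubyGemspecAnalyzer.class.getName();
        boolean gemspecFound = false;
        for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
            if (analyzer instanceof RubyBundlerAnalyzer) {
                ((RubyBundlerAnalyzer) analyzer).setEnabled(false);
                LOGGER.info("Disabled {} to avoid noisy duplicate results.", RubyBundlerAnalyzer.class.getName());
            } else if (analyzer instanceof RubyGemspecAnalyzer) {
                ((RubyGemspecAnalyzer) analyzer).setEnabled(false);
                LOGGER.info("Disabled {} to avoid noisy duplicate results.", gemspecName);
                gemspecFound = true;
            }
        }
        if (!gemspecFound) {
            LOGGER.warn("Did not find {}.", gemspecName);
        }
    }

    /**
     * Runs bundle-audit against the directory of the given Gemfile.lock and records one synthetic
     * dependency per affected gem, each carrying the advisories reported for it.
     *
     * @param dependency the Gemfile.lock dependency
     * @param engine the engine the per-gem dependencies are added to
     * @throws AnalysisException if the tool cannot be launched, is interrupted, or exits with a
     * status other than 0 (clean) or 1 (advisories found)
     */
    @Override // org.owasp.dependencycheck.analyzer.AbstractAnalyzer
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
        if (this.needToDisableGemspecAnalyzer) {
            disableOverlappingAnalyzers(engine);
            this.needToDisableGemspecAnalyzer = false;
        }
        final AuditResult result;
        try {
            result = runBundleAudit(dependency.getActualFile().getParentFile());
        } catch (InterruptedException ex) {
            Thread.currentThread().interrupt();
            throw new AnalysisException("bundle-audit process interrupted", ex);
        }
        // bundle-audit exits 0 when clean and 1 when advisories were found; anything else is a tool failure.
        if (result.exitCode < 0 || result.exitCode > 1) {
            throw new AnalysisException(String.format("Unexpected exit code from bundle-audit process; exit code: %s", result.exitCode));
        }
        for (String errorLine : result.errors) {
            LOGGER.warn(errorLine);
        }
        try {
            processBundlerAuditOutput(dependency, engine, result.output);
        } catch (IOException ex) {
            LOGGER.warn("bundle-audit failure", ex);
        }
    }

    /**
     * Parses the verbose report line by line. The report is a flat sequence of
     * {@code Name:}/{@code Version:}/{@code Advisory:}/{@code Criticality:}/{@code URL:}/
     * {@code Description:} lines; a {@code Name:} line starts a new gem and ends any running
     * description, and lines that match no known prefix are appended to the description while one
     * is open. Lines arriving before the prefix they depend on are ignored (null guards below).
     *
     * @throws IOException if a per-gem temp file cannot be created
     */
    private void processBundlerAuditOutput(Dependency dependency, Engine engine, List<String> lines) throws IOException {
        final String parentName = dependency.getActualFile().getParentFile().getName();
        final String fileName = dependency.getFileName();
        final String filePath = dependency.getFilePath();
        final Map<String, Dependency> gems = new HashMap<>();
        Dependency current = null;
        Vulnerability vulnerability = null;
        String gem = null;
        boolean inDescription = false;
        for (String line : lines) {
            if (line.startsWith(NAME)) {
                inDescription = false;
                gem = line.substring(NAME.length());
                current = gems.get(gem);
                if (current == null) {
                    current = createDependencyForGem(engine, parentName, fileName, filePath, gem);
                    gems.put(gem, current);
                }
                LOGGER.debug("bundle-audit ({}): {}", parentName, line);
            } else if (line.startsWith(VERSION)) {
                vulnerability = createVulnerability(parentName, current, gem, line);
            } else if (line.startsWith(ADVISORY)) {
                setVulnerabilityName(parentName, current, vulnerability, line);
            } else if (line.startsWith(CRITICALITY)) {
                addCriticalityToVulnerability(parentName, vulnerability, line);
            } else if (line.startsWith(URL)) {
                addReferenceToVulnerability(parentName, vulnerability, line);
            } else if (line.startsWith(DESCRIPTION)) {
                inDescription = true;
                if (vulnerability != null) {
                    vulnerability.setDescription("*** Vulnerability obtained from bundle-audit verbose report. Title link may not work. CPE below is guessed. CVSS score is estimated (-1.0  indicates unknown). See link below for full details. *** ");
                }
            } else if (inDescription && vulnerability != null) {
                vulnerability.setDescription(vulnerability.getDescription() + line + "\n");
            }
        }
    }

    /**
     * Names the vulnerability after the advisory id and attaches it to the gem's dependency.
     * An {@code Advisory:} line with no preceding {@code Version:} leaves {@code vulnerability}
     * null; in that case nothing is attached, so the dependency never receives a null entry.
     */
    private void setVulnerabilityName(String parentName, Dependency dependency, Vulnerability vulnerability, String line) {
        final String advisory = line.substring(ADVISORY.length());
        if (vulnerability != null) {
            vulnerability.setName(advisory);
            if (dependency != null) {
                dependency.addVulnerability(vulnerability);
            }
        }
        LOGGER.debug("bundle-audit ({}): {}", parentName, line);
    }

    /** Records the advisory URL as a reference on the vulnerability, if one is open. */
    private void addReferenceToVulnerability(String parentName, Vulnerability vulnerability, String line) {
        final String url = line.substring(URL.length());
        if (vulnerability != null) {
            final Reference reference = new Reference();
            reference.setName(vulnerability.getName());
            reference.setSource(REFERENCE_SOURCE);
            reference.setUrl(url);
            vulnerability.getReferences().add(reference);
        }
        LOGGER.debug("bundle-audit ({}): {}", parentName, line);
    }

    /**
     * Sets the CVSS data on the vulnerability. When the advisory id resolves in the NVD database
     * its real score and vector are copied; otherwise the score is estimated from bundle-audit's
     * High/Medium/Low label (8.5/5.5/2.0) and left at -1.0 when the label is unknown.
     */
    private void addCriticalityToVulnerability(String parentName, Vulnerability vulnerability, String line) {
        if (vulnerability != null) {
            final String criticality = line.substring(CRITICALITY.length()).trim();
            Vulnerability known = null;
            if (this.cvedb != null) {
                try {
                    known = this.cvedb.getVulnerability(vulnerability.getName());
                } catch (DatabaseException ex) {
                    LOGGER.debug("Unable to look up vulnerability {}", vulnerability.getName(), ex);
                }
            }
            float score = -1.0f;
            if (known != null) {
                score = known.getCvssScore();
                vulnerability.setCvssAccessComplexity(known.getCvssAccessComplexity());
                vulnerability.setCvssAccessVector(known.getCvssAccessVector());
                vulnerability.setCvssAuthentication(known.getCvssAuthentication());
                vulnerability.setCvssAvailabilityImpact(known.getCvssAvailabilityImpact());
                vulnerability.setCvssConfidentialityImpact(known.getCvssConfidentialityImpact());
                vulnerability.setCvssIntegrityImpact(known.getCvssIntegrityImpact());
            } else if ("High".equalsIgnoreCase(criticality)) {
                score = 8.5f;
            } else if ("Medium".equalsIgnoreCase(criticality)) {
                score = 5.5f;
            } else if ("Low".equalsIgnoreCase(criticality)) {
                score = 2.0f;
            }
            vulnerability.setCvssScore(score);
        }
        LOGGER.debug("bundle-audit ({}): {}", parentName, line);
    }

    /**
     * Starts a new vulnerability for the current gem from a {@code Version:} line, recording the
     * version as evidence and a guessed CPE. Returns null when no gem dependency is open yet.
     */
    private Vulnerability createVulnerability(String parentName, Dependency dependency, String gem, String line) {
        Vulnerability vulnerability = null;
        if (dependency != null) {
            final String version = line.substring(VERSION.length());
            // ComponentDisplayNameUtil.VERSION_LABEL is the evidence name the decompiled listing
            // referenced here; confirm it matches the upstream label before changing it.
            dependency.addEvidence(EvidenceType.VERSION, EVIDENCE_SOURCE, ComponentDisplayNameUtil.VERSION_LABEL, version, Confidence.HIGHEST);
            vulnerability = new Vulnerability();
            // Guessed CPE: bundle-audit does not supply one, so vendor/product are derived from the gem name.
            vulnerability.setMatchedCPE(String.format("cpe:/a:%1$s_project:%1$s:%2$s::~~~ruby~~", gem, version), null);
            vulnerability.setCvssAccessVector("-");
            vulnerability.setCvssAccessComplexity("-");
            vulnerability.setCvssAuthentication("-");
            vulnerability.setCvssAvailabilityImpact("-");
            vulnerability.setCvssConfidentialityImpact("-");
            vulnerability.setCvssIntegrityImpact("-");
        }
        LOGGER.debug("bundle-audit ({}): {}", parentName, line);
        return vulnerability;
    }

    /**
     * Derives a temp-file prefix from a gem name reported by bundle-audit. The name comes from the
     * scanned Gemfile.lock and is untrusted: {@link File#createTempFile} throws
     * {@code IllegalArgumentException} for prefixes shorter than three characters (a real gem such
     * as {@code pg} would abort the whole analysis) and fails on path separators, so the name is
     * reduced to ASCII letters, digits, {@code .}, {@code -}, {@code _} and padded to the minimum.
     */
    private static String tempFilePrefix(String gem) {
        final StringBuilder prefix = new StringBuilder();
        if (gem != null) {
            for (char c : gem.toCharArray()) {
                final boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                        || c == '.' || c == '-' || c == '_';
                prefix.append(safe ? c : '_');
            }
        }
        while (prefix.length() < MIN_TEMP_PREFIX_LENGTH) {
            prefix.append('_');
        }
        return prefix.toString();
    }

    /**
     * Creates the synthetic dependency that represents one gem of the audited lockfile. A small
     * stub file is written to the temp directory so the dependency has a real backing file; its
     * display name is {@code <parent dir>/<lockfile>:<gem>}.
     *
     * @throws IOException if the stub file cannot be created or written
     */
    private Dependency createDependencyForGem(Engine engine, String parentName, String fileName, String filePath, String gem) throws IOException {
        final String displayName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem);
        final File stub;
        try {
            stub = File.createTempFile(tempFilePrefix(gem), "_Gemfile.lock", getSettings().getTempDirectory());
            FileUtils.write(stub, displayName, Charset.defaultCharset());
        } catch (IOException ex) {
            throw new IOException("Unable to create temporary gem file", ex);
        }
        final Dependency gemDependency = new Dependency(stub);
        gemDependency.setEcosystem(DEPENDENCY_ECOSYSTEM);
        // ComponentDisplayNameUtil.NAME_LABEL is the evidence name the decompiled listing referenced; confirm against upstream.
        gemDependency.addEvidence(EvidenceType.PRODUCT, EVIDENCE_SOURCE, ComponentDisplayNameUtil.NAME_LABEL, gem, Confidence.HIGHEST);
        gemDependency.setDisplayFileName(displayName);
        gemDependency.setFileName(fileName);
        gemDependency.setFilePath(filePath);
        engine.addDependency(gemDependency);
        return gemDependency;
    }
}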
