Vulnerabilities.java

/*
 * Zed Attack Proxy (ZAP) and its related class files.
 * 
 * ZAP is an HTTP/HTTPS proxy for assessing web application security.
 * 
 * Copyright 2010 psiinon@gmail.com
 * 
 * Licensed under the Apache License, Version 2.0 (the "License"); 
 * you may not use this file except in compliance with the License. 
 * You may obtain a copy of the License at 
 * 
 *   http://www.apache.org/licenses/LICENSE-2.0 
 *   
 * Unless required by applicable law or agreed to in writing, software 
 * distributed under the License is distributed on an "AS IS" BASIS, 
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
 * See the License for the specific language governing permissions and 
 * limitations under the License. 
 */
package org.zaproxy.zap.model;

import java.nio.file.Paths;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.parosproxy.paros.Constant;

public final class Vulnerabilities {
	
	private static List<Vulnerability> vulnerabilities;
	private static Map<String, Vulnerability> vulnerabilitiesMap;
	
	private Vulnerabilities() {
	}

	private static synchronized void init() {
		if (vulnerabilities == null) {
			VulnerabilitiesLoader loader = new VulnerabilitiesLoader(
					Paths.get(Constant.getZapInstall(), Constant.LANG_DIR),
					Constant.VULNERABILITIES_PREFIX,
					Constant.VULNERABILITIES_EXTENSION);
			List<Vulnerability> vulns = loader.load(Constant.getLocale());

			Map<String, Vulnerability> map = new HashMap<>();
			for (Vulnerability vulnerability : vulns) {
				map.put(vulnerability.getId(), vulnerability);
			}

			vulnerabilitiesMap = Collections.unmodifiableMap(map);
			vulnerabilities = vulns;
		}
	}

	/**
	 * Gets an unmodifiable {@code List} containing all the {@code Vulnerability} for the current active Locale. They are loaded
	 * from a XML file.
	 * <p>
	 * An empty {@code List} is returned if any error occurred while opening/parsing the XML file. The returned {@code List} is
	 * guaranteed to be <i>non</i> {@code null}.
	 * <p>
	 * <b>Note:</b> Trying to modify the list will result in an {@code UnsupportedOperationException}.
	 * 
	 * @return an unmodifiable {@code List} containing all the {@code Vulnerability} loaded, never {@code null}.
	 */
	public static List<Vulnerability> getAllVulnerabilities() {
		initializeIfEmpty();
		return vulnerabilities;
	}
	
	/**
	 * Returns the {@code Vulnerability} for the given WASC ID, or {@code null} if not available.
	 * <p>
	 * The WASC ID is in the form: <blockquote>"wasc_" + #ID</blockquote>
	 * <p>
	 * For example, "wasc_1", "wasc_2" or "wasc_48".
	 *
	 * @param id the WASC ID of the vulnerability, e.g. wasc_1
	 * @return the {@code Vulnerability} for the given WASC ID, or {@code null} if not available
	 */
	public static Vulnerability getVulnerability (String id) {
		initializeIfEmpty();
		return vulnerabilitiesMap.get(id);
	}

	private static void initializeIfEmpty() {
		if (vulnerabilities == null) {
			init();
		}
	}
	
	public static String getDescription(Vulnerability vuln) {
		if (vuln != null) {
			return vuln.getDescription();
		}
		return "Failed to load vulnerability description from file";
	}

	public static String getSolution(Vulnerability vuln) {
		if (vuln != null) {
			return vuln.getSolution();
		}
		return "Failed to load vulnerability solution from file";
	}

	public static String getReference(Vulnerability vuln) {
		if (vuln != null) {
			StringBuilder sb = new StringBuilder();
			for (String ref : vuln.getReferences()) {
				if (sb.length() > 0) {
					sb.append('\n');
				}
				sb.append(ref);
			}
			return sb.toString();
		}
		return "Failed to load vulnerability reference from file";
	}
}