package org.palladiosimulator.pcm.confidentiality.reverseengineering.staticcodeanalysis;

import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.jsoup.Jsoup;
import org.palladiosimulator.pcm.confidentiality.attackerSpecification.AttackerFactory;
import org.palladiosimulator.pcm.confidentiality.attackerSpecification.CategorySpecification;
import org.palladiosimulator.pcm.confidentiality.attackerSpecification.attackSpecification.CVEID;
import org.palladiosimulator.pcm.confidentiality.attackerSpecification.attackSpecification.CVEVulnerability;
import org.palladiosimulator.pcm.confidentiality.attackerSpecification.attackSpecification.CWEID;
import org.palladiosimulator.pcm.confidentiality.attackerSpecification.attackSpecification.impl.AttackSpecificationFactoryImpl;
import org.palladiosimulator.pcm.confidentiality.reverseengineering.staticcodeanalysis.iface.IVulnerabilityDatabase;
import org.palladiosimulator.pcm.confidentiality.reverseengineering.staticcodeanalysis.iface.VulnerabilityDatabaseException;
import org.palladiosimulator.pcm.confidentiality.reverseengineering.staticcodeanalysis.nvd_rest_api.BaseMetricV3;
import org.palladiosimulator.pcm.confidentiality.reverseengineering.staticcodeanalysis.nvd_rest_api.CvssV3X;
import org.palladiosimulator.pcm.confidentiality.reverseengineering.staticcodeanalysis.nvd_rest_api.DefCveItem;
import org.palladiosimulator.pcm.confidentiality.reverseengineering.staticcodeanalysis.nvd_rest_api.NvdResponse;

/* loaded from: input_file:org/palladiosimulator/pcm/confidentiality/reverseengineering/staticcodeanalysis/NistVulnerabilityDatabase.class */
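/**
 * {@link IVulnerabilityDatabase} backed by the NVD REST API.
 *
 * <p>Each lookup fetches one CVE record over HTTPS, converts its CVSS v3 base metrics into a
 * {@link CVEVulnerability} and remembers the outcome (including "nothing usable returned") in an
 * in-memory cache. Requests are throttled to 10 per minute, or 100 per minute when an API key is
 * configured.
 *
 * <p>The response body comes from a remote service and is treated as untrusted: every level of
 * the parsed structure that is dereferenced here is null-checked first, so a truncated or
 * unexpected payload surfaces as a {@link VulnerabilityDatabaseException} instead of a
 * {@link NullPointerException}.
 *
 * <p>The caches are plain {@link HashMap}s and no synchronization is performed in this class.
 */
public class NistVulnerabilityDatabase implements IVulnerabilityDatabase {
    private static final Logger LOG = Logger.getLogger(NistVulnerabilityDatabase.class);
    private static final String API_ENTRY_POINT = "https://services.nvd.nist.gov/rest/json/cve/1.0/";
    private static final String API_KEY_PARAMETER = "?apiKey=";
    private static final String API_KEY_ENVIRONMENT_VARIABLE = "NIST_NVD_API_KEY";
    private static final int REQUESTS_PER_MINUTE_DEFAULT = 10;
    private static final int REQUESTS_PER_MINUTE_API_KEY = 100;
    private static final String NO_VULNERABILITIES_MESSAGE = "NVD API did not return any vulnerabilities!";
    private static final String NO_CVSS_MESSAGE = "Database did not return CVSS for the CVE!";

    // Lookup results keyed by CVE id; a null value records a lookup that yielded nothing usable.
    private final Map<String, CVEVulnerability> cache;
    // CWE category objects already created, so each CWE number maps to a single shared instance.
    private final Map<Integer, CWEID> cweIds;
    private final CategorySpecification categorySpecification;
    // Null when no usable (non-blank) key was supplied or found in the environment.
    private final String apiKey;
    private final double requestsPerMinute;

    static {
        LOG.setLevel(Level.INFO);
    }

    /** Creates a database client that takes its API key from the {@code NIST_NVD_API_KEY} environment variable. */
    public NistVulnerabilityDatabase() {
        this(null);
    }

    /**
     * Creates a database client.
     *
     * @param str the NVD API key; when {@code null} or blank, the {@code NIST_NVD_API_KEY}
     *            environment variable is consulted instead
     */
    public NistVulnerabilityDatabase(String str) {
        this.cache = new HashMap<>();
        this.cweIds = new HashMap<>();
        this.categorySpecification = AttackerFactory.eINSTANCE.createCategorySpecification();
        String candidate = (str == null || str.isBlank()) ? System.getenv(API_KEY_ENVIRONMENT_VARIABLE) : str;
        // A blank key is normalised to null so that the rate limit and the request URL always
        // agree on whether a key is in use (a blank environment value previously produced an
        // empty "?apiKey=" parameter while the unauthenticated rate limit was applied).
        this.apiKey = (candidate == null || candidate.isBlank()) ? null : candidate;
        this.requestsPerMinute = this.apiKey == null ? REQUESTS_PER_MINUTE_DEFAULT : REQUESTS_PER_MINUTE_API_KEY;
    }

    /**
     * Looks up a CVE and converts its CVSS v3 base metrics.
     *
     * @param str  the CVE identifier to query
     * @param list CWE numbers to attach to the resulting vulnerability; {@code null} is treated as empty
     * @return the converted vulnerability, served from the cache when the id was seen before
     * @throws VulnerabilityDatabaseException if the id is missing, the wait for the rate limit is
     *         interrupted, the service cannot be reached, the response cannot be parsed, or the
     *         response contains no CVE item or no CVSS v3 data
     */
    @Override
    public CVEVulnerability getCVEVulnerability(String str, List<Integer> list) throws VulnerabilityDatabaseException {
        if (str == null || str.isBlank()) {
            throw new VulnerabilityDatabaseException("No CVE identifier given!");
        }
        if (this.cache.containsKey(str)) {
            CVEVulnerability cached = this.cache.get(str);
            if (cached == null) {
                throw new VulnerabilityDatabaseException(NO_VULNERABILITIES_MESSAGE);
            }
            return cached;
        }
        waitForRateLimit();

        String responseText;
        try {
            responseText = Jsoup.connect(buildRequestUrl(str))
                    .ignoreContentType(true)
                    .ignoreHttpErrors(true)
                    .get()
                    .body()
                    .text();
        } catch (IOException e) {
            throw new VulnerabilityDatabaseException("Could not contact NVD API!", e);
        }

        NvdResponse nvdResponse;
        try {
            nvdResponse = new Gson().fromJson(responseText, NvdResponse.class);
        } catch (JsonSyntaxException e) {
            throw new VulnerabilityDatabaseException("Could not process NVD API response!", e);
        }

        // Gson returns null for an empty document, and HTTP error bodies are accepted above
        // (ignoreHttpErrors), so nothing about the parsed structure can be assumed.
        if (nvdResponse == null
                || nvdResponse.getResult() == null
                || nvdResponse.getResult().getCVEItems() == null
                || nvdResponse.getResult().getCVEItems().isEmpty()) {
            this.cache.put(str, null);
            throw new VulnerabilityDatabaseException(NO_VULNERABILITIES_MESSAGE);
        }
        DefCveItem defCveItem = nvdResponse.getResult().getCVEItems().get(0);
        if (defCveItem == null
                || defCveItem.getCve() == null
                || defCveItem.getCve().getCVEDataMeta() == null
                || defCveItem.getCve().getCVEDataMeta().getId() == null) {
            this.cache.put(str, null);
            throw new VulnerabilityDatabaseException("Could not process NVD API response!");
        }
        String id = defCveItem.getCve().getCVEDataMeta().getId();
        BaseMetricV3 baseMetricV3 = defCveItem.getImpact() == null ? null : defCveItem.getImpact().getBaseMetricV3();
        if (baseMetricV3 == null || baseMetricV3.getCvssV3() == null) {
            this.cache.put(str, null);
            throw new VulnerabilityDatabaseException(NO_CVSS_MESSAGE);
        }
        CVEVulnerability vulnerability = createCVEVulnFromCVSS(id, baseMetricV3.getCvssV3(), list);
        LOG.info("Database processed CVSS for " + str);
        // Store under the id reported by the service and under the id that was asked for: the
        // cache is probed with the requested id, so a difference in spelling between the two
        // would otherwise trigger a fresh (rate-limited) request on every call.
        this.cache.put(id, vulnerability);
        this.cache.put(str, vulnerability);
        return vulnerability;
    }

    /** Returns the category specification that collects every CVE and CWE id created by this instance. */
    @Override
    public CategorySpecification getCategorySpecification() {
        return this.categorySpecification;
    }

    /**
     * Blocks for one rate-limit interval before a request is sent.
     *
     * @throws VulnerabilityDatabaseException if the thread is interrupted while waiting; the
     *         interrupt flag is restored so callers can still observe the interruption
     */
    private void waitForRateLimit() throws VulnerabilityDatabaseException {
        try {
            Thread.sleep((long) (60000.0d / this.requestsPerMinute));
        } catch (InterruptedException e) {
            // Swallowing the interrupt would send the request without the throttle delay and hide
            // the cancellation from the caller.
            Thread.currentThread().interrupt();
            throw new VulnerabilityDatabaseException("Interrupted while waiting for the NVD API rate limit!", e);
        }
    }

    /**
     * Builds the request URL for one CVE id.
     *
     * <p>Both the id and the key are percent-encoded so that characters such as {@code /},
     * {@code ?}, {@code &} or {@code #} in either value cannot alter the path or add query
     * parameters. Well-formed CVE ids contain only letters, digits and hyphens and are unchanged.
     *
     * <p>The returned string contains the API key. It must not be logged or copied into exception
     * messages. NOTE(review): the key still travels in the query string, where intermediaries and
     * access logs can record it; if the service offers a header-based way to pass the key, prefer
     * that.
     */
    private String buildRequestUrl(String cveId) {
        StringBuilder url = new StringBuilder(API_ENTRY_POINT)
                .append(URLEncoder.encode(cveId, StandardCharsets.UTF_8));
        if (this.apiKey != null) {
            url.append(API_KEY_PARAMETER).append(URLEncoder.encode(this.apiKey, StandardCharsets.UTF_8));
        }
        return url.toString();
    }

    /** Creates a vulnerability for the given CVE id, attaches the CWE ids and copies the CVSS v3 metrics. */
    private CVEVulnerability createCVEVulnFromCVSS(String str, CvssV3X cvssV3X, List<Integer> list) {
        CVEVulnerability vulnerability = AttackSpecificationFactoryImpl.eINSTANCE.createCVEVulnerability();
        setCveId(vulnerability, str);
        if (list != null) {
            for (Integer cweNumber : list) {
                // A null entry carries no CWE number to record.
                if (cweNumber != null) {
                    addCweId(vulnerability, cweNumber);
                }
            }
        }
        vulnerability.setAttackVector(CvssConverter.convert(cvssV3X.getAttackVector()));
        vulnerability.setPrivileges(CvssConverter.convert(cvssV3X.getPrivilegesRequired()));
        vulnerability.setConfidentialityImpact(CvssConverter.toConfImpact(cvssV3X.getConfidentialityImpact()));
        vulnerability.setIntegrityImpact(CvssConverter.toIntegImpact(cvssV3X.getIntegrityImpact()));
        vulnerability.setAvailabilityImpact(CvssConverter.toAvailImpact(cvssV3X.getAvailabilityImpact()));
        return vulnerability;
    }

    /** Creates a CVE id category, registers it in the category specification and links it to the vulnerability. */
    private void setCveId(CVEVulnerability cVEVulnerability, String str) {
        CVEID cveId = AttackSpecificationFactoryImpl.eINSTANCE.createCVEID();
        cveId.setEntityName(str);
        cveId.setCveID(str);
        cVEVulnerability.setEntityName(str);
        this.categorySpecification.getCategories().add(cveId);
        cVEVulnerability.setCveID(cveId);
    }

    /** Links the CWE category for {@code num} to the vulnerability, creating and registering it on first use. */
    private void addCweId(CVEVulnerability cVEVulnerability, Integer num) {
        CWEID cweId = this.cweIds.get(num);
        if (cweId == null) {
            cweId = AttackSpecificationFactoryImpl.eINSTANCE.createCWEID();
            cweId.setEntityName("CWE-" + num.toString());
            cweId.setCweID(num.intValue());
            this.categorySpecification.getCategories().add(cweId);
            this.cweIds.put(num, cweId);
        }
        cVEVulnerability.getCweID().add(cweId);
    }
}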
