package org.palladiosimulator.retriever.vulnerability.core;

import com.google.gson.GsonBuilder;
import com.google.gson.JsonSyntaxException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.jsoup.Connection;
import org.jsoup.Jsoup;
import org.palladiosimulator.pcm.confidentiality.attackerSpecification.AttackerFactory;
import org.palladiosimulator.pcm.confidentiality.attackerSpecification.CategorySpecification;
import org.palladiosimulator.pcm.confidentiality.attackerSpecification.attackSpecification.CVEID;
import org.palladiosimulator.pcm.confidentiality.attackerSpecification.attackSpecification.CVEVulnerability;
import org.palladiosimulator.pcm.confidentiality.attackerSpecification.attackSpecification.CWEID;
import org.palladiosimulator.pcm.confidentiality.attackerSpecification.attackSpecification.impl.AttackSpecificationFactoryImpl;
import org.palladiosimulator.retriever.vulnerability.core.api.IVulnerabilityDatabase;
import org.palladiosimulator.retriever.vulnerability.core.api.VulnerabilityDatabaseException;
import org.palladiosimulator.retriever.vulnerability.core.nvd.CvssV31;
import org.palladiosimulator.retriever.vulnerability.core.nvd.CvssV31Data;
import org.palladiosimulator.retriever.vulnerability.core.nvd.DefCveItem;
import org.palladiosimulator.retriever.vulnerability.core.nvd.NvdResponse;

/* loaded from: input_file:org/palladiosimulator/retriever/vulnerability/core/NistVulnerabilityDatabase.class */
public class NistVulnerabilityDatabase implements IVulnerabilityDatabase {
    private static final Logger LOG = Logger.getLogger(NistVulnerabilityDatabase.class);
    private static final String API_ENTRY_POINT = "https://services.nvd.nist.gov/rest/json/cves/2.0/?cveId=";
    private static final String API_KEY_HEADER = "apiKey";
    private static final String API_KEY_ENVIRONMENT_VARIABLE = "NIST_NVD_API_KEY";
    private static final int REQUESTS_PER_MINUTE_DEFAULT = 10;
    private static final int REQUESTS_PER_MINUTE_API_KEY = 100;
    private final Map<String, CVEVulnerability> cache;
    private final Map<Integer, CWEID> cweIds;
    private final CategorySpecification categorySpecification;
    private final String apiKey;
    private double requestsPerMinute;

    static {
        LOG.setLevel(Level.INFO);
    }

    public NistVulnerabilityDatabase() {
        this(null);
    }

    public NistVulnerabilityDatabase(String str) {
        this.cache = new HashMap();
        this.cweIds = new HashMap();
        this.categorySpecification = AttackerFactory.eINSTANCE.createCategorySpecification();
        this.requestsPerMinute = 10.0d;
        if (str == null || str.isBlank()) {
            this.apiKey = System.getenv().get(API_KEY_ENVIRONMENT_VARIABLE);
        } else {
            this.apiKey = str;
        }
        if (this.apiKey == null || this.apiKey.isBlank()) {
            this.requestsPerMinute = 10.0d;
        } else {
            this.requestsPerMinute = 100.0d;
        }
    }

    @Override // org.palladiosimulator.retriever.vulnerability.core.api.IVulnerabilityDatabase
    public CVEVulnerability getCVEVulnerability(String str, List<Integer> list) throws VulnerabilityDatabaseException {
        if (this.cache.containsKey(str)) {
            if (this.cache.get(str) == null) {
                throw new VulnerabilityDatabaseException("NVD API did not return any vulnerabilities!");
            }
            return this.cache.get(str);
        }
        try {
            Thread.sleep((long) (90000.0d / this.requestsPerMinute));
        } catch (InterruptedException unused) {
        }
        try {
            Connection connect = Jsoup.connect(API_ENTRY_POINT + str);
            if (this.apiKey != null) {
                connect = connect.header(API_KEY_HEADER, this.apiKey);
            }
            String text = connect.ignoreContentType(true).ignoreHttpErrors(true).get().body().text();
            try {
                NvdResponse nvdResponse = (NvdResponse) new GsonBuilder().setDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS").create().fromJson(text, NvdResponse.class);
                if (nvdResponse.getVulnerabilities().isEmpty()) {
                    this.cache.put(str, null);
                    throw new VulnerabilityDatabaseException("NVD API did not return any vulnerabilities!");
                }
                DefCveItem defCveItem = nvdResponse.getVulnerabilities().get(0);
                String id = defCveItem.getCve().getId();
                List<CvssV31> cvssMetricV31 = defCveItem.getCve().getMetrics().getCvssMetricV31();
                if (cvssMetricV31 == null || cvssMetricV31.isEmpty()) {
                    this.cache.put(str, null);
                    throw new VulnerabilityDatabaseException("Database did not return CVSS for the CVE!");
                }
                CVEVulnerability createCVEVulnFromCVSS = createCVEVulnFromCVSS(id, cvssMetricV31.get(0).getCvssData(), list);
                LOG.info("Database processed CVSS for " + str);
                this.cache.put(id, createCVEVulnFromCVSS);
                return createCVEVulnFromCVSS;
            } catch (JsonSyntaxException e) {
                throw new VulnerabilityDatabaseException("Could not process NVD API response: " + e + "\nResponse was:\n" + text);
            }
        } catch (IOException e2) {
            throw new VulnerabilityDatabaseException("Could not contact NVD API!", e2);
        }
    }

    @Override // org.palladiosimulator.retriever.vulnerability.core.api.IVulnerabilityDatabase
    public CategorySpecification getCategorySpecification() {
        return this.categorySpecification;
    }

    private CVEVulnerability createCVEVulnFromCVSS(String str, CvssV31Data cvssV31Data, List<Integer> list) {
        CVEVulnerability createCVEVulnerability = AttackSpecificationFactoryImpl.eINSTANCE.createCVEVulnerability();
        setCveId(createCVEVulnerability, str);
        Iterator<Integer> it = list.iterator();
        while (it.hasNext()) {
            addCweId(createCVEVulnerability, it.next());
        }
        createCVEVulnerability.setAttackVector(CvssConverter.convert(cvssV31Data.getAttackVector()));
        createCVEVulnerability.setPrivileges(CvssConverter.convert(cvssV31Data.getPrivilegesRequired()));
        createCVEVulnerability.setConfidentialityImpact(CvssConverter.toConfImpact(cvssV31Data.getConfidentialityImpact()));
        createCVEVulnerability.setIntegrityImpact(CvssConverter.toIntegImpact(cvssV31Data.getIntegrityImpact()));
        createCVEVulnerability.setAvailabilityImpact(CvssConverter.toAvailImpact(cvssV31Data.getAvailabilityImpact()));
        return createCVEVulnerability;
    }

    private void setCveId(CVEVulnerability cVEVulnerability, String str) {
        CVEID createCVEID = AttackSpecificationFactoryImpl.eINSTANCE.createCVEID();
        createCVEID.setEntityName(str);
        createCVEID.setCveID(str);
        cVEVulnerability.setEntityName(str);
        this.categorySpecification.getCategories().add(createCVEID);
        cVEVulnerability.setCveID(createCVEID);
    }

    private void addCweId(CVEVulnerability cVEVulnerability, Integer num) {
        CWEID createCWEID;
        if (this.cweIds.containsKey(num)) {
            createCWEID = this.cweIds.get(num);
        } else {
            createCWEID = AttackSpecificationFactoryImpl.eINSTANCE.createCWEID();
            createCWEID.setEntityName("CWE-" + num.toString());
            createCWEID.setCweID(num.intValue());
            this.categorySpecification.getCategories().add(createCWEID);
            this.cweIds.put(num, createCWEID);
        }
        cVEVulnerability.getCweID().add(createCWEID);
    }
}
