true if auto-update is allowed; otherwise false
+ * @return true if auto-update is allowed; otherwise
+ * false
*/
public boolean isAutoUpdate() {
return line != null && !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
@@ -945,7 +985,8 @@ public final class CliParser {
/**
* Checks if the update only flag has been set.
*
- * @return true if the update only flag has been set; otherwise false.
+ * @return true if the update only flag has been set; otherwise
+ * false.
*/
public boolean isUpdateOnly() {
return line != null && line.hasOption(ARGUMENT.UPDATE_ONLY);
@@ -954,14 +995,16 @@ public final class CliParser {
/**
* Checks if the purge NVD flag has been set.
*
- * @return true if the purge nvd flag has been set; otherwise false.
+ * @return true if the purge nvd flag has been set; otherwise
+ * false.
*/
public boolean isPurge() {
return line != null && line.hasOption(ARGUMENT.PURGE_NVD);
}
/**
- * Returns the database driver name if specified; otherwise null is returned.
+ * Returns the database driver name if specified; otherwise null is
+ * returned.
*
* @return the database driver name if specified; otherwise null is returned
*/
@@ -970,7 +1013,8 @@ public final class CliParser {
}
/**
- * Returns the database driver path if specified; otherwise null is returned.
+ * Returns the database driver path if specified; otherwise null is
+ * returned.
*
* @return the database driver name if specified; otherwise null is returned
*/
@@ -979,34 +1023,41 @@ public final class CliParser {
}
/**
- * Returns the database connection string if specified; otherwise null is returned.
+ * Returns the database connection string if specified; otherwise null is
+ * returned.
*
- * @return the database connection string if specified; otherwise null is returned
+ * @return the database connection string if specified; otherwise null is
+ * returned
*/
public String getConnectionString() {
return line.getOptionValue(ARGUMENT.CONNECTION_STRING);
}
/**
- * Returns the database database user name if specified; otherwise null is returned.
+ * Returns the database database user name if specified; otherwise null is
+ * returned.
*
- * @return the database database user name if specified; otherwise null is returned
+ * @return the database database user name if specified; otherwise null is
+ * returned
*/
public String getDatabaseUser() {
return line.getOptionValue(ARGUMENT.DB_NAME);
}
/**
- * Returns the database database password if specified; otherwise null is returned.
+ * Returns the database database password if specified; otherwise null is
+ * returned.
*
- * @return the database database password if specified; otherwise null is returned
+ * @return the database database password if specified; otherwise null is
+ * returned
*/
public String getDatabasePassword() {
return line.getOptionValue(ARGUMENT.DB_PASSWORD);
}
/**
- * Returns the additional Extensions if specified; otherwise null is returned.
+ * Returns the additional Extensions if specified; otherwise null is
+ * returned.
*
* @return the additional Extensions; otherwise null is returned
*/
@@ -1028,7 +1079,17 @@ public final class CliParser {
}
/**
- * A collection of static final strings that represent the possible command line arguments.
+ * Returns true if the experimental analyzers are enabled.
+ *
+ * @return true if the experimental analyzers are enabled; otherwise false
+ */
+ public boolean isExperimentalEnabled() {
+ return line.hasOption(ARGUMENT.EXPERIMENTAL);
+ }
+
+ /**
+ * A collection of static final strings that represent the possible command
+ * line arguments.
*/
public static class ARGUMENT {
@@ -1041,50 +1102,61 @@ public final class CliParser {
*/
public static final String SCAN_SHORT = "s";
/**
- * The long CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
+ * The long CLI argument name specifying that the CPE/CVE/etc. data
+ * should not be automatically updated.
*/
public static final String DISABLE_AUTO_UPDATE = "noupdate";
/**
- * The short CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
+ * The short CLI argument name specifying that the CPE/CVE/etc. data
+ * should not be automatically updated.
*/
public static final String DISABLE_AUTO_UPDATE_SHORT = "n";
/**
- * The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
+ * The long CLI argument name specifying that only the update phase
+ * should be executed; no scan should be run.
*/
public static final String UPDATE_ONLY = "updateonly";
/**
- * The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
+ * The long CLI argument name specifying that only the update phase
+ * should be executed; no scan should be run.
*/
public static final String PURGE_NVD = "purge";
/**
- * The long CLI argument name specifying the directory to write the reports to.
+ * The long CLI argument name specifying the directory to write the
+ * reports to.
*/
public static final String OUT = "out";
/**
- * The short CLI argument name specifying the directory to write the reports to.
+ * The short CLI argument name specifying the directory to write the
+ * reports to.
*/
public static final String OUT_SHORT = "o";
/**
- * The long CLI argument name specifying the output format to write the reports to.
+ * The long CLI argument name specifying the output format to write the
+ * reports to.
*/
public static final String OUTPUT_FORMAT = "format";
/**
- * The short CLI argument name specifying the output format to write the reports to.
+ * The short CLI argument name specifying the output format to write the
+ * reports to.
*/
public static final String OUTPUT_FORMAT_SHORT = "f";
/**
- * The long CLI argument name specifying the name of the project to be scanned.
+ * The long CLI argument name specifying the name of the project to be
+ * scanned.
*/
public static final String PROJECT = "project";
/**
- * The long CLI argument name specifying the name of the application to be scanned.
+ * The long CLI argument name specifying the name of the application to
+ * be scanned.
*
* @deprecated project should be used instead
*/
@Deprecated
public static final String APP_NAME = "app";
/**
- * The short CLI argument name specifying the name of the application to be scanned.
+ * The short CLI argument name specifying the name of the application to
+ * be scanned.
*
* @deprecated project should be used instead
*/
@@ -1142,11 +1214,13 @@ public final class CliParser {
*/
public static final String CONNECTION_TIMEOUT = "connectiontimeout";
/**
- * The short CLI argument name for setting the location of an additional properties file.
+ * The short CLI argument name for setting the location of an additional
+ * properties file.
*/
public static final String PROP_SHORT = "P";
/**
- * The CLI argument name for setting the location of an additional properties file.
+ * The CLI argument name for setting the location of an additional
+ * properties file.
*/
public static final String PROP = "propertyfile";
/**
@@ -1170,7 +1244,8 @@ public final class CliParser {
*/
public static final String CVE_BASE_20 = "cveUrl20Base";
/**
- * The short CLI argument name for setting the location of the data directory.
+ * The short CLI argument name for setting the location of the data
+ * directory.
*/
public static final String DATA_DIRECTORY_SHORT = "d";
/**
@@ -1178,20 +1253,24 @@ public final class CliParser {
*/
public static final String VERBOSE_LOG = "log";
/**
- * The short CLI argument name for setting the location of the data directory.
+ * The short CLI argument name for setting the location of the data
+ * directory.
*/
public static final String VERBOSE_LOG_SHORT = "l";
/**
- * The CLI argument name for setting the depth of symbolic links that will be followed.
+ * The CLI argument name for setting the depth of symbolic links that
+ * will be followed.
*/
public static final String SYM_LINK_DEPTH = "symLink";
/**
- * The CLI argument name for setting the location of the suppression file.
+ * The CLI argument name for setting the location of the suppression
+ * file.
*/
public static final String SUPPRESSION_FILE = "suppression";
/**
- * The CLI argument name for setting the location of the suppression file.
+ * The CLI argument name for setting the location of the suppression
+ * file.
*/
public static final String CVE_VALID_FOR_HOURS = "cveValidForHours";
/**
@@ -1259,7 +1338,8 @@ public final class CliParser {
*/
public static final String NEXUS_URL = "nexus";
/**
- * Whether or not the defined proxy should be used when connecting to Nexus.
+ * Whether or not the defined proxy should be used when connecting to
+ * Nexus.
*/
public static final String NEXUS_USES_PROXY = "nexusUsesProxy";
/**
@@ -1279,11 +1359,13 @@ public final class CliParser {
*/
public static final String DB_DRIVER = "dbDriverName";
/**
- * The CLI argument name for setting the path to the database driver; in case it is not on the class path.
+ * The CLI argument name for setting the path to the database driver; in
+ * case it is not on the class path.
*/
public static final String DB_DRIVER_PATH = "dbDriverPath";
/**
- * The CLI argument name for setting the path to mono for .NET Assembly analysis on non-windows systems.
+ * The CLI argument name for setting the path to mono for .NET Assembly
+ * analysis on non-windows systems.
*/
public static final String PATH_TO_MONO = "mono";
/**
@@ -1295,8 +1377,13 @@ public final class CliParser {
*/
public static final String EXCLUDE = "exclude";
/**
- * The CLI argument name for setting the path to bundle-audit for Ruby bundle analysis.
+ * The CLI argument name for setting the path to bundle-audit for Ruby
+ * bundle analysis.
*/
public static final String PATH_TO_BUNDLE_AUDIT = "bundleAudit";
+ /**
+ * The CLI argument to enable the experimental analyzers.
+ */
+ private static final String EXPERIMENTAL = "enableExperimental";
}
}
diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md
index 66f37af01..486acadfd 100644
--- a/dependency-check-cli/src/site/markdown/arguments.md
+++ b/dependency-check-cli/src/site/markdown/arguments.md
@@ -18,7 +18,7 @@ Short | Argument Name | Parameter | Description | Requir
| \-\-advancedHelp | | Print the advanced help message. | Optional
\-v | \-\-version | | Print the version information. | Optional
| \-\-cveValidForHours | \- * Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and - * version.
+ * Searches the Lucene CPE index to identify possible CPE entries associated + * with the supplied vendor, product, and version. * *- * If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting factors to - * the search.
+ * If either the vendorWeightings or productWeightings lists have been + * populated this data is used to add weighting factors to the search. * * @param vendor the text used to search the vendor field * @param product the text used to search the product field - * @param vendorWeightings a list of strings to use to add weighting factors to the vendor field - * @param productWeightings Adds a list of strings that will be used to add weighting factors to the product search + * @param vendorWeightings a list of strings to use to add weighting factors + * to the vendor field + * @param productWeightings Adds a list of strings that will be used to add + * weighting factors to the product search * @return a list of possible CPE values */ protected List- * Builds a Lucene search string by properly escaping data and constructing a valid search query.
+ * Builds a Lucene search string by properly escaping data and constructing + * a valid search query. * *- * If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting factors to - * the search string generated.
+ * If either the possibleVendor or possibleProducts lists have been + * populated this data is used to add weighting factors to the search string + * generated. * * @param vendor text to search the vendor field * @param product text to search the product field - * @param vendorWeighting a list of strings to apply to the vendor to boost the terms weight - * @param productWeightings a list of strings to apply to the product to boost the terms weight + * @param vendorWeighting a list of strings to apply to the vendor to boost + * the terms weight + * @param productWeightings a list of strings to apply to the product to + * boost the terms weight * @return the Lucene query */ protected String buildSearch(String vendor, String product, @@ -327,13 +340,17 @@ public class CPEAnalyzer implements Analyzer { } /** - * This method constructs a Lucene query for a given field. The searchText is split into separate words and if the word is - * within the list of weighted words then an additional weighting is applied to the term as it is appended into the query. + * This method constructs a Lucene query for a given field. The searchText + * is split into separate words and if the word is within the list of + * weighted words then an additional weighting is applied to the term as it + * is appended into the query. * * @param sb a StringBuilder that the query text will be appended to. - * @param field the field within the Lucene index that the query is searching. + * @param field the field within the Lucene index that the query is + * searching. * @param searchText text used to construct the query. - * @param weightedText a list of terms that will be considered higher importance when searching. + * @param weightedText a list of terms that will be considered higher + * importance when searching. * @return if the append was successful. */ private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Settrue if an identifier was added to the dependency; otherwise false
+ * @param currentConfidence the current confidence being used during
+ * analysis
+ * @return true if an identifier was added to the dependency;
+ * otherwise false
* @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
*/
protected boolean determineIdentifiers(Dependency dependency, String vendor, String product,
@@ -512,10 +538,11 @@ public class CPEAnalyzer implements Analyzer {
Confidence bestGuessConf = null;
boolean hasBroadMatch = false;
final List- * This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are grouped. An - * example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the same relative path - * then these should be grouped into a single dependency under the core/main library.
+ * This analyzer ensures dependencies that should be grouped together, to remove + * excess noise from the report, are grouped. An example would be Spring, Spring + * Beans, Spring MVC, etc. If they are all for the same version and have the + * same relative path then these should be grouped into a single dependency + * under the core/main library. *- * Note, this grouping only works on dependencies with identified CVE entries
+ * Note, this grouping only works on dependencies with identified CVE + * entries * * @author Jeremy Long */ @@ -92,12 +95,14 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal // /** - * Analyzes a set of dependencies. If they have been found to have the same base path and the same set of identifiers they are - * likely related. The related dependencies are bundled into a single reportable item. + * Analyzes a set of dependencies. If they have been found to have the same + * base path and the same set of identifiers they are likely related. The + * related dependencies are bundled into a single reportable item. * * @param ignore this analyzer ignores the dependency being analyzed * @param engine the engine that is scanning the dependencies - * @throws AnalysisException is thrown if there is an error reading the JAR file. + * @throws AnalysisException is thrown if there is an error reading the JAR + * file. */ @Override public void analyze(Dependency ignore, Engine engine) throws AnalysisException { @@ -167,10 +172,11 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal * Adds the relatedDependency to the dependency's related dependencies. * * @param dependency the main dependency - * @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the source of - * dependencies to remove - * @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this function - * adds to this collection + * @param relatedDependency a collection of dependencies to be removed from + * the main analysis loop, this is the source of dependencies to remove + * @param dependenciesToRemove a collection of dependencies that will be + * removed from the main analysis loop, this function adds to this + * collection */ private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Settrue if the leftPath is the shortest; otherwise false
+ * @return true if the leftPath is the shortest; otherwise
+ * false
*/
protected boolean firstPathIsShortest(String left, String right) {
final String leftPath = left.replace('\\', '/');
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Experimental.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Experimental.java
new file mode 100644
index 000000000..8f5a3842a
--- /dev/null
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Experimental.java
@@ -0,0 +1,34 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Annotation used to flag an analyzer as experimental.
+ *
+ * @author jeremy long
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.TYPE)
+public @interface Experimental {
+
+}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
index 570e63ff0..fcaaeb102 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
@@ -67,11 +67,13 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
}
//
- // Python init files
- private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[] {
+ /**
+ * Python init files
+ */
+ private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[]{
"__init__.py",
"__init__.pyc",
- "__init__.pyo"
+ "__init__.pyo",
});
/**
@@ -79,7 +81,8 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
*
* @param dependency the dependency to analyze.
* @param engine the engine that is scanning the dependencies
- * @throws AnalysisException is thrown if there is an error reading the JAR file.
+ * @throws AnalysisException is thrown if there is an error reading the JAR
+ * file.
*/
@Override
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
@@ -105,13 +108,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
fileName, Confidence.MEDIUM);
}
- //add as vendor and product evidence
-// if (fileName.contains("-")) {
-// dependency.getProductEvidence().addEvidence("file", "name",
-// fileName, Confidence.HIGHEST);
-// dependency.getVendorEvidence().addEvidence("file", "name",
-// fileName, Confidence.HIGHEST);
-// } else
if (!IGNORED_FILES.accept(f)) {
dependency.getProductEvidence().addEvidence("file", "name",
fileName, Confidence.HIGH);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index 51bf51724..da6fb6078 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -29,7 +29,6 @@ import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
-import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
@@ -60,7 +59,8 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
- * Used to load a JAR file and collect information that can be used to determine the associated CPE.
+ * Used to load a JAR file and collect information that can be used to determine
+ * the associated CPE.
*
* @author Jeremy Long
*/
@@ -72,7 +72,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final Logger LOGGER = LoggerFactory.getLogger(JarAnalyzer.class);
/**
- * The count of directories created during analysis. This is used for creating temporary directories.
+ * The count of directories created during analysis. This is used for
+ * creating temporary directories.
*/
private static int dirCount = 0;
/**
@@ -80,7 +81,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final String NEWLINE = System.getProperty("line.separator");
/**
- * A list of values in the manifest to ignore as they only result in false positives.
+ * A list of values in the manifest to ignore as they only result in false
+ * positives.
*/
private static final Set- * Reads the manifest from the JAR file and collects the entries. Some vendorKey entries are:
+ * Reads the manifest from the JAR file and collects the entries. Some + * vendorKey entries are: *- * Stores information about a given class name. This class will keep the fully qualified class name and a list of the - * important parts of the package structure. Up to the first four levels of the package structure are stored, excluding a - * leading "org" or "com". Example:
+ * Stores information about a given class name. This class will keep the + * fully qualified class name and a list of the important parts of the + * package structure. Up to the first four levels of the package + * structure are stored, excluding a leading "org" or "com". + * Example: *ClassNameInformation obj = new ClassNameInformation("org.owasp.dependencycheck.analyzer.JarAnalyzer");
* System.out.println(obj.getName());
* for (String p : obj.getPackageStructure())
@@ -1169,7 +1192,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
this.name = name;
}
/**
- * Up to the first four levels of the package structure, excluding a leading "org" or "com".
+ * Up to the first four levels of the package structure, excluding a
+ * leading "org" or "com".
*/
private final ArrayList packageStructure = new ArrayList();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
index 85326f392..52b9afe11 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -45,6 +45,7 @@ import javax.json.JsonValue;
*
* @author Dale Visser
*/
+@Experimental
public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
/**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
index 56e894841..bcc7728d7 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
@@ -39,6 +39,9 @@ import java.util.regex.Pattern;
*/
public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
+ /**
+ * Hexadecimal.
+ */
private static final int HEXADECIMAL = 16;
/**
* Filename to analyze. All other .h files get removed from consideration.
@@ -49,17 +52,47 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
* Filter that detects files named "__init__.py".
*/
private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build();
+ /**
+ * Open SSL Version number pattern.
+ */
private static final Pattern VERSION_PATTERN = Pattern.compile(
"define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL
| Pattern.CASE_INSENSITIVE);
+ /**
+ * The offset of the major version number.
+ */
private static final int MAJOR_OFFSET = 28;
+ /**
+ * The mask for the minor version number.
+ */
private static final long MINOR_MASK = 0x0ff00000L;
+ /**
+ * The offset of the minor version number.
+ */
private static final int MINOR_OFFSET = 20;
+ /**
+ * The max for the fix version.
+ */
private static final long FIX_MASK = 0x000ff000L;
+ /**
+ * The offset for the fix version.
+ */
private static final int FIX_OFFSET = 12;
+ /**
+ * The mask for the patch version.
+ */
private static final long PATCH_MASK = 0x00000ff0L;
+ /**
+ * The offset for the patch version.
+ */
private static final int PATCH_OFFSET = 4;
+ /**
+ * Number of letters.
+ */
private static final int NUM_LETTERS = 26;
+ /**
+ * The status mask.
+ */
private static final int STATUS_MASK = 0x0000000f;
/**
@@ -124,7 +157,8 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
*
* @param dependency the dependency being analyzed
* @param engine the engine being used to perform the scan
- * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
+ * @throws AnalysisException thrown if there is an unrecoverable error
+ * analyzing the dependency
*/
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
@@ -167,6 +201,11 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
}
}
+ /**
+ * Returns the setting for the analyzer enabled setting key.
+ *
+ * @return the setting for the analyzer enabled setting key
+ */
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_OPENSSL_ENABLED;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
index 96b6d0656..5fdadf0e6 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
@@ -50,6 +50,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
*
* @author Dale Visser
*/
+@Experimental
public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
/**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
index 527892bce..e0b8aa9ab 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
@@ -39,10 +39,12 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
- * Used to analyze a Python package, and collect information that can be used to determine the associated CPE.
+ * Used to analyze a Python package, and collect information that can be used to
+ * determine the associated CPE.
*
* @author Dale Visser
*/
+@Experimental
public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
/**
@@ -166,7 +168,8 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
*
* @param dependency the dependency being analyzed
* @param engine the engine being used to perform the scan
- * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
+ * @throws AnalysisException thrown if there is an unrecoverable error
+ * analyzing the dependency
*/
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
@@ -175,21 +178,20 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
final File parent = file.getParentFile();
final String parentName = parent.getName();
if (INIT_PY_FILTER.accept(file)) {
- //by definition, the containing folder of __init__.py is considered the package, even the file is empty:
- //"The __init__.py files are required to make Python treat the directories as containing packages"
- //see section "6.4 Packages" from https://docs.python.org/2/tutorial/modules.html;
+ //by definition, the containing folder of __init__.py is considered the package, even the file is empty:
+ //"The __init__.py files are required to make Python treat the directories as containing packages"
+ //see section "6.4 Packages" from https://docs.python.org/2/tutorial/modules.html;
dependency.setDisplayFileName(parentName + "/__init__.py");
dependency.getProductEvidence().addEvidence(file.getName(),
"PackageName", parentName, Confidence.HIGHEST);
-
+
final File[] fileList = parent.listFiles(PY_FILTER);
if (fileList != null) {
for (final File sourceFile : fileList) {
analyzeFileContents(dependency, sourceFile);
}
}
- }
- else {
+ } else {
// copy, alter and set in case some other thread is iterating over
final List dependencies = new ArrayList(
engine.getDependencies());
@@ -199,8 +201,9 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * This should gather information from leading docstrings, file comments, and assignments to __version__, __title__,
- * __summary__, __uri__, __url__, __home*page__, __author__, and their all caps equivalents.
+ * This should gather information from leading docstrings, file comments,
+ * and assignments to __version__, __title__, __summary__, __uri__, __url__,
+ * __home*page__, __author__, and their all caps equivalents.
*
* @param dependency the dependency being analyzed
* @param file the file name to analyze
@@ -291,7 +294,8 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Gather evidence from a Python source file using the given string assignment regex pattern.
+ * Gather evidence from a Python source file using the given string
+ * assignment regex pattern.
*
* @param pattern to scan contents with
* @param contents of Python source file
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
index c8f1a9ccb..9134e688c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -27,7 +27,6 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -48,6 +47,7 @@ import org.slf4j.LoggerFactory;
*
* @author Dale Visser
*/
+@Experimental
public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzer.class);
@@ -61,17 +61,31 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
-
- private static final FileFilter FILTER
- = FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
+ /**
+ * The filter defining which files will be analyzed.
+ */
+ private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
+ /**
+ * Name.
+ */
public static final String NAME = "Name: ";
+ /**
+ * Version.
+ */
public static final String VERSION = "Version: ";
+ /**
+ * Advisory.
+ */
public static final String ADVISORY = "Advisory: ";
+ /**
+ * Criticality.
+ */
public static final String CRITICALITY = "Criticality: ";
- public CveDB cvedb;
- //instance.open();
- //Vulnerability result = instance.getVulnerability("CVE-2015-3225");
+ /**
+ * The DAL.
+ */
+ private CveDB cvedb;
/**
* @return a filter that accepts files named Gemfile.lock
@@ -84,7 +98,10 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Launch bundle-audit.
*
+ * @param folder directory that contains bundle audit
* @return a handle to the process
+ * @throws AnalysisException thrown when there is an issue launching bundle
+ * audit
*/
private Process launchBundleAudit(File folder) throws AnalysisException {
if (!folder.isDirectory()) {
@@ -134,7 +151,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
throw ae;
}
- int exitValue = process.waitFor();
+ final int exitValue = process.waitFor();
if (0 == exitValue) {
LOGGER.warn("Unexpected exit code from bundle-audit process. Disabling {}: {}", ANALYZER_NAME, exitValue);
setEnabled(false);
@@ -206,6 +223,13 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
*/
private boolean needToDisableGemspecAnalyzer = true;
+ /**
+ * Determines if the analyzer can analyze the given file type.
+ *
+ * @param dependency the dependency to determine if it can analyze
+ * @param engine the dependency-check engine
+ * @throws AnalysisException thrown if there is an analysis exception.
+ */
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
throws AnalysisException {
@@ -213,11 +237,10 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
boolean failed = true;
final String className = RubyGemspecAnalyzer.class.getName();
for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
- if (analyzer instanceof RubyBundlerAnalyzer) {
+ if (analyzer instanceof RubyBundlerAnalyzer) {
((RubyBundlerAnalyzer) analyzer).setEnabled(false);
LOGGER.info("Disabled " + RubyBundlerAnalyzer.class.getName() + " to avoid noisy duplicate results.");
- }
- else if (analyzer instanceof RubyGemspecAnalyzer) {
+ } else if (analyzer instanceof RubyGemspecAnalyzer) {
((RubyGemspecAnalyzer) analyzer).setEnabled(false);
LOGGER.info("Disabled " + className + " to avoid noisy duplicate results.");
failed = false;
@@ -236,10 +259,11 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
throw new AnalysisException("bundle-audit process interrupted", ie);
}
BufferedReader rdr = null;
+ BufferedReader errReader = null;
try {
- BufferedReader errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
+ errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
while (errReader.ready()) {
- String error = errReader.readLine();
+ final String error = errReader.readLine();
LOGGER.warn(error);
}
rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
@@ -247,6 +271,13 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
} catch (IOException ioe) {
LOGGER.warn("bundle-audit failure", ioe);
} finally {
+ if (errReader != null) {
+ try {
+ errReader.close();
+ } catch (IOException ioe) {
+ LOGGER.warn("bundle-audit close failure", ioe);
+ }
+ }
if (null != rdr) {
try {
rdr.close();
@@ -258,6 +289,14 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
}
+ /**
+ * Processes the bundler audit output.
+ *
+ * @param original the dependency
+ * @param engine the dependency-check engine
+ * @param rdr the reader of the report
+ * @throws IOException thrown if the report cannot be read.
+ */
private void processBundlerAuditOutput(Dependency original, Engine engine, BufferedReader rdr) throws IOException {
final String parentName = original.getActualFile().getParentFile().getName();
final String fileName = original.getFileName();
@@ -280,7 +319,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
dependency = map.get(gem);
LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
} else if (nextLine.startsWith(VERSION)) {
- vulnerability = createVulnerability(parentName, dependency, vulnerability, gem, nextLine);
+ vulnerability = createVulnerability(parentName, dependency, gem, nextLine);
} else if (nextLine.startsWith(ADVISORY)) {
setVulnerabilityName(parentName, dependency, vulnerability, nextLine);
} else if (nextLine.startsWith(CRITICALITY)) {
@@ -290,7 +329,9 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
} else if (nextLine.startsWith("Description:")) {
appendToDescription = true;
if (null != vulnerability) {
- vulnerability.setDescription("*** Vulnerability obtained from bundle-audit verbose report. Title link may not work. CPE below is guessed. CVSS score is estimated (-1.0 indicates unknown). See link below for full details. *** ");
+ vulnerability.setDescription("*** Vulnerability obtained from bundle-audit verbose report. "
+ + "Title link may not work. CPE below is guessed. CVSS score is estimated (-1.0 "
+ + " indicates unknown). See link below for full details. *** ");
}
} else if (appendToDescription) {
if (null != vulnerability) {
@@ -300,6 +341,14 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
}
}
+ /**
+ * Sets the vulnerability name.
+ *
+ * @param parentName the parent name
+ * @param dependency the dependency
+ * @param vulnerability the vulnerability
+ * @param nextLine the line to parse
+ */
private void setVulnerabilityName(String parentName, Dependency dependency, Vulnerability vulnerability, String nextLine) {
final String advisory = nextLine.substring((ADVISORY.length()));
if (null != vulnerability) {
@@ -311,10 +360,17 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
}
+ /**
+ * Adds a reference to the vulnerability.
+ *
+ * @param parentName the parent name
+ * @param vulnerability the vulnerability
+ * @param nextLine the line to parse
+ */
private void addReferenceToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
final String url = nextLine.substring(("URL: ").length());
if (null != vulnerability) {
- Reference ref = new Reference();
+ final Reference ref = new Reference();
ref.setName(vulnerability.getName());
ref.setSource("bundle-audit");
ref.setUrl(url);
@@ -323,6 +379,13 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
}
+ /**
+ * Adds the criticality to the vulnerability
+ *
+ * @param parentName the parent name
+ * @param vulnerability the vulnerability
+ * @param nextLine the line to parse
+ */
private void addCriticalityToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
if (null != vulnerability) {
final String criticality = nextLine.substring(CRITICALITY.length()).trim();
@@ -347,7 +410,17 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
}
- private Vulnerability createVulnerability(String parentName, Dependency dependency, Vulnerability vulnerability, String gem, String nextLine) {
+ /**
+ * Creates a vulnerability.
+ *
+ * @param parentName the parent name
+ * @param dependency the dependency
+ * @param gem the gem name
+ * @param nextLine the line to parse
+ * @return the vulnerability
+ */
+ private Vulnerability createVulnerability(String parentName, Dependency dependency, String gem, String nextLine) {
+ Vulnerability vulnerability = null;
if (null != dependency) {
final String version = nextLine.substring(VERSION.length());
dependency.getVersionEvidence().addEvidence(
@@ -370,6 +443,17 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
return vulnerability;
}
+ /**
+ * Creates the dependency based off of the gem.
+ *
+ * @param engine the engine used for scanning
+ * @param parentName the gem parent
+ * @param fileName the file name
+ * @param filePath the file path
+ * @param gem the gem name
+ * @return the dependency to add
+ * @throws IOException thrown if a temporary gem file could not be written
+ */
private Dependency createDependencyForGem(Engine engine, String parentName, String fileName, String filePath, String gem) throws IOException {
final File gemFile = new File(Settings.getTempDirectory(), gem + "_Gemfile.lock");
gemFile.createNewFile();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java
index 05bfddb89..32e39b6b9 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java
@@ -25,35 +25,43 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
/**
- * This analyzer accepts the fully resolved .gemspec created by the Ruby bundler (http://bundler.io)
- * for better evidence results. It also tries to resolve the dependency packagePath
- * to where the gem is actually installed. Then during {@link AnalysisPhase.PRE_FINDING_ANALYSIS}
- * {@link DependencyBundlingAnalyzer} will merge two .gemspec dependencies together if
- * Dependency.getPackagePath() are the same.
- *
- * Ruby bundler creates new .gemspec files under a folder called "specifications" at deploy time,
- * in addition to the original .gemspec files from source. The bundler generated
- * .gemspec files always contain fully resolved attributes thus provide more accurate
- * evidences, whereas the original .gemspec from source often contain variables for attributes
- * that can't be used for evidences.
- *
- * Note this analyzer share the same {@link Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED} as
- * {@link RubyGemspecAnalyzer}, so it will enabled/disabled with {@link RubyGemspecAnalyzer}.
+ * This analyzer accepts the fully resolved .gemspec created by the Ruby bundler
+ * (http://bundler.io) for better evidence results. It also tries to resolve the
+ * dependency packagePath to where the gem is actually installed. Then during {@link org.owasp.dependencycheck.analyzer.AnalysisPhase#PRE_FINDING_ANALYSIS}
+ * {@link DependencyBundlingAnalyzer} will merge two .gemspec dependencies
+ * together if Dependency.getPackagePath() are the same.
+ *
+ * Ruby bundler creates new .gemspec files under a folder called
+ * "specifications" at deploy time, in addition to the original .gemspec files
+ * from source. The bundler generated .gemspec files always contain fully
+ * resolved attributes thus provide more accurate evidences, whereas the
+ * original .gemspec from source often contain variables for attributes that
+ * can't be used for evidences.
+ *
+ * Note this analyzer share the same
+ * {@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_RUBY_GEMSPEC_ENABLED} as
+ * {@link RubyGemspecAnalyzer}, so it will enabled/disabled with
+ * {@link RubyGemspecAnalyzer}.
*
* @author Bianca Jiang (biancajiang@gmail.com)
*/
+@Experimental
public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
/**
* The name of the analyzer.
*/
private static final String ANALYZER_NAME = "Ruby Bundler Analyzer";
-
- //Folder name that contains .gemspec files created by "bundle install"
- private static final String SPECIFICATIONS = "specifications";
-
- //Folder name that contains the gems by "bundle install"
- private static final String GEMS = "gems";
+
+ /**
+ * Folder name that contains .gemspec files created by "bundle install"
+ */
+ private static final String SPECIFICATIONS = "specifications";
+
+ /**
+ * Folder name that contains the gems by "bundle install"
+ */
+ private static final String GEMS = "gems";
/**
* Returns the name of the analyzer.
@@ -66,61 +74,66 @@ public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
}
/**
- * Only accept *.gemspec files generated by "bundle install --deployment" under "specifications" folder.
+ * Only accept *.gemspec files generated by "bundle install --deployment"
+ * under "specifications" folder.
+ *
+ * @param pathname the path name to test
+ * @return true if the analyzer can process the given file; otherwise false
*/
- @Override
+ @Override
public boolean accept(File pathname) {
-
+
boolean accepted = super.accept(pathname);
- if(accepted == true) {
- File parentDir = pathname.getParentFile();
- accepted = parentDir != null && parentDir.getName().equals(SPECIFICATIONS);
+ if (accepted) {
+ final File parentDir = pathname.getParentFile();
+ accepted = parentDir != null && parentDir.getName().equals(SPECIFICATIONS);
}
-
+
return accepted;
}
-
- @Override
+
+ @Override
protected void analyzeFileType(Dependency dependency, Engine engine)
throws AnalysisException {
super.analyzeFileType(dependency, engine);
-
+
//find the corresponding gem folder for this .gemspec stub by "bundle install --deployment"
- File gemspecFile = dependency.getActualFile();
- String gemFileName = gemspecFile.getName();
+ final File gemspecFile = dependency.getActualFile();
+ final String gemFileName = gemspecFile.getName();
final String gemName = gemFileName.substring(0, gemFileName.lastIndexOf(".gemspec"));
- File specificationsDir = gemspecFile.getParentFile();
- if(specificationsDir != null && specificationsDir.getName().equals(SPECIFICATIONS) && specificationsDir.exists()) {
- File parentDir = specificationsDir.getParentFile();
- if(parentDir != null && parentDir.exists()) {
- File gemsDir = new File(parentDir, GEMS);
- if(gemsDir != null && gemsDir.exists()) {
- File[] matchingFiles = gemsDir.listFiles(new FilenameFilter() {
- public boolean accept(File dir, String name) {
- return name.equals(gemName);
- }
- });
-
- if(matchingFiles.length > 0) {
- String gemPath = matchingFiles[0].getAbsolutePath();
- if(dependency.getActualFilePath().equals(dependency.getFilePath())) {
- if(gemPath != null)
- dependency.setPackagePath(gemPath);
- } else {
- //.gemspec's actualFilePath and filePath are different when it's from a compressed file
- //in which case actualFilePath is the temp directory used by decompression.
- //packagePath should use the filePath of the identified gem file in "gems" folder
- File gemspecStub = new File(dependency.getFilePath());
- File specDir = gemspecStub.getParentFile();
- if(specDir != null && specDir.getName().equals(SPECIFICATIONS)) {
- File gemsDir2 = new File(specDir.getParentFile(), GEMS);
- File packageDir = new File(gemsDir2, gemName);
- dependency.setPackagePath(packageDir.getAbsolutePath());
- }
- }
- }
- }
- }
- }
- }
+ final File specificationsDir = gemspecFile.getParentFile();
+ if (specificationsDir != null && specificationsDir.getName().equals(SPECIFICATIONS) && specificationsDir.exists()) {
+ final File parentDir = specificationsDir.getParentFile();
+ if (parentDir != null && parentDir.exists()) {
+ final File gemsDir = new File(parentDir, GEMS);
+ if (gemsDir.exists()) {
+ final File[] matchingFiles = gemsDir.listFiles(new FilenameFilter() {
+ public boolean accept(File dir, String name) {
+ return name.equals(gemName);
+ }
+ });
+
+ if (matchingFiles != null && matchingFiles.length > 0) {
+ final String gemPath = matchingFiles[0].getAbsolutePath();
+ if (dependency.getActualFilePath().equals(dependency.getFilePath())) {
+ if (gemPath != null) {
+ dependency.setPackagePath(gemPath);
+ }
+ } else {
+ //.gemspec's actualFilePath and filePath are different when it's from a compressed file
+ //in which case actualFilePath is the temp directory used by decompression.
+ //packagePath should use the filePath of the identified gem file in "gems" folder
+ final File gemspecStub = new File(dependency.getFilePath());
+ final File specDir = gemspecStub.getParentFile();
+ if (specDir != null && specDir.getName().equals(SPECIFICATIONS)) {
+ final File gemsDir2 = new File(specDir.getParentFile(), GEMS);
+ final File packageDir = new File(gemsDir2, gemName);
+ dependency.setPackagePath(packageDir.getAbsolutePath());
+ }
+ }
+ }
+ }
+ }
+ }
+ }
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
index 8bad7cab2..43b373d0f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
@@ -34,15 +34,23 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
/**
- * Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE. Regular
- * expressions are used to parse the well-defined Ruby syntax that forms the specification.
+ * Used to analyze Ruby Gem specifications and collect information that can be
+ * used to determine the associated CPE. Regular expressions are used to parse
+ * the well-defined Ruby syntax that forms the specification.
*
* @author Dale Visser
*/
+@Experimental
public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
+ /**
+ * The logger.
+ */
+ private static final Logger LOGGER = LoggerFactory.getLogger(RubyGemspecAnalyzer.class);
/**
* The name of the analyzer.
*/
@@ -53,13 +61,22 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+ /**
+ * The gemspec file extension.
+ */
private static final String GEMSPEC = "gemspec";
- private static final FileFilter FILTER
- = FileFilterBuilder.newInstance().addExtensions(GEMSPEC).build();
- //TODO: support Rakefile
- //= FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
+ /**
+ * The file filter containing the list of file extensions that can be
+ * analyzed.
+ */
+ private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(GEMSPEC).build();
+ //TODO: support Rakefile
+ //= FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
+ /**
+ * The name of the version file.
+ */
private static final String VERSION_FILE_NAME = "VERSION";
/**
@@ -96,7 +113,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Returns the key used in the properties file to reference the analyzer's enabled property.
+ * Returns the key used in the properties file to reference the analyzer's
+ * enabled property.
*
* @return the analyzer's enabled property setting key
*/
@@ -108,8 +126,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The capture group #1 is the block variable.
*/
- private static final Pattern GEMSPEC_BLOCK_INIT
- = Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
+ private static final Pattern GEMSPEC_BLOCK_INIT = Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
@@ -125,7 +142,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
if (matcher.find()) {
contents = contents.substring(matcher.end());
final String blockVariable = matcher.group(1);
-
+
final EvidenceCollection vendor = dependency.getVendorEvidence();
final EvidenceCollection product = dependency.getProductEvidence();
final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST);
@@ -138,71 +155,90 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
addStringEvidence(vendor, contents, blockVariable, "email", "emails?", Confidence.MEDIUM);
addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST);
addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST);
-
- String value = addStringEvidence(dependency.getVersionEvidence(), contents, blockVariable, "version", "version", Confidence.HIGHEST);
- if(value.length() < 1)
- addEvidenceFromVersionFile(dependency.getActualFile(), dependency.getVersionEvidence());
+
+ final String value = addStringEvidence(dependency.getVersionEvidence(), contents,
+ blockVariable, "version", "version", Confidence.HIGHEST);
+ if (value.length() < 1) {
+ addEvidenceFromVersionFile(dependency.getActualFile(), dependency.getVersionEvidence());
+ }
}
-
+
setPackagePath(dependency);
}
+ /**
+ * Adds the specified evidence to the given evidence collection.
+ *
+ * @param evidences the collection to add the evidence to
+ * @param contents the evidence contents
+ * @param blockVariable the variable
+ * @param field the field
+ * @param fieldPattern the field pattern
+ * @param confidence the confidence of the evidence
+ * @return the evidence string value added
+ */
private String addStringEvidence(EvidenceCollection evidences, String contents,
String blockVariable, String field, String fieldPattern, Confidence confidence) {
String value = "";
-
- //capture array value between [ ]
- final Matcher arrayMatcher = Pattern.compile(
+
+ //capture array value between [ ]
+ final Matcher arrayMatcher = Pattern.compile(
String.format("\\s*?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents);
- if(arrayMatcher.find()) {
- String arrayValue = arrayMatcher.group(1);
- value = arrayValue.replaceAll("['\"]", "").trim(); //strip quotes
- }
- //capture single value between quotes
- else {
- final Matcher matcher = Pattern.compile(
- String.format("\\s*?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents);
- if (matcher.find()) {
- value = matcher.group(2);
- }
- }
- if(value.length() > 0)
- evidences.addEvidence(GEMSPEC, field, value, confidence);
-
+ if (arrayMatcher.find()) {
+ final String arrayValue = arrayMatcher.group(1);
+ value = arrayValue.replaceAll("['\"]", "").trim(); //strip quotes
+ } else { //capture single value between quotes
+ final Matcher matcher = Pattern.compile(
+ String.format("\\s*?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents);
+ if (matcher.find()) {
+ value = matcher.group(2);
+ }
+ }
+ if (value.length() > 0) {
+ evidences.addEvidence(GEMSPEC, field, value, confidence);
+ }
+
return value;
}
-
- private String addEvidenceFromVersionFile(File dependencyFile, EvidenceCollection versionEvidences) {
- String value = null;
- File parentDir = dependencyFile.getParentFile();
- if(parentDir != null) {
- File[] matchingFiles = parentDir.listFiles(new FilenameFilter() {
- public boolean accept(File dir, String name) {
- return name.contains(VERSION_FILE_NAME);
- }
- });
-
- for(int i = 0; i < matchingFiles.length; i++) {
- try {
- List lines = FileUtils.readLines(matchingFiles[i]);
- if(lines.size() == 1) { //TODO other checking?
- value = lines.get(0).trim();
- versionEvidences.addEvidence(GEMSPEC, "version", value, Confidence.HIGH);
- }
-
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
- }
-
- return value;
+
+ /**
+ * Adds evidence from the version file.
+ *
+ * @param dependencyFile the dependency being analyzed
+ * @param versionEvidences the version evidence
+ */
+ private void addEvidenceFromVersionFile(File dependencyFile, EvidenceCollection versionEvidences) {
+ final File parentDir = dependencyFile.getParentFile();
+ if (parentDir != null) {
+ final File[] matchingFiles = parentDir.listFiles(new FilenameFilter() {
+ public boolean accept(File dir, String name) {
+ return name.contains(VERSION_FILE_NAME);
+ }
+ });
+ for (File f : matchingFiles) {
+ try {
+ final List lines = FileUtils.readLines(f, Charset.defaultCharset());
+ if (lines.size() == 1) { //TODO other checking?
+ final String value = lines.get(0).trim();
+ versionEvidences.addEvidence(GEMSPEC, "version", value, Confidence.HIGH);
+ }
+ } catch (IOException e) {
+ LOGGER.debug("Error reading gemspec", e);
+ }
+ }
+ }
}
-
+
+ /**
+ * Sets the package path on the dependency.
+ *
+ * @param dep the dependency to alter
+ */
private void setPackagePath(Dependency dep) {
- File file = new File(dep.getFilePath());
- String parent = file.getParent();
- if(parent != null)
- dep.setPackagePath(parent);
+ final File file = new File(dep.getFilePath());
+ final String parent = file.getParent();
+ if (parent != null) {
+ dep.setPackagePath(parent);
+ }
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
index 037da7564..82e738b0c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -69,10 +69,19 @@ public class CveDB {
private ResourceBundle statementBundle = null;
/**
- * Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller by calling
- * the close method.
- *
- * @throws DatabaseException thrown if there is an exception opening the database.
+ * Creates a new CveDB object and opens the database
+ * connection. Note, the connection must be closed by the caller by calling
+ * the close method. ======= Does the underlying connection support batch
+ * operations?
+ */
+ private boolean batchSupported;
+
+ /**
+ * Creates a new CveDB object and opens the database connection. Note, the
+ * connection must be closed by the caller by calling the close method.
+ *
+ * @throws DatabaseException thrown if there is an exception opening the
+ * database.
*/
public CveDB() throws DatabaseException {
super();
@@ -80,6 +89,7 @@ public class CveDB {
open();
try {
final String databaseProductName = conn.getMetaData().getDatabaseProductName();
+ batchSupported = conn.getMetaData().supportsBatchUpdates();
LOGGER.debug("Database dialect: {}", databaseProductName);
final Locale dbDialect = new Locale(databaseProductName);
statementBundle = ResourceBundle.getBundle("data/dbStatements", dbDialect);
@@ -103,9 +113,11 @@ public class CveDB {
}
/**
- * Opens the database connection. If the database does not exist, it will create a new one.
+ * Opens the database connection. If the database does not exist, it will
+ * create a new one.
*
- * @throws DatabaseException thrown if there is an error opening the database connection
+ * @throws DatabaseException thrown if there is an error opening the
+ * database connection
*/
public final void open() throws DatabaseException {
if (!isOpen()) {
@@ -114,7 +126,8 @@ public class CveDB {
}
/**
- * Closes the DB4O database. Close should be called on this object when it is done being used.
+ * Closes the DB4O database. Close should be called on this object when it
+ * is done being used.
*/
public void close() {
if (conn != null) {
@@ -165,7 +178,8 @@ public class CveDB {
super.finalize();
}
/**
- * Database properties object containing the 'properties' from the database table.
+ * Database properties object containing the 'properties' from the database
+ * table.
*/
private DatabaseProperties databaseProperties;
@@ -179,11 +193,13 @@ public class CveDB {
}
/**
- * Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination. The returned
- * list will include all versions of the product that are registered in the NVD CVE data.
+ * Searches the CPE entries in the database and retrieves all entries for a
+ * given vendor and product combination. The returned list will include all
+ * versions of the product that are registered in the NVD CVE data.
*
* @param vendor the identified vendor name of the dependency being analyzed
- * @param product the identified name of the product of the dependency being analyzed
+ * @param product the identified name of the product of the dependency being
+ * analyzed
* @return a set of vulnerable software
*/
public Set getCPEs(String vendor, String product) {
@@ -215,7 +231,8 @@ public class CveDB {
* Returns the entire list of vendor/product combinations.
*
* @return the entire list of vendor/product combinations
- * @throws DatabaseException thrown when there is an error retrieving the data from the DB
+ * @throws DatabaseException thrown when there is an error retrieving the
+ * data from the DB
*/
public Set> getVendorProductList() throws DatabaseException {
final Set> data = new HashSet>();
@@ -380,6 +397,7 @@ public class CveDB {
ResultSet rsR = null;
ResultSet rsS = null;
Vulnerability vuln = null;
+
try {
psV = getConnection().prepareStatement(statementBundle.getString("SELECT_VULNERABILITY"));
psV.setString(1, cve);
@@ -438,7 +456,8 @@ public class CveDB {
}
/**
- * Updates the vulnerability within the database. If the vulnerability does not exist it will be added.
+ * Updates the vulnerability within the database. If the vulnerability does
+ * not exist it will be added.
*
* @param vuln the vulnerability to add to the database
* @throws DatabaseException is thrown if the database
@@ -484,6 +503,7 @@ public class CveDB {
}
DBUtils.closeResultSet(rs);
rs = null;
+
if (vulnerabilityId != 0) {
if (vuln.getDescription().contains("** REJECT **")) {
deleteVulnerability.setInt(1, vulnerabilityId);
@@ -525,13 +545,24 @@ public class CveDB {
rs = null;
}
}
- insertReference.setInt(1, vulnerabilityId);
+
for (Reference r : vuln.getReferences()) {
+ insertReference.setInt(1, vulnerabilityId);
insertReference.setString(2, r.getName());
insertReference.setString(3, r.getUrl());
insertReference.setString(4, r.getSource());
- insertReference.execute();
+
+ if (batchSupported) {
+ insertReference.addBatch();
+ } else {
+ insertReference.execute();
+ }
}
+
+ if (batchSupported) {
+ insertReference.executeBatch();
+ }
+
for (VulnerableSoftware s : vuln.getVulnerableSoftware()) {
int cpeProductId = 0;
selectCpeId.setString(1, s.getName());
@@ -560,17 +591,33 @@ public class CveDB {
insertSoftware.setInt(1, vulnerabilityId);
insertSoftware.setInt(2, cpeProductId);
+
if (s.getPreviousVersion() == null) {
insertSoftware.setNull(3, java.sql.Types.VARCHAR);
} else {
insertSoftware.setString(3, s.getPreviousVersion());
}
- insertSoftware.execute();
+ if (batchSupported) {
+ insertSoftware.addBatch();
+ } else {
+ try {
+ insertSoftware.execute();
+ } catch (SQLException ex) {
+ if (ex.getMessage().contains("Duplicate entry")) {
+ final String msg = String.format("Duplicate software key identified in '%s:%s'", vuln.getName(), s.getName());
+ LOGGER.debug(msg, ex);
+ } else {
+ throw ex;
+ }
+ }
+ }
+ }
+ if (batchSupported) {
+ insertSoftware.executeBatch();
}
-
} catch (SQLException ex) {
final String msg = String.format("Error updating '%s'", vuln.getName());
- LOGGER.debug("", ex);
+ LOGGER.debug(msg, ex);
throw new DatabaseException(msg, ex);
} finally {
DBUtils.closeStatement(selectVulnerabilityId);
@@ -623,8 +670,9 @@ public class CveDB {
}
/**
- * It is possible that orphaned rows may be generated during database updates. This should be called after all updates have
- * been completed to ensure orphan entries are removed.
+ * It is possible that orphaned rows may be generated during database
+ * updates. This should be called after all updates have been completed to
+ * ensure orphan entries are removed.
*/
public void cleanupDatabase() {
PreparedStatement ps = null;
@@ -642,13 +690,17 @@ public class CveDB {
}
/**
- * Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null, non-empty
- * string passed to the previous version argument indicates that all previous versions are affected.
+ * Determines if the given identifiedVersion is affected by the given cpeId
+ * and previous version flag. A non-null, non-empty string passed to the
+ * previous version argument indicates that all previous versions are
+ * affected.
*
* @param vendor the vendor of the dependency being analyzed
* @param product the product name of the dependency being analyzed
- * @param vulnerableSoftware a map of the vulnerable software with a boolean indicating if all previous versions are affected
- * @param identifiedVersion the identified version of the dependency being analyzed
+ * @param vulnerableSoftware a map of the vulnerable software with a boolean
+ * indicating if all previous versions are affected
+ * @param identifiedVersion the identified version of the dependency being
+ * analyzed
* @return true if the identified version is affected, otherwise false
*/
Entry getMatchingSoftware(Map vulnerableSoftware, String vendor, String product,
@@ -715,7 +767,8 @@ public class CveDB {
}
/**
- * Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is returned.
+ * Parses the version (including revision) from a CPE identifier. If no
+ * version is identified then a '-' is returned.
*
* @param cpeStr a cpe identifier
* @return a dependency version
@@ -732,7 +785,8 @@ public class CveDB {
}
/**
- * Takes a CPE and parses out the version number. If no version is identified then a '-' is returned.
+ * Takes a CPE and parses out the version number. If no version is
+ * identified then a '-' is returned.
*
* @param cpe a cpe object
* @return a dependency version
@@ -771,7 +825,8 @@ public class CveDB {
}
/**
- * This method is only referenced in unused code and will likely break on MySQL if ever used due to the MERGE statement.
+ * This method is only referenced in unused code and will likely break on
+ * MySQL if ever used due to the MERGE statement.
*
* Merges CPE entries into the database.
*
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
index 0a3bd196f..8aa06c797 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
@@ -60,9 +60,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
/**
*
- * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
+ * Downloads the latest NVD CVE XML file from the web and imports it into
+ * the current CVE Database.
*
- * @throws UpdateException is thrown if there is an error updating the database
+ * @throws UpdateException is thrown if there is an error updating the
+ * database
*/
@Override
public void update() throws UpdateException {
@@ -76,6 +78,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
}
if (autoUpdate && checkUpdate()) {
final UpdateableNvdCve updateable = getUpdatesNeeded();
+ getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(System.currentTimeMillis()));
if (updateable.isUpdateNeeded()) {
performUpdate(updateable);
}
@@ -98,12 +101,15 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
}
/**
- * Checks if the NVD CVE XML files were last checked recently. As an optimization, we can avoid repetitive checks against the
- * NVD. Setting CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before checking again. A database property
- * stores the timestamp of the last check.
+ * Checks if the NVD CVE XML files were last checked recently. As an
+ * optimization, we can avoid repetitive checks against the NVD. Setting
+ * CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before
+ * checking again. A database property stores the timestamp of the last
+ * check.
*
* @return true to proceed with the check, or false to skip.
- * @throws UpdateException thrown when there is an issue checking for updates.
+ * @throws UpdateException thrown when there is an issue checking for
+ * updates.
*/
private boolean checkUpdate() throws UpdateException {
boolean proceed = true;
@@ -115,9 +121,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
final long now = System.currentTimeMillis();
proceed = (now - lastChecked) > msValid;
- if (proceed) {
- getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(now));
- } else {
+ if (!proceed) {
LOGGER.info("Skipping NVD check since last check was within {} hours.", validForHours);
LOGGER.debug("Last NVD was at {}, and now {} is within {} ms.",
lastChecked, now, msValid);
@@ -147,11 +151,13 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
}
/**
- * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
+ * Downloads the latest NVD CVE XML file from the web and imports it into
+ * the current CVE Database.
*
- * @param updateable a collection of NVD CVE data file references that need to be downloaded and processed to update the
+ * @param updateable a collection of NVD CVE data file references that need
+ * to be downloaded and processed to update the database
+ * @throws UpdateException is thrown if there is an error updating the
* database
- * @throws UpdateException is thrown if there is an error updating the database
*/
public void performUpdate(UpdateableNvdCve updateable) throws UpdateException {
int maxUpdates = 0;
@@ -245,13 +251,18 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
}
/**
- * Determines if the index needs to be updated. This is done by fetching the NVD CVE meta data and checking the last update
- * date. If the data needs to be refreshed this method will return the NvdCveUrl for the files that need to be updated.
+ * Determines if the index needs to be updated. This is done by fetching the
+ * NVD CVE meta data and checking the last update date. If the data needs to
+ * be refreshed this method will return the NvdCveUrl for the files that
+ * need to be updated.
*
* @return the collection of files that need to be updated
- * @throws MalformedURLException is thrown if the URL for the NVD CVE Meta data is incorrect
- * @throws DownloadFailedException is thrown if there is an error. downloading the NVD CVE download data file
- * @throws UpdateException Is thrown if there is an issue with the last updated properties file
+ * @throws MalformedURLException is thrown if the URL for the NVD CVE Meta
+ * data is incorrect
+ * @throws DownloadFailedException is thrown if there is an error.
+ * downloading the NVD CVE download data file
+ * @throws UpdateException Is thrown if there is an issue with the last
+ * updated properties file
*/
protected final UpdateableNvdCve getUpdatesNeeded() throws MalformedURLException, DownloadFailedException, UpdateException {
UpdateableNvdCve updates = null;
@@ -315,9 +326,12 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
* Retrieves the timestamps from the NVD CVE meta data file.
*
* @return the timestamp from the currently published nvdcve downloads page
- * @throws MalformedURLException thrown if the URL for the NVD CCE Meta data is incorrect.
- * @throws DownloadFailedException thrown if there is an error downloading the nvd cve meta data file
- * @throws InvalidDataException thrown if there is an exception parsing the timestamps
+ * @throws MalformedURLException thrown if the URL for the NVD CCE Meta data
+ * is incorrect.
+ * @throws DownloadFailedException thrown if there is an error downloading
+ * the nvd cve meta data file
+ * @throws InvalidDataException thrown if there is an exception parsing the
+ * timestamps
* @throws InvalidSettingException thrown if the settings are invalid
*/
private UpdateableNvdCve retrieveCurrentTimestampsFromWeb()
@@ -339,5 +353,4 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
}
return updates;
}
-
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
index 1ec66a517..020c2263c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
@@ -261,6 +261,7 @@ public class DownloadTask implements Callable> {
try {
is.close();
} catch (IOException ex) {
+ LOGGER.debug("Error closing stream", ex);
}
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java
index e2b60db7a..25fc95f9b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java
@@ -254,17 +254,16 @@ public class NvdCve20Handler extends DefaultHandler {
* @throws IOException thrown if there is an IOException with the CPE Index
*/
private void saveEntry(Vulnerability vuln) throws DatabaseException, CorruptIndexException, IOException {
- if (cveDB == null) {
- return;
- }
final String cveName = vuln.getName();
- if (prevVersionVulnMap.containsKey(cveName)) {
+ if (prevVersionVulnMap != null && prevVersionVulnMap.containsKey(cveName)) {
final List vulnSoftware = prevVersionVulnMap.get(cveName);
for (VulnerableSoftware vs : vulnSoftware) {
vuln.updateVulnerableSoftware(vs);
}
}
- cveDB.updateVulnerability(vuln);
+ if (cveDB != null) {
+ cveDB.updateVulnerability(vuln);
+ }
}
//
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index 37e6c5bb1..5e0d03eed 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -36,9 +36,10 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
- * A program dependency. This object is one of the core components within DependencyCheck. It is used to collect information about
- * the dependency in the form of evidence. The Evidence is then used to determine if there are any known, published,
- * vulnerabilities associated with the program dependency.
+ * A program dependency. This object is one of the core components within
+ * DependencyCheck. It is used to collect information about the dependency in
+ * the form of evidence. The Evidence is then used to determine if there are any
+ * known, published, vulnerabilities associated with the program dependency.
*
* @author Jeremy Long
*/
@@ -72,17 +73,31 @@ public class Dependency implements Serializable, Comparable {
* The file name of the dependency.
*/
private String fileName;
-
+
+ /**
+ * The package path.
+ */
private String packagePath;
+
+ /**
+ * Returns the package path.
+ *
+ * @return the package path
+ */
public String getPackagePath() {
- return packagePath;
- }
+ return packagePath;
+ }
- public void setPackagePath(String packagePath) {
- this.packagePath = packagePath;
- }
+ /**
+ * Sets the package path.
+ *
+ * @param packagePath the package path
+ */
+ public void setPackagePath(String packagePath) {
+ this.packagePath = packagePath;
+ }
- /**
+ /**
* The md5 hash of the dependency.
*/
private String md5sum;
@@ -144,10 +159,12 @@ public class Dependency implements Serializable, Comparable {
}
/**
- * Returns the file name of the dependency with the backslash escaped for use in JavaScript. This is a complete hack as I
- * could not get the replace to work in the template itself.
+ * Returns the file name of the dependency with the backslash escaped for
+ * use in JavaScript. This is a complete hack as I could not get the replace
+ * to work in the template itself.
*
- * @return the file name of the dependency with the backslash escaped for use in JavaScript
+ * @return the file name of the dependency with the backslash escaped for
+ * use in JavaScript
*/
public String getFileNameForJavaScript() {
return this.fileName.replace("\\", "\\\\");
@@ -199,9 +216,9 @@ public class Dependency implements Serializable, Comparable {
* @param filePath the file path of the dependency
*/
public void setFilePath(String filePath) {
- if(this.packagePath == null || this.packagePath.equals(this.filePath))
- this.packagePath = filePath;
-
+ if (this.packagePath == null || this.packagePath.equals(this.filePath)) {
+ this.packagePath = filePath;
+ }
this.filePath = filePath;
}
@@ -220,7 +237,8 @@ public class Dependency implements Serializable, Comparable {
}
/**
- * Returns the file name to display in reports; if no display file name has been set it will default to the actual file name.
+ * Returns the file name to display in reports; if no display file name has
+ * been set it will default to the actual file name.
*
* @return the file name to display
*/
@@ -235,8 +253,9 @@ public class Dependency implements Serializable, Comparable {
*
* Gets the file path of the dependency.
*
- * NOTE: This may not be the actual path of the file on disk. The actual path of the file on disk can be obtained via
- * the getActualFilePath().
+ * NOTE: This may not be the actual path of the file on disk. The
+ * actual path of the file on disk can be obtained via the
+ * getActualFilePath().
*
* @return the file path of the dependency
*/
@@ -299,7 +318,8 @@ public class Dependency implements Serializable, Comparable {
}
/**
- * Adds an entry to the list of detected Identifiers for the dependency file.
+ * Adds an entry to the list of detected Identifiers for the dependency
+ * file.
*
* @param type the type of identifier (such as CPE)
* @param value the value of the identifier
@@ -311,7 +331,8 @@ public class Dependency implements Serializable, Comparable {
}
/**
- * Adds an entry to the list of detected Identifiers for the dependency file.
+ * Adds an entry to the list of detected Identifiers for the dependency
+ * file.
*
* @param type the type of identifier (such as CPE)
* @param value the value of the identifier
@@ -362,7 +383,8 @@ public class Dependency implements Serializable, Comparable {
}
/**
- * Adds an entry to the list of detected Identifiers for the dependency file.
+ * Adds an entry to the list of detected Identifiers for the dependency
+ * file.
*
* @param identifier the identifier to add
*/
@@ -594,8 +616,9 @@ public class Dependency implements Serializable, Comparable {
private Set relatedDependencies = new TreeSet();
/**
- * Get the value of {@link #relatedDependencies}. This field is used to collect other dependencies which really represent the
- * same dependency, and may be presented as one item in reports.
+ * Get the value of {@link #relatedDependencies}. This field is used to
+ * collect other dependencies which really represent the same dependency,
+ * and may be presented as one item in reports.
*
* @return the value of relatedDependencies
*/
@@ -654,9 +677,11 @@ public class Dependency implements Serializable, Comparable {
}
/**
- * Adds a related dependency. The internal collection is normally a {@link java.util.TreeSet}, which relies on
- * {@link #compareTo(Dependency)}. A consequence of this is that if you attempt to add a dependency with the same file path
- * (modulo character case) as one that is already in the collection, it won't get added.
+ * Adds a related dependency. The internal collection is normally a
+ * {@link java.util.TreeSet}, which relies on
+ * {@link #compareTo(Dependency)}. A consequence of this is that if you
+ * attempt to add a dependency with the same file path (modulo character
+ * case) as one that is already in the collection, it won't get added.
*
* @param dependency a reference to the related dependency
*/
@@ -706,7 +731,8 @@ public class Dependency implements Serializable, Comparable {
}
/**
- * Implementation of the Comparable<Dependency> interface. The comparison is solely based on the file path.
+ * Implementation of the Comparable<Dependency> interface. The
+ * comparison is solely based on the file path.
*
* @param o a dependency to compare
* @return an integer representing the natural ordering
@@ -776,12 +802,14 @@ public class Dependency implements Serializable, Comparable {
}
/**
- * Standard toString() implementation showing the filename, actualFilePath, and filePath.
+ * Standard toString() implementation showing the filename, actualFilePath,
+ * and filePath.
*
* @return the string representation of the file
*/
@Override
public String toString() {
- return "Dependency{ fileName='" + fileName + "', actualFilePath='" + actualFilePath + "', filePath='" + filePath + "', packagePath='" + packagePath + "'}";
+ return "Dependency{ fileName='" + fileName + "', actualFilePath='" + actualFilePath
+ + "', filePath='" + filePath + "', packagePath='" + packagePath + "'}";
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
index e8db33f17..5be391a27 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
@@ -20,7 +20,8 @@ package org.owasp.dependencycheck.dependency;
import java.io.Serializable;
/**
- * An external reference for a vulnerability. This contains a name, URL, and a source.
+ * An external reference for a vulnerability. This contains a name, URL, and a
+ * source.
*
* @author Jeremy Long
*/
@@ -97,6 +98,11 @@ public class Reference implements Serializable, Comparable {
this.source = source;
}
+ @Override
+ public String toString() {
+ return "Reference: { name='" + this.name + "', url='" + this.url + "', source='" + this.source + "' }";
+ }
+
@Override
public boolean equals(Object obj) {
if (obj == null) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
index 9fc097401..3de3f99ee 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
@@ -21,6 +21,7 @@ import java.io.Serializable;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
+import java.util.Iterator;
/**
* Contains the information about a vulnerability.
@@ -33,6 +34,7 @@ public class Vulnerability implements Serializable, Comparable {
* The serial version uid.
*/
private static final long serialVersionUID = 307319490326651052L;
+
/**
* The name of the vulnerability.
*/
@@ -383,6 +385,24 @@ public class Vulnerability implements Serializable, Comparable {
return hash;
}
+ @Override
+ public String toString() {
+ final StringBuilder sb = new StringBuilder("Vulnerability ");
+ sb.append(this.name);
+ sb.append("\nReferences:\n");
+ for (Iterator i = this.references.iterator(); i.hasNext();) {
+ sb.append("=> ");
+ sb.append(i.next());
+ sb.append("\n");
+ }
+ sb.append("\nSoftware:\n");
+ for (Iterator i = this.vulnerableSoftware.iterator(); i.hasNext();) {
+ sb.append("=> ");
+ sb.append(i.next());
+ sb.append("\n");
+ }
+ return sb.toString();
+ }
/**
* Compares two vulnerabilities.
*
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
index 521cff011..05dde8126 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
@@ -138,7 +138,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
return false;
}
final VulnerableSoftware other = (VulnerableSoftware) obj;
- if ((this.getName() == null) ? (other.getName() != null) : !this.getName().equals(other.getName())) {
+ if ((this.name == null) ? (other.getName() != null) : !this.name.equals(other.getName())) {
return false;
}
return true;
@@ -152,7 +152,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
@Override
public int hashCode() {
int hash = 7;
- hash = 83 * hash + (this.getName() != null ? this.getName().hashCode() : 0);
+ hash = 83 * hash + (this.name != null ? this.name.hashCode() : 0);
return hash;
}
@@ -163,7 +163,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
*/
@Override
public String toString() {
- return "VulnerableSoftware{ name=" + name + ", previousVersion=" + previousVersion + '}';
+ return "VulnerableSoftware{" + name + "[" + previousVersion + "]}";
}
/**
@@ -175,28 +175,19 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
@Override
public int compareTo(VulnerableSoftware vs) {
int result = 0;
- final String[] left = this.getName().split(":");
+ final String[] left = this.name.split(":");
final String[] right = vs.getName().split(":");
final int max = (left.length <= right.length) ? left.length : right.length;
if (max > 0) {
for (int i = 0; result == 0 && i < max; i++) {
- final String[] subLeft = left[i].split("\\.");
- final String[] subRight = right[i].split("\\.");
+ final String[] subLeft = left[i].split("(\\.|-)");
+ final String[] subRight = right[i].split("(\\.|-)");
final int subMax = (subLeft.length <= subRight.length) ? subLeft.length : subRight.length;
if (subMax > 0) {
for (int x = 0; result == 0 && x < subMax; x++) {
if (isPositiveInteger(subLeft[x]) && isPositiveInteger(subRight[x])) {
try {
result = Long.valueOf(subLeft[x]).compareTo(Long.valueOf(subRight[x]));
-// final long iLeft = Long.parseLong(subLeft[x]);
-// final long iRight = Long.parseLong(subRight[x]);
-// if (iLeft != iRight) {
-// if (iLeft > iRight) {
-// result = 2;
-// } else {
-// result = -2;
-// }
-// }
} catch (NumberFormatException ex) {
//ignore the exception - they obviously aren't numbers
if (!subLeft[x].equalsIgnoreCase(subRight[x])) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
index e4956ed1b..4d368fb3c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
@@ -25,7 +25,6 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.util.List;
-import java.util.logging.Level;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
@@ -110,7 +109,8 @@ public class SuppressionParser {
*
* @param inputStream an InputStream containing suppression rues
* @return a list of suppression rules
- * @throws SuppressionParseException if the xml cannot be parsed
+ * @throws SuppressionParseException thrown if the xml cannot be parsed
+ * @throws SAXException thrown if the xml cannot be parsed
*/
public List parseSuppressionRules(InputStream inputStream) throws SuppressionParseException, SAXException {
try {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
index 2cecff585..1a78294f7 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
@@ -260,7 +260,7 @@ public class Model {
public void addLicense(License license) {
licenses.add(license);
}
-
+
/**
* The project URL.
*/
@@ -272,17 +272,17 @@ public class Model {
* @return the value of projectURL
*/
public String getProjectURL() {
- return projectURL;
- }
+ return projectURL;
+ }
/**
* Set the value of projectURL.
*
- * @param parentVersion new value of projectURL
+ * @param projectURL new value of projectURL
*/
- public void setProjectURL(String projectURL) {
- this.projectURL = projectURL;
- }
+ public void setProjectURL(String projectURL) {
+ this.projectURL = projectURL;
+ }
/**
* Process the Maven properties file and interpolate all properties.
@@ -308,11 +308,14 @@ public class Model {
/**
*
- * A utility function that will interpolate strings based on values given in the properties file. It will also interpolate the
- * strings contained within the properties file so that properties can reference other properties.
+ * A utility function that will interpolate strings based on values given in
+ * the properties file. It will also interpolate the strings contained
+ * within the properties file so that properties can reference other
+ * properties.
*
- * Note: if there is no property found the reference will be removed. In other words, if the interpolated string will
- * be replaced with an empty string.
+ * Note: if there is no property found the reference will be removed.
+ * In other words, if the interpolated string will be replaced with an empty
+ * string.
*
*
* Example:
@@ -329,7 +332,8 @@ public class Model {
*
*
* @param text the string that contains references to properties.
- * @param properties a collection of properties that may be referenced within the text.
+ * @param properties a collection of properties that may be referenced
+ * within the text.
* @return the interpolated text.
*/
public static String interpolateString(String text, Properties properties) {
@@ -340,8 +344,9 @@ public class Model {
return substitutor.replace(text);
}
- /**
- * Utility class that can provide values from a Properties object to a StrSubstitutor.
+ /**
+ * Utility class that can provide values from a Properties object to a
+ * StrSubstitutor.
*/
private static class PropertyLookup extends StrLookup {
diff --git a/dependency-check-core/src/main/resources/data/dbStatements_h2.properties b/dependency-check-core/src/main/resources/data/dbStatements_h2.properties
index aea9f986a..59b4204c5 100644
--- a/dependency-check-core/src/main/resources/data/dbStatements_h2.properties
+++ b/dependency-check-core/src/main/resources/data/dbStatements_h2.properties
@@ -13,3 +13,4 @@
# limitations under the License.
MERGE_PROPERTY=MERGE INTO properties (id, value) KEY(id) VALUES(?, ?)
+CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id IN (SELECT id FROM cpeEntry LEFT JOIN software ON cpeEntry.id = software.CPEEntryId WHERE software.CPEEntryId IS NULL)
diff --git a/dependency-check-core/src/main/resources/data/initialize_mysql.sql b/dependency-check-core/src/main/resources/data/initialize_mysql.sql
index 25bc5bd66..67e7b1a56 100644
--- a/dependency-check-core/src/main/resources/data/initialize_mysql.sql
+++ b/dependency-check-core/src/main/resources/data/initialize_mysql.sql
@@ -54,4 +54,4 @@ DELIMITER ;
GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
-UPDATE Properties SET value='3.0' WHERE ID='version';
+UPDATE properties SET value='3.0' WHERE ID='version';
diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
index 4bec87b70..f4bd0c491 100644
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -319,4 +319,98 @@
true
*/
@@ -640,8 +661,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
/**
- * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
- * required to change the proxy url, port, and connection timeout.
+ * Takes the properties supplied and updates the dependency-check settings.
+ * Additionally, this sets the system properties required to change the
+ * proxy url, port, and connection timeout.
*/
protected void populateSettings() {
Settings.initialize();
@@ -667,6 +689,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+ Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
+
if (externalReport != null) {
getLog().warn("The 'externalReport' option was set; this configuration option has been removed. "
+ "Please update the dependency-check-maven plugin's configuration");
@@ -795,10 +819,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
/**
- * Tests is the artifact should be included in the scan (i.e. is the dependency in a scope that is being scanned).
+ * Tests is the artifact should be included in the scan (i.e. is the
+ * dependency in a scope that is being scanned).
*
* @param a the Artifact to test
- * @return true if the artifact is in an excluded scope; otherwise false
+ * @return true if the artifact is in an excluded scope;
+ * otherwise false
*/
protected boolean excludeFromScan(Artifact a) {
if (skipTestScope && Artifact.SCOPE_TEST.equals(a.getScope())) {
@@ -814,10 +840,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
/**
- * Returns a reference to the current project. This method is used instead of auto-binding the project via component
- * annotation in concrete implementations of this. If the child has a @Component MavenProject project; defined
- * then the abstract class (i.e. this class) will not have access to the current project (just the way Maven works with the
- * binding).
+ * Returns a reference to the current project. This method is used instead
+ * of auto-binding the project via component annotation in concrete
+ * implementations of this. If the child has a
+ * @Component MavenProject project; defined then the abstract
+ * class (i.e. this class) will not have access to the current project (just
+ * the way Maven works with the binding).
*
* @return returns a reference to the current project
*/
@@ -886,11 +914,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
//writeDataFile(). This key is used in
- * the MavenProject.(set|get)ContextValue.
+ * Returns the key used to store the path to the data file that is saved by
+ * writeDataFile(). This key is used in the
+ * MavenProject.(set|get)ContextValue.
*
* @return the key used to store the path to the data file
*/
@@ -973,8 +1004,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
/**
- * Returns the key used to store the path to the output directory. When generating the report in the
- * executeAggregateReport() the output directory should be obtained by using this key.
+ * Returns the key used to store the path to the output directory. When
+ * generating the report in the executeAggregateReport() the
+ * output directory should be obtained by using this key.
*
* @return the key used to store the path to the output directory
*/
@@ -983,7 +1015,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
/**
- * Writes the scan data to disk. This is used to serialize the scan data between the "check" and "aggregate" phase.
+ * Writes the scan data to disk. This is used to serialize the scan data
+ * between the "check" and "aggregate" phase.
*
* @param mp the mMven project for which the data file was created
* @param writeTo the directory to write the data file
@@ -1000,7 +1033,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
file = new File(writeTo, dataFileName);
}
final File parent = file.getParentFile();
- if (!parent.isDirectory() && parent.mkdirs()) {
+ if (!parent.isDirectory() && !parent.mkdirs()) {
getLog().error(String.format("Directory '%s' does not exist and cannot be created; unable to write data file.",
parent.getAbsolutePath()));
}
@@ -1037,12 +1070,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
/**
- * Reads the serialized scan data from disk. This is used to serialize the scan data between the "check" and "aggregate"
- * phase.
+ * Reads the serialized scan data from disk. This is used to serialize the
+ * scan data between the "check" and "aggregate" phase.
*
* @param project the Maven project to read the data file from
- * @return a Engine object populated with dependencies if the serialized data file exists; otherwise
- * null is returned
+ * @return a Engine object populated with dependencies if the
+ * serialized data file exists; otherwise null is returned
*/
protected List