patch for issue #229 and false negative for spring security

Former-commit-id: 8c9cd15ab06a88f675241fe75f1fe193634eddf0
2026-01-15 00:03:43 +01:00 · 2015-06-14 15:50:14 -04:00
parent 25f2eb69b9
commit 02209fc039
1 changed files with 18 additions and 7 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -89,22 +89,27 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
                "spring-core",
                Confidence.HIGH);

-        final Evidence springTest4 = new Evidence("Manifest",
-                "Bundle-Vendor",
-                "SpringSource",
-                Confidence.HIGH);
-
-        final Evidence springTest5 = new Evidence("jar",
+        final Evidence springTest4 = new Evidence("jar",
                "package name",
                "springframework",
                Confidence.LOW);

+        final Evidence springSecurityTest1 = new Evidence("Manifest",
+                "Bundle-Name",
+                "Spring Security Core",
+                Confidence.MEDIUM);
+
+        final Evidence springSecurityTest2 = new Evidence("pom",
+                "artifactid",
+                "spring-security-core",
+                Confidence.HIGH);
+
        //springsource/vware problem
        final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
        final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();

        if (product.contains(springTest1) || product.contains(springTest2) || product.contains(springTest3)
-                || (dependency.getFileName().contains("spring") && (product.contains(springTest5) || vendor.contains(springTest5)))) {
+                || (dependency.getFileName().contains("spring") && product.contains(springTest4))) {
            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource spring framework", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
@@ -117,6 +122,12 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH);
        }

+        if (product.contains(springSecurityTest1) || product.contains(springSecurityTest2)) {
+            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_security", Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
+        }
+
        //sun/oracle problem
        final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
        final List<Evidence> newEntries = new ArrayList<Evidence>();