From 02209fc03969e1254d0b0aab0f1706c456dc7c04 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 14 Jun 2015 15:50:14 -0400
Subject: [PATCH] patch for issue #229 and false negative for spring security

Former-commit-id: 8c9cd15ab06a88f675241fe75f1fe193634eddf0
---
 .../analyzer/HintAnalyzer.java | 25 +++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
index 2b9231da3..fd9297ad5 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -89,22 +89,27 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
 "spring-core",
 Confidence.HIGH);
- final Evidence springTest4 = new Evidence("Manifest",
- "Bundle-Vendor",
- "SpringSource",
- Confidence.HIGH);
-
- final Evidence springTest5 = new Evidence("jar",
+ final Evidence springTest4 = new Evidence("jar",
 "package name",
 "springframework",
 Confidence.LOW);
+ final Evidence springSecurityTest1 = new Evidence("Manifest",
+ "Bundle-Name",
+ "Spring Security Core",
+ Confidence.MEDIUM);
+
+ final Evidence springSecurityTest2 = new Evidence("pom",
+ "artifactid",
+ "spring-security-core",
+ Confidence.HIGH);
+
 //springsource/vware problem
 final Set product = dependency.getProductEvidence().getEvidence();
 final Set vendor = dependency.getVendorEvidence().getEvidence();
 if (product.contains(springTest1) || product.contains(springTest2) || product.contains(springTest3)
- || (dependency.getFileName().contains("spring") && (product.contains(springTest5) || vendor.contains(springTest5)))) {
+ || (dependency.getFileName().contains("spring") && product.contains(springTest4))) {
 dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource spring framework", Confidence.HIGH);
 dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
 dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
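Review bot: The rewritten Spring Framework condition on the new `||` line will most likely also fire for the very Spring Security jars this commit tries to flag: a spring-security-core artifact has a file name containing "spring" and, presumably, `springframework` as its jar package-name evidence (its packages live under org.springframework.security), so `product.contains(springTest4)` holds and the dependency receives the "springsource spring framework" product hint on top of the new "springsource_spring_security" one, which is a plausible source of false-positive Spring Framework CVEs. Consider keeping the two matches disjoint, e.g. append `&& !product.contains(springSecurityTest1) && !product.contains(springSecurityTest2)` to the file-name clause, or restructure the two blocks as `if`/`else if`. Separately, the `vendor` local is no longer read anywhere in the visible hunks once the `springTest5` check is dropped; if nothing later in the method uses it, the line can go. The enclosing method starts and ends outside this hunk.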
@@ -117,6 +122,12 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
 dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH);
 }
+ if (product.contains(springSecurityTest1) || product.contains(springSecurityTest2)) {
+ dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_security", Confidence.HIGH);
+ dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
+ dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
+ }
+
 //sun/oracle problem
 final Iterator itr = dependency.getVendorEvidence().iterator();
 final List newEntries = new ArrayList();
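Review bot: The new Spring Security block adds only the "SpringSource" and "vmware" vendor hints, while the Spring Framework block that ends in this hunk's first context line also adds `"pivotal"`; if the omission is deliberate a comment should say so, otherwise add `dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH);` so both blocks produce the same vendor set and the CPE lookup does not diverge between the two products. The new `if` is also the only block in this method without a marker comment like the surrounding `//springsource/vware problem` and `//sun/oracle problem`; a one-line `//spring security false negative` above it would keep the method's style. The enclosing method continues beyond the hunk.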