Suppress all mappings to python:python CPEs coming from site-packages or dist-packages.

Added command-line options to disable Python scanning.


Former-commit-id: cf8f1188f77316e7974a02d4dabf156462b9e1d2

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -252,6 +252,8 @@ public class App {
         final String suppressionFile = cli.getSuppressionFile();
         final boolean jarDisabled = cli.isJarDisabled();
         final boolean archiveDisabled = cli.isArchiveDisabled();
+        final boolean pyDistDisabled = cli.isPythonDistributionDisabled();
+        final boolean pyPkgDisabled = cli.isPythonPackageDisabled();
         final boolean assemblyDisabled = cli.isAssemblyDisabled();
         final boolean nuspecDisabled = cli.isNuspecDisabled();
         final boolean centralDisabled = cli.isCentralDisabled();
@@ -317,6 +319,8 @@ public class App {
         //File Type Analyzer Settings
         Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !jarDisabled);
         Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !archiveDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !pyDistDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !pyPkgDisabled);
         Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled);
         Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled);
 

dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -20,6 +20,7 @@ package org.owasp.dependencycheck;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.util.logging.Logger;
+
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.HelpFormatter;
@@ -327,6 +328,12 @@ public final class CliParser {
                 .withDescription("Disable the .NET Assembly Analyzer.")
                 .create();
 
+        final Option disablePythonDistributionAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_PY_DIST)
+                .withDescription("Disable the Python Distribution Analyzer.").create();
+
+        final Option disablePythonPackageAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_PY_PKG)
+                .withDescription("Disable the Python Package Analyzer.").create();
+
         final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL)
                 .withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable "
                         + "the Nexus Analyzer.")
@@ -369,6 +376,8 @@ public final class CliParser {
                 .addOption(disableJarAnalyzer)
                 .addOption(disableArchiveAnalyzer)
                 .addOption(disableAssemblyAnalyzer)
+                .addOption(disablePythonDistributionAnalyzer)
+                .addOption(disablePythonPackageAnalyzer)
                 .addOption(disableNuspecAnalyzer)
                 .addOption(disableCentralAnalyzer)
                 .addOption(disableNexusAnalyzer)
@@ -458,6 +467,24 @@ public final class CliParser {
         return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY);
     }
 
+    /**
+     * Returns true if the disablePyDist command line argument was specified.
+     *
+     * @return true if the disablePyDist command line argument was specified; otherwise false
+     */
+    public boolean isPythonDistributionDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_PY_DIST);
+    }
+
+    /**
+     * Returns true if the disablePyPkg command line argument was specified.
+     *
+     * @return true if the disablePyPkg command line argument was specified; otherwise false
+     */
+    public boolean isPythonPackageDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_PY_PKG);
+    }
+
     /**
      * Returns true if the disableNexus command line argument was specified.
      *
@@ -899,6 +926,14 @@ public final class CliParser {
          * Disables the Archive Analyzer.
          */
         public static final String DISABLE_ARCHIVE = "disableArchive";
+        /**
+         * Disables the Python Distribution Analyzer.
+         */
+        public static final String DISABLE_PY_DIST = "disablePyDist";
+        /**
+         * Disables the Python Package Analyzer.
+         */
+        public static final String DISABLE_PY_PKG = "disablePyPkg";
         /**
          * Disables the Assembly Analyzer.
          */

dependency-check-cli/src/site/markdown/arguments.md

@@ -23,6 +23,8 @@ Short  | Argument Name        | Paramete
 -------|-----------------------|-----------------|----------------------------------------------------------------------------------|-------------------
  \-P   | \-\-propertyfile      | \<file\>        | Specifies a file that contains properties to use instead of applicaion defaults. | &nbsp;
        | \-\-updateonly        |                 | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | &nbsp;
+       | \-\-disablePyDist     |                 | Sets whether the Python Distribution Analyzer will be used.                      | false
+       | \-\-disablePyPkg      |                 | Sets whether the Python Package Analyzer will be used.                           | false
        | \-\-disableArchive    |                 | Sets whether the Archive Analyzer will be used.                                  | false
        | \-\-zipExtensions     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
        | \-\-disableJar        |                 | Sets whether the Jar Analyzer will be used.                                      | false

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java

@@ -23,8 +23,6 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FilenameFilter;
 import java.net.MalformedURLException;
-import java.util.Arrays;
-import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -33,7 +31,6 @@ import java.util.regex.Pattern;
 import javax.mail.MessagingException;
 import javax.mail.internet.InternetHeaders;
 
-import org.apache.commons.collections.iterators.ReverseListIterator;
 import org.apache.commons.io.filefilter.NameFileFilter;
 import org.apache.commons.io.filefilter.SuffixFileFilter;
 import org.apache.commons.io.input.AutoCloseInputStream;
@@ -273,16 +270,8 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 				.getVendorEvidence();
 		if (StringUtils.isNotBlank(url)) {
 			if (UrlStringUtils.isUrl(url)) {
-				try {
-					vendorEvidence.addEvidence(METADATA, "vendor",
-							(String) (new ReverseListIterator(
-									Arrays.asList(UrlStringUtils
-											.extractImportantUrlData(url).get(0)
-											.split(Pattern.quote("."))))).next(),
-							Confidence.MEDIUM);
-				} catch (MalformedURLException mue) {
-					LOGGER.fine("URL didn't parse: " + mue.getMessage());
-				}
+				vendorEvidence.addEvidence(METADATA, "vendor", url,
+						Confidence.MEDIUM);
 			}
 		}
 		addPropertyToEvidence(headers, vendorEvidence, "Author", Confidence.LOW);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -179,7 +179,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 	 * This should gather information from leading docstrings, file comments,
 	 * and assignments to __version__, __title__, __summary__, __uri__, __url__,
 	 * __home*page__, __author__, and their all caps equivalents.
-	 * 
+	 *
 	 * @return whether evidence was found
 	 */
 	private boolean analyzeFileContents(Dependency dependency, File file)
@@ -239,14 +239,10 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 		final Matcher matcher = pattern.matcher(contents);
 		boolean found = false;
 		if (matcher.find()) {
-			final String value = matcher.group(4);
-			if (UrlStringUtils.isUrl(value)) {
+			final String url = matcher.group(4);
+			if (UrlStringUtils.isUrl(url)) {
 				found = true;
-				final List<String> urlData = UrlStringUtils
-						.extractImportantUrlData(value);
-				for (final String part : urlData) {
-					evidence.addEvidence(source, name, part, Confidence.MEDIUM);
-				}
+				evidence.addEvidence(source, name, url, Confidence.MEDIUM);
 			}
 		}
 		return found;

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -83,5 +83,11 @@
         <gav regex="true">org\.opensaml:xmltooling:.*</gav>
         <cpe>cpe:/a:internet2:opensaml</cpe>
     </suppress>
-
+    <suppress base="true">
+        <notes><![CDATA[
+        Suppresses false positives for python:python.
+        ]]></notes>
+        <filePath regex="true">.*\b(site|dist)-packages\b.*</filePath>
+        <cpe>cpe:/a:python:python</cpe>
+    </suppress>
 </suppressions>