Suppress all mappings to python:python CPEs coming from site-packages or dist-packages.

Added command-line options to disable Python scanning.


Former-commit-id: cf8f1188f77316e7974a02d4dabf156462b9e1d2

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java

@@ -23,8 +23,6 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FilenameFilter;
 import java.net.MalformedURLException;
-import java.util.Arrays;
-import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -33,7 +31,6 @@ import java.util.regex.Pattern;
 import javax.mail.MessagingException;
 import javax.mail.internet.InternetHeaders;
 
-import org.apache.commons.collections.iterators.ReverseListIterator;
 import org.apache.commons.io.filefilter.NameFileFilter;
 import org.apache.commons.io.filefilter.SuffixFileFilter;
 import org.apache.commons.io.input.AutoCloseInputStream;
@@ -273,16 +270,8 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 				.getVendorEvidence();
 		if (StringUtils.isNotBlank(url)) {
 			if (UrlStringUtils.isUrl(url)) {
-				try {
-					vendorEvidence.addEvidence(METADATA, "vendor",
-							(String) (new ReverseListIterator(
-									Arrays.asList(UrlStringUtils
-											.extractImportantUrlData(url).get(0)
-											.split(Pattern.quote("."))))).next(),
-							Confidence.MEDIUM);
-				} catch (MalformedURLException mue) {
-					LOGGER.fine("URL didn't parse: " + mue.getMessage());
-				}
+				vendorEvidence.addEvidence(METADATA, "vendor", url,
+						Confidence.MEDIUM);
 			}
 		}
 		addPropertyToEvidence(headers, vendorEvidence, "Author", Confidence.LOW);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -179,7 +179,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 	 * This should gather information from leading docstrings, file comments,
 	 * and assignments to __version__, __title__, __summary__, __uri__, __url__,
 	 * __home*page__, __author__, and their all caps equivalents.
-	 * 
+	 *
 	 * @return whether evidence was found
 	 */
 	private boolean analyzeFileContents(Dependency dependency, File file)
@@ -239,14 +239,10 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 		final Matcher matcher = pattern.matcher(contents);
 		boolean found = false;
 		if (matcher.find()) {
-			final String value = matcher.group(4);
-			if (UrlStringUtils.isUrl(value)) {
+			final String url = matcher.group(4);
+			if (UrlStringUtils.isUrl(url)) {
 				found = true;
-				final List<String> urlData = UrlStringUtils
-						.extractImportantUrlData(value);
-				for (final String part : urlData) {
-					evidence.addEvidence(source, name, part, Confidence.MEDIUM);
-				}
+				evidence.addEvidence(source, name, url, Confidence.MEDIUM);
 			}
 		}
 		return found;

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -83,5 +83,11 @@
         <gav regex="true">org\.opensaml:xmltooling:.*</gav>
         <cpe>cpe:/a:internet2:opensaml</cpe>
     </suppress>
-
+    <suppress base="true">
+        <notes><![CDATA[
+        Suppresses false positives for python:python.
+        ]]></notes>
+        <filePath regex="true">.*\b(site|dist)-packages\b.*</filePath>
+        <cpe>cpe:/a:python:python</cpe>
+    </suppress>
 </suppressions>