added package name scanning back in if no other data was found
Former-commit-id: d33a1fd126179ac5e191420541cf796c77c71c45
@@ -171,6 +171,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
return ANALYSIS_PHASE;
|
return ANALYSIS_PHASE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private boolean evidenceFound;
|
||||||
/**
|
/**
|
||||||
* Loads a specified JAR file and collects information from the manifest and
|
* Loads a specified JAR file and collects information from the manifest and
|
||||||
* checksums to identify the correct CPE information.
|
* checksums to identify the correct CPE information.
|
||||||
@@ -181,13 +182,16 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
* file.
|
* file.
|
||||||
*/
|
*/
|
||||||
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
|
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
|
||||||
|
evidenceFound = false;
|
||||||
try {
|
try {
|
||||||
parseManifest(dependency);
|
evidenceFound |= parseManifest(dependency);
|
||||||
if (Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN)) {
|
evidenceFound |= analyzePOM(dependency);
|
||||||
|
if (Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN) ||
|
||||||
|
!evidenceFound) {
|
||||||
|
//if no evidence was found - "they" likely stripped stuff, package names may be all we have.
|
||||||
analyzePackageNames(dependency);
|
analyzePackageNames(dependency);
|
||||||
}
|
}
|
||||||
analyzePOM(dependency);
|
|
||||||
//addPredefinedData(dependency); //this has been moved to its own analyzer (HintAnalyzer)
|
|
||||||
} catch (IOException ex) {
|
} catch (IOException ex) {
|
||||||
throw new AnalysisException("Exception occurred reading the JAR file.", ex);
|
throw new AnalysisException("Exception occurred reading the JAR file.", ex);
|
||||||
} catch (JAXBException ex) {
|
} catch (JAXBException ex) {
|
||||||
@@ -205,9 +209,10 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
* @throws IOException is thrown if there is an error reading the zip file.
|
* @throws IOException is thrown if there is an error reading the zip file.
|
||||||
* @throws JAXBException is thrown if there is an error extracting the model (aka pom).
|
* @throws JAXBException is thrown if there is an error extracting the model (aka pom).
|
||||||
* @throws AnalysisException is thrown if there is an exception parsing the pom.
|
* @throws AnalysisException is thrown if there is an exception parsing the pom.
|
||||||
|
* @return whether or not evidence was added to the dependency
|
||||||
*/
|
*/
|
||||||
protected void analyzePOM(Dependency dependency) throws IOException, JAXBException, AnalysisException {
|
protected boolean analyzePOM(Dependency dependency) throws IOException, JAXBException, AnalysisException {
|
||||||
|
boolean foundSomething = false;
|
||||||
Properties pomProperties = null;
|
Properties pomProperties = null;
|
||||||
Model pom = null;
|
Model pom = null;
|
||||||
FileInputStream fs = null;
|
FileInputStream fs = null;
|
||||||
@@ -259,33 +264,39 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
//group id
|
//group id
|
||||||
String groupid = interpolateString(pom.getGroupId(), pomProperties);
|
String groupid = interpolateString(pom.getGroupId(), pomProperties);
|
||||||
if (groupid != null) {
|
if (groupid != null) {
|
||||||
|
foundSomething = true;
|
||||||
dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Evidence.Confidence.HIGH);
|
dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Evidence.Confidence.HIGH);
|
||||||
dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Evidence.Confidence.LOW);
|
dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Evidence.Confidence.LOW);
|
||||||
}
|
}
|
||||||
//artifact id
|
//artifact id
|
||||||
String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
|
String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
|
||||||
if (artifactid != null) {
|
if (artifactid != null) {
|
||||||
|
foundSomething = true;
|
||||||
dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Evidence.Confidence.HIGH);
|
dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Evidence.Confidence.HIGH);
|
||||||
}
|
}
|
||||||
//version
|
//version
|
||||||
String version = interpolateString(pom.getVersion(), pomProperties);
|
String version = interpolateString(pom.getVersion(), pomProperties);
|
||||||
if (version != null) {
|
if (version != null) {
|
||||||
|
foundSomething = true;
|
||||||
dependency.getVersionEvidence().addEvidence("pom", "version", version, Evidence.Confidence.HIGH);
|
dependency.getVersionEvidence().addEvidence("pom", "version", version, Evidence.Confidence.HIGH);
|
||||||
}
|
}
|
||||||
// org name
|
// org name
|
||||||
Organization org = pom.getOrganization();
|
Organization org = pom.getOrganization();
|
||||||
if (org != null && org.getName() != null) {
|
if (org != null && org.getName() != null) {
|
||||||
|
foundSomething = true;
|
||||||
String orgName = interpolateString(org.getName(), pomProperties);
|
String orgName = interpolateString(org.getName(), pomProperties);
|
||||||
dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Evidence.Confidence.HIGH);
|
dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Evidence.Confidence.HIGH);
|
||||||
}
|
}
|
||||||
//pom name
|
//pom name
|
||||||
String pomName = interpolateString(pom.getName(), pomProperties);
|
String pomName = interpolateString(pom.getName(), pomProperties);
|
||||||
if (pomName != null) {
|
if (pomName != null) {
|
||||||
|
foundSomething = true;
|
||||||
dependency.getProductEvidence().addEvidence("pom", "name", pomName, Evidence.Confidence.HIGH);
|
dependency.getProductEvidence().addEvidence("pom", "name", pomName, Evidence.Confidence.HIGH);
|
||||||
}
|
}
|
||||||
|
|
||||||
//Description
|
//Description
|
||||||
if (pom.getDescription() != null) {
|
if (pom.getDescription() != null) {
|
||||||
|
foundSomething = true;
|
||||||
String description = interpolateString(pom.getDescription(), pomProperties);
|
String description = interpolateString(pom.getDescription(), pomProperties);
|
||||||
dependency.setDescription(description);
|
dependency.setDescription(description);
|
||||||
dependency.getProductEvidence().addEvidence("pom", "description", description, Evidence.Confidence.MEDIUM);
|
dependency.getProductEvidence().addEvidence("pom", "description", description, Evidence.Confidence.MEDIUM);
|
||||||
@@ -321,6 +332,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return foundSomething;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -492,9 +504,11 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
* However, all but a handful of specific entries are read in.
|
* However, all but a handful of specific entries are read in.
|
||||||
*
|
*
|
||||||
* @param dependency A reference to the dependency.
|
* @param dependency A reference to the dependency.
|
||||||
|
* @return whether evidence was identified parsing the manifest.
|
||||||
* @throws IOException if there is an issue reading the JAR file.
|
* @throws IOException if there is an issue reading the JAR file.
|
||||||
*/
|
*/
|
||||||
protected void parseManifest(Dependency dependency) throws IOException {
|
protected boolean parseManifest(Dependency dependency) throws IOException {
|
||||||
|
boolean foundSomething = false;
|
||||||
JarFile jar = null;
|
JarFile jar = null;
|
||||||
try {
|
try {
|
||||||
jar = new JarFile(dependency.getActualFilePath());
|
jar = new JarFile(dependency.getActualFilePath());
|
||||||
@@ -504,7 +518,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE,
|
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE,
|
||||||
"Jar file '{0}' does not contain a manifest.",
|
"Jar file '{0}' does not contain a manifest.",
|
||||||
dependency.getFileName());
|
dependency.getFileName());
|
||||||
return;
|
return false;
|
||||||
}
|
}
|
||||||
Attributes atts = manifest.getMainAttributes();
|
Attributes atts = manifest.getMainAttributes();
|
||||||
|
|
||||||
@@ -518,23 +532,32 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
String key = entry.getKey().toString();
|
String key = entry.getKey().toString();
|
||||||
String value = atts.getValue(key);
|
String value = atts.getValue(key);
|
||||||
if (key.equals(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
|
if (key.equals(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
|
||||||
|
foundSomething = true;
|
||||||
productEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH);
|
productEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH);
|
||||||
} else if (key.equals(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
|
} else if (key.equals(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
|
||||||
|
foundSomething = true;
|
||||||
versionEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH);
|
versionEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH);
|
||||||
} else if (key.equals(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
|
} else if (key.equals(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
|
||||||
|
foundSomething = true;
|
||||||
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH);
|
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH);
|
||||||
} else if (key.equals(Attributes.Name.IMPLEMENTATION_VENDOR_ID.toString())) {
|
} else if (key.equals(Attributes.Name.IMPLEMENTATION_VENDOR_ID.toString())) {
|
||||||
|
foundSomething = true;
|
||||||
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
|
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
|
||||||
} else if (key.equals(BUNDLE_DESCRIPTION)) {
|
} else if (key.equals(BUNDLE_DESCRIPTION)) {
|
||||||
|
foundSomething = true;
|
||||||
productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
|
productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
|
||||||
dependency.setDescription(value);
|
dependency.setDescription(value);
|
||||||
} else if (key.equals(BUNDLE_NAME)) {
|
} else if (key.equals(BUNDLE_NAME)) {
|
||||||
|
foundSomething = true;
|
||||||
productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
|
productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
|
||||||
} else if (key.equals(BUNDLE_VENDOR)) {
|
} else if (key.equals(BUNDLE_VENDOR)) {
|
||||||
|
foundSomething = true;
|
||||||
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH);
|
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH);
|
||||||
} else if (key.equals(BUNDLE_VERSION)) {
|
} else if (key.equals(BUNDLE_VERSION)) {
|
||||||
|
foundSomething = true;
|
||||||
versionEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH);
|
versionEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH);
|
||||||
} else if (key.equals(Attributes.Name.MAIN_CLASS.toString())) {
|
} else if (key.equals(Attributes.Name.MAIN_CLASS.toString())) {
|
||||||
|
foundSomething = true;
|
||||||
productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
|
productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
|
||||||
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
|
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
|
||||||
} else {
|
} else {
|
||||||
@@ -543,6 +566,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
if (!IGNORE_LIST.contains(key) && !key.endsWith("jdk")
|
if (!IGNORE_LIST.contains(key) && !key.endsWith("jdk")
|
||||||
&& !key.contains("lastmodified") && !key.endsWith("package")) {
|
&& !key.contains("lastmodified") && !key.endsWith("package")) {
|
||||||
|
|
||||||
|
foundSomething = true;
|
||||||
if (key.contains("version")) {
|
if (key.contains("version")) {
|
||||||
versionEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
|
versionEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
|
||||||
} else if (key.contains("title")) {
|
} else if (key.contains("title")) {
|
||||||
@@ -579,6 +603,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
jar.close();
|
jar.close();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return foundSomething;
|
||||||
}
|
}
|
||||||
|
|
||||||
private void addDescription(Dependency d, String description) {
|
private void addDescription(Dependency d, String description) {
|
||||||
|
|||||||
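Review bot: `evidenceFound` is introduced as an instance field (`private boolean evidenceFound;` in the first hunk) yet it is reset at the top of `analyze` and only read inside that same call, so per-call state is being kept on the analyzer object; if the engine ever drives one `JarAnalyzer` instance against several dependencies concurrently — not visible from these hunks — two calls would overwrite each other's flag and a jar could skip or trigger the package-name fallback based on another jar's evidence. Make it a local instead: drop the field and open `analyze` with `boolean evidenceFound = false;`, leaving `evidenceFound |= parseManifest(dependency);` and `evidenceFound |= analyzePOM(dependency);` as they are. The `analyze` Javadoc above the method should also record the new behaviour, e.g. `* Package names are scanned only when a deep scan is configured or neither the manifest nor the pom yielded any evidence.` The body of `analyze` continues past the end of its hunk (further catch blocks), so check that no other path reads the flag before removing the field.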