expanded hint rules so that they can remove evidence
@@ -82,6 +82,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
|
||||
public AnalysisPhase getAnalysisPhase() {
|
||||
return ANALYSIS_PHASE;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Returns the setting key to determine if the analyzer is enabled.</p>
|
||||
@@ -134,29 +135,38 @@ public class HintAnalyzer extends AbstractAnalyzer {
|
||||
@Override
|
||||
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
|
||||
for (HintRule hint : hints.getHintRules()) {
|
||||
boolean shouldAdd = false;
|
||||
boolean matchFound = false;
|
||||
for (Evidence given : hint.getGivenVendor()) {
|
||||
if (dependency.getVendorEvidence().getEvidence().contains(given)) {
|
||||
shouldAdd = true;
|
||||
matchFound = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!shouldAdd) {
|
||||
if (!matchFound) {
|
||||
for (Evidence given : hint.getGivenProduct()) {
|
||||
if (dependency.getProductEvidence().getEvidence().contains(given)) {
|
||||
shouldAdd = true;
|
||||
matchFound = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!shouldAdd) {
|
||||
for (PropertyType pt : hint.getFilenames()) {
|
||||
if (pt.matches(dependency.getFileName())) {
|
||||
shouldAdd = true;
|
||||
if (!matchFound) {
|
||||
for (Evidence given : hint.getGivenVersion()) {
|
||||
if (dependency.getVersionEvidence().getEvidence().contains(given)) {
|
||||
matchFound = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (shouldAdd) {
|
||||
if (!matchFound) {
|
||||
for (PropertyType pt : hint.getFilenames()) {
|
||||
if (pt.matches(dependency.getFileName())) {
|
||||
matchFound = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (matchFound) {
|
||||
for (Evidence e : hint.getAddVendor()) {
|
||||
dependency.getVendorEvidence().addEvidence(e);
|
||||
}
|
||||
@@ -166,6 +176,21 @@ public class HintAnalyzer extends AbstractAnalyzer {
|
||||
for (Evidence e : hint.getAddVersion()) {
|
||||
dependency.getVersionEvidence().addEvidence(e);
|
||||
}
|
||||
for (Evidence e : hint.getRemoveVendor()) {
|
||||
if (dependency.getVendorEvidence().getEvidence().contains(e)) {
|
||||
dependency.getVendorEvidence().getEvidence().remove(e);
|
||||
}
|
||||
}
|
||||
for (Evidence e : hint.getRemoveProduct()) {
|
||||
if (dependency.getProductEvidence().getEvidence().contains(e)) {
|
||||
dependency.getProductEvidence().getEvidence().remove(e);
|
||||
}
|
||||
}
|
||||
for (Evidence e : hint.getRemoveVersion()) {
|
||||
if (dependency.getVersionEvidence().getEvidence().contains(e)) {
|
||||
dependency.getVersionEvidence().getEvidence().remove(e);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -183,108 +208,6 @@ public class HintAnalyzer extends AbstractAnalyzer {
|
||||
for (Evidence e : newEntries) {
|
||||
dependency.getVendorEvidence().addEvidence(e);
|
||||
}
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="Old implementation">
|
||||
/*
|
||||
final Evidence springTest1 = new Evidence("Manifest",
|
||||
"Implementation-Title",
|
||||
"Spring Framework",
|
||||
Confidence.HIGH);
|
||||
|
||||
final Evidence springTest2 = new Evidence("Manifest",
|
||||
"Implementation-Title",
|
||||
"org.springframework.core",
|
||||
Confidence.HIGH);
|
||||
|
||||
final Evidence springTest3 = new Evidence("Manifest",
|
||||
"Implementation-Title",
|
||||
"spring-core",
|
||||
Confidence.HIGH);
|
||||
|
||||
final Evidence springTest4 = new Evidence("jar",
|
||||
"package name",
|
||||
"springframework",
|
||||
Confidence.LOW);
|
||||
|
||||
final Evidence springSecurityTest1 = new Evidence("Manifest",
|
||||
"Bundle-Name",
|
||||
"Spring Security Core",
|
||||
Confidence.MEDIUM);
|
||||
|
||||
final Evidence springSecurityTest2 = new Evidence("pom",
|
||||
"artifactid",
|
||||
"spring-security-core",
|
||||
Confidence.HIGH);
|
||||
|
||||
final Evidence symfony = new Evidence("composer.lock",
|
||||
"vendor",
|
||||
"symfony",
|
||||
Confidence.HIGHEST);
|
||||
|
||||
final Evidence zendframeworkVendor = new Evidence("composer.lock",
|
||||
"vendor",
|
||||
"zendframework",
|
||||
Confidence.HIGHEST);
|
||||
|
||||
final Evidence zendframeworkProduct = new Evidence("composer.lock",
|
||||
"product",
|
||||
"zendframework",
|
||||
Confidence.HIGHEST);
|
||||
|
||||
//springsource/vware problem
|
||||
final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
|
||||
final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();
|
||||
|
||||
if (product.contains(springTest1) || product.contains(springTest2) || product.contains(springTest3)
|
||||
|| (dependency.getFileName().contains("spring") && product.contains(springTest4))) {
|
||||
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource spring framework", Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH);
|
||||
}
|
||||
|
||||
if (vendor.contains(springTest4)) {
|
||||
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH);
|
||||
}
|
||||
|
||||
if (product.contains(springSecurityTest1) || product.contains(springSecurityTest2)) {
|
||||
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_security", Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
|
||||
}
|
||||
|
||||
if (vendor.contains(symfony)) {
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "sensiolabs", Confidence.HIGHEST);
|
||||
}
|
||||
|
||||
if (vendor.contains(zendframeworkVendor)) {
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "zend", Confidence.HIGHEST);
|
||||
}
|
||||
|
||||
if (product.contains(zendframeworkProduct)) {
|
||||
dependency.getProductEvidence().addEvidence("hint analyzer", "vendor", "zend_framework", Confidence.HIGHEST);
|
||||
}
|
||||
|
||||
//sun/oracle problem
|
||||
final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
|
||||
final List<Evidence> newEntries = new ArrayList<Evidence>();
|
||||
while (itr.hasNext()) {
|
||||
final Evidence e = itr.next();
|
||||
if ("sun".equalsIgnoreCase(e.getValue(false))) {
|
||||
final Evidence newEvidence = new Evidence(e.getSource() + " (hint)", e.getName(), "oracle", e.getConfidence());
|
||||
newEntries.add(newEvidence);
|
||||
} else if ("oracle".equalsIgnoreCase(e.getValue(false))) {
|
||||
final Evidence newEvidence = new Evidence(e.getSource() + " (hint)", e.getName(), "sun", e.getConfidence());
|
||||
newEntries.add(newEvidence);
|
||||
}
|
||||
}
|
||||
for (Evidence e : newEntries) {
|
||||
dependency.getVendorEvidence().addEvidence(e);
|
||||
}
|
||||
*/
|
||||
//</editor-fold>
|
||||
}
|
||||
|
||||
/**
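Review bot: The three removal loops added in the hunk at `@@ -166,6 +176,21 @@` (`getRemoveVendor`, `getRemoveProduct`, `getRemoveVersion`) each guard `remove(e)` with a `contains(e)` check that adds nothing, because `Set.remove` is already a no-op when the element is absent; each body can simply be `dependency.getVendorEvidence().getEvidence().remove(e);` and likewise for product and version. Since this path now deletes evidence, the matching contract deserves a comment on the first loop; from the `contains`/`remove` calls it presumably goes through `Evidence` equality, so something like `// a remove rule only drops evidence equal to the rule's entry (source, name, value and confidence all match) — confirm against Evidence.equals`. That hunk starts inside the `if (matchFound)` block and `analyzeDependency` itself begins in the preceding hunk, so the surrounding control flow is not fully visible here.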
|
||||
|
||||
@@ -45,6 +45,11 @@ public class HintHandler extends DefaultHandler {
|
||||
* Element name.
|
||||
*/
|
||||
private static final String ADD = "add";
|
||||
/**
|
||||
* Element name.
|
||||
*/
|
||||
private static final String REMOVE = "remove";
|
||||
|
||||
/**
|
||||
* Element name.
|
||||
*/
|
||||
@@ -139,16 +144,25 @@ public class HintHandler extends DefaultHandler {
|
||||
* The current rule being read.
|
||||
*/
|
||||
private HintRule rule;
|
||||
|
||||
/**
|
||||
* Internal type to track the parent node state.
|
||||
*/
|
||||
enum ParentType {
|
||||
ADD,
|
||||
GIVEN,
|
||||
REMOVE
|
||||
}
|
||||
/**
|
||||
* The current state of the parent node (to differentiate between 'add' and
|
||||
* 'given').
|
||||
*/
|
||||
private boolean inAddNode = false;
|
||||
private ParentType nodeType = ParentType.GIVEN;
|
||||
|
||||
/**
|
||||
* Handles the start element event.
|
||||
*
|
||||
* @param uri the uri of the element being processed
|
||||
* @param uri the URI of the element being processed
|
||||
* @param localName the local name of the element being processed
|
||||
* @param qName the qName of the element being processed
|
||||
* @param attr the attributes of the element being processed
|
||||
@@ -159,41 +173,81 @@ public class HintHandler extends DefaultHandler {
|
||||
if (HINT.equals(qName)) {
|
||||
rule = new HintRule();
|
||||
} else if (ADD.equals(qName)) {
|
||||
inAddNode = true;
|
||||
nodeType = ParentType.ADD;
|
||||
} else if (GIVEN.equals(qName)) {
|
||||
inAddNode = false;
|
||||
nodeType = ParentType.GIVEN;
|
||||
} else if (REMOVE.equals(qName)) {
|
||||
nodeType = ParentType.REMOVE;
|
||||
} else if (EVIDENCE.equals(qName)) {
|
||||
final String hintType = attr.getValue(TYPE);
|
||||
if (VENDOR.equals(hintType)) {
|
||||
if (inAddNode) {
|
||||
rule.addAddVendor(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
} else {
|
||||
rule.addGivenVendor(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
if (null != nodeType) switch (nodeType) {
|
||||
case ADD:
|
||||
rule.addAddVendor(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
break;
|
||||
case REMOVE:
|
||||
rule.addRemoveVendor(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
break;
|
||||
case GIVEN:
|
||||
rule.addGivenVendor(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
} else if (PRODUCT.equals(hintType)) {
|
||||
if (inAddNode) {
|
||||
rule.addAddProduct(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
} else {
|
||||
rule.addGivenProduct(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
if (null != nodeType) switch (nodeType) {
|
||||
case ADD:
|
||||
rule.addAddProduct(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
break;
|
||||
case REMOVE:
|
||||
rule.addRemoveProduct(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
break;
|
||||
case GIVEN:
|
||||
rule.addGivenProduct(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
} else if (VERSION.equals(hintType)) {
|
||||
if (inAddNode) {
|
||||
rule.addAddVersion(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
if (null != nodeType) switch (nodeType) {
|
||||
case ADD:
|
||||
rule.addAddVersion(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
break;
|
||||
case REMOVE:
|
||||
rule.addRemoveVersion(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
break;
|
||||
case GIVEN:
|
||||
rule.addGivenVersion(attr.getValue(SOURCE),
|
||||
attr.getValue(NAME),
|
||||
attr.getValue(VALUE),
|
||||
Confidence.valueOf(attr.getValue(CONFIDENCE)));
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
} else if (FILE_NAME.equals(qName)) {
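Review bot: In the `EVIDENCE` branch of the hunk at `@@ -159,41 +173,81 @@`, the four-attribute tuple `attr.getValue(SOURCE), attr.getValue(NAME), attr.getValue(VALUE), Confidence.valueOf(attr.getValue(CONFIDENCE))` is now repeated nine times across three near-identical switches, and each switch sits under a braceless `if (null != nodeType)` that is dead code because `nodeType` is initialised to `ParentType.GIVEN` and only ever assigned enum constants in this method. Reading the attributes once and dropping the null guard and the `default: break;` arms shrinks the branch to about a third of its size; a sketch follows. The Javadoc on the `nodeType` field still says the state differentiates "between 'add' and 'given'" and should now read `* The current state of the parent node (to differentiate between 'add', 'given' and 'remove').`. `startElement` continues past the end of the hunk.
```java
} else if (EVIDENCE.equals(qName)) {
    final String hintType = attr.getValue(TYPE);
    // Read the four evidence attributes once; every branch below passes the same tuple.
    final String source = attr.getValue(SOURCE);
    final String name = attr.getValue(NAME);
    final String value = attr.getValue(VALUE);
    final Confidence confidence = Confidence.valueOf(attr.getValue(CONFIDENCE));
    if (VENDOR.equals(hintType)) {
        switch (nodeType) {
            case ADD:
                rule.addAddVendor(source, name, value, confidence);
                break;
            case REMOVE:
                rule.addRemoveVendor(source, name, value, confidence);
                break;
            case GIVEN:
                rule.addGivenVendor(source, name, value, confidence);
                break;
        }
    } else if (PRODUCT.equals(hintType)) {
        // … same three-way switch over addAddProduct / addRemoveProduct / addGivenProduct …
    } else if (VERSION.equals(hintType)) {
        // … same three-way switch over addAddVersion / addRemoveVersion / addGivenVersion …
    }
```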
|
||||
|
||||
@@ -64,7 +64,12 @@ public class HintParser {
|
||||
/**
|
||||
* The schema for the hint XML files.
|
||||
*/
|
||||
private static final String HINT_SCHEMA = "schema/dependency-hint.1.1.xsd";
|
||||
private static final String HINT_SCHEMA = "schema/dependency-hint.1.2.xsd";
|
||||
|
||||
/**
|
||||
* The schema for the hint XML files.
|
||||
*/
|
||||
private static final String HINT_SCHEMA_OLD = "schema/dependency-hint.1.1.xsd";
|
||||
|
||||
/**
|
||||
* Parses the given XML file and returns a list of the hints contained.
|
||||
@@ -82,7 +87,23 @@ public class HintParser {
|
||||
LOGGER.debug("", ex);
|
||||
throw new HintParseException(ex);
|
||||
} catch (SAXException ex) {
|
||||
throw new HintParseException(ex);
|
||||
try {
|
||||
if (fis != null) {
|
||||
try {
|
||||
fis.close();
|
||||
} catch (IOException ex1) {
|
||||
LOGGER.debug("Unable to close stream", ex1);
|
||||
}
|
||||
}
|
||||
fis = new FileInputStream(file);
|
||||
} catch (FileNotFoundException ex1) {
|
||||
throw new HintParseException(ex1);
|
||||
}
|
||||
try {
|
||||
return parseHints(fis, HINT_SCHEMA_OLD);
|
||||
} catch (SAXException ex1) {
|
||||
throw new HintParseException(ex);
|
||||
}
|
||||
} finally {
|
||||
if (fis != null) {
|
||||
try {
|
||||
@@ -104,9 +125,23 @@ public class HintParser {
|
||||
* @throws SAXException thrown if the XML cannot be parsed
|
||||
*/
|
||||
public Hints parseHints(InputStream inputStream) throws HintParseException, SAXException {
|
||||
return parseHints(inputStream, HINT_SCHEMA);
|
||||
}
|
||||
|
||||
/**
|
||||
* Parses the given XML stream and returns a list of the hint rules
|
||||
* contained.
|
||||
*
|
||||
* @param inputStream an InputStream containing hint rules
|
||||
* @param schema the XSD to use to validate the XML against
|
||||
* @return a list of hint rules
|
||||
* @throws HintParseException thrown if the XML cannot be parsed
|
||||
* @throws SAXException thrown if the XML cannot be parsed
|
||||
*/
|
||||
private Hints parseHints(InputStream inputStream, String schema) throws HintParseException, SAXException {
|
||||
InputStream schemaStream = null;
|
||||
try {
|
||||
schemaStream = this.getClass().getClassLoader().getResourceAsStream(HINT_SCHEMA);
|
||||
schemaStream = this.getClass().getClassLoader().getResourceAsStream(schema);
|
||||
final HintHandler handler = new HintHandler();
|
||||
final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream);
|
||||
final XMLReader xmlReader = saxParser.getXMLReader();
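Review bot: In the hunk at `@@ -82,7 +87,23 @@`, the inner `catch (SAXException ex1)` throws `new HintParseException(ex)`, so when both the 1.2 and the 1.1 parse fail the exception that actually describes the second failure is discarded, and the first one is never logged either. I would log the first failure before retrying, `LOGGER.debug("Parsing against " + HINT_SCHEMA + " failed, retrying with " + HINT_SCHEMA_OLD, ex);`, and wrap the one that ends the attempt, `throw new HintParseException(ex1);`. Note that the retry fires on any `SAXException`, including well-formedness errors, and that the `InputStream` overload in the next hunk validates against `HINT_SCHEMA` only with no fallback; if that asymmetry is intended it deserves a sentence in that overload's Javadoc. The Javadoc on `HINT_SCHEMA_OLD` is a copy of the one above it; `* The previous (1.1) schema for the hint XML files, used as a fallback when validation against the current schema fails.` would say what it is for. The surrounding try/finally opens and closes outside the hunk.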
|
||||
|
||||
@@ -36,6 +36,43 @@ public class HintRule {
|
||||
* The list of file names to match.
|
||||
*/
|
||||
private final List<PropertyType> filenames = new ArrayList<PropertyType>();
|
||||
/**
|
||||
* The list of vendor evidence that is being matched.
|
||||
*/
|
||||
private final List<Evidence> givenVendor = new ArrayList<Evidence>();
|
||||
/**
|
||||
* The list of product evidence that is being matched.
|
||||
*/
|
||||
private final List<Evidence> givenProduct = new ArrayList<Evidence>();
|
||||
/**
|
||||
* The list of product evidence that is being matched.
|
||||
*/
|
||||
private final List<Evidence> givenVersion = new ArrayList<Evidence>();
|
||||
/**
|
||||
* The list of vendor hints to add.
|
||||
*/
|
||||
private final List<Evidence> addVendor = new ArrayList<Evidence>();
|
||||
/**
|
||||
* The list of product evidence to add.
|
||||
*/
|
||||
private final List<Evidence> addProduct = new ArrayList<Evidence>();
|
||||
/**
|
||||
* The list of version evidence to add.
|
||||
*/
|
||||
private final List<Evidence> addVersion = new ArrayList<Evidence>();
|
||||
|
||||
/**
|
||||
* The list of vendor hints to add.
|
||||
*/
|
||||
private final List<Evidence> removeVendor = new ArrayList<Evidence>();
|
||||
/**
|
||||
* The list of product evidence to add.
|
||||
*/
|
||||
private final List<Evidence> removeProduct = new ArrayList<Evidence>();
|
||||
/**
|
||||
* The list of version evidence to add.
|
||||
*/
|
||||
private final List<Evidence> removeVersion = new ArrayList<Evidence>();
|
||||
|
||||
/**
|
||||
* Adds the filename evidence to the collection.
|
||||
@@ -54,10 +91,6 @@ public class HintRule {
|
||||
public List<PropertyType> getFilenames() {
|
||||
return filenames;
|
||||
}
|
||||
/**
|
||||
* The list of product evidence that is being matched.
|
||||
*/
|
||||
private final List<Evidence> givenProduct = new ArrayList<Evidence>();
|
||||
|
||||
/**
|
||||
* Adds a given product to the list of evidence to matched.
|
||||
@@ -80,20 +113,6 @@ public class HintRule {
|
||||
return givenProduct;
|
||||
}
|
||||
|
||||
/**
|
||||
* The list of vendor evidence that is being matched.
|
||||
*/
|
||||
private final List<Evidence> givenVendor = new ArrayList<Evidence>();
|
||||
|
||||
/**
|
||||
* The list of product evidence to add.
|
||||
*/
|
||||
private final List<Evidence> addProduct = new ArrayList<Evidence>();
|
||||
/**
|
||||
* The list of version evidence to add.
|
||||
*/
|
||||
private final List<Evidence> addVersion = new ArrayList<Evidence>();
|
||||
|
||||
/**
|
||||
* Adds a given vendors to the list of evidence to matched.
|
||||
*
|
||||
@@ -157,11 +176,6 @@ public class HintRule {
|
||||
return addVersion;
|
||||
}
|
||||
|
||||
/**
|
||||
* The list of vendor hints to add.
|
||||
*/
|
||||
private final List<Evidence> addVendor = new ArrayList<Evidence>();
|
||||
|
||||
/**
|
||||
* Adds a given vendor to the list of evidence to add when matched.
|
||||
*
|
||||
@@ -182,4 +196,81 @@ public class HintRule {
|
||||
public List<Evidence> getAddVendor() {
|
||||
return addVendor;
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds a given vendor to the list of evidence to remove when matched.
|
||||
*
|
||||
* @param source the source of the evidence
|
||||
* @param name the name of the evidence
|
||||
* @param value the value of the evidence
|
||||
* @param confidence the confidence of the evidence
|
||||
*/
|
||||
public void addRemoveVendor(String source, String name, String value, Confidence confidence) {
|
||||
removeVendor.add(new Evidence(source, name, value, confidence));
|
||||
}
|
||||
/**
|
||||
* Get the value of removeVendor.
|
||||
*
|
||||
* @return the value of removeVendor
|
||||
*/
|
||||
public List<Evidence> getRemoveVendor() {
|
||||
return removeVendor;
|
||||
}
|
||||
/**
|
||||
* Adds a given product to the list of evidence to remove when matched.
|
||||
*
|
||||
* @param source the source of the evidence
|
||||
* @param name the name of the evidence
|
||||
* @param value the value of the evidence
|
||||
* @param confidence the confidence of the evidence
|
||||
*/
|
||||
public void addRemoveProduct(String source, String name, String value, Confidence confidence) {
|
||||
removeProduct.add(new Evidence(source, name, value, confidence));
|
||||
}
|
||||
/**
|
||||
* Get the value of removeProduct.
|
||||
*
|
||||
* @return the value of removeProduct
|
||||
*/
|
||||
public List<Evidence> getRemoveProduct() {
|
||||
return removeProduct;
|
||||
}
|
||||
/**
|
||||
* Adds a given version to the list of evidence to remove when matched.
|
||||
*
|
||||
* @param source the source of the evidence
|
||||
* @param name the name of the evidence
|
||||
* @param value the value of the evidence
|
||||
* @param confidence the confidence of the evidence
|
||||
*/
|
||||
public void addRemoveVersion(String source, String name, String value, Confidence confidence) {
|
||||
removeVersion.add(new Evidence(source, name, value, confidence));
|
||||
}
|
||||
/**
|
||||
* Get the value of removeVersion.
|
||||
*
|
||||
* @return the value of removeVersion
|
||||
*/
|
||||
public List<Evidence> getRemoveVersion() {
|
||||
return removeVersion;
|
||||
}
|
||||
/**
|
||||
* Adds a given version to the list of evidence to matche.
|
||||
*
|
||||
* @param source the source of the evidence
|
||||
* @param name the name of the evidence
|
||||
* @param value the value of the evidence
|
||||
* @param confidence the confidence of the evidence
|
||||
*/
|
||||
public void addGivenVersion(String source, String name, String value, Confidence confidence) {
|
||||
givenVersion.add(new Evidence(source, name, value, confidence));
|
||||
}
|
||||
/**
|
||||
* Get the value of givenVersion.
|
||||
*
|
||||
* @return the value of givenVersion
|
||||
*/
|
||||
public List<Evidence> getGivenVersion() {
|
||||
return givenVersion;
|
||||
}
|
||||
}
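Review bot: Several of the field Javadocs added in the hunk at `@@ -36,6 +36,43 @@` were copied without being updated: `givenVersion` is described as "product evidence that is being matched", and `removeVendor`, `removeProduct` and `removeVersion` are all described as evidence "to add". They should read `* The list of version evidence that is being matched.`, `* The list of vendor evidence to remove.`, `* The list of product evidence to remove.` and `* The list of version evidence to remove.` respectively. In the hunk at `@@ -182,4 +196,81 @@` the `addGivenVersion` Javadoc has "to matche" for "to match". The new getters return the live internal lists, as the existing ones do, so a caller can mutate a rule after parsing; not introduced by this commit, but a sentence on the class noting that the lists are shared would help.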
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
|
||||
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.2.xsd">
|
||||
<hint>
|
||||
<given>
|
||||
<given><!-- NOTE: these are OR conditions -->
|
||||
<evidence type="product" source="Manifest" name="Implementation-Title" value="Spring Framework" confidence="HIGH"/>
|
||||
<evidence type="product" source="Manifest" name="Implementation-Title" value="org.springframework.core" confidence="HIGH"/>
|
||||
<evidence type="product" source="Manifest" name="Implementation-Title" value="spring-core" confidence="HIGH"/>
|
||||
|
||||
@@ -0,0 +1,76 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<xs:schema id="hints"
|
||||
xmlns:xs="http://www.w3.org/2001/XMLSchema"
|
||||
elementFormDefault="qualified"
|
||||
targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.2.xsd"
|
||||
xmlns:dc="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.2.xsd">
|
||||
|
||||
<xs:simpleType name="type">
|
||||
<xs:restriction base="xs:string">
|
||||
<xs:enumeration value="vendor"/>
|
||||
<xs:enumeration value="product"/>
|
||||
<xs:enumeration value="version"/>
|
||||
</xs:restriction>
|
||||
</xs:simpleType>
|
||||
<xs:simpleType name="confidence">
|
||||
<xs:restriction base="xs:string">
|
||||
<xs:enumeration value="HIGHEST"/>
|
||||
<xs:enumeration value="HIGH"/>
|
||||
<xs:enumeration value="MEDIUM"/>
|
||||
<xs:enumeration value="LOW"/>
|
||||
</xs:restriction>
|
||||
</xs:simpleType>
|
||||
<xs:complexType name="evidence">
|
||||
<xs:attribute name="type" use="required" type="dc:type"/>
|
||||
<xs:attribute name="source" use="required" type="xs:string"/>
|
||||
<xs:attribute name="name" use="required" type="xs:string"/>
|
||||
<xs:attribute name="value" use="required" type="xs:string"/>
|
||||
<xs:attribute name="confidence" use="required" type="dc:confidence"/>
|
||||
</xs:complexType>
|
||||
<xs:complexType name="fileName">
|
||||
<xs:attribute name="contains" use="required" type="xs:string"/>
|
||||
<xs:attribute name="regex" use="optional" type="xs:boolean" default="false"/>
|
||||
<xs:attribute name="caseSensitive" use="optional" type="xs:boolean" default="false"/>
|
||||
</xs:complexType>
|
||||
<xs:complexType name="given">
|
||||
<xs:choice minOccurs="1" maxOccurs="unbounded">
|
||||
<xs:element name="evidence" type="dc:evidence"/>
|
||||
<xs:element name="fileName" type="dc:fileName"/>
|
||||
</xs:choice>
|
||||
</xs:complexType>
|
||||
<xs:complexType name="add">
|
||||
<xs:sequence minOccurs="1" maxOccurs="unbounded">
|
||||
<xs:element name="evidence" type="dc:evidence"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
<xs:complexType name="remove">
|
||||
<xs:sequence minOccurs="1" maxOccurs="unbounded">
|
||||
<xs:element name="evidence" type="dc:evidence"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
<xs:complexType name="hint">
|
||||
<xs:sequence minOccurs="1" maxOccurs="1">
|
||||
<xs:element name="given" type="dc:given"/>
|
||||
<xs:choice minOccurs="1" maxOccurs="1">
|
||||
<xs:element name="add" type="dc:add"/>
|
||||
<xs:element name="remove" type="dc:remove"/>
|
||||
</xs:choice>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
<xs:complexType name="duplicatingHint">
|
||||
<xs:attribute name="value" use="required" type="xs:string"/>
|
||||
<xs:attribute name="duplicate" use="required" type="xs:string"/>
|
||||
</xs:complexType>
|
||||
<xs:element name="hints">
|
||||
<xs:complexType>
|
||||
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
||||
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
||||
<xs:element name="hint" type="dc:hint"/>
|
||||
</xs:sequence>
|
||||
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
||||
<xs:element name="vendorDuplicatingHint" type="dc:duplicatingHint"/>
|
||||
</xs:sequence>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
</xs:schema>
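Review bot: The new `remove` and `given` complex types carry no `xs:annotation`, so a rule author reading the schema cannot tell that `given` entries are OR conditions (the comment added to hints.xml says so, the schema does not) or how a `remove` entry is matched. An `<xs:annotation><xs:documentation>` on `given` such as `Conditions are ORed: the hint applies when any listed evidence or fileName matches.`, and on `remove` such as `Evidence is removed only where an existing entry matches source, name, value and confidence exactly.` (which is what the analyzer's contains/remove calls in this commit appear to do — confirm against Evidence equality) would close that gap. The `hint` type's `xs:choice` also means a single hint cannot both add and remove; if that is deliberate, it belongs in the same annotation.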
|
||||
@@ -108,5 +108,32 @@ public class HintAnalyzerTest extends BaseDBTestCase {
|
||||
//assertTrue(evidence.contains(springTest4));
|
||||
//assertTrue(evidence.contains(springTest5));
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of analyze method, of class HintAnalyzer.
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyze_1() throws Exception {
|
||||
File path = BaseTest.getResourceAsFile(this, "hints_12.xml");
|
||||
Settings.setString(Settings.KEYS.HINTS_FILE, path.getPath());
|
||||
HintAnalyzer instance = new HintAnalyzer();
|
||||
instance.initialize();
|
||||
Dependency d = new Dependency();
|
||||
d.getVersionEvidence().addEvidence("version source", "given version name", "1.2.3", Confidence.HIGH);
|
||||
d.getVersionEvidence().addEvidence("hint analyzer", "remove version name", "value", Confidence.HIGH);
|
||||
d.getVendorEvidence().addEvidence("hint analyzer", "remove vendor name", "vendor", Confidence.HIGH);
|
||||
d.getProductEvidence().addEvidence("hint analyzer", "remove product name", "product", Confidence.HIGH);
|
||||
d.getVersionEvidence().addEvidence("hint analyzer", "other version name", "value", Confidence.HIGH);
|
||||
d.getVendorEvidence().addEvidence("hint analyzer", "other vendor name", "vendor", Confidence.HIGH);
|
||||
d.getProductEvidence().addEvidence("hint analyzer", "other product name", "product", Confidence.HIGH);
|
||||
|
||||
assertEquals("vendor evidence mismatch",2, d.getVendorEvidence().size());
|
||||
assertEquals("product evidence mismatch",2, d.getProductEvidence().size());
|
||||
assertEquals("version evidence mismatch",3, d.getVersionEvidence().size());
|
||||
instance.analyze(d, null);
|
||||
assertEquals("vendor evidence mismatch",1, d.getVendorEvidence().size());
|
||||
assertEquals("product evidence mismatch",1, d.getProductEvidence().size());
|
||||
assertEquals("version evidence mismatch",2, d.getVersionEvidence().size());
|
||||
|
||||
|
||||
}
|
||||
}
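Review bot: `testAnalyze_1` only asserts collection sizes before and after `analyze`, so it would still pass if the analyzer removed the wrong entry (for example "other vendor name" instead of "remove vendor name"). Add membership checks next to the size checks, e.g. `assertFalse(d.getVendorEvidence().getEvidence().contains(new Evidence("hint analyzer", "remove vendor name", "vendor", Confidence.HIGH)));` and `assertTrue(d.getVendorEvidence().getEvidence().contains(new Evidence("hint analyzer", "other vendor name", "vendor", Confidence.HIGH)));`, and likewise for product and version. The Javadoc `Test of analyze method, of class HintAnalyzer.` repeats the previous test's; `Verifies that a hint whose given version matches removes the listed vendor, product and version evidence and leaves the others intact.` says what this one checks. `Settings.setString(Settings.KEYS.HINTS_FILE, ...)` changes global state and is not restored in the method; fine if the base class resets settings between tests, otherwise it leaks into later ones.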
|
||||
|
||||
@@ -32,11 +32,6 @@ import javax.xml.parsers.SAXParserFactory;
|
||||
import org.junit.Test;
|
||||
import static org.junit.Assert.*;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.xml.suppression.SuppressionErrorHandler;
|
||||
import org.owasp.dependencycheck.xml.suppression.SuppressionHandler;
|
||||
import org.owasp.dependencycheck.xml.suppression.SuppressionParser;
|
||||
import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
|
||||
import org.xml.sax.Attributes;
|
||||
import org.xml.sax.InputSource;
|
||||
import org.xml.sax.SAXException;
|
||||
import org.xml.sax.SAXNotRecognizedException;
|
||||
|
||||
@@ -39,18 +39,7 @@ public class HintParserTest extends BaseTest {
|
||||
Hints results = instance.parseHints(file);
|
||||
assertEquals("Two duplicating hints should have been read", 2, results.getVendorDuplicatingHintRules().size());
|
||||
assertEquals("Two hint rules should have been read", 2, results.getHintRules().size());
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of parseHints method, of class HintParser.
|
||||
*/
|
||||
@Test
|
||||
public void testParseHints_InputStream() throws Exception {
|
||||
InputStream ins = BaseTest.getResourceAsStream(this, "hints.xml");
|
||||
HintParser instance = new HintParser();
|
||||
Hints results = instance.parseHints(ins);
|
||||
assertEquals("Two duplicating hints should have been read", 2, results.getVendorDuplicatingHintRules().size());
|
||||
assertEquals("Two hint rules should have been read", 2, results.getHintRules().size());
|
||||
assertEquals("One add product should have been read", 1, results.getHintRules().get(0).getAddProduct().size());
|
||||
assertEquals("One add vendor should have been read", 1, results.getHintRules().get(0).getAddVendor().size());
|
||||
assertEquals("Two file name should have been read", 2, results.getHintRules().get(1).getFilenames().size());
|
||||
@@ -65,9 +54,57 @@ public class HintParserTest extends BaseTest {
|
||||
assertEquals("file name 1 should not be a regex", false, results.getHintRules().get(1).getFilenames().get(0).isRegex());
|
||||
assertEquals("file name 2 should be case sensitive", true, results.getHintRules().get(1).getFilenames().get(1).isCaseSensitive());
|
||||
assertEquals("file name 2 should be a regex", true, results.getHintRules().get(1).getFilenames().get(1).isRegex());
|
||||
|
||||
|
||||
|
||||
assertEquals("sun duplicating vendor", "sun", results.getVendorDuplicatingHintRules().get(0).getValue());
|
||||
assertEquals("sun duplicates vendor oracle", "oracle", results.getVendorDuplicatingHintRules().get(0).getDuplicate());
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of parseHints method, of class HintParser.
|
||||
*/
|
||||
@Test
|
||||
public void testParseHints_InputStream() throws Exception {
|
||||
InputStream ins = BaseTest.getResourceAsStream(this, "hints_12.xml");
|
||||
HintParser instance = new HintParser();
|
||||
Hints results = instance.parseHints(ins);
|
||||
assertEquals("Zero duplicating hints should have been read", 0, results.getVendorDuplicatingHintRules().size());
|
||||
assertEquals("Two hint rules should have been read", 2, results.getHintRules().size());
|
||||
|
||||
assertEquals("One given product should have been read in hint 0", 1, results.getHintRules().get(0).getGivenProduct().size());
|
||||
assertEquals("One given vendor should have been read in hint 0", 1, results.getHintRules().get(0).getGivenVendor().size());
|
||||
assertEquals("One given version should have been read in hint 0", 1, results.getHintRules().get(0).getGivenVersion().size());
|
||||
|
||||
assertEquals("One add product should have been read in hint 0", 1, results.getHintRules().get(0).getAddProduct().size());
|
||||
assertEquals("One add vendor should have been read in hint 0", 1, results.getHintRules().get(0).getAddVendor().size());
|
||||
assertEquals("One add version should have been read in hint 0", 1, results.getHintRules().get(0).getAddVersion().size());
|
||||
assertEquals("Zero remove product should have been read in hint 0", 0, results.getHintRules().get(0).getRemoveProduct().size());
|
||||
assertEquals("Zero remove vendor should have been read in hint 0", 0, results.getHintRules().get(0).getRemoveVendor().size());
|
||||
assertEquals("Zero remove version should have been read in hint 0", 0, results.getHintRules().get(0).getRemoveVersion().size());
|
||||
|
||||
assertEquals("Zero given product should have been read in hint 1", 0, results.getHintRules().get(1).getGivenProduct().size());
|
||||
assertEquals("Zero given vendor should have been read in hint 1", 0, results.getHintRules().get(1).getGivenVendor().size());
|
||||
assertEquals("One given version should have been read in hint 1", 1, results.getHintRules().get(1).getGivenVersion().size());
|
||||
|
||||
assertEquals("One remove product should have been read in hint 1", 1, results.getHintRules().get(1).getRemoveProduct().size());
|
||||
assertEquals("One remove vendor should have been read in hint 1", 1, results.getHintRules().get(1).getRemoveVendor().size());
|
||||
assertEquals("One remove version should have been read in hint 1", 1, results.getHintRules().get(1).getRemoveVersion().size());
|
||||
assertEquals("Zero add product should have been read in hint 1", 0, results.getHintRules().get(1).getAddProduct().size());
|
||||
assertEquals("Zero add vendor should have been read in hint 1", 0, results.getHintRules().get(1).getAddVendor().size());
|
||||
assertEquals("Zero add version should have been read in hint 1", 0, results.getHintRules().get(1).getAddVersion().size());
|
||||
|
||||
assertEquals("add product name not found in hint 0", "add product name", results.getHintRules().get(0).getAddProduct().get(0).getName());
|
||||
assertEquals("add vendor name not found in hint 0", "add vendor name", results.getHintRules().get(0).getAddVendor().get(0).getName());
|
||||
assertEquals("add version name not found in hint 0", "add version name", results.getHintRules().get(0).getAddVersion().get(0).getName());
|
||||
|
||||
assertEquals("given product name not found in hint 0", "given product name", results.getHintRules().get(0).getGivenProduct().get(0).getName());
|
||||
assertEquals("given vendor name not found in hint 0", "given vendor name", results.getHintRules().get(0).getGivenVendor().get(0).getName());
|
||||
assertEquals("given version name not found in hint 0", "given version name", results.getHintRules().get(0).getGivenVersion().get(0).getName());
|
||||
|
||||
assertEquals("given version name not found in hint 1", "given version name", results.getHintRules().get(1).getGivenVersion().get(0).getName());
|
||||
|
||||
assertEquals("add product name not found in hint 1", "remove product name", results.getHintRules().get(1).getRemoveProduct().get(0).getName());
|
||||
assertEquals("add vendor name not found in hint 1", "remove vendor name", results.getHintRules().get(1).getRemoveVendor().get(0).getName());
|
||||
assertEquals("add version name not found in hint 1", "remove version name", results.getHintRules().get(1).getRemoveVersion().get(0).getName());
|
||||
|
||||
}
|
||||
}
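Review bot: The last three assertions of the new `testParseHints_InputStream` in the hunk at `@@ -65,9 +54,57 @@` check the remove lists of hint 1, but their failure messages say "add product name not found in hint 1", "add vendor name not found in hint 1" and "add version name not found in hint 1", so a failure would point at the wrong list. They should read `"remove product name not found in hint 1"`, `"remove vendor name not found in hint 1"` and `"remove version name not found in hint 1"`. The stream-based test against hints.xml was deleted in the previous hunk and only the 1.2 fixture is now parsed through the stream overload; since that overload appears to have no 1.1 fallback, keeping a stream-based case for the migrated fixture too would cover both entry points.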
|
||||
|
||||
25
dependency-check-core/src/test/resources/hints_12.xml
Normal file
@@ -0,0 +1,25 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.2.xsd">
|
||||
<hint>
|
||||
<given><!-- NOTE: These are OR conditions -->
|
||||
<evidence type="product" source="product source" name="given product name" value="value" confidence="HIGH"/>
|
||||
<evidence type="vendor" source="vendor source" name="given vendor name" value="value" confidence="HIGH"/>
|
||||
<evidence type="version" source="version source" name="given version name" value="value" confidence="HIGH"/>
|
||||
</given>
|
||||
<add>
|
||||
<evidence type="product" source="hint analyzer" name="add product name" value="product" confidence="HIGH"/>
|
||||
<evidence type="vendor" source="hint analyzer" name="add vendor name" value="vendor" confidence="HIGH"/>
|
||||
<evidence type="version" source="hint analyzer" name="add version name" value="value" confidence="HIGH"/>
|
||||
</add>
|
||||
</hint>
|
||||
<hint>
|
||||
<given>
|
||||
<evidence type="version" source="version source" name="given version name" value="1.2.3" confidence="HIGH"/>
|
||||
</given>
|
||||
<remove>
|
||||
<evidence type="product" source="hint analyzer" name="remove product name" value="product" confidence="HIGH"/>
|
||||
<evidence type="vendor" source="hint analyzer" name="remove vendor name" value="vendor" confidence="HIGH"/>
|
||||
<evidence type="version" source="hint analyzer" name="remove version name" value="value" confidence="HIGH"/>
|
||||
</remove>
|
||||
</hint>
|
||||
</hints>
|
||||