From 0e0a4bb0b427b031bcc205b1e9b38d79c9244bba Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 4 Feb 2017 09:20:47 -0500 Subject: [PATCH] expanded hint rules so that they can remove evidence --- .../analyzer/HintAnalyzer.java | 145 ++++-------------- .../xml/hints/HintHandler.java | 112 ++++++++++---- .../dependencycheck/xml/hints/HintParser.java | 41 ++++- .../dependencycheck/xml/hints/HintRule.java | 137 ++++++++++++++--- .../resources/dependencycheck-base-hint.xml | 4 +- .../resources/schema/dependency-hint.1.2.xsd | 76 +++++++++ .../analyzer/HintAnalyzerTest.java | 29 +++- .../xml/hints/HintHandlerTest.java | 5 - .../xml/hints/HintParserTest.java | 63 ++++++-- .../src/test/resources/hints_12.xml | 25 +++ 10 files changed, 450 insertions(+), 187 deletions(-) create mode 100644 dependency-check-core/src/main/resources/schema/dependency-hint.1.2.xsd create mode 100644 dependency-check-core/src/test/resources/hints_12.xml diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java index 588c99d84..f3194c19b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java @@ -82,6 +82,7 @@ public class HintAnalyzer extends AbstractAnalyzer { public AnalysisPhase getAnalysisPhase() { return ANALYSIS_PHASE; } + /** *

* Returns the setting key to determine if the analyzer is enabled.

@@ -134,29 +135,38 @@ public class HintAnalyzer extends AbstractAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { for (HintRule hint : hints.getHintRules()) { - boolean shouldAdd = false; + boolean matchFound = false; for (Evidence given : hint.getGivenVendor()) { if (dependency.getVendorEvidence().getEvidence().contains(given)) { - shouldAdd = true; + matchFound = true; break; } } - if (!shouldAdd) { + if (!matchFound) { for (Evidence given : hint.getGivenProduct()) { if (dependency.getProductEvidence().getEvidence().contains(given)) { - shouldAdd = true; + matchFound = true; break; } } } - if (!shouldAdd) { - for (PropertyType pt : hint.getFilenames()) { - if (pt.matches(dependency.getFileName())) { - shouldAdd = true; + if (!matchFound) { + for (Evidence given : hint.getGivenVersion()) { + if (dependency.getVersionEvidence().getEvidence().contains(given)) { + matchFound = true; + break; } } } - if (shouldAdd) { + if (!matchFound) { + for (PropertyType pt : hint.getFilenames()) { + if (pt.matches(dependency.getFileName())) { + matchFound = true; + break; + } + } + } + if (matchFound) { for (Evidence e : hint.getAddVendor()) { dependency.getVendorEvidence().addEvidence(e); } @@ -166,6 +176,21 @@ public class HintAnalyzer extends AbstractAnalyzer { for (Evidence e : hint.getAddVersion()) { dependency.getVersionEvidence().addEvidence(e); } + for (Evidence e : hint.getRemoveVendor()) { + if (dependency.getVendorEvidence().getEvidence().contains(e)) { + dependency.getVendorEvidence().getEvidence().remove(e); + } + } + for (Evidence e : hint.getRemoveProduct()) { + if (dependency.getProductEvidence().getEvidence().contains(e)) { + dependency.getProductEvidence().getEvidence().remove(e); + } + } + for (Evidence e : hint.getRemoveVersion()) { + if (dependency.getVersionEvidence().getEvidence().contains(e)) { + dependency.getVersionEvidence().getEvidence().remove(e); + } + } } } 
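Review bot: The four `given` matching loops in this hunk each hand-roll an intersection test that `java.util.Collections.disjoint` already provides, so the vendor, product and version checks collapse to `matchFound = !Collections.disjoint(dependency.getVendorEvidence().getEvidence(), hint.getGivenVendor()) || !Collections.disjoint(dependency.getProductEvidence().getEvidence(), hint.getGivenProduct()) || !Collections.disjoint(dependency.getVersionEvidence().getEvidence(), hint.getGivenVersion());` with only the filename loop kept as is (add the `Collections` import if the file lacks it). The match relies on `contains(given)`, i.e. on `Evidence.equals`, so a one-line comment above the loops stating that a given entry fires only on an exact source/name/value match — and whether confidence takes part, which is not visible here — would spare the next rule author a guess. The enclosing `analyzeDependency` method continues past this hunk.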
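Review bot: The `contains` test before each `remove` in the three new removal loops is redundant, since removing an element that is not present is already a no-op on a `Collection`, and each loop reduces to one bulk call such as `dependency.getVendorEvidence().getEvidence().removeAll(hint.getRemoveVendor());`. A remove rule strips evidence the later CPE matching would otherwise see, so an over-broad entry in a hint file can hide a finding without leaving any trace; a debug log line naming the dependency file and each removed evidence entry would make such a missing result diagnosable. The removal only works because `getEvidence()` returns the live backing collection rather than a copy, which the new `HintAnalyzerTest` confirms by observing the shrunken sizes; a short comment stating that contract where the collection is mutated would protect against a future defensive copy silently disabling the feature. `analyzeDependency` continues outside this hunk.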
@@ -183,108 +208,6 @@ public class HintAnalyzer extends AbstractAnalyzer { for (Evidence e : newEntries) { dependency.getVendorEvidence().addEvidence(e); } - - // - /* - final Evidence springTest1 = new Evidence("Manifest", - "Implementation-Title", - "Spring Framework", - Confidence.HIGH); - - final Evidence springTest2 = new Evidence("Manifest", - "Implementation-Title", - "org.springframework.core", - Confidence.HIGH); - - final Evidence springTest3 = new Evidence("Manifest", - "Implementation-Title", - "spring-core", - Confidence.HIGH); - - final Evidence springTest4 = new Evidence("jar", - "package name", - "springframework", - Confidence.LOW); - - final Evidence springSecurityTest1 = new Evidence("Manifest", - "Bundle-Name", - "Spring Security Core", - Confidence.MEDIUM); - - final Evidence springSecurityTest2 = new Evidence("pom", - "artifactid", - "spring-security-core", - Confidence.HIGH); - - final Evidence symfony = new Evidence("composer.lock", - "vendor", - "symfony", - Confidence.HIGHEST); - - final Evidence zendframeworkVendor = new Evidence("composer.lock", - "vendor", - "zendframework", - Confidence.HIGHEST); - - final Evidence zendframeworkProduct = new Evidence("composer.lock", - "product", - "zendframework", - Confidence.HIGHEST); - - //springsource/vware problem - final Set product = dependency.getProductEvidence().getEvidence(); - final Set vendor = dependency.getVendorEvidence().getEvidence(); - - if (product.contains(springTest1) || product.contains(springTest2) || product.contains(springTest3) - || (dependency.getFileName().contains("spring") && product.contains(springTest4))) { - dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource spring framework", Confidence.HIGH); - dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH); - dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH); - 
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH); - } - - if (vendor.contains(springTest4)) { - dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH); - dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH); - dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH); - } - - if (product.contains(springSecurityTest1) || product.contains(springSecurityTest2)) { - dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_security", Confidence.HIGH); - dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH); - dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH); - } - - if (vendor.contains(symfony)) { - dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "sensiolabs", Confidence.HIGHEST); - } - - if (vendor.contains(zendframeworkVendor)) { - dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "zend", Confidence.HIGHEST); - } - - if (product.contains(zendframeworkProduct)) { - dependency.getProductEvidence().addEvidence("hint analyzer", "vendor", "zend_framework", Confidence.HIGHEST); - } - - //sun/oracle problem - final Iterator itr = dependency.getVendorEvidence().iterator(); - final List newEntries = new ArrayList(); - while (itr.hasNext()) { - final Evidence e = itr.next(); - if ("sun".equalsIgnoreCase(e.getValue(false))) { - final Evidence newEvidence = new Evidence(e.getSource() + " (hint)", e.getName(), "oracle", e.getConfidence()); - newEntries.add(newEvidence); - } else if ("oracle".equalsIgnoreCase(e.getValue(false))) { - final Evidence newEvidence = new Evidence(e.getSource() + " (hint)", e.getName(), "sun", e.getConfidence()); - newEntries.add(newEvidence); - } - } - for (Evidence e : newEntries) { - 
dependency.getVendorEvidence().addEvidence(e); - } - */ - // } /** diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java index 0608f5fa1..269d6d168 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java @@ -45,6 +45,11 @@ public class HintHandler extends DefaultHandler { * Element name. */ private static final String ADD = "add"; + /** + * Element name. + */ + private static final String REMOVE = "remove"; + /** * Element name. */ @@ -139,16 +144,25 @@ public class HintHandler extends DefaultHandler { * The current rule being read. */ private HintRule rule; + + /** + * Internal type to track the parent node state. + */ + enum ParentType { + ADD, + GIVEN, + REMOVE + } /** * The current state of the parent node (to differentiate between 'add' and * 'given'). */ - private boolean inAddNode = false; + private ParentType nodeType = ParentType.GIVEN; /** * Handles the start element event. * - * @param uri the uri of the element being processed + * @param uri the URI of the element being processed * @param localName the local name of the element being processed * @param qName the qName of the element being processed * @param attr the attributes of the element being processed 
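Review bot: The Javadoc on the `nodeType` field still says `(to differentiate between 'add' and 'given')` although the field now also tracks `remove`; `The current state of the parent node (to differentiate between 'add', 'given' and 'remove').` The new `ParentType` enum is package-private and documented only as an internal type; declaring it `private enum ParentType` keeps it an implementation detail, and its Javadoc should state that the initial value `GIVEN` means an evidence element met before any `add`, `given` or `remove` parent is recorded as given evidence, which is what the switch in the following hunk does.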
@@ -159,41 +173,81 @@ public class HintHandler extends DefaultHandler { if (HINT.equals(qName)) { rule = new HintRule(); } else if (ADD.equals(qName)) { - inAddNode = true; + nodeType = ParentType.ADD; } else if (GIVEN.equals(qName)) { - inAddNode = false; + nodeType = ParentType.GIVEN; + } else if (REMOVE.equals(qName)) { + nodeType = ParentType.REMOVE; } else if (EVIDENCE.equals(qName)) { final String hintType = attr.getValue(TYPE); if (VENDOR.equals(hintType)) { - if (inAddNode) { - rule.addAddVendor(attr.getValue(SOURCE), - attr.getValue(NAME), - attr.getValue(VALUE), - Confidence.valueOf(attr.getValue(CONFIDENCE))); - } else { - rule.addGivenVendor(attr.getValue(SOURCE), - attr.getValue(NAME), - attr.getValue(VALUE), - Confidence.valueOf(attr.getValue(CONFIDENCE))); + if (null != nodeType) switch (nodeType) { + case ADD: + rule.addAddVendor(attr.getValue(SOURCE), + attr.getValue(NAME), + attr.getValue(VALUE), + Confidence.valueOf(attr.getValue(CONFIDENCE))); + break; + case REMOVE: + rule.addRemoveVendor(attr.getValue(SOURCE), + attr.getValue(NAME), + attr.getValue(VALUE), + Confidence.valueOf(attr.getValue(CONFIDENCE))); + break; + case GIVEN: + rule.addGivenVendor(attr.getValue(SOURCE), + attr.getValue(NAME), + attr.getValue(VALUE), + Confidence.valueOf(attr.getValue(CONFIDENCE))); + break; + default: + break; } } else if (PRODUCT.equals(hintType)) { - if (inAddNode) { - rule.addAddProduct(attr.getValue(SOURCE), - attr.getValue(NAME), - attr.getValue(VALUE), - Confidence.valueOf(attr.getValue(CONFIDENCE))); - } else { - rule.addGivenProduct(attr.getValue(SOURCE), - attr.getValue(NAME), - attr.getValue(VALUE), - Confidence.valueOf(attr.getValue(CONFIDENCE))); + if (null != nodeType) switch (nodeType) { + case ADD: + rule.addAddProduct(attr.getValue(SOURCE), + attr.getValue(NAME), + attr.getValue(VALUE), + Confidence.valueOf(attr.getValue(CONFIDENCE))); + break; + case REMOVE: + rule.addRemoveProduct(attr.getValue(SOURCE), + attr.getValue(NAME), + 
attr.getValue(VALUE), + Confidence.valueOf(attr.getValue(CONFIDENCE))); + break; + case GIVEN: + rule.addGivenProduct(attr.getValue(SOURCE), + attr.getValue(NAME), + attr.getValue(VALUE), + Confidence.valueOf(attr.getValue(CONFIDENCE))); + break; + default: + break; } } else if (VERSION.equals(hintType)) { - if (inAddNode) { - rule.addAddVersion(attr.getValue(SOURCE), - attr.getValue(NAME), - attr.getValue(VALUE), - Confidence.valueOf(attr.getValue(CONFIDENCE))); + if (null != nodeType) switch (nodeType) { + case ADD: + rule.addAddVersion(attr.getValue(SOURCE), + attr.getValue(NAME), + attr.getValue(VALUE), + Confidence.valueOf(attr.getValue(CONFIDENCE))); + break; + case REMOVE: + rule.addRemoveVersion(attr.getValue(SOURCE), + attr.getValue(NAME), + attr.getValue(VALUE), + Confidence.valueOf(attr.getValue(CONFIDENCE))); + break; + case GIVEN: + rule.addGivenVersion(attr.getValue(SOURCE), + attr.getValue(NAME), + attr.getValue(VALUE), + Confidence.valueOf(attr.getValue(CONFIDENCE))); + break; + default: + break; } } } else if (FILE_NAME.equals(qName)) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java index 8d7afada9..ce881759c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java @@ -64,7 +64,12 @@ public class HintParser { /** * The schema for the hint XML files. */ - private static final String HINT_SCHEMA = "schema/dependency-hint.1.1.xsd"; + private static final String HINT_SCHEMA = "schema/dependency-hint.1.2.xsd"; + + /** + * The schema for the hint XML files. + */ + private static final String HINT_SCHEMA_OLD = "schema/dependency-hint.1.1.xsd"; /** * Parses the given XML file and returns a list of the hints contained. 
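Review bot: `HINT_SCHEMA_OLD` is documented with the same sentence as `HINT_SCHEMA`, `The schema for the hint XML files.`, so the Javadoc no longer tells the two apart; suggest `The current (1.2) schema for the hint XML files.` on the first and `The previous (1.1) schema for the hint XML files, tried when a file fails validation against the current schema.` on the new constant, which is how the following hunk uses it.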
@@ -82,7 +87,23 @@ public class HintParser { LOGGER.debug("", ex); throw new HintParseException(ex); } catch (SAXException ex) { - throw new HintParseException(ex); + try { + if (fis != null) { + try { + fis.close(); + } catch (IOException ex1) { + LOGGER.debug("Unable to close stream", ex1); + } + } + fis = new FileInputStream(file); + } catch (FileNotFoundException ex1) { + throw new HintParseException(ex1); + } + try { + return parseHints(fis, HINT_SCHEMA_OLD); + } catch (SAXException ex1) { + throw new HintParseException(ex); + } } finally { if (fis != null) { try { @@ -104,9 +125,23 @@ public class HintParser { * @throws SAXException thrown if the XML cannot be parsed */ public Hints parseHints(InputStream inputStream) throws HintParseException, SAXException { + return parseHints(inputStream, HINT_SCHEMA); + } + + /** + * Parses the given XML stream and returns a list of the hint rules + * contained. + * + * @param inputStream an InputStream containing hint rules + * @param schema the XSD to use to validate the XML against + * @return a list of hint rules + * @throws HintParseException thrown if the XML cannot be parsed + * @throws SAXException thrown if the XML cannot be parsed + */ + private Hints parseHints(InputStream inputStream, String schema) throws HintParseException, SAXException { InputStream schemaStream = null; try { - schemaStream = this.getClass().getClassLoader().getResourceAsStream(HINT_SCHEMA); + schemaStream = this.getClass().getClassLoader().getResourceAsStream(schema); final HintHandler handler = new HintHandler(); final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream); final XMLReader xmlReader = saxParser.getXMLReader(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java index 7290ba26e..dc9d5f38e 100644 
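Review bot: The inner `catch (SAXException ex1)` in the new fallback discards `ex1`, so when a file is rejected by both schemas the reason the 1.1 attempt also failed is lost; add `LOGGER.debug("Unable to parse hints with the 1.1 schema", ex1);` before `throw new HintParseException(ex);`, mirroring how the close failure is logged a few lines above. The retry fires on any `SAXException`, including a well-formedness error that no schema will accept, so a debug line announcing the fallback to the 1.1 schema would also explain the doubled parse to anyone reading the logs. The `parseHints(fis, HINT_SCHEMA_OLD)` call can additionally throw `HintParseException`, which then propagates as the 1.1 failure rather than the original 1.2 one; a comment saying whether that is intended would help. The enclosing method starts and ends outside this hunk.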
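Review bot: In the new private overload, `getResourceAsStream(schema)` returns null when the named schema is missing from the classpath and that null goes straight into `XmlUtils.buildSecureSaxParser`; a guard such as `if (schemaStream == null) { throw new HintParseException(new FileNotFoundException("schema resource not found: " + schema)); }` fails with a message that names the missing resource instead of whatever the builder does with a null stream (not visible here). The two `@throws` tags on the new Javadoc carry identical text; `@throws SAXException thrown if the XML is malformed or does not validate against the schema` would separate them from the `HintParseException` case. The method body continues outside the hunk.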
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java @@ -36,6 +36,43 @@ public class HintRule { * The list of file names to match. */ private final List filenames = new ArrayList(); + /** + * The list of vendor evidence that is being matched. + */ + private final List givenVendor = new ArrayList(); + /** + * The list of product evidence that is being matched. + */ + private final List givenProduct = new ArrayList(); + /** + * The list of product evidence that is being matched. + */ + private final List givenVersion = new ArrayList(); + /** + * The list of vendor hints to add. + */ + private final List addVendor = new ArrayList(); + /** + * The list of product evidence to add. + */ + private final List addProduct = new ArrayList(); + /** + * The list of version evidence to add. + */ + private final List addVersion = new ArrayList(); + + /** + * The list of vendor hints to add. + */ + private final List removeVendor = new ArrayList(); + /** + * The list of product evidence to add. + */ + private final List removeProduct = new ArrayList(); + /** + * The list of version evidence to add. + */ + private final List removeVersion = new ArrayList(); /** * Adds the filename evidence to the collection. @@ -54,10 +91,6 @@ public class HintRule { public List getFilenames() { return filenames; } - /** - * The list of product evidence that is being matched. - */ - private final List givenProduct = new ArrayList(); /** * Adds a given product to the list of evidence to matched. 
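Review bot: Four of the field Javadocs added here describe the wrong list: `givenVersion` is commented `The list of product evidence that is being matched.`, and `removeVendor`, `removeProduct` and `removeVersion` keep the `... to add.` wording of the fields they were copied from even though they feed the removal loops; suggest `The list of version evidence that is being matched.` for `givenVersion` and `The list of vendor evidence to remove.`, `The list of product evidence to remove.` and `The list of version evidence to remove.` for the other three. The other hunks in this file only relocate existing fields and need no change.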
@@ -80,20 +113,6 @@ public class HintRule { return givenProduct; } - /** - * The list of vendor evidence that is being matched. - */ - private final List givenVendor = new ArrayList(); - - /** - * The list of product evidence to add. - */ - private final List addProduct = new ArrayList(); - /** - * The list of version evidence to add. - */ - private final List addVersion = new ArrayList(); - /** * Adds a given vendors to the list of evidence to matched. * @@ -157,11 +176,6 @@ public class HintRule { return addVersion; } - /** - * The list of vendor hints to add. - */ - private final List addVendor = new ArrayList(); - /** * Adds a given vendor to the list of evidence to add when matched. * 
@@ -182,4 +196,81 @@ public class HintRule { public List getAddVendor() { return addVendor; } + + /** + * Adds a given vendor to the list of evidence to remove when matched. + * + * @param source the source of the evidence + * @param name the name of the evidence + * @param value the value of the evidence + * @param confidence the confidence of the evidence + */ + public void addRemoveVendor(String source, String name, String value, Confidence confidence) { + removeVendor.add(new Evidence(source, name, value, confidence)); + } + /** + * Get the value of removeVendor. + * + * @return the value of removeVendor + */ + public List getRemoveVendor() { + return removeVendor; + } + /** + * Adds a given product to the list of evidence to remove when matched. + * + * @param source the source of the evidence + * @param name the name of the evidence + * @param value the value of the evidence + * @param confidence the confidence of the evidence + */ + public void addRemoveProduct(String source, String name, String value, Confidence confidence) { + removeProduct.add(new Evidence(source, name, value, confidence)); + } + /** + * Get the value of removeProduct. + * + * @return the value of removeProduct + */ + public List getRemoveProduct() { + return removeProduct; + } + /** + * Adds a given version to the list of evidence to remove when matched. + * + * @param source the source of the evidence + * @param name the name of the evidence + * @param value the value of the evidence + * @param confidence the confidence of the evidence + */ + public void addRemoveVersion(String source, String name, String value, Confidence confidence) { + removeVersion.add(new Evidence(source, name, value, confidence)); + } + /** + * Get the value of removeVersion. + * + * @return the value of removeVersion + */ + public List getRemoveVersion() { + return removeVersion; + } + /** + * Adds a given version to the list of evidence to matche. 
+ * + * @param source the source of the evidence + * @param name the name of the evidence + * @param value the value of the evidence + * @param confidence the confidence of the evidence + */ + public void addGivenVersion(String source, String name, String value, Confidence confidence) { + givenVersion.add(new Evidence(source, name, value, confidence)); + } + /** + * Get the value of givenVersion. + * + * @return the value of givenVersion + */ + public List getGivenVersion() { + return givenVersion; + } } diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml b/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml index 6c441db13..a7a45d05e 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml @@ -1,7 +1,7 @@ - + - + diff --git a/dependency-check-core/src/main/resources/schema/dependency-hint.1.2.xsd b/dependency-check-core/src/main/resources/schema/dependency-hint.1.2.xsd new file mode 100644 index 000000000..cc912609c --- /dev/null +++ b/dependency-check-core/src/main/resources/schema/dependency-hint.1.2.xsd @@ -0,0 +1,76 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java index bf8cf07c1..e8e133da8 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java 
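Review bot: The `addGivenVersion` Javadoc contains a typo, `to matche`; `Adds a given version to the list of evidence to match.` The four new getters return the internal mutable lists directly, in line with the existing getters, so a caller can alter a rule after it has been parsed; if rules are meant to be fixed once loaded, returning `Collections.unmodifiableList(removeVendor)` (and likewise for the other three) plus a `@return` note saying the list is read-only would enforce that, otherwise one sentence documenting that the lists are live is enough.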
@@ -108,5 +108,32 @@ public class HintAnalyzerTest extends BaseDBTestCase { //assertTrue(evidence.contains(springTest4)); //assertTrue(evidence.contains(springTest5)); } - + /** + * Test of analyze method, of class HintAnalyzer. + */ + @Test + public void testAnalyze_1() throws Exception { + File path = BaseTest.getResourceAsFile(this, "hints_12.xml"); + Settings.setString(Settings.KEYS.HINTS_FILE, path.getPath()); + HintAnalyzer instance = new HintAnalyzer(); + instance.initialize(); + Dependency d = new Dependency(); + d.getVersionEvidence().addEvidence("version source", "given version name", "1.2.3", Confidence.HIGH); + d.getVersionEvidence().addEvidence("hint analyzer", "remove version name", "value", Confidence.HIGH); + d.getVendorEvidence().addEvidence("hint analyzer", "remove vendor name", "vendor", Confidence.HIGH); + d.getProductEvidence().addEvidence("hint analyzer", "remove product name", "product", Confidence.HIGH); + d.getVersionEvidence().addEvidence("hint analyzer", "other version name", "value", Confidence.HIGH); + d.getVendorEvidence().addEvidence("hint analyzer", "other vendor name", "vendor", Confidence.HIGH); + d.getProductEvidence().addEvidence("hint analyzer", "other product name", "product", Confidence.HIGH); + + assertEquals("vendor evidence mismatch",2, d.getVendorEvidence().size()); + assertEquals("product evidence mismatch",2, d.getProductEvidence().size()); + assertEquals("version evidence mismatch",3, d.getVersionEvidence().size()); + instance.analyze(d, null); + assertEquals("vendor evidence mismatch",1, d.getVendorEvidence().size()); + assertEquals("product evidence mismatch",1, d.getProductEvidence().size()); + assertEquals("version evidence mismatch",2, d.getVersionEvidence().size()); + + + } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java index 2d06c3a69..138c8e39b 100644 
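Review bot: `testAnalyze_1` asserts only collection sizes after `analyze`, so it would still pass if the analyzer removed `other vendor name` instead of `remove vendor name`; add membership checks on the survivors, e.g. `assertFalse(d.getVendorEvidence().getEvidence().contains(new Evidence("hint analyzer", "remove vendor name", "vendor", Confidence.HIGH)));` with the matching `assertTrue` for the `other ...` entries in each of the three collections. The test also sets `Settings.KEYS.HINTS_FILE` and never restores it; if `BaseDBTestCase` does not reset settings between tests (not visible here), the custom hint file leaks into later tests. `analyze(d, null)` passes a null `Engine`, which is only safe as long as the hint analyzer never dereferences it; a one-line comment saying so would stop a reader from flagging it.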
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java @@ -32,11 +32,6 @@ import javax.xml.parsers.SAXParserFactory; import org.junit.Test; import static org.junit.Assert.*; import org.owasp.dependencycheck.BaseTest; -import org.owasp.dependencycheck.xml.suppression.SuppressionErrorHandler; -import org.owasp.dependencycheck.xml.suppression.SuppressionHandler; -import org.owasp.dependencycheck.xml.suppression.SuppressionParser; -import org.owasp.dependencycheck.xml.suppression.SuppressionRule; -import org.xml.sax.Attributes; import org.xml.sax.InputSource; import org.xml.sax.SAXException; import org.xml.sax.SAXNotRecognizedException; diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintParserTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintParserTest.java index 6b5df4404..7c6432cc4 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintParserTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintParserTest.java 
@@ -39,18 +39,7 @@ public class HintParserTest extends BaseTest { Hints results = instance.parseHints(file); assertEquals("Two duplicating hints should have been read", 2, results.getVendorDuplicatingHintRules().size()); assertEquals("Two hint rules should have been read", 2, results.getHintRules().size()); - } - /** - * Test of parseHints method, of class HintParser. - */ - @Test - public void testParseHints_InputStream() throws Exception { - InputStream ins = BaseTest.getResourceAsStream(this, "hints.xml"); - HintParser instance = new HintParser(); - Hints results = instance.parseHints(ins); - assertEquals("Two duplicating hints should have been read", 2, results.getVendorDuplicatingHintRules().size()); - assertEquals("Two hint rules should have been read", 2, results.getHintRules().size()); assertEquals("One add product should have been read", 1, results.getHintRules().get(0).getAddProduct().size()); assertEquals("One add vendor should have been read", 1, results.getHintRules().get(0).getAddVendor().size()); assertEquals("Two file name should have been read", 2, results.getHintRules().get(1).getFilenames().size()); 
@@ -65,9 +54,57 @@ public class HintParserTest extends BaseTest { assertEquals("file name 1 should not be a regex", false, results.getHintRules().get(1).getFilenames().get(0).isRegex()); assertEquals("file name 2 should be case sensitive", true, results.getHintRules().get(1).getFilenames().get(1).isCaseSensitive()); assertEquals("file name 2 should be a regex", true, results.getHintRules().get(1).getFilenames().get(1).isRegex()); - - + assertEquals("sun duplicating vendor", "sun", results.getVendorDuplicatingHintRules().get(0).getValue()); assertEquals("sun duplicates vendor oracle", "oracle", results.getVendorDuplicatingHintRules().get(0).getDuplicate()); } + + /** + * Test of parseHints method, of class HintParser. + */ + @Test + public void testParseHints_InputStream() throws Exception { + InputStream ins = BaseTest.getResourceAsStream(this, "hints_12.xml"); + HintParser instance = new HintParser(); + Hints results = instance.parseHints(ins); + assertEquals("Zero duplicating hints should have been read", 0, results.getVendorDuplicatingHintRules().size()); + assertEquals("Two hint rules should have been read", 2, results.getHintRules().size()); + + assertEquals("One given product should have been read in hint 0", 1, results.getHintRules().get(0).getGivenProduct().size()); + assertEquals("One given vendor should have been read in hint 0", 1, results.getHintRules().get(0).getGivenVendor().size()); + assertEquals("One given version should have been read in hint 0", 1, results.getHintRules().get(0).getGivenVersion().size()); + + assertEquals("One add product should have been read in hint 0", 1, results.getHintRules().get(0).getAddProduct().size()); + assertEquals("One add vendor should have been read in hint 0", 1, results.getHintRules().get(0).getAddVendor().size()); + assertEquals("One add version should have been read in hint 0", 1, results.getHintRules().get(0).getAddVersion().size()); + assertEquals("Zero remove product should have been read in hint 0", 0, 
results.getHintRules().get(0).getRemoveProduct().size()); + assertEquals("Zero remove vendor should have been read in hint 0", 0, results.getHintRules().get(0).getRemoveVendor().size()); + assertEquals("Zero remove version should have been read in hint 0", 0, results.getHintRules().get(0).getRemoveVersion().size()); + + assertEquals("Zero given product should have been read in hint 1", 0, results.getHintRules().get(1).getGivenProduct().size()); + assertEquals("Zero given vendor should have been read in hint 1", 0, results.getHintRules().get(1).getGivenVendor().size()); + assertEquals("One given version should have been read in hint 1", 1, results.getHintRules().get(1).getGivenVersion().size()); + + assertEquals("One remove product should have been read in hint 1", 1, results.getHintRules().get(1).getRemoveProduct().size()); + assertEquals("One remove vendor should have been read in hint 1", 1, results.getHintRules().get(1).getRemoveVendor().size()); + assertEquals("One remove version should have been read in hint 1", 1, results.getHintRules().get(1).getRemoveVersion().size()); + assertEquals("Zero add product should have been read in hint 1", 0, results.getHintRules().get(1).getAddProduct().size()); + assertEquals("Zero add vendor should have been read in hint 1", 0, results.getHintRules().get(1).getAddVendor().size()); + assertEquals("Zero add version should have been read in hint 1", 0, results.getHintRules().get(1).getAddVersion().size()); + + assertEquals("add product name not found in hint 0", "add product name", results.getHintRules().get(0).getAddProduct().get(0).getName()); + assertEquals("add vendor name not found in hint 0", "add vendor name", results.getHintRules().get(0).getAddVendor().get(0).getName()); + assertEquals("add version name not found in hint 0", "add version name", results.getHintRules().get(0).getAddVersion().get(0).getName()); + + assertEquals("given product name not found in hint 0", "given product name", 
results.getHintRules().get(0).getGivenProduct().get(0).getName()); + assertEquals("given vendor name not found in hint 0", "given vendor name", results.getHintRules().get(0).getGivenVendor().get(0).getName()); + assertEquals("given version name not found in hint 0", "given version name", results.getHintRules().get(0).getGivenVersion().get(0).getName()); + + assertEquals("given version name not found in hint 1", "given version name", results.getHintRules().get(1).getGivenVersion().get(0).getName()); + + assertEquals("add product name not found in hint 1", "remove product name", results.getHintRules().get(1).getRemoveProduct().get(0).getName()); + assertEquals("add vendor name not found in hint 1", "remove vendor name", results.getHintRules().get(1).getRemoveVendor().get(0).getName()); + assertEquals("add version name not found in hint 1", "remove version name", results.getHintRules().get(1).getRemoveVersion().get(0).getName()); + + } } diff --git a/dependency-check-core/src/test/resources/hints_12.xml b/dependency-check-core/src/test/resources/hints_12.xml new file mode 100644 index 000000000..2e5699abb --- /dev/null +++ b/dependency-check-core/src/test/resources/hints_12.xml @@ -0,0 +1,25 @@ + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file
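Review bot: The last three assertion messages in `testParseHints_InputStream` are copied from the hint-0 block and read `add product name not found in hint 1` (and vendor/version) while the values under test come from `getRemoveProduct()` and friends and expect `remove product name`; renaming them `remove product name not found in hint 1`, `remove vendor name not found in hint 1` and `remove version name not found in hint 1` keeps a failure message pointing at the right part of the rule. The `InputStream ins` opened from the test resource is never closed; if the project builds on Java 7 or later a try-with-resources around the parse, otherwise a `finally` close, would be consistent with how `HintParser` handles its own streams.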