github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-22 09:09:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

expanded hint rules so that they can remove evidence

Browse Source
This commit is contained in:
Jeremy Long
2017-02-04 09:20:47 -05:00
parent 5333083a78
commit 0e0a4bb0b4
10 changed files with 450 additions and 187 deletions
Download Patch File Download Diff File Expand all files Collapse all files

145
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
View File

@@ -82,6 +82,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
public AnalysisPhase getAnalysisPhase() { public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE; return ANALYSIS_PHASE;
} }
/** /**
* <p> * <p>
* Returns the setting key to determine if the analyzer is enabled.</p> * Returns the setting key to determine if the analyzer is enabled.</p>
@@ -134,29 +135,38 @@ public class HintAnalyzer extends AbstractAnalyzer {
@Override @Override
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
for (HintRule hint : hints.getHintRules()) { for (HintRule hint : hints.getHintRules()) {
boolean shouldAdd = false; boolean matchFound = false;
for (Evidence given : hint.getGivenVendor()) { for (Evidence given : hint.getGivenVendor()) {
if (dependency.getVendorEvidence().getEvidence().contains(given)) { if (dependency.getVendorEvidence().getEvidence().contains(given)) {
shouldAdd = true; matchFound = true;
break; break;
} }
} }
if (!shouldAdd) { if (!matchFound) {
for (Evidence given : hint.getGivenProduct()) { for (Evidence given : hint.getGivenProduct()) {
if (dependency.getProductEvidence().getEvidence().contains(given)) { if (dependency.getProductEvidence().getEvidence().contains(given)) {
shouldAdd = true; matchFound = true;
break; break;
} }
} }
} }
if (!shouldAdd) { if (!matchFound) {
for (PropertyType pt : hint.getFilenames()) { for (Evidence given : hint.getGivenVersion()) {
if (pt.matches(dependency.getFileName())) { if (dependency.getVersionEvidence().getEvidence().contains(given)) {
shouldAdd = true; matchFound = true;
break;
} }
} }
} }
if (shouldAdd) { if (!matchFound) {
for (PropertyType pt : hint.getFilenames()) {
if (pt.matches(dependency.getFileName())) {
matchFound = true;
break;
}
}
}
if (matchFound) {
for (Evidence e : hint.getAddVendor()) { for (Evidence e : hint.getAddVendor()) {
dependency.getVendorEvidence().addEvidence(e); dependency.getVendorEvidence().addEvidence(e);
} }
@@ -166,6 +176,21 @@ public class HintAnalyzer extends AbstractAnalyzer {
for (Evidence e : hint.getAddVersion()) { for (Evidence e : hint.getAddVersion()) {
dependency.getVersionEvidence().addEvidence(e); dependency.getVersionEvidence().addEvidence(e);
} }
for (Evidence e : hint.getRemoveVendor()) {
if (dependency.getVendorEvidence().getEvidence().contains(e)) {
dependency.getVendorEvidence().getEvidence().remove(e);
}
}
for (Evidence e : hint.getRemoveProduct()) {
if (dependency.getProductEvidence().getEvidence().contains(e)) {
dependency.getProductEvidence().getEvidence().remove(e);
}
}
for (Evidence e : hint.getRemoveVersion()) {
if (dependency.getVersionEvidence().getEvidence().contains(e)) {
dependency.getVersionEvidence().getEvidence().remove(e);
}
}
} }
} }
@@ -183,108 +208,6 @@ public class HintAnalyzer extends AbstractAnalyzer {
for (Evidence e : newEntries) { for (Evidence e : newEntries) {
dependency.getVendorEvidence().addEvidence(e); dependency.getVendorEvidence().addEvidence(e);
} }
//<editor-fold defaultstate="collapsed" desc="Old implementation">
/*
final Evidence springTest1 = new Evidence("Manifest",
"Implementation-Title",
"Spring Framework",
Confidence.HIGH);
final Evidence springTest2 = new Evidence("Manifest",
"Implementation-Title",
"org.springframework.core",
Confidence.HIGH);
final Evidence springTest3 = new Evidence("Manifest",
"Implementation-Title",
"spring-core",
Confidence.HIGH);
final Evidence springTest4 = new Evidence("jar",
"package name",
"springframework",
Confidence.LOW);
final Evidence springSecurityTest1 = new Evidence("Manifest",
"Bundle-Name",
"Spring Security Core",
Confidence.MEDIUM);
final Evidence springSecurityTest2 = new Evidence("pom",
"artifactid",
"spring-security-core",
Confidence.HIGH);
final Evidence symfony = new Evidence("composer.lock",
"vendor",
"symfony",
Confidence.HIGHEST);
final Evidence zendframeworkVendor = new Evidence("composer.lock",
"vendor",
"zendframework",
Confidence.HIGHEST);
final Evidence zendframeworkProduct = new Evidence("composer.lock",
"product",
"zendframework",
Confidence.HIGHEST);
//springsource/vware problem
final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();
if (product.contains(springTest1) || product.contains(springTest2) || product.contains(springTest3)
|| (dependency.getFileName().contains("spring") && product.contains(springTest4))) {
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource spring framework", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH);
}
if (vendor.contains(springTest4)) {
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH);
}
if (product.contains(springSecurityTest1) || product.contains(springSecurityTest2)) {
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_security", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
}
if (vendor.contains(symfony)) {
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "sensiolabs", Confidence.HIGHEST);
}
if (vendor.contains(zendframeworkVendor)) {
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "zend", Confidence.HIGHEST);
}
if (product.contains(zendframeworkProduct)) {
dependency.getProductEvidence().addEvidence("hint analyzer", "vendor", "zend_framework", Confidence.HIGHEST);
}
//sun/oracle problem
final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
final List<Evidence> newEntries = new ArrayList<Evidence>();
while (itr.hasNext()) {
final Evidence e = itr.next();
if ("sun".equalsIgnoreCase(e.getValue(false))) {
final Evidence newEvidence = new Evidence(e.getSource() + " (hint)", e.getName(), "oracle", e.getConfidence());
newEntries.add(newEvidence);
} else if ("oracle".equalsIgnoreCase(e.getValue(false))) {
final Evidence newEvidence = new Evidence(e.getSource() + " (hint)", e.getName(), "sun", e.getConfidence());
newEntries.add(newEvidence);
}
}
for (Evidence e : newEntries) {
dependency.getVendorEvidence().addEvidence(e);
}
*/
//</editor-fold>
} }
/** /**

112
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java
View File

@@ -45,6 +45,11 @@ public class HintHandler extends DefaultHandler {
* Element name. * Element name.
*/ */
private static final String ADD = "add"; private static final String ADD = "add";
/**
* Element name.
*/
private static final String REMOVE = "remove";
/** /**
* Element name. * Element name.
*/ */
@@ -139,16 +144,25 @@ public class HintHandler extends DefaultHandler {
* The current rule being read. * The current rule being read.
*/ */
private HintRule rule; private HintRule rule;
/**
* Internal type to track the parent node state.
*/
enum ParentType {
ADD,
GIVEN,
REMOVE
}
/** /**
* The current state of the parent node (to differentiate between 'add' and * The current state of the parent node (to differentiate between 'add' and
* 'given'). * 'given').
*/ */
private boolean inAddNode = false; private ParentType nodeType = ParentType.GIVEN;
/** /**
* Handles the start element event. * Handles the start element event.
* *
* @param uri the uri of the element being processed * @param uri the URI of the element being processed
* @param localName the local name of the element being processed * @param localName the local name of the element being processed
* @param qName the qName of the element being processed * @param qName the qName of the element being processed
* @param attr the attributes of the element being processed * @param attr the attributes of the element being processed
@@ -159,41 +173,81 @@ public class HintHandler extends DefaultHandler {
if (HINT.equals(qName)) { if (HINT.equals(qName)) {
rule = new HintRule(); rule = new HintRule();
} else if (ADD.equals(qName)) { } else if (ADD.equals(qName)) {
inAddNode = true; nodeType = ParentType.ADD;
} else if (GIVEN.equals(qName)) { } else if (GIVEN.equals(qName)) {
inAddNode = false; nodeType = ParentType.GIVEN;
} else if (REMOVE.equals(qName)) {
nodeType = ParentType.REMOVE;
} else if (EVIDENCE.equals(qName)) { } else if (EVIDENCE.equals(qName)) {
final String hintType = attr.getValue(TYPE); final String hintType = attr.getValue(TYPE);
if (VENDOR.equals(hintType)) { if (VENDOR.equals(hintType)) {
if (inAddNode) { if (null != nodeType) switch (nodeType) {
rule.addAddVendor(attr.getValue(SOURCE), case ADD:
attr.getValue(NAME), rule.addAddVendor(attr.getValue(SOURCE),
attr.getValue(VALUE), attr.getValue(NAME),
Confidence.valueOf(attr.getValue(CONFIDENCE))); attr.getValue(VALUE),
} else { Confidence.valueOf(attr.getValue(CONFIDENCE)));
rule.addGivenVendor(attr.getValue(SOURCE), break;
attr.getValue(NAME), case REMOVE:
attr.getValue(VALUE), rule.addRemoveVendor(attr.getValue(SOURCE),
Confidence.valueOf(attr.getValue(CONFIDENCE))); attr.getValue(NAME),
attr.getValue(VALUE),
Confidence.valueOf(attr.getValue(CONFIDENCE)));
break;
case GIVEN:
rule.addGivenVendor(attr.getValue(SOURCE),
attr.getValue(NAME),
attr.getValue(VALUE),
Confidence.valueOf(attr.getValue(CONFIDENCE)));
break;
default:
break;
} }
} else if (PRODUCT.equals(hintType)) { } else if (PRODUCT.equals(hintType)) {
if (inAddNode) { if (null != nodeType) switch (nodeType) {
rule.addAddProduct(attr.getValue(SOURCE), case ADD:
attr.getValue(NAME), rule.addAddProduct(attr.getValue(SOURCE),
attr.getValue(VALUE), attr.getValue(NAME),
Confidence.valueOf(attr.getValue(CONFIDENCE))); attr.getValue(VALUE),
} else { Confidence.valueOf(attr.getValue(CONFIDENCE)));
rule.addGivenProduct(attr.getValue(SOURCE), break;
attr.getValue(NAME), case REMOVE:
attr.getValue(VALUE), rule.addRemoveProduct(attr.getValue(SOURCE),
Confidence.valueOf(attr.getValue(CONFIDENCE))); attr.getValue(NAME),
attr.getValue(VALUE),
Confidence.valueOf(attr.getValue(CONFIDENCE)));
break;
case GIVEN:
rule.addGivenProduct(attr.getValue(SOURCE),
attr.getValue(NAME),
attr.getValue(VALUE),
Confidence.valueOf(attr.getValue(CONFIDENCE)));
break;
default:
break;
} }
} else if (VERSION.equals(hintType)) { } else if (VERSION.equals(hintType)) {
if (inAddNode) { if (null != nodeType) switch (nodeType) {
rule.addAddVersion(attr.getValue(SOURCE), case ADD:
attr.getValue(NAME), rule.addAddVersion(attr.getValue(SOURCE),
attr.getValue(VALUE), attr.getValue(NAME),
Confidence.valueOf(attr.getValue(CONFIDENCE))); attr.getValue(VALUE),
Confidence.valueOf(attr.getValue(CONFIDENCE)));
break;
case REMOVE:
rule.addRemoveVersion(attr.getValue(SOURCE),
attr.getValue(NAME),
attr.getValue(VALUE),
Confidence.valueOf(attr.getValue(CONFIDENCE)));
break;
case GIVEN:
rule.addGivenVersion(attr.getValue(SOURCE),
attr.getValue(NAME),
attr.getValue(VALUE),
Confidence.valueOf(attr.getValue(CONFIDENCE)));
break;
default:
break;
} }
} }
} else if (FILE_NAME.equals(qName)) { } else if (FILE_NAME.equals(qName)) {

41
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
View File

@@ -64,7 +64,12 @@ public class HintParser {
/** /**
* The schema for the hint XML files. * The schema for the hint XML files.
*/ */
private static final String HINT_SCHEMA = "schema/dependency-hint.1.1.xsd"; private static final String HINT_SCHEMA = "schema/dependency-hint.1.2.xsd";
/**
* The schema for the hint XML files.
*/
private static final String HINT_SCHEMA_OLD = "schema/dependency-hint.1.1.xsd";
/** /**
* Parses the given XML file and returns a list of the hints contained. * Parses the given XML file and returns a list of the hints contained.
@@ -82,7 +87,23 @@ public class HintParser {
LOGGER.debug("", ex); LOGGER.debug("", ex);
throw new HintParseException(ex); throw new HintParseException(ex);
} catch (SAXException ex) { } catch (SAXException ex) {
throw new HintParseException(ex); try {
if (fis != null) {
try {
fis.close();
} catch (IOException ex1) {
LOGGER.debug("Unable to close stream", ex1);
}
}
fis = new FileInputStream(file);
} catch (FileNotFoundException ex1) {
throw new HintParseException(ex1);
}
try {
return parseHints(fis, HINT_SCHEMA_OLD);
} catch (SAXException ex1) {
throw new HintParseException(ex);
}
} finally { } finally {
if (fis != null) { if (fis != null) {
try { try {
@@ -104,9 +125,23 @@ public class HintParser {
* @throws SAXException thrown if the XML cannot be parsed * @throws SAXException thrown if the XML cannot be parsed
*/ */
public Hints parseHints(InputStream inputStream) throws HintParseException, SAXException { public Hints parseHints(InputStream inputStream) throws HintParseException, SAXException {
return parseHints(inputStream, HINT_SCHEMA);
}
/**
* Parses the given XML stream and returns a list of the hint rules
* contained.
*
* @param inputStream an InputStream containing hint rules
* @param schema the XSD to use to validate the XML against
* @return a list of hint rules
* @throws HintParseException thrown if the XML cannot be parsed
* @throws SAXException thrown if the XML cannot be parsed
*/
private Hints parseHints(InputStream inputStream, String schema) throws HintParseException, SAXException {
InputStream schemaStream = null; InputStream schemaStream = null;
try { try {
schemaStream = this.getClass().getClassLoader().getResourceAsStream(HINT_SCHEMA); schemaStream = this.getClass().getClassLoader().getResourceAsStream(schema);
final HintHandler handler = new HintHandler(); final HintHandler handler = new HintHandler();
final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream); final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream);
final XMLReader xmlReader = saxParser.getXMLReader(); final XMLReader xmlReader = saxParser.getXMLReader();

137
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
View File

@@ -36,6 +36,43 @@ public class HintRule {
* The list of file names to match. * The list of file names to match.
*/ */
private final List<PropertyType> filenames = new ArrayList<PropertyType>(); private final List<PropertyType> filenames = new ArrayList<PropertyType>();
/**
* The list of vendor evidence that is being matched.
*/
private final List<Evidence> givenVendor = new ArrayList<Evidence>();
/**
* The list of product evidence that is being matched.
*/
private final List<Evidence> givenProduct = new ArrayList<Evidence>();
/**
* The list of product evidence that is being matched.
*/
private final List<Evidence> givenVersion = new ArrayList<Evidence>();
/**
* The list of vendor hints to add.
*/
private final List<Evidence> addVendor = new ArrayList<Evidence>();
/**
* The list of product evidence to add.
*/
private final List<Evidence> addProduct = new ArrayList<Evidence>();
/**
* The list of version evidence to add.
*/
private final List<Evidence> addVersion = new ArrayList<Evidence>();
/**
* The list of vendor hints to add.
*/
private final List<Evidence> removeVendor = new ArrayList<Evidence>();
/**
* The list of product evidence to add.
*/
private final List<Evidence> removeProduct = new ArrayList<Evidence>();
/**
* The list of version evidence to add.
*/
private final List<Evidence> removeVersion = new ArrayList<Evidence>();
/** /**
* Adds the filename evidence to the collection. * Adds the filename evidence to the collection.
@@ -54,10 +91,6 @@ public class HintRule {
public List<PropertyType> getFilenames() { public List<PropertyType> getFilenames() {
return filenames; return filenames;
} }
/**
* The list of product evidence that is being matched.
*/
private final List<Evidence> givenProduct = new ArrayList<Evidence>();
/** /**
* Adds a given product to the list of evidence to matched. * Adds a given product to the list of evidence to matched.
@@ -80,20 +113,6 @@ public class HintRule {
return givenProduct; return givenProduct;
} }
/**
* The list of vendor evidence that is being matched.
*/
private final List<Evidence> givenVendor = new ArrayList<Evidence>();
/**
* The list of product evidence to add.
*/
private final List<Evidence> addProduct = new ArrayList<Evidence>();
/**
* The list of version evidence to add.
*/
private final List<Evidence> addVersion = new ArrayList<Evidence>();
/** /**
* Adds a given vendors to the list of evidence to matched. * Adds a given vendors to the list of evidence to matched.
* *
@@ -157,11 +176,6 @@ public class HintRule {
return addVersion; return addVersion;
} }
/**
* The list of vendor hints to add.
*/
private final List<Evidence> addVendor = new ArrayList<Evidence>();
/** /**
* Adds a given vendor to the list of evidence to add when matched. * Adds a given vendor to the list of evidence to add when matched.
* *
@@ -182,4 +196,81 @@ public class HintRule {
public List<Evidence> getAddVendor() { public List<Evidence> getAddVendor() {
return addVendor; return addVendor;
} }
/**
* Adds a given vendor to the list of evidence to remove when matched.
*
* @param source the source of the evidence
* @param name the name of the evidence
* @param value the value of the evidence
* @param confidence the confidence of the evidence
*/
public void addRemoveVendor(String source, String name, String value, Confidence confidence) {
removeVendor.add(new Evidence(source, name, value, confidence));
}
/**
* Get the value of removeVendor.
*
* @return the value of removeVendor
*/
public List<Evidence> getRemoveVendor() {
return removeVendor;
}
/**
* Adds a given product to the list of evidence to remove when matched.
*
* @param source the source of the evidence
* @param name the name of the evidence
* @param value the value of the evidence
* @param confidence the confidence of the evidence
*/
public void addRemoveProduct(String source, String name, String value, Confidence confidence) {
removeProduct.add(new Evidence(source, name, value, confidence));
}
/**
* Get the value of removeProduct.
*
* @return the value of removeProduct
*/
public List<Evidence> getRemoveProduct() {
return removeProduct;
}
/**
* Adds a given version to the list of evidence to remove when matched.
*
* @param source the source of the evidence
* @param name the name of the evidence
* @param value the value of the evidence
* @param confidence the confidence of the evidence
*/
public void addRemoveVersion(String source, String name, String value, Confidence confidence) {
removeVersion.add(new Evidence(source, name, value, confidence));
}
/**
* Get the value of removeVersion.
*
* @return the value of removeVersion
*/
public List<Evidence> getRemoveVersion() {
return removeVersion;
}
/**
* Adds a given version to the list of evidence to matche.
*
* @param source the source of the evidence
* @param name the name of the evidence
* @param value the value of the evidence
* @param confidence the confidence of the evidence
*/
public void addGivenVersion(String source, String name, String value, Confidence confidence) {
givenVersion.add(new Evidence(source, name, value, confidence));
}
/**
* Get the value of givenVersion.
*
* @return the value of givenVersion
*/
public List<Evidence> getGivenVersion() {
return givenVersion;
}
} }

4
dependency-check-core/src/main/resources/dependencycheck-base-hint.xml
View File

@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd"> <hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.2.xsd">
<hint> <hint>
<given> <given><!-- NOTE: these are OR conditions -->
<evidence type="product" source="Manifest" name="Implementation-Title" value="Spring Framework" confidence="HIGH"/> <evidence type="product" source="Manifest" name="Implementation-Title" value="Spring Framework" confidence="HIGH"/>
<evidence type="product" source="Manifest" name="Implementation-Title" value="org.springframework.core" confidence="HIGH"/> <evidence type="product" source="Manifest" name="Implementation-Title" value="org.springframework.core" confidence="HIGH"/>
<evidence type="product" source="Manifest" name="Implementation-Title" value="spring-core" confidence="HIGH"/> <evidence type="product" source="Manifest" name="Implementation-Title" value="spring-core" confidence="HIGH"/>

76
dependency-check-core/src/main/resources/schema/dependency-hint.1.2.xsd Normal file
View File

@@ -0,0 +1,76 @@
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema id="hints"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.2.xsd"
xmlns:dc="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.2.xsd">
<xs:simpleType name="type">
<xs:restriction base="xs:string">
<xs:enumeration value="vendor"/>
<xs:enumeration value="product"/>
<xs:enumeration value="version"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="confidence">
<xs:restriction base="xs:string">
<xs:enumeration value="HIGHEST"/>
<xs:enumeration value="HIGH"/>
<xs:enumeration value="MEDIUM"/>
<xs:enumeration value="LOW"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="evidence">
<xs:attribute name="type" use="required" type="dc:type"/>
<xs:attribute name="source" use="required" type="xs:string"/>
<xs:attribute name="name" use="required" type="xs:string"/>
<xs:attribute name="value" use="required" type="xs:string"/>
<xs:attribute name="confidence" use="required" type="dc:confidence"/>
</xs:complexType>
<xs:complexType name="fileName">
<xs:attribute name="contains" use="required" type="xs:string"/>
<xs:attribute name="regex" use="optional" type="xs:boolean" default="false"/>
<xs:attribute name="caseSensitive" use="optional" type="xs:boolean" default="false"/>
</xs:complexType>
<xs:complexType name="given">
<xs:choice minOccurs="1" maxOccurs="unbounded">
<xs:element name="evidence" type="dc:evidence"/>
<xs:element name="fileName" type="dc:fileName"/>
</xs:choice>
</xs:complexType>
<xs:complexType name="add">
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:element name="evidence" type="dc:evidence"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="remove">
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:element name="evidence" type="dc:evidence"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="hint">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="given" type="dc:given"/>
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="add" type="dc:add"/>
<xs:element name="remove" type="dc:remove"/>
</xs:choice>
</xs:sequence>
</xs:complexType>
<xs:complexType name="duplicatingHint">
<xs:attribute name="value" use="required" type="xs:string"/>
<xs:attribute name="duplicate" use="required" type="xs:string"/>
</xs:complexType>
<xs:element name="hints">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="hint" type="dc:hint"/>
</xs:sequence>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="vendorDuplicatingHint" type="dc:duplicatingHint"/>
</xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>

29
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
View File

@@ -108,5 +108,32 @@ public class HintAnalyzerTest extends BaseDBTestCase {
//assertTrue(evidence.contains(springTest4)); //assertTrue(evidence.contains(springTest4));
//assertTrue(evidence.contains(springTest5)); //assertTrue(evidence.contains(springTest5));
} }
/**
* Test of analyze method, of class HintAnalyzer.
*/
@Test
public void testAnalyze_1() throws Exception {
File path = BaseTest.getResourceAsFile(this, "hints_12.xml");
Settings.setString(Settings.KEYS.HINTS_FILE, path.getPath());
HintAnalyzer instance = new HintAnalyzer();
instance.initialize();
Dependency d = new Dependency();
d.getVersionEvidence().addEvidence("version source", "given version name", "1.2.3", Confidence.HIGH);
d.getVersionEvidence().addEvidence("hint analyzer", "remove version name", "value", Confidence.HIGH);
d.getVendorEvidence().addEvidence("hint analyzer", "remove vendor name", "vendor", Confidence.HIGH);
d.getProductEvidence().addEvidence("hint analyzer", "remove product name", "product", Confidence.HIGH);
d.getVersionEvidence().addEvidence("hint analyzer", "other version name", "value", Confidence.HIGH);
d.getVendorEvidence().addEvidence("hint analyzer", "other vendor name", "vendor", Confidence.HIGH);
d.getProductEvidence().addEvidence("hint analyzer", "other product name", "product", Confidence.HIGH);
assertEquals("vendor evidence mismatch",2, d.getVendorEvidence().size());
assertEquals("product evidence mismatch",2, d.getProductEvidence().size());
assertEquals("version evidence mismatch",3, d.getVersionEvidence().size());
instance.analyze(d, null);
assertEquals("vendor evidence mismatch",1, d.getVendorEvidence().size());
assertEquals("product evidence mismatch",1, d.getProductEvidence().size());
assertEquals("version evidence mismatch",2, d.getVersionEvidence().size());
}
} }

5
dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java
View File

@@ -32,11 +32,6 @@ import javax.xml.parsers.SAXParserFactory;
import org.junit.Test; import org.junit.Test;
import static org.junit.Assert.*; import static org.junit.Assert.*;
import org.owasp.dependencycheck.BaseTest; import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.xml.suppression.SuppressionErrorHandler;
import org.owasp.dependencycheck.xml.suppression.SuppressionHandler;
import org.owasp.dependencycheck.xml.suppression.SuppressionParser;
import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource; import org.xml.sax.InputSource;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException; import org.xml.sax.SAXNotRecognizedException;

63
dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintParserTest.java
View File

@@ -39,18 +39,7 @@ public class HintParserTest extends BaseTest {
Hints results = instance.parseHints(file); Hints results = instance.parseHints(file);
assertEquals("Two duplicating hints should have been read", 2, results.getVendorDuplicatingHintRules().size()); assertEquals("Two duplicating hints should have been read", 2, results.getVendorDuplicatingHintRules().size());
assertEquals("Two hint rules should have been read", 2, results.getHintRules().size()); assertEquals("Two hint rules should have been read", 2, results.getHintRules().size());
}
/**
* Test of parseHints method, of class HintParser.
*/
@Test
public void testParseHints_InputStream() throws Exception {
InputStream ins = BaseTest.getResourceAsStream(this, "hints.xml");
HintParser instance = new HintParser();
Hints results = instance.parseHints(ins);
assertEquals("Two duplicating hints should have been read", 2, results.getVendorDuplicatingHintRules().size());
assertEquals("Two hint rules should have been read", 2, results.getHintRules().size());
assertEquals("One add product should have been read", 1, results.getHintRules().get(0).getAddProduct().size()); assertEquals("One add product should have been read", 1, results.getHintRules().get(0).getAddProduct().size());
assertEquals("One add vendor should have been read", 1, results.getHintRules().get(0).getAddVendor().size()); assertEquals("One add vendor should have been read", 1, results.getHintRules().get(0).getAddVendor().size());
assertEquals("Two file name should have been read", 2, results.getHintRules().get(1).getFilenames().size()); assertEquals("Two file name should have been read", 2, results.getHintRules().get(1).getFilenames().size());
@@ -65,9 +54,57 @@ public class HintParserTest extends BaseTest {
assertEquals("file name 1 should not be a regex", false, results.getHintRules().get(1).getFilenames().get(0).isRegex()); assertEquals("file name 1 should not be a regex", false, results.getHintRules().get(1).getFilenames().get(0).isRegex());
assertEquals("file name 2 should be case sensitive", true, results.getHintRules().get(1).getFilenames().get(1).isCaseSensitive()); assertEquals("file name 2 should be case sensitive", true, results.getHintRules().get(1).getFilenames().get(1).isCaseSensitive());
assertEquals("file name 2 should be a regex", true, results.getHintRules().get(1).getFilenames().get(1).isRegex()); assertEquals("file name 2 should be a regex", true, results.getHintRules().get(1).getFilenames().get(1).isRegex());
assertEquals("sun duplicating vendor", "sun", results.getVendorDuplicatingHintRules().get(0).getValue()); assertEquals("sun duplicating vendor", "sun", results.getVendorDuplicatingHintRules().get(0).getValue());
assertEquals("sun duplicates vendor oracle", "oracle", results.getVendorDuplicatingHintRules().get(0).getDuplicate()); assertEquals("sun duplicates vendor oracle", "oracle", results.getVendorDuplicatingHintRules().get(0).getDuplicate());
} }
/**
* Test of parseHints method, of class HintParser.
*/
@Test
public void testParseHints_InputStream() throws Exception {
InputStream ins = BaseTest.getResourceAsStream(this, "hints_12.xml");
HintParser instance = new HintParser();
Hints results = instance.parseHints(ins);
assertEquals("Zero duplicating hints should have been read", 0, results.getVendorDuplicatingHintRules().size());
assertEquals("Two hint rules should have been read", 2, results.getHintRules().size());
assertEquals("One given product should have been read in hint 0", 1, results.getHintRules().get(0).getGivenProduct().size());
assertEquals("One given vendor should have been read in hint 0", 1, results.getHintRules().get(0).getGivenVendor().size());
assertEquals("One given version should have been read in hint 0", 1, results.getHintRules().get(0).getGivenVersion().size());
assertEquals("One add product should have been read in hint 0", 1, results.getHintRules().get(0).getAddProduct().size());
assertEquals("One add vendor should have been read in hint 0", 1, results.getHintRules().get(0).getAddVendor().size());
assertEquals("One add version should have been read in hint 0", 1, results.getHintRules().get(0).getAddVersion().size());
assertEquals("Zero remove product should have been read in hint 0", 0, results.getHintRules().get(0).getRemoveProduct().size());
assertEquals("Zero remove vendor should have been read in hint 0", 0, results.getHintRules().get(0).getRemoveVendor().size());
assertEquals("Zero remove version should have been read in hint 0", 0, results.getHintRules().get(0).getRemoveVersion().size());
assertEquals("Zero given product should have been read in hint 1", 0, results.getHintRules().get(1).getGivenProduct().size());
assertEquals("Zero given vendor should have been read in hint 1", 0, results.getHintRules().get(1).getGivenVendor().size());
assertEquals("One given version should have been read in hint 1", 1, results.getHintRules().get(1).getGivenVersion().size());
assertEquals("One remove product should have been read in hint 1", 1, results.getHintRules().get(1).getRemoveProduct().size());
assertEquals("One remove vendor should have been read in hint 1", 1, results.getHintRules().get(1).getRemoveVendor().size());
assertEquals("One remove version should have been read in hint 1", 1, results.getHintRules().get(1).getRemoveVersion().size());
assertEquals("Zero add product should have been read in hint 1", 0, results.getHintRules().get(1).getAddProduct().size());
assertEquals("Zero add vendor should have been read in hint 1", 0, results.getHintRules().get(1).getAddVendor().size());
assertEquals("Zero add version should have been read in hint 1", 0, results.getHintRules().get(1).getAddVersion().size());
assertEquals("add product name not found in hint 0", "add product name", results.getHintRules().get(0).getAddProduct().get(0).getName());
assertEquals("add vendor name not found in hint 0", "add vendor name", results.getHintRules().get(0).getAddVendor().get(0).getName());
assertEquals("add version name not found in hint 0", "add version name", results.getHintRules().get(0).getAddVersion().get(0).getName());
assertEquals("given product name not found in hint 0", "given product name", results.getHintRules().get(0).getGivenProduct().get(0).getName());
assertEquals("given vendor name not found in hint 0", "given vendor name", results.getHintRules().get(0).getGivenVendor().get(0).getName());
assertEquals("given version name not found in hint 0", "given version name", results.getHintRules().get(0).getGivenVersion().get(0).getName());
assertEquals("given version name not found in hint 1", "given version name", results.getHintRules().get(1).getGivenVersion().get(0).getName());
assertEquals("add product name not found in hint 1", "remove product name", results.getHintRules().get(1).getRemoveProduct().get(0).getName());
assertEquals("add vendor name not found in hint 1", "remove vendor name", results.getHintRules().get(1).getRemoveVendor().get(0).getName());
assertEquals("add version name not found in hint 1", "remove version name", results.getHintRules().get(1).getRemoveVersion().get(0).getName());
}
} }

25
dependency-check-core/src/test/resources/hints_12.xml Normal file
View File

@@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.2.xsd">
<hint>
<given><!-- NOTE: These are OR conditions -->
<evidence type="product" source="product source" name="given product name" value="value" confidence="HIGH"/>
<evidence type="vendor" source="vendor source" name="given vendor name" value="value" confidence="HIGH"/>
<evidence type="version" source="version source" name="given version name" value="value" confidence="HIGH"/>
</given>
<add>
<evidence type="product" source="hint analyzer" name="add product name" value="product" confidence="HIGH"/>
<evidence type="vendor" source="hint analyzer" name="add vendor name" value="vendor" confidence="HIGH"/>
<evidence type="version" source="hint analyzer" name="add version name" value="value" confidence="HIGH"/>
</add>
</hint>
<hint>
<given>
<evidence type="version" source="version source" name="given version name" value="1.2.3" confidence="HIGH"/>
</given>
<remove>
<evidence type="product" source="hint analyzer" name="remove product name" value="product" confidence="HIGH"/>
<evidence type="vendor" source="hint analyzer" name="remove vendor name" value="vendor" confidence="HIGH"/>
<evidence type="version" source="hint analyzer" name="remove version name" value="value" confidence="HIGH"/>
</remove>
</hint>
</hints>