From 176d3ddefa4ab501c8abb30fa5016333f69df72b Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sun, 4 Sep 2016 19:09:08 -0400
Subject: [PATCH] temporary fix for issue #534

---
 .../analyzer/HintAnalyzer.java                |   3 +
 .../xml/hints/HintHandler.java                |  39 +++-
 .../dependencycheck/xml/hints/HintParser.java |   2 +-
 .../dependencycheck/xml/hints/HintRule.java   |  35 +++-
 .../resources/dependencycheck-base-hint.xml   | 191 +++++++++++-------
 .../resources/schema/dependency-hint.1.1.xsd  |  82 ++++++++
 .../xml/hints/HintHandlerTest.java            |   2 +-
 .../src/test/resources/hints.xml              |   2 +-
 pom.xml                                       |   2 +-
 9 files changed, 265 insertions(+), 93 deletions(-)
 create mode 100644 dependency-check-core/src/main/resources/schema/dependency-hint.1.1.xsd

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
index 506896dfa..beddaf39f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -154,6 +154,9 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
                 for (Evidence e : hint.getAddProduct()) {
                     dependency.getProductEvidence().addEvidence(e);
                 }
+                for (Evidence e : hint.getAddVersion()) {
+                    dependency.getVersionEvidence().addEvidence(e);
+                }
             }
         }
 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java
index 9634fb3d2..0608f5fa1 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java
@@ -62,9 +62,17 @@ public class HintHandler extends DefaultHandler {
      */
     private static final String DUPLICATE = "duplicate";
     /**
-     * Attribute name.
+     * Attribute value.
      */
     private static final String VENDOR = "vendor";
+    /**
+     * Attribute value.
+     */
+    private static final String PRODUCT = "product";
+    /**
+     * Attribute value.
+     */
+    private static final String VERSION = "version";
     /**
      * Attribute name.
      */
@@ -168,16 +176,25 @@ public class HintHandler extends DefaultHandler {
                             attr.getValue(VALUE),
                             Confidence.valueOf(attr.getValue(CONFIDENCE)));
                 }
-            } else if (inAddNode) {
-                rule.addAddProduct(attr.getValue(SOURCE),
-                        attr.getValue(NAME),
-                        attr.getValue(VALUE),
-                        Confidence.valueOf(attr.getValue(CONFIDENCE)));
-            } else {
-                rule.addGivenProduct(attr.getValue(SOURCE),
-                        attr.getValue(NAME),
-                        attr.getValue(VALUE),
-                        Confidence.valueOf(attr.getValue(CONFIDENCE)));
+            } else if (PRODUCT.equals(hintType)) {
+                if (inAddNode) {
+                    rule.addAddProduct(attr.getValue(SOURCE),
+                            attr.getValue(NAME),
+                            attr.getValue(VALUE),
+                            Confidence.valueOf(attr.getValue(CONFIDENCE)));
+                } else {
+                    rule.addGivenProduct(attr.getValue(SOURCE),
+                            attr.getValue(NAME),
+                            attr.getValue(VALUE),
+                            Confidence.valueOf(attr.getValue(CONFIDENCE)));
+                }
+            } else if (VERSION.equals(hintType)) {
+                if (inAddNode) {
+                    rule.addAddVersion(attr.getValue(SOURCE),
+                            attr.getValue(NAME),
+                            attr.getValue(VALUE),
+                            Confidence.valueOf(attr.getValue(CONFIDENCE)));
+                }
             }
         } else if (FILE_NAME.equals(qName)) {
             final PropertyType pt = new PropertyType();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
index 7f5c3ae0a..96a35bdc9 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
@@ -64,7 +64,7 @@ public class HintParser {
     /**
      * The schema for the hint XML files.
      */
-    private static final String HINT_SCHEMA = "schema/dependency-hint.1.0.xsd";
+    private static final String HINT_SCHEMA = "schema/dependency-hint.1.1.xsd";
 
     /**
      * Parses the given XML file and returns a list of the hints contained.
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
index 1d9df8d4d..7290ba26e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
@@ -85,6 +85,15 @@ public class HintRule {
      */
     private final List<Evidence> givenVendor = new ArrayList<Evidence>();
 
+    /**
+     * The list of product evidence to add.
+     */
+    private final List<Evidence> addProduct = new ArrayList<Evidence>();
+    /**
+     * The list of version evidence to add.
+     */
+    private final List<Evidence> addVersion = new ArrayList<Evidence>();
+
     /**
      * Adds a given vendors to the list of evidence to matched.
      *
@@ -106,11 +115,6 @@ public class HintRule {
         return givenVendor;
     }
 
-    /**
-     * The list of product evidence to add.
-     */
-    private final List<Evidence> addProduct = new ArrayList<Evidence>();
-
     /**
      * Adds a given product to the list of evidence to add when matched.
      *
@@ -132,6 +136,27 @@ public class HintRule {
         return addProduct;
     }
 
+    /**
+     * Adds a given version to the list of evidence to add when matched.
+     *
+     * @param source the source of the evidence
+     * @param name the name of the evidence
+     * @param value the value of the evidence
+     * @param confidence the confidence of the evidence
+     */
+    public void addAddVersion(String source, String name, String value, Confidence confidence) {
+        addVersion.add(new Evidence(source, name, value, confidence));
+    }
+
+    /**
+     * Get the value of addVersion.
+     *
+     * @return the value of addVersion
+     */
+    public List<Evidence> getAddVersion() {
+        return addVersion;
+    }
+
     /**
      * The list of vendor hints to add.
      */
diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml b/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml
index 4e1d870a6..5d3dacdaa 100644
--- a/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml
@@ -1,75 +1,120 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.0.xsd">
-	<hint>
-		<given>
-			<evidence type="product" source="Manifest" name="Implementation-Title" value="Spring Framework" confidence="HIGH"/>
-			<evidence type="product" source="Manifest" name="Implementation-Title" value="org.springframework.core" confidence="HIGH"/>
-			<evidence type="product" source="Manifest" name="Implementation-Title" value="spring-core" confidence="HIGH"/>
-		</given>
-		<add>
-			<evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
-		</add>
-	</hint>
-	<hint>
-		<given>
-			<evidence type="product" source="jar" name="package name" value="springframework" confidence="LOW"/>
-			<fileName contains="spring"/>	
-		</given>
-		<add>
-			<evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
-		</add>
-	</hint>
-	<hint>
-		<given>
-			<evidence type="product" source="jar" name="package name" value="springframework" confidence="LOW"/>
-		</given>
-		<add>
-			<evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
-		</add>
-	</hint>
-	<hint>
-		<given>
-			<evidence type="product" source="Manifest" name="Bundle-Name" value="Spring Security Core" confidence="MEDIUM"/>
-			<evidence type="product" source="pom" name="artifactid" value="spring-security-core" confidence="HIGH"/>	
-		</given>
-		<add>
-			<evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
-		</add>
-	</hint>
-	<hint>
-		<given>
-			<evidence type="vendor" source="composer.lock" name="vendor" value="symfony" confidence="HIGHEST"/>
-		</given>
-		<add>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="sensiolabs" confidence="HIGHEST"/>
-		</add>
-	</hint>		
-	<hint>
-		<given>
-			<evidence type="vendor" source="composer.lock" name="vendor" value="zendframework" confidence="HIGHEST"/>
-		</given>
-		<add>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="zend" confidence="HIGHEST"/>
-		</add>
-	</hint>	
-	<hint>
-		<given>
-			<evidence type="product" source="composer.lock" name="product" value="zendframework" confidence="HIGHEST"/>
-		</given>
-		<add>
-			<evidence type="vendor" source="hint analyzer" name="vendor" value="zend_framework" confidence="HIGHEST"/>
-		</add>
-	</hint>	
-	<vendorDuplicatingHint value="sun" duplicate="oracle"/>	
-	<vendorDuplicatingHint value="oracle" duplicate="sun"/>	
+<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
+    <hint>
+        <given>
+            <evidence type="product" source="Manifest" name="Implementation-Title" value="Spring Framework" confidence="HIGH"/>
+            <evidence type="product" source="Manifest" name="Implementation-Title" value="org.springframework.core" confidence="HIGH"/>
+            <evidence type="product" source="Manifest" name="Implementation-Title" value="spring-core" confidence="HIGH"/>
+        </given>
+        <add>
+            <evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
+        </add>
+    </hint>
+    <hint>
+        <given>
+            <evidence type="product" source="jar" name="package name" value="springframework" confidence="LOW"/>
+            <fileName contains="spring"/>	
+        </given>
+        <add>
+            <evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
+        </add>
+    </hint>
+    <hint>
+        <given>
+            <evidence type="product" source="jar" name="package name" value="springframework" confidence="LOW"/>
+        </given>
+        <add>
+            <evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
+        </add>
+    </hint>
+    <hint>
+        <given>
+            <evidence type="product" source="Manifest" name="Bundle-Name" value="Spring Security Core" confidence="MEDIUM"/>
+            <evidence type="product" source="pom" name="artifactid" value="spring-security-core" confidence="HIGH"/>	
+        </given>
+        <add>
+            <evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
+        </add>
+    </hint>
+    <hint>
+        <given>
+            <evidence type="vendor" source="composer.lock" name="vendor" value="symfony" confidence="HIGHEST"/>
+        </given>
+        <add>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="sensiolabs" confidence="HIGHEST"/>
+        </add>
+    </hint>		
+    <hint>
+        <given>
+            <evidence type="vendor" source="composer.lock" name="vendor" value="zendframework" confidence="HIGHEST"/>
+        </given>
+        <add>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="zend" confidence="HIGHEST"/>
+        </add>
+    </hint>	
+    <hint>
+        <given>
+            <evidence type="product" source="composer.lock" name="product" value="zendframework" confidence="HIGHEST"/>
+        </given>
+        <add>
+            <evidence type="vendor" source="hint analyzer" name="vendor" value="zend_framework" confidence="HIGHEST"/>
+        </add>
+    </hint>
+    
+    <!-- begin hack for temporary patch of issue #534-->
+    <hint>
+        <given>
+            <fileName regex="true" contains=".*hibernate-validator-5\.0\..*"/>
+        </given>
+        <add>
+            <evidence type="version" source="hint" name="version" value="5.0" confidence="HIGHEST"/>
+        </add>
+    </hint>
+    <hint>
+        <given>
+            <fileName regex="true" contains=".*hibernate-validator-5\.1\.[01].*"/>
+        </given>
+        <add>
+            <evidence type="version" source="hint" name="version" value="5.1" confidence="HIGHEST"/>
+        </add>
+    </hint>
+    <hint>
+        <given>
+            <fileName regex="true" contains=".*hibernate-validator-4\.1\..*"/>
+        </given>
+        <add>
+            <evidence type="version" source="hint" name="version" value="4.1.0" confidence="HIGHEST"/>
+        </add>
+    </hint>
+    <hint>
+        <given>
+            <fileName regex="true" contains=".*hibernate-validator-4\.2\.0.*"/>
+        </given>
+        <add>
+            <evidence type="version" source="hint" name="version" value="4.2.0" confidence="HIGHEST"/>
+        </add>
+    </hint>
+    <hint>
+        <given>
+            <fileName regex="true" contains=".*hibernate-validator-4\.3\.[01]\..*"/>
+        </given>
+        <add>
+            <evidence type="version" source="hint" name="version" value="4.3.0" confidence="HIGHEST"/>
+        </add>
+    </hint>
+    <!-- end hack for temporary patch of issue #534-->
+    
+    
+    <vendorDuplicatingHint value="sun" duplicate="oracle"/>	
+    <vendorDuplicatingHint value="oracle" duplicate="sun"/>	
 </hints>
\ No newline at end of file
diff --git a/dependency-check-core/src/main/resources/schema/dependency-hint.1.1.xsd b/dependency-check-core/src/main/resources/schema/dependency-hint.1.1.xsd
new file mode 100644
index 000000000..63390044a
--- /dev/null
+++ b/dependency-check-core/src/main/resources/schema/dependency-hint.1.1.xsd
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema id="hints"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           elementFormDefault="qualified"
+           targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd"
+           xmlns:dc="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
+	   
+    <xs:simpleType name="givenType">
+        <xs:restriction base="xs:string">
+            <xs:enumeration value="vendor"/>
+            <xs:enumeration value="product"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:simpleType name="addType">
+        <xs:restriction base="xs:string">
+            <xs:enumeration value="vendor"/>
+            <xs:enumeration value="product"/>
+            <xs:enumeration value="version"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:simpleType name="confidence">
+        <xs:restriction base="xs:string">
+            <xs:enumeration value="HIGHEST"/>
+            <xs:enumeration value="HIGH"/>
+            <xs:enumeration value="MEDIUM"/>
+            <xs:enumeration value="LOW"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:complexType name="givenEvidence">
+        <xs:attribute name="type" use="required" type="dc:givenType"/>
+        <xs:attribute name="source" use="required" type="xs:string"/>
+        <xs:attribute name="name" use="required" type="xs:string"/>
+        <xs:attribute name="value" use="required" type="xs:string"/>
+        <xs:attribute name="confidence" use="required" type="dc:confidence"/>
+    </xs:complexType>
+    <xs:complexType name="addEvidence">
+        <xs:attribute name="type" use="required" type="dc:addType"/>
+        <xs:attribute name="source" use="required" type="xs:string"/>
+        <xs:attribute name="name" use="required" type="xs:string"/>
+        <xs:attribute name="value" use="required" type="xs:string"/>
+        <xs:attribute name="confidence" use="required" type="dc:confidence"/>
+    </xs:complexType>
+    <xs:complexType name="fileName">
+        <xs:attribute name="contains" use="required" type="xs:string"/>
+        <xs:attribute name="regex" use="optional" type="xs:boolean" default="false"/>
+        <xs:attribute name="caseSensitive" use="optional" type="xs:boolean" default="false"/>
+    </xs:complexType>
+    <xs:complexType name="given">
+        <xs:choice minOccurs="1" maxOccurs="unbounded">
+            <xs:element name="evidence" type="dc:givenEvidence"/>
+            <xs:element name="fileName" type="dc:fileName"/>
+        </xs:choice>
+    </xs:complexType>
+    <xs:complexType name="add">
+        <xs:sequence minOccurs="1" maxOccurs="unbounded">
+            <xs:element name="evidence" type="dc:addEvidence"/>
+        </xs:sequence>
+    </xs:complexType>	
+    <xs:complexType name="hint">
+        <xs:sequence minOccurs="1" maxOccurs="1">
+            <xs:element name="given" type="dc:given"/>
+            <xs:element name="add" type="dc:add"/>
+        </xs:sequence>
+    </xs:complexType>
+    <xs:complexType name="duplicatingHint">
+        <xs:attribute name="value" use="required" type="xs:string"/>
+        <xs:attribute name="duplicate" use="required" type="xs:string"/>
+    </xs:complexType>
+	
+    <xs:element name="hints">
+        <xs:complexType>
+            <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                    <xs:element name="hint" type="dc:hint"/>
+                </xs:sequence>
+                <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                    <xs:element name="vendorDuplicatingHint" type="dc:duplicatingHint"/>
+                </xs:sequence>
+            </xs:sequence>
+        </xs:complexType>
+    </xs:element>
+</xs:schema>
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java
index 0b055fb1d..2d06c3a69 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java
@@ -52,7 +52,7 @@ public class HintHandlerTest extends BaseTest {
     @Test
     public void testHandler() throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException, SAXException, FileNotFoundException, UnsupportedEncodingException, IOException {
         File file = BaseTest.getResourceAsFile(this, "hints.xml");
-        File schema = BaseTest.getResourceAsFile(this, "schema/dependency-hint.1.0.xsd");
+        File schema = BaseTest.getResourceAsFile(this, "schema/dependency-hint.1.1.xsd");
         HintHandler handler = new HintHandler();
 
         SAXParserFactory factory = SAXParserFactory.newInstance();
diff --git a/dependency-check-core/src/test/resources/hints.xml b/dependency-check-core/src/test/resources/hints.xml
index 000028414..bf739a083 100644
--- a/dependency-check-core/src/test/resources/hints.xml
+++ b/dependency-check-core/src/test/resources/hints.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.0.xsd">
+<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
 	<hint>
 		<given>
 			<evidence type="product" source="product source" name="given product name" value="value" confidence="HIGH"/>
diff --git a/pom.xml b/pom.xml
index dc275a75d..9a774c09f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -360,7 +360,7 @@ Copyright (c) 2012 - Jeremy Long
                             <target name="copy xsd to site">
                                 <copy file="dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd" todir="target/site/"/>
                                 <copy file="dependency-check-core/src/main/resources/schema/dependency-suppression.1.1.xsd" todir="target/site/"/>
-                                <copy file="dependency-check-core/src/main/resources/schema/dependency-hint.1.0.xsd" todir="target/site/"/>
+                                <copy file="dependency-check-core/src/main/resources/schema/dependency-hint.1.1.xsd" todir="target/site/"/>
                             </target>
                         </configuration>
                     </execution>