temporary fix for issue #534

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -154,6 +154,9 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
                 for (Evidence e : hint.getAddProduct()) {
                     dependency.getProductEvidence().addEvidence(e);
                 }
+                for (Evidence e : hint.getAddVersion()) {
+                    dependency.getVersionEvidence().addEvidence(e);
+                }
             }
         }
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java

@@ -62,9 +62,17 @@ public class HintHandler extends DefaultHandler {
      */
     private static final String DUPLICATE = "duplicate";
     /**
-     * Attribute name.
+     * Attribute value.
      */
     private static final String VENDOR = "vendor";
+    /**
+     * Attribute value.
+     */
+    private static final String PRODUCT = "product";
+    /**
+     * Attribute value.
+     */
+    private static final String VERSION = "version";
     /**
      * Attribute name.
      */
@@ -168,7 +176,8 @@ public class HintHandler extends DefaultHandler {
                             attr.getValue(VALUE),
                             Confidence.valueOf(attr.getValue(CONFIDENCE)));
                 }
-            } else if (inAddNode) {
+            } else if (PRODUCT.equals(hintType)) {
+                if (inAddNode) {
                     rule.addAddProduct(attr.getValue(SOURCE),
                             attr.getValue(NAME),
                             attr.getValue(VALUE),
@@ -179,6 +188,14 @@ public class HintHandler extends DefaultHandler {
                             attr.getValue(VALUE),
                             Confidence.valueOf(attr.getValue(CONFIDENCE)));
                 }
+            } else if (VERSION.equals(hintType)) {
+                if (inAddNode) {
+                    rule.addAddVersion(attr.getValue(SOURCE),
+                            attr.getValue(NAME),
+                            attr.getValue(VALUE),
+                            Confidence.valueOf(attr.getValue(CONFIDENCE)));
+                }
+            }
         } else if (FILE_NAME.equals(qName)) {
             final PropertyType pt = new PropertyType();
             pt.setValue(attr.getValue(CONTAINS));

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java

@@ -64,7 +64,7 @@ public class HintParser {
     /**
      * The schema for the hint XML files.
      */
-    private static final String HINT_SCHEMA = "schema/dependency-hint.1.0.xsd";
+    private static final String HINT_SCHEMA = "schema/dependency-hint.1.1.xsd";
 
     /**
      * Parses the given XML file and returns a list of the hints contained.

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java

@@ -85,6 +85,15 @@ public class HintRule {
      */
     private final List<Evidence> givenVendor = new ArrayList<Evidence>();
 
+    /**
+     * The list of product evidence to add.
+     */
+    private final List<Evidence> addProduct = new ArrayList<Evidence>();
+    /**
+     * The list of version evidence to add.
+     */
+    private final List<Evidence> addVersion = new ArrayList<Evidence>();
+
     /**
      * Adds a given vendors to the list of evidence to matched.
      *
@@ -106,11 +115,6 @@ public class HintRule {
         return givenVendor;
     }
 
-    /**
-     * The list of product evidence to add.
-     */
-    private final List<Evidence> addProduct = new ArrayList<Evidence>();
-
     /**
      * Adds a given product to the list of evidence to add when matched.
      *
@@ -132,6 +136,27 @@ public class HintRule {
         return addProduct;
     }
 
+    /**
+     * Adds a given version to the list of evidence to add when matched.
+     *
+     * @param source the source of the evidence
+     * @param name the name of the evidence
+     * @param value the value of the evidence
+     * @param confidence the confidence of the evidence
+     */
+    public void addAddVersion(String source, String name, String value, Confidence confidence) {
+        addVersion.add(new Evidence(source, name, value, confidence));
+    }
+
+    /**
+     * Get the value of addVersion.
+     *
+     * @return the value of addVersion
+     */
+    public List<Evidence> getAddVersion() {
+        return addVersion;
+    }
+
     /**
      * The list of vendor hints to add.
      */

dependency-check-core/src/main/resources/dependencycheck-base-hint.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.0.xsd">
+<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
     <hint>
         <given>
             <evidence type="product" source="Manifest" name="Implementation-Title" value="Spring Framework" confidence="HIGH"/>
@@ -70,6 +70,51 @@
             <evidence type="vendor" source="hint analyzer" name="vendor" value="zend_framework" confidence="HIGHEST"/>
         </add>
     </hint>
+    
+    <!-- begin hack for temporary patch of issue #534-->
+    <hint>
+        <given>
+            <fileName regex="true" contains=".*hibernate-validator-5\.0\..*"/>
+        </given>
+        <add>
+            <evidence type="version" source="hint" name="version" value="5.0" confidence="HIGHEST"/>
+        </add>
+    </hint>
+    <hint>
+        <given>
+            <fileName regex="true" contains=".*hibernate-validator-5\.1\.[01].*"/>
+        </given>
+        <add>
+            <evidence type="version" source="hint" name="version" value="5.1" confidence="HIGHEST"/>
+        </add>
+    </hint>
+    <hint>
+        <given>
+            <fileName regex="true" contains=".*hibernate-validator-4\.1\..*"/>
+        </given>
+        <add>
+            <evidence type="version" source="hint" name="version" value="4.1.0" confidence="HIGHEST"/>
+        </add>
+    </hint>
+    <hint>
+        <given>
+            <fileName regex="true" contains=".*hibernate-validator-4\.2\.0.*"/>
+        </given>
+        <add>
+            <evidence type="version" source="hint" name="version" value="4.2.0" confidence="HIGHEST"/>
+        </add>
+    </hint>
+    <hint>
+        <given>
+            <fileName regex="true" contains=".*hibernate-validator-4\.3\.[01]\..*"/>
+        </given>
+        <add>
+            <evidence type="version" source="hint" name="version" value="4.3.0" confidence="HIGHEST"/>
+        </add>
+    </hint>
+    <!-- end hack for temporary patch of issue #534-->
+    
+    
     <vendorDuplicatingHint value="sun" duplicate="oracle"/>	
     <vendorDuplicatingHint value="oracle" duplicate="sun"/>	
 </hints>

dependency-check-core/src/main/resources/schema/dependency-hint.1.1.xsd

@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema id="hints"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           elementFormDefault="qualified"
+           targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd"
+           xmlns:dc="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
+	   
+    <xs:simpleType name="givenType">
+        <xs:restriction base="xs:string">
+            <xs:enumeration value="vendor"/>
+            <xs:enumeration value="product"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:simpleType name="addType">
+        <xs:restriction base="xs:string">
+            <xs:enumeration value="vendor"/>
+            <xs:enumeration value="product"/>
+            <xs:enumeration value="version"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:simpleType name="confidence">
+        <xs:restriction base="xs:string">
+            <xs:enumeration value="HIGHEST"/>
+            <xs:enumeration value="HIGH"/>
+            <xs:enumeration value="MEDIUM"/>
+            <xs:enumeration value="LOW"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:complexType name="givenEvidence">
+        <xs:attribute name="type" use="required" type="dc:givenType"/>
+        <xs:attribute name="source" use="required" type="xs:string"/>
+        <xs:attribute name="name" use="required" type="xs:string"/>
+        <xs:attribute name="value" use="required" type="xs:string"/>
+        <xs:attribute name="confidence" use="required" type="dc:confidence"/>
+    </xs:complexType>
+    <xs:complexType name="addEvidence">
+        <xs:attribute name="type" use="required" type="dc:addType"/>
+        <xs:attribute name="source" use="required" type="xs:string"/>
+        <xs:attribute name="name" use="required" type="xs:string"/>
+        <xs:attribute name="value" use="required" type="xs:string"/>
+        <xs:attribute name="confidence" use="required" type="dc:confidence"/>
+    </xs:complexType>
+    <xs:complexType name="fileName">
+        <xs:attribute name="contains" use="required" type="xs:string"/>
+        <xs:attribute name="regex" use="optional" type="xs:boolean" default="false"/>
+        <xs:attribute name="caseSensitive" use="optional" type="xs:boolean" default="false"/>
+    </xs:complexType>
+    <xs:complexType name="given">
+        <xs:choice minOccurs="1" maxOccurs="unbounded">
+            <xs:element name="evidence" type="dc:givenEvidence"/>
+            <xs:element name="fileName" type="dc:fileName"/>
+        </xs:choice>
+    </xs:complexType>
+    <xs:complexType name="add">
+        <xs:sequence minOccurs="1" maxOccurs="unbounded">
+            <xs:element name="evidence" type="dc:addEvidence"/>
+        </xs:sequence>
+    </xs:complexType>	
+    <xs:complexType name="hint">
+        <xs:sequence minOccurs="1" maxOccurs="1">
+            <xs:element name="given" type="dc:given"/>
+            <xs:element name="add" type="dc:add"/>
+        </xs:sequence>
+    </xs:complexType>
+    <xs:complexType name="duplicatingHint">
+        <xs:attribute name="value" use="required" type="xs:string"/>
+        <xs:attribute name="duplicate" use="required" type="xs:string"/>
+    </xs:complexType>
+	
+    <xs:element name="hints">
+        <xs:complexType>
+            <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                    <xs:element name="hint" type="dc:hint"/>
+                </xs:sequence>
+                <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                    <xs:element name="vendorDuplicatingHint" type="dc:duplicatingHint"/>
+                </xs:sequence>
+            </xs:sequence>
+        </xs:complexType>
+    </xs:element>
+</xs:schema>

dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java

@@ -52,7 +52,7 @@ public class HintHandlerTest extends BaseTest {
     @Test
     public void testHandler() throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException, SAXException, FileNotFoundException, UnsupportedEncodingException, IOException {
         File file = BaseTest.getResourceAsFile(this, "hints.xml");
-        File schema = BaseTest.getResourceAsFile(this, "schema/dependency-hint.1.0.xsd");
+        File schema = BaseTest.getResourceAsFile(this, "schema/dependency-hint.1.1.xsd");
         HintHandler handler = new HintHandler();
 
         SAXParserFactory factory = SAXParserFactory.newInstance();

dependency-check-core/src/test/resources/hints.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.0.xsd">
+<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
 	<hint>
 		<given>
 			<evidence type="product" source="product source" name="given product name" value="value" confidence="HIGH"/>

pom.xml

@@ -360,7 +360,7 @@ Copyright (c) 2012 - Jeremy Long
                             <target name="copy xsd to site">
                                 <copy file="dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd" todir="target/site/"/>
                                 <copy file="dependency-check-core/src/main/resources/schema/dependency-suppression.1.1.xsd" todir="target/site/"/>
-                                <copy file="dependency-check-core/src/main/resources/schema/dependency-hint.1.0.xsd" todir="target/site/"/>
+                                <copy file="dependency-check-core/src/main/resources/schema/dependency-hint.1.1.xsd" todir="target/site/"/>
                             </target>
                         </configuration>
                     </execution>