Merge branch 'upmaster' into remove-dependency-extension-property

Former-commit-id: b06adaf9fa3031c27be08523b9689ae58d0cc322
2026-05-01 12:44:33 +02:00 · 2015-07-19 08:06:43 -04:00
parent 005e401c7f dc466f1480
commit 1b8dc71980
32 changed files with 703 additions and 143 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -154,9 +154,11 @@ public class CPEAnalyzer implements Analyzer {
    public void close() {
        if (cpe != null) {
            cpe.close();
+            cpe = null;
        }
        if (cve != null) {
            cve.close();
+            cve = null;
        }
    }

--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
@@ -0,0 +1,172 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.apache.commons.io.FileUtils;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.Settings;
+
+import java.io.File;
+import java.io.FileFilter;
+import java.io.IOException;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Used to analyze OpenSSL source code present in the file system.
+ *
+ * @author Dale Visser <dvisser@ida.org>
+ */
+public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
+
+    private static final int HEXADECIMAL = 16;
+    /**
+     * Filename to analyze. All other .h files get removed from consideration.
+     */
+    private static final String OPENSSLV_H = "opensslv.h";
+
+    /**
+     * Filter that detects files named "__init__.py".
+     */
+    private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build();
+    private static final Pattern VERSION_PATTERN = Pattern.compile(
+            "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL
+                    | Pattern.CASE_INSENSITIVE);
+    private static final int MAJOR_OFFSET = 28;
+    private static final long MINOR_MASK = 0x0ff00000L;
+    private static final int MINOR_OFFSET = 20;
+    private static final long FIX_MASK = 0x000ff000L;
+    private static final int FIX_OFFSET = 12;
+    private static final long PATCH_MASK = 0x00000ff0L;
+    private static final int PATCH_OFFSET = 4;
+    private static final int NUM_LETTERS = 26;
+    private static final int STATUS_MASK = 0x0000000f;
+
+    static String getOpenSSLVersion(long openSSLVersionConstant) {
+        long major = openSSLVersionConstant >>> MAJOR_OFFSET;
+        long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
+        long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
+        long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET;
+        String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" :
+                String.valueOf((char) (patchLevel + 'a' - 1));
+        int statusCode = (int) (openSSLVersionConstant & STATUS_MASK);
+        String status = 0xf == statusCode ? "" :
+                (0 == statusCode ? "-dev" : "-beta" + statusCode);
+        return String.format("%d.%d.%d%s%s", major, minor, fix, patch, status);
+    }
+
+    /**
+     * Returns the name of the Python Package Analyzer.
+     *
+     * @return the name of the analyzer
+     */
+    @Override
+    public String getName() {
+        return "OpenSSL Source Analyzer";
+    }
+
+    /**
+     * Tell that we are used for information collection.
+     *
+     * @return INFORMATION_COLLECTION
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return AnalysisPhase.INFORMATION_COLLECTION;
+    }
+
+    /**
+     * Returns the set of supported file extensions.
+     *
+     * @return the set of supported file extensions
+     */
+    @Override
+    protected FileFilter getFileFilter() {
+        return OPENSSLV_FILTER;
+    }
+
+    /**
+     * No-op initializer implementation.
+     *
+     * @throws Exception never thrown
+     */
+    @Override
+    protected void initializeFileTypeAnalyzer() throws Exception {
+        // Nothing to do here.
+    }
+
+    /**
+     * Analyzes python packages and adds evidence to the dependency.
+     *
+     * @param dependency the dependency being analyzed
+     * @param engine     the engine being used to perform the scan
+     * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
+     */
+    @Override
+    protected void analyzeFileType(Dependency dependency, Engine engine)
+            throws AnalysisException {
+        final File file = dependency.getActualFile();
+        final String parentName = file.getParentFile().getName();
+        boolean found = false;
+        final String contents = getFileContents(file);
+        if (!contents.isEmpty()) {
+            final Matcher matcher = VERSION_PATTERN.matcher(contents);
+            if (matcher.find()) {
+                dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant",
+                        getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH);
+                found = true;
+            }
+        }
+        if (found) {
+            dependency.setDisplayFileName(parentName + File.separatorChar + OPENSSLV_H);
+            dependency.getVendorEvidence().addEvidence(OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST);
+            dependency.getProductEvidence().addEvidence(OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST);
+        } else {
+            engine.getDependencies().remove(dependency);
+        }
+    }
+
+    /**
+     * Retrieves the contents of a given file.
+     *
+     * @param actualFile the file to read
+     * @return the contents of the file
+     * @throws AnalysisException thrown if there is an IO Exception
+     */
+    private String getFileContents(final File actualFile)
+            throws AnalysisException {
+        String contents;
+        try {
+            contents = FileUtils.readFileToString(actualFile).trim();
+        } catch (IOException e) {
+            throw new AnalysisException(
+                    "Problem occurred while reading dependency file.", e);
+        }
+        return contents;
+    }
+
+
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_OPENSSL_ENABLED;
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java
@@ -58,6 +58,8 @@ public abstract class BaseUpdater {
        if (cveDB != null) {
            try {
                cveDB.close();
+                cveDB = null;
+                properties = null;
            } catch (Throwable ignore) {
                LOGGER.trace("Error closing the database", ignore);
            }
@@ -76,11 +78,11 @@ public abstract class BaseUpdater {
        try {
            cveDB = new CveDB();
            cveDB.open();
+            properties = cveDB.getDatabaseProperties();
        } catch (DatabaseException ex) {
            closeDataStores();
            LOGGER.debug("Database Exception opening databases", ex);
            throw new UpdateException("Error updating the database, please see the log file for more details.");
        }
-        properties = cveDB.getDatabaseProperties();
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
@@ -97,7 +97,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
            final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
            if (updateNeeded) {
                LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
-                    updateToVersion);
+                        updateToVersion);
            }
        } catch (DatabaseException ex) {
            LOGGER.debug("Database Exception opening databases to retrieve properties", ex);
@@ -115,8 +115,8 @@ public class EngineVersionCheck implements CachedWebDataSource {
     * @param properties the database properties object
     * @param currentVersion the current version of dependency-check
     * @return <code>true</code> if a newer version of the database has been released; otherwise <code>false</code>
-     * @throws UpdateException thrown if there is an error connecting to the github documentation site or accessing the
-     * local database.
+     * @throws UpdateException thrown if there is an error connecting to the github documentation site or accessing the local
+     * database.
     */
    protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
            String currentVersion) throws UpdateException {
@@ -172,6 +172,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
        if (cveDB != null) {
            try {
                cveDB.close();
+                cveDB = null;
            } catch (Throwable ignore) {
                LOGGER.trace("Error closing the cveDB", ignore);
            }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
@@ -141,13 +141,13 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
    }

    /**
-     * Adds term to the weighting collection. The terms added here are used later to boost the score of other terms.
-     * This is a way of combining evidence from multiple sources to boost the confidence of the given evidence.
+     * Adds term to the weighting collection. The terms added here are used later to boost the score of other terms. This is a way
+     * of combining evidence from multiple sources to boost the confidence of the given evidence.
     *
-     * Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the
-     * package names within the JAR file we may add these package names to the "weighted" strings collection to boost
-     * the score in the Lucene query. That way when we construct the Lucene query we find the term Apache in the
-     * collection AND in the weighted strings; as such, we will boost the confidence of the term Apache.
+     * Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the package
+     * names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the
+     * Lucene query. That way when we construct the Lucene query we find the term Apache in the collection AND in the weighted
+     * strings; as such, we will boost the confidence of the term Apache.
     *
     * @param str to add to the weighting collection.
     */
@@ -156,8 +156,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
    }

    /**
-     * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in
-     * another location.
+     * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another
+     * location.
     *
     * @return Set<String>
     */
@@ -322,11 +322,11 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
        final Set<Evidence> ret = new TreeSet<Evidence>();
        for (EvidenceCollection col : ec) {
            for (Evidence e : col) {
-                if (e.isUsed()) {
-                    final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null);
-                    newEvidence.setUsed(true);
-                    ret.add(newEvidence);
-                }
+                //if (e.isUsed()) {
+                final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null);
+                newEvidence.setUsed(true);
+                ret.add(newEvidence);
+                //}
            }
        }
        return ret;
@@ -357,11 +357,11 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {

    /**
     * <p>
-     * Takes a string that may contain a fully qualified domain and it will return the string having removed the query
-     * string, the protocol, the sub-domain of 'www', and the file extension of the path.</p>
+     * Takes a string that may contain a fully qualified domain and it will return the string having removed the query string, the
+     * protocol, the sub-domain of 'www', and the file extension of the path.</p>
     * <p>
-     * This is useful for checking if the evidence contains a specific string. The presence of the protocol, file
-     * extension, etc. may produce false positives.
+     * This is useful for checking if the evidence contains a specific string. The presence of the protocol, file extension, etc.
+     * may produce false positives.
     *
     * <p>
     * Example, given the following input:</p>
--- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
+++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
@@ -14,4 +14,5 @@ org.owasp.dependencycheck.analyzer.NuspecAnalyzer
 org.owasp.dependencycheck.analyzer.AssemblyAnalyzer
 org.owasp.dependencycheck.analyzer.PythonDistributionAnalyzer
 org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer
-org.owasp.dependencycheck.analyzer.AutoconfAnalyzer
+org.owasp.dependencycheck.analyzer.AutoconfAnalyzer
+org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -138,4 +138,19 @@
        <gav regex="true">com.microsoft.bingads:microsoft.bingads:.*</gav>
        <cpe>cpe:/a:microsoft:bing</cpe>
    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Oracle Jersey is flagged as glassfish.
+        ]]></notes>
+        <gav regex="true">.*jersey.*</gav>
+        <cpe>cpe:/a:oracle:glassfish_server</cpe>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Oracle HK2 is flagged as glassfish.
+        ]]></notes>
+        <gav regex="true">.*\bhk2\b.*</gav>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
 </suppressions>
--- a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd
+++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2">
+<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
    <xs:element name="analysis">
        <xs:complexType>
            <xs:sequence minOccurs="0" maxOccurs="unbounded">
@@ -111,6 +111,8 @@
                                                                <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
                                                                <xs:element name="value" type="xs:string" minOccurs="1" maxOccurs="1" />
                                                            </xs:sequence>
+                                                            <xs:attribute name="type" type="xs:string" use="required" />
+                                                            <xs:attribute name="confidence" type="xs:string" use="required" />
                                                        </xs:complexType>
                                                    </xs:element>
                                                </xs:sequence>
--- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl
@@ -560,7 +560,7 @@ arising out of or in connection with the use of this tool, the analysis performe
                        <th class="sortable" data-sort="int" title="The highest CVE Severity">Highest Severity</th>
                        <th class="sortable" data-sort="int" title="The number of Common Vulnerability and Exposure (CVE) entries">CVE Count</th>
                        <th class="sortable" data-sort="string" title="The confidence rating dependency-check has for the identified CPE">CPE Confidence</th>
-                        <th class="sortable" data-sort="int" title="The count of evidence used to identify the CPE">Evidence Count</th>
+                        <th class="sortable" data-sort="int" title="The count of evidence collected to identify the CPE">Evidence Count</th>
                    </tr></thead>
                    #foreach($dependency in $dependencies)
                    #set($lnkcnt=$lnkcnt+1)
--- a/dependency-check-core/src/main/resources/templates/XmlReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/XmlReport.vsl
@@ -18,7 +18,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
@author Jeremy Long <jeremy.long@owasp.org>
@version 1.1
 *#<?xml version="1.0"?>
-<analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2">
+<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
    <scanInfo>
        <engineVersion>$version</engineVersion>
 #foreach($prop in $properties.getMetaData().entrySet())
@@ -68,8 +68,22 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            </relatedDependencies>
 #end
            <evidenceCollected>
-#foreach($evidence in $dependency.getEvidenceForDisplay())
-                <evidence>
+#foreach($evidence in $dependency.getVendorEvidence())
+                <evidence type="vendor" confidence="$enc.xml($evidence.getConfidence().toString())">
+                    <source>$enc.xml($evidence.getSource())</source>
+                    <name>$enc.xml($evidence.getName())</name>
+                    <value>$enc.xml($evidence.getValue().trim())</value>
+                </evidence>
+#end
+#foreach($evidence in $dependency.getProductEvidence())
+                <evidence type="product" confidence="$enc.xml($evidence.getConfidence().toString())">
+                    <source>$enc.xml($evidence.getSource())</source>
+                    <name>$enc.xml($evidence.getName())</name>
+                    <value>$enc.xml($evidence.getValue().trim())</value>
+                </evidence>
+#end
+#foreach($evidence in $dependency.getVersionEvidence())
+                <evidence type="version" confidence="$enc.xml($evidence.getConfidence().toString())">
                    <source>$enc.xml($evidence.getSource())</source>
                    <name>$enc.xml($evidence.getName())</name>
                    <value>$enc.xml($evidence.getValue().trim())</value>