bundle the same SWIFT package by different analyzers

2026-01-13 23:33:37 +01:00 · 2016-05-06 13:43:05 -04:00
parent dc7245ff6e
commit 1e7bbfa7c1
6 changed files with 50 additions and 18 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
@@ -114,7 +114,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
-        return Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED;
+        return Settings.KEYS.ANALYZER_COCOAPODS_ENABLED;
    }

    @Override
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -112,6 +112,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                    final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
                    while (subIterator.hasNext()) {
                        final Dependency nextDependency = subIterator.next();
+                        Dependency main = null;
                        if (hashesMatch(dependency, nextDependency) && !containedInWar(dependency.getFilePath())
                                && !containedInWar(nextDependency.getFilePath())) {
                            if (firstPathIsShortest(dependency.getFilePath(), nextDependency.getFilePath())) {
@@ -138,8 +139,14 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
                            }
-                        } else if ( isSameRubyGem(dependency, nextDependency) ) {
-                        	Dependency main = getMainGemspecDependency(dependency, nextDependency);
+                        } else if ( (main = getMainGemspecDependency(dependency, nextDependency)) != null ) {
+                        	if (main == dependency) {
+                        		mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+                        	} else {
+                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
+                            }
+                        } else if ( (main = getMainSwiftDependency(dependency, nextDependency)) != null) {
                        	if (main == dependency) {
                        		mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                        	} else {
@@ -348,6 +355,33 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
        }
        return null;
    }
+    
+    /**
+     * Bundling same swift dependencies with the same packagePath but identified by different analyzers.
+     */
+    private boolean isSameSwiftPackage(Dependency dependency1, Dependency dependency2) {
+    	if (dependency1 == null || dependency2 == null ||
+    		(!dependency1.getFileName().endsWith(".podspec") &&
+    		!dependency1.getFileName().equals("Package.swift")) ||
+    		(!dependency2.getFileName().endsWith(".podspec") &&
+    		!dependency2.getFileName().equals("Package.swift")) ||
+    		dependency1.getPackagePath() == null ||
+    		dependency2.getPackagePath() == null) {
+            return false;
+        }
+        if (dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath()))
+        	return true;
+
+       	return false;
+    }
+    private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) {
+    	if (isSameSwiftPackage(dependency1, dependency2)) {
+    		if(dependency1.getFileName().endsWith(".podspec"))
+    			return dependency1;
+            return dependency2;
+        }
+        return null;
+    }

    /**
     * This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
@@ -21,14 +21,9 @@ import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
-import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;

-import javax.json.JsonObject;
-import javax.json.JsonString;
-import javax.json.JsonValue;
-
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -37,8 +32,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;

 /**
 * @author Bianca Xue Jiang
@@ -119,7 +112,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
-        return Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED;
+        return Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED;
    }

    @Override
@@ -149,8 +142,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
            if (!name.isEmpty()) {
                vendor.addEvidence(SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST);
            }
-            setPackagePath(dependency);
        }
+        setPackagePath(dependency);
    }
    
    private String addStringEvidence(EvidenceCollection evidences,
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -102,6 +102,8 @@ analyzer.nuspec.enabled=true
 analyzer.openssl.enabled=true
 analyzer.central.enabled=true
 analyzer.nexus.enabled=false
+analyzer.cocoapods.enabled=true
+analyzer.swift.package.manager.enabled=true
 #whether the nexus analyzer uses the proxy
 analyzer.nexus.proxy=true

--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
@@ -117,12 +117,7 @@ public class SwiftAnalyzersTest extends BaseTest {
        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                "swift/Gloss/Package.swift"));
        spmAnalyzer.analyze(result, null);
-        System.out.println(result.getProductEvidence().toString());
-        
-//        assertThat(vendorString, containsString("Carlos Vidal"));
-//        assertThat(vendorString, containsString("https://github.com/nakiostudio/EasyPeasy"));
-//        assertThat(vendorString, containsString("MIT"));
+
        assertThat(result.getProductEvidence().toString(), containsString("Gloss"));
-//        assertThat(result.getVersionEvidence().toString(), containsString("0.2.3"));
    }
 }
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -253,6 +253,14 @@ public final class Settings {
         * The properties key for whether the OpenSSL analyzer is enabled.
         */
        public static final String ANALYZER_OPENSSL_ENABLED = "analyzer.openssl.enabled";
+        /**
+         * The properties key for whether the cocoapods analyzer is enabled.
+         */
+        public static final String ANALYZER_COCOAPODS_ENABLED = "analyzer.cocoapods.enabled";
+        /**
+         * The properties key for whether the SWIFT package manager analyzer is enabled.
+         */
+        public static final String ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED = "analyzer.swift.package.manager.enabled";
        /**
         * The properties key for the Central search URL.
         */