From 1e7bbfa7c1df6eccf139d6aa38e7c2d266609aed Mon Sep 17 00:00:00 2001
From: bjiang
Date: Fri, 6 May 2016 13:43:05 -0400
Subject: [PATCH] bundle the same SWIFT package by different analyzers
---
 .../analyzer/CocoaPodsAnalyzer.java | 2 +-
 .../analyzer/DependencyBundlingAnalyzer.java | 38 ++++++++++++++++++-
 .../analyzer/SwiftPackageManagerAnalyzer.java | 11 +-----
 .../main/resources/dependencycheck.properties | 2 +
 .../analyzer/SwiftAnalyzersTest.java | 7 +---
 .../owasp/dependencycheck/utils/Settings.java | 8 ++++
 6 files changed, 50 insertions(+), 18 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
index b46c8ac1e..9b6d0d27a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
@@ -114,7 +114,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
 */
 @Override
 protected String getAnalyzerEnabledSettingKey() {
- return Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED;
+ return Settings.KEYS.ANALYZER_COCOAPODS_ENABLED;
 }
 @Override
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
index fd6911e6f..8a877c87a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -112,6 +112,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 final ListIterator subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
 while (subIterator.hasNext()) {
 final Dependency nextDependency = subIterator.next();
+ Dependency main = null;
 if (hashesMatch(dependency, nextDependency) && !containedInWar(dependency.getFilePath()) && !containedInWar(nextDependency.getFilePath())) {
 if (firstPathIsShortest(dependency.getFilePath(), nextDependency.getFilePath())) {
@@ -138,8 +139,14 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
 break; //since we merged into the next dependency - skip forward to the next in mainIterator
 }
- } else if ( isSameRubyGem(dependency, nextDependency) ) {
- Dependency main = getMainGemspecDependency(dependency, nextDependency);
+ } else if ( (main = getMainGemspecDependency(dependency, nextDependency)) != null ) {
+ if (main == dependency) {
+ mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+ } else {
+ mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+ break; //since we merged into the next dependency - skip forward to the next in mainIterator
+ }
+ } else if ( (main = getMainSwiftDependency(dependency, nextDependency)) != null) {
 if (main == dependency) {
 mergeDependencies(dependency, nextDependency, dependenciesToRemove);
 } else {
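Review bot: The new `} else if ( (main = getMainGemspecDependency(dependency, nextDependency)) != null ) {` drops the former `isSameRubyGem` guard, so the branch now relies on `getMainGemspecDependency` returning null for every non-gem pair; that method's body is outside this hunk, so please confirm it never yields a non-null "main" for unrelated dependencies, because the consequence is that two unrelated files are merged and one of them disappears from the report. The assignment inside the condition also trips Checkstyle's InnerAssignment rule and the Swift branch copies the same pattern. The three branches now carry an identical merge-or-merge-and-break body; I would pull it into a private helper such as `mergeIntoMain(main, dependency, nextDependency, dependenciesToRemove)` that returns true when the caller must `break`, and call it from the hash, gem and Swift branches. The enclosing loop and method start outside this hunk.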
@@ -348,6 +355,33 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 }
 return null;
 }
+
+ /**
+ * Bundling same swift dependencies with the same packagePath but identified by different analyzers.
+ */
+ private boolean isSameSwiftPackage(Dependency dependency1, Dependency dependency2) {
+ if (dependency1 == null || dependency2 == null ||
+ (!dependency1.getFileName().endsWith(".podspec") &&
+ !dependency1.getFileName().equals("Package.swift")) ||
+ (!dependency2.getFileName().endsWith(".podspec") &&
+ !dependency2.getFileName().equals("Package.swift")) ||
+ dependency1.getPackagePath() == null ||
+ dependency2.getPackagePath() == null) {
+ return false;
+ }
+ if (dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath()))
+ return true;
+
+ return false;
+ }
+ private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) {
+ if (isSameSwiftPackage(dependency1, dependency2)) {
+ if(dependency1.getFileName().endsWith(".podspec"))
+ return dependency1;
+ return dependency2;
+ }
+ return null;
+ }
 /**
 * This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
index b378e68f5..e771c729b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
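Review bot: `isSameSwiftPackage` does not require the two files to come from different analyzers as its Javadoc claims: two `.podspec` files (or two `Package.swift`) sharing a package path also match, `getMainSwiftDependency` then keeps whichever happens to be `dependency1`, and the other is merged and removed from the report, so a distinct package can silently vanish from the findings. The predicate should pair exactly one podspec with one Package.swift; the `equalsIgnoreCase` on the package path widens the key further (if packagePath is derived from a filesystem path that may be deliberate for macOS, but I would confirm), and `getFileName()` is dereferenced before any null check, which matters if it can ever be null. Style: single-statement `if`s without braces, `if(` spacing, `if (...) return true; return false;` for what is a boolean expression, and no Javadoc on `getMainSwiftDependency`. A rewrite of the predicate with two small helpers follows; `getMainSwiftDependency` then only needs braces and a one-line Javadoc.

```java
/**
 * Two dependencies are the same SWIFT package when one is a CocoaPods .podspec,
 * the other a Package.swift, and both report the same package path.
 */
private boolean isSameSwiftPackage(Dependency dependency1, Dependency dependency2) {
    if (dependency1 == null || dependency2 == null
            || dependency1.getPackagePath() == null || dependency2.getPackagePath() == null) {
        return false;
    }
    // one side must be the podspec and the other the Package.swift; two files of the
    // same kind are separate packages even when they share a path
    final boolean podThenSpm = isPodspec(dependency1) && isPackageSwift(dependency2);
    final boolean spmThenPod = isPackageSwift(dependency1) && isPodspec(dependency2);
    return (podThenSpm || spmThenPod)
            && dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath());
}

private static boolean isPodspec(Dependency dependency) {
    final String fileName = dependency.getFileName();
    return fileName != null && fileName.endsWith(".podspec");
}

private static boolean isPackageSwift(Dependency dependency) {
    return "Package.swift".equals(dependency.getFileName());
}

/**
 * Returns the podspec side of a matching pair (the dependency to keep), or null when
 * the two are not the same SWIFT package.
 */
private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) {
    if (!isSameSwiftPackage(dependency1, dependency2)) {
        return null;
    }
    return isPodspec(dependency1) ? dependency1 : dependency2;
}
```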
@@ -21,14 +21,9 @@ import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
-import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import javax.json.JsonObject;
-import javax.json.JsonString;
-import javax.json.JsonValue;
-
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -37,8 +32,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 /**
 * @author Bianca Xue Jiang
@@ -119,7 +112,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
 */
 @Override
 protected String getAnalyzerEnabledSettingKey() {
- return Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED;
+ return Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED;
 }
 @Override
@@ -149,8 +142,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
 if (!name.isEmpty()) {
 vendor.addEvidence(SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST);
 }
- setPackagePath(dependency);
 }
+ setPackagePath(dependency);
 }
 private String addStringEvidence(EvidenceCollection evidences,
diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index 118b5b50f..777ea470b 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
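Review bot: In the last hunk `setPackagePath(dependency)` moves out of an enclosing block whose opening brace is above the hunk, so it now runs even when that block's condition fails; presumably that is the branch that only executes when the Package.swift was parsed, so please confirm `setPackagePath` copes with a dependency that produced no evidence at all. Because DependencyBundlingAnalyzer keys its new Swift bundling on `getPackagePath()` alone, a Package.swift with no usable name can now still be merged into a `.podspec` under the same path; if that is intended, say so at the call site: `// always record the package path: DependencyBundlingAnalyzer uses it to pair this Package.swift with its .podspec`. The enclosing method starts outside this hunk.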
@@ -102,6 +102,8 @@ analyzer.nuspec.enabled=true
 analyzer.openssl.enabled=true
 analyzer.central.enabled=true
 analyzer.nexus.enabled=false
+analyzer.cocoapods.enabled=true
+analyzer.swift.package.manager.enabled=true
 #whether the nexus analyzer uses the proxy
 analyzer.nexus.proxy=true
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
index e937af7a6..94e4b020d 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
@@ -117,12 +117,7 @@ public class SwiftAnalyzersTest extends BaseTest {
 final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "swift/Gloss/Package.swift"));
 spmAnalyzer.analyze(result, null);
- System.out.println(result.getProductEvidence().toString());
-
-// assertThat(vendorString, containsString("Carlos Vidal"));
-// assertThat(vendorString, containsString("https://github.com/nakiostudio/EasyPeasy"));
-// assertThat(vendorString, containsString("MIT"));
+ assertThat(result.getProductEvidence().toString(), containsString("Gloss"));
-// assertThat(result.getVersionEvidence().toString(), containsString("0.2.3"));
 }
 }
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index 8f1f38147..bacae09fd 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
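Review bot: The only assertion added in the SwiftAnalyzersTest hunk checks product evidence from `spmAnalyzer`; nothing exercises the bundling that is the subject of this commit, so `isSameSwiftPackage` and `getMainSwiftDependency` in DependencyBundlingAnalyzer ship untested. I would add a test that runs DependencyBundlingAnalyzer over a `.podspec` and a `Package.swift` with the same package path and asserts that exactly one dependency remains and that it is the podspec, plus a negative case (two podspecs, or differing paths) that must not be merged, since a wrong merge removes a package from the report. The commented-out version assertion for `0.2.3` was deleted rather than turned into a real check, so the SPM analyzer's version evidence remains unverified; either assert it or leave a comment explaining why no version is extracted from Package.swift.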
@@ -253,6 +253,14 @@ public final class Settings {
 * The properties key for whether the OpenSSL analyzer is enabled.
 */
 public static final String ANALYZER_OPENSSL_ENABLED = "analyzer.openssl.enabled";
+ /**
+ * The properties key for whether the cocoapods analyzer is enabled.
+ */
+ public static final String ANALYZER_COCOAPODS_ENABLED = "analyzer.cocoapods.enabled";
+ /**
+ * The properties key for whether the SWIFT package manager analyzer is enabled.
+ */
+ public static final String ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED = "analyzer.swift.package.manager.enabled";
 /**
 * The properties key for the Central search URL.
 */