Adding Dependency Bundling to collapse multiple related dependencies into a single reportable instance

Former-commit-id: a82034eaaa59e1ea9f69847135be01b5631d59cb

src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -0,0 +1,120 @@
+/*
+ * This file is part of DependencyCheck.
+ *
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
+
+/**
+ * <p>This analyzer ensures dependencies that should be grouped together, to remove
+ * excess noise from the report, are grouped. An example would be Spring, Spring
+ * Beans, Spring MVC, etc. If they are all for the same version and have the same
+ * relative path then these should be grouped into a single dependency under the
+ * core/main library.</p>
+ * <p>Note, this grouping only works on dependencies with identified CVE entries</p>
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
+
+    /**
+     * The set of file extensions supported by this analyzer.
+     */
+    private static final Set<String> EXTENSIONS = null;
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Dependency Bundling Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
+
+    /**
+     * Returns a list of file EXTENSIONS supported by this analyzer.
+     *
+     * @return a list of file EXTENSIONS supported by this analyzer.
+     */
+    public Set<String> getSupportedExtensions() {
+        return EXTENSIONS;
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support
+     * @return whether or not the specified file extension is supported by this
+     * analyzer.
+     */
+    public boolean supportsExtension(String extension) {
+        return true;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * The initialize method does nothing for this Analyzer.
+     *
+     * @throws Exception never thrown by this analyzer
+     */
+    public void initialize() throws Exception {
+        //do nothing
+    }
+
+    /**
+     * The close method does nothing for this Analyzer.
+     *
+     * @throws Exception never thrown by this analyzer
+     */
+    public void close() throws Exception {
+        //do nothing
+    }
+    /**
+     *
+     *
+     * @param dependency the dependency to analyze.
+     * @param engine the engine that is scanning the dependencies
+     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * file.
+     */
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        
+    }
+
+}

src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -23,6 +23,7 @@ import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
 import java.util.logging.Level;
@@ -441,4 +442,35 @@ public class Dependency {
     public void addVulnerability(Vulnerability vulnerability) {
         this.vulnerabilities.add(vulnerability);
     }
+    /**
+     * A collection of related dependencies.
+     */
+    private Set<Dependency> relatedDependencies = new TreeSet<Dependency>();
+
+    /**
+     * Get the value of relatedDependencies.
+     *
+     * @return the value of relatedDependencies
+     */
+    public Set<Dependency> getRelatedDependencies() {
+        return relatedDependencies;
+    }
+
+    /**
+     * Set the value of relatedDependencies.
+     *
+     * @param relatedDependencies new value of relatedDependencies
+     */
+    public void setRelatedDependencies(Set<Dependency> relatedDependencies) {
+        this.relatedDependencies = relatedDependencies;
+    }
+
+    /**
+     * Adds a related dependency.
+     *
+     * @param dependency a reference to the related dependency
+     */
+    public void addRelatedDependency(Dependency dependency) {
+        relatedDependencies.add(dependency);
+    }
 }