From 2223b3666faa75cde2d6a02a4b957a415e69a2f9 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Thu, 18 Apr 2013 17:58:47 -0400
Subject: [PATCH] Adding Dependency Bundling to collapse multiple related dependencies into a single reportable instance
Former-commit-id: a82034eaaa59e1ea9f69847135be01b5631d59cb
---
.../analyzer/DependencyBundlingAnalyzer.java | 120 ++++++++++++++++++
.../dependency/Dependency.java | 32 +++++
2 files changed, 152 insertions(+)
create mode 100644 src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
diff --git a/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
new file mode 100644
index 000000000..686a51099
--- /dev/null
+++ b/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -0,0 +1,120 @@
+/*
+ * This file is part of DependencyCheck.
+ *
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
+
+/**
+ *

This analyzer ensures dependencies that should be grouped together, to remove + * excess noise from the report, are grouped. An example would be Spring, Spring + * Beans, Spring MVC, etc. If they are all for the same version and have the same + * relative path then these should be grouped into a single dependency under the + * core/main library.

+ *

Note, this grouping only works on dependencies with identified CVE entries

+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
+
+ /**
+ * The set of file extensions supported by this analyzer.
+ */
+ private static final Set EXTENSIONS = null;
+ /**
+ * The name of the analyzer.
+ */
+ private static final String ANALYZER_NAME = "Dependency Bundling Analyzer";
+ /**
+ * The phase that this analyzer is intended to run in.
+ */
+ private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
+
+ /**
+ * Returns a list of file EXTENSIONS supported by this analyzer.
+ *
+ * @return a list of file EXTENSIONS supported by this analyzer.
+ */
+ public Set getSupportedExtensions() {
+ return EXTENSIONS;
+ }
+
+ /**
+ * Returns the name of the analyzer.
+ *
+ * @return the name of the analyzer.
+ */
+ public String getName() {
+ return ANALYZER_NAME;
+ }
+
+ /**
+ * Returns whether or not this analyzer can process the given extension.
+ *
+ * @param extension the file extension to test for support
+ * @return whether or not the specified file extension is supported by this
+ * analyzer.
+ */
+ public boolean supportsExtension(String extension) {
+ return true;
+ }
+
+ /**
+ * Returns the phase that the analyzer is intended to run in.
+ *
+ * @return the phase that the analyzer is intended to run in.
+ */
+ public AnalysisPhase getAnalysisPhase() {
+ return ANALYSIS_PHASE;
+ }
+
+ /**
+ * The initialize method does nothing for this Analyzer.
+ *
+ * @throws Exception never thrown by this analyzer
+ */
+ public void initialize() throws Exception {
+ //do nothing
+ }
+
+ /**
+ * The close method does nothing for this Analyzer.
+ *
+ * @throws Exception never thrown by this analyzer
+ */
+ public void close() throws Exception {
+ //do nothing
+ }
+ /**
+ *
+ *
+ * @param dependency the dependency to analyze.
+ * @param engine the engine that is scanning the dependencies
+ * @throws AnalysisException is thrown if there is an error reading the JAR
+ * file.
+ */
+ public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+
+ }
+
+}
diff --git a/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index 866649165..38499f556 100644
--- a/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -23,6 +23,7 @@ import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
 import java.util.logging.Level;
@@ -441,4 +442,35 @@ public class Dependency {
 public void addVulnerability(Vulnerability vulnerability) {
 this.vulnerabilities.add(vulnerability);
 }
+ /**
+ * A collection of related dependencies.
+ */
+ private Set relatedDependencies = new TreeSet();
+
+ /**
+ * Get the value of relatedDependencies.
+ *
+ * @return the value of relatedDependencies
+ */
+ public Set getRelatedDependencies() {
+ return relatedDependencies;
+ }
+
+ /**
+ * Set the value of relatedDependencies.
+ *
+ * @param relatedDependencies new value of relatedDependencies
+ */
+ public void setRelatedDependencies(Set relatedDependencies) {
+ this.relatedDependencies = relatedDependencies;
+ }
+
+ /**
+ * Adds a related dependency.
+ *
+ * @param dependency a reference to the related dependency
+ */
+ public void addRelatedDependency(Dependency dependency) {
+ relatedDependencies.add(dependency);
+ }
 }
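Review bot: `getSupportedExtensions()` returns the `null` constant `EXTENSIONS` while `supportsExtension` answers `true` for every extension, so a caller that iterates the supported set gets a NullPointerException and the two methods contradict each other; an empty set, `private static final Set EXTENSIONS = java.util.Collections.emptySet();`, keeps them consistent. The `analyze` body is empty, so the bundling described in the commit message does not happen yet, and its Javadoc is blank apart from a `@throws` sentence about reading a JAR file that does not apply to this analyzer; I would write `Groups related dependencies (same version and relative path) under a single core dependency; not yet implemented.` as the summary and drop the JAR wording. `ArrayList`, `List` and `Identifier` are imported but unused, and `Set` is used raw where `Set<String>` would match the `String extension` parameter of `supportsExtension`.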
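Review bot: `relatedDependencies` is created as a raw `TreeSet`, and the hunk header shows `public class Dependency {` with no `implements Comparable`, so unless a natural ordering is defined elsewhere in the class the first `addRelatedDependency` call will throw a ClassCastException when the set tries to order the element; `private Set<Dependency> relatedDependencies = new HashSet<Dependency>();` (with `import java.util.HashSet;` added in the import hunk above) or a `TreeSet` built with an explicit `Comparator` removes that requirement. A hash set in turn relies on `equals`/`hashCode` being overridden in `Dependency`, which this hunk does not show, so that is worth confirming before two records of the same file can be collapsed into one. `setRelatedDependencies` accepts `null`, after which `addRelatedDependency` throws, and `getRelatedDependencies` hands out the live set; a null check in the setter and `Collections.unmodifiableSet` in the getter would keep the field under the class's control. Because these are the dependencies the analyzer will collapse into one reported entry, the field's Javadoc should state that their vulnerabilities and identifiers must still surface on the surviving entry — nothing in this commit carries them across yet, which I take to be the stub state rather than the final design.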