github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-17 23:04:07 +01:00
Code Issues Packages Projects Releases Wiki Activity

Adding Dependency Bundling to collapse multiple related dependencies into a single reportable instance

Browse Source 
Former-commit-id: a82034eaaa59e1ea9f69847135be01b5631d59cb
This commit is contained in:
Jeremy Long
2013-04-18 17:58:47 -04:00
parent 561b9d78d4
commit 2223b3666f
2 changed files with 152 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java Normal file
View File

@@ -0,0 +1,120 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
/**
* <p>This analyzer ensures dependencies that should be grouped together, to remove
* excess noise from the report, are grouped. An example would be Spring, Spring
* Beans, Spring MVC, etc. If they are all for the same version and have the same
* relative path then these should be grouped into a single dependency under the
* core/main library.</p>
* <p>Note, this grouping only works on dependencies with identified CVE entries</p>
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
/**
* The set of file extensions supported by this analyzer.
*/
private static final Set<String> EXTENSIONS = null;
/**
* The name of the analyzer.
*/
private static final String ANALYZER_NAME = "Dependency Bundling Analyzer";
/**
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
/**
* Returns a list of file EXTENSIONS supported by this analyzer.
*
* @return a list of file EXTENSIONS supported by this analyzer.
*/
public Set<String> getSupportedExtensions() {
return EXTENSIONS;
}
/**
* Returns the name of the analyzer.
*
* @return the name of the analyzer.
*/
public String getName() {
return ANALYZER_NAME;
}
/**
* Returns whether or not this analyzer can process the given extension.
*
* @param extension the file extension to test for support
* @return whether or not the specified file extension is supported by this
* analyzer.
*/
public boolean supportsExtension(String extension) {
return true;
}
/**
* Returns the phase that the analyzer is intended to run in.
*
* @return the phase that the analyzer is intended to run in.
*/
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
/**
* The initialize method does nothing for this Analyzer.
*
* @throws Exception never thrown by this analyzer
*/
public void initialize() throws Exception {
//do nothing
}
/**
* The close method does nothing for this Analyzer.
*
* @throws Exception never thrown by this analyzer
*/
public void close() throws Exception {
//do nothing
}
/**
*
*
* @param dependency the dependency to analyze.
* @param engine the engine that is scanning the dependencies
* @throws AnalysisException is thrown if there is an error reading the JAR
* file.
*/
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
}
}

32
src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
View File

@@ -23,6 +23,7 @@ import java.io.IOException;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Set;
import java.util.SortedSet; import java.util.SortedSet;
import java.util.TreeSet; import java.util.TreeSet;
import java.util.logging.Level; import java.util.logging.Level;
@@ -441,4 +442,35 @@ public class Dependency {
public void addVulnerability(Vulnerability vulnerability) { public void addVulnerability(Vulnerability vulnerability) {
this.vulnerabilities.add(vulnerability); this.vulnerabilities.add(vulnerability);
} }
/**
* A collection of related dependencies.
*/
private Set<Dependency> relatedDependencies = new TreeSet<Dependency>();
/**
* Get the value of relatedDependencies.
*
* @return the value of relatedDependencies
*/
public Set<Dependency> getRelatedDependencies() {
return relatedDependencies;
}
/**
* Set the value of relatedDependencies.
*
* @param relatedDependencies new value of relatedDependencies
*/
public void setRelatedDependencies(Set<Dependency> relatedDependencies) {
this.relatedDependencies = relatedDependencies;
}
/**
* Adds a related dependency.
*
* @param dependency a reference to the related dependency
*/
public void addRelatedDependency(Dependency dependency) {
relatedDependencies.add(dependency);
}
} }