mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-01-14 15:53:36 +01:00
Prefer interfaces over concrete classes. I have updated internal usage and accepted parameters. I have not touched return values for public/protected methods since they may be called externally and I don't want to break assignments from these.
Former-commit-id: e534f9acf569a258dd72a568dfe69e70486eb697
This commit is contained in:
Hans Joachim Desserud
@@ -110,7 +110,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
static {
|
||||
final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
|
||||
if (additionalZipExt != null) {
|
||||
final HashSet<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
|
||||
final Set<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
|
||||
ZIPPABLES.addAll(ext);
|
||||
}
|
||||
EXTENSIONS.addAll(ZIPPABLES);
|
||||
|
||||
@@ -255,7 +255,7 @@ public class CPEAnalyzer implements Analyzer {
|
||||
protected List<IndexEntry> searchCPE(String vendor, String product,
|
||||
Set<String> vendorWeightings, Set<String> productWeightings) {
|
||||
|
||||
final ArrayList<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
|
||||
final List<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
|
||||
|
||||
final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
|
||||
if (searchString == null) {
|
||||
|
||||
@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.analyzer;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
@@ -101,7 +102,7 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
|
||||
}
|
||||
final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
|
||||
final ArrayList<Evidence> newEntries = new ArrayList<Evidence>();
|
||||
final List<Evidence> newEntries = new ArrayList<Evidence>();
|
||||
while (itr.hasNext()) {
|
||||
final Evidence e = itr.next();
|
||||
if ("sun".equalsIgnoreCase(e.getValue(false))) {
|
||||
|
||||
@@ -227,7 +227,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
@Override
|
||||
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
|
||||
try {
|
||||
final ArrayList<ClassNameInformation> classNames = collectClassNames(dependency);
|
||||
final List<ClassNameInformation> classNames = collectClassNames(dependency);
|
||||
final String fileName = dependency.getFileName().toLowerCase();
|
||||
if (classNames.isEmpty()
|
||||
&& (fileName.endsWith("-sources.jar")
|
||||
@@ -255,7 +255,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @throws AnalysisException is thrown if there is an exception parsing the pom
|
||||
* @return whether or not evidence was added to the dependency
|
||||
*/
|
||||
protected boolean analyzePOM(Dependency dependency, ArrayList<ClassNameInformation> classes, Engine engine) throws AnalysisException {
|
||||
protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException {
|
||||
boolean foundSomething = false;
|
||||
final JarFile jar;
|
||||
try {
|
||||
@@ -531,7 +531,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* file being analyzed
|
||||
* @return true if there was evidence within the pom that we could use; otherwise false
|
||||
*/
|
||||
private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, ArrayList<ClassNameInformation> classes) {
|
||||
private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, List<ClassNameInformation> classes) {
|
||||
boolean foundSomething = false;
|
||||
boolean addAsIdentifier = true;
|
||||
if (pom == null) {
|
||||
@@ -659,10 +659,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @param dependency a dependency to analyze
|
||||
* @param addPackagesAsEvidence a flag indicating whether or not package names should be added as evidence.
|
||||
*/
|
||||
protected void analyzePackageNames(ArrayList<ClassNameInformation> classNames,
|
||||
protected void analyzePackageNames(List<ClassNameInformation> classNames,
|
||||
Dependency dependency, boolean addPackagesAsEvidence) {
|
||||
final HashMap<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
|
||||
final HashMap<String, Integer> productIdentifiers = new HashMap<String, Integer>();
|
||||
final Map<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
|
||||
final Map<String, Integer> productIdentifiers = new HashMap<String, Integer>();
|
||||
analyzeFullyQualifiedClassNames(classNames, vendorIdentifiers, productIdentifiers);
|
||||
|
||||
final int classCount = classNames.size();
|
||||
@@ -704,7 +704,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @return whether evidence was identified parsing the manifest
|
||||
* @throws IOException if there is an issue reading the JAR file
|
||||
*/
|
||||
protected boolean parseManifest(Dependency dependency, ArrayList<ClassNameInformation> classInformation) throws IOException {
|
||||
protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation) throws IOException {
|
||||
boolean foundSomething = false;
|
||||
JarFile jar = null;
|
||||
try {
|
||||
@@ -1050,8 +1050,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @param dependency the dependency being analyzed
|
||||
* @return an list of fully qualified class names
|
||||
*/
|
||||
private ArrayList<ClassNameInformation> collectClassNames(Dependency dependency) {
|
||||
final ArrayList<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
|
||||
private List<ClassNameInformation> collectClassNames(Dependency dependency) {
|
||||
final List<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
|
||||
JarFile jar = null;
|
||||
try {
|
||||
jar = new JarFile(dependency.getActualFilePath());
|
||||
@@ -1089,10 +1089,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @param vendor HashMap of possible vendor names from package names (e.g. owasp)
|
||||
* @param product HashMap of possible product names from package names (e.g. dependencycheck)
|
||||
*/
|
||||
private void analyzeFullyQualifiedClassNames(ArrayList<ClassNameInformation> classNames,
|
||||
HashMap<String, Integer> vendor, HashMap<String, Integer> product) {
|
||||
private void analyzeFullyQualifiedClassNames(List<ClassNameInformation> classNames,
|
||||
Map<String, Integer> vendor, Map<String, Integer> product) {
|
||||
for (ClassNameInformation entry : classNames) {
|
||||
final ArrayList<String> list = entry.getPackageStructure();
|
||||
final List<String> list = entry.getPackageStructure();
|
||||
addEntry(vendor, list.get(0));
|
||||
|
||||
if (list.size() == 2) {
|
||||
@@ -1120,7 +1120,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @param collection a collection of strings and their occurrence count
|
||||
* @param key the key to add to the collection
|
||||
*/
|
||||
private void addEntry(HashMap<String, Integer> collection, String key) {
|
||||
private void addEntry(Map<String, Integer> collection, String key) {
|
||||
if (collection.containsKey(key)) {
|
||||
collection.put(key, collection.get(key) + 1);
|
||||
} else {
|
||||
@@ -1137,7 +1137,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @param value the value to check to see if it contains a package name
|
||||
* @param evidence the evidence collection to add new entries too
|
||||
*/
|
||||
private void addMatchingValues(ArrayList<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
|
||||
private void addMatchingValues(List<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
|
||||
if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -28,6 +28,7 @@ import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Map.Entry;
|
||||
import java.util.Properties;
|
||||
import java.util.Set;
|
||||
@@ -458,7 +459,8 @@ public class CveDB {
|
||||
final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
|
||||
|
||||
PreparedStatement ps;
|
||||
final HashSet<String> cveEntries = new HashSet<String>();
|
||||
//TODO(code review): Looks like things are only added to this map, but never retrieved or checked
|
||||
final Set<String> cveEntries = new HashSet<String>();
|
||||
try {
|
||||
ps = getConnection().prepareStatement(SELECT_CVE_FROM_SOFTWARE);
|
||||
ps.setString(1, cpe.getVendor());
|
||||
@@ -466,7 +468,7 @@ public class CveDB {
|
||||
rs = ps.executeQuery();
|
||||
String currentCVE = "";
|
||||
|
||||
final HashMap<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
|
||||
final Map<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
|
||||
while (rs.next()) {
|
||||
final String cveId = rs.getString(1);
|
||||
if (!currentCVE.equals(cveId)) { //check for match and add
|
||||
@@ -787,12 +789,12 @@ public class CveDB {
|
||||
* @param identifiedVersion the identified version of the dependency being analyzed
|
||||
* @return true if the identified version is affected, otherwise false
|
||||
*/
|
||||
protected Entry<String, Boolean> getMatchingSoftware(HashMap<String, Boolean> vulnerableSoftware, String vendor, String product,
|
||||
protected Entry<String, Boolean> getMatchingSoftware(Map<String, Boolean> vulnerableSoftware, String vendor, String product,
|
||||
DependencyVersion identifiedVersion) {
|
||||
|
||||
final boolean isVersionTwoADifferentProduct = "apache".equals(vendor) && "struts".equals(product);
|
||||
|
||||
final HashSet<String> majorVersionsAffectingAllPrevious = new HashSet<String>();
|
||||
final Set<String> majorVersionsAffectingAllPrevious = new HashSet<String>();
|
||||
final boolean matchesAnyPrevious = identifiedVersion == null || "-".equals(identifiedVersion.toString());
|
||||
String majorVersionMatch = null;
|
||||
for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
|
||||
|
||||
@@ -154,7 +154,7 @@ public class DatabaseProperties {
|
||||
* @return a map of the database meta data
|
||||
*/
|
||||
public Map<String, String> getMetaData() {
|
||||
final TreeMap<String, String> map = new TreeMap<String, String>();
|
||||
final Map<String, String> map = new TreeMap<String, String>();
|
||||
for (Entry<Object, Object> entry : properties.entrySet()) {
|
||||
final String key = (String) entry.getKey();
|
||||
if (!"version".equals(key)) {
|
||||
|
||||
@@ -27,6 +27,7 @@ import java.sql.Driver;
|
||||
import java.sql.DriverManager;
|
||||
import java.sql.SQLException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
|
||||
@@ -75,7 +76,7 @@ public final class DriverLoader {
|
||||
*/
|
||||
public static Driver load(String className, String pathToDriver) throws DriverLoadException {
|
||||
final URLClassLoader parent = (URLClassLoader) ClassLoader.getSystemClassLoader();
|
||||
final ArrayList<URL> urls = new ArrayList<URL>();
|
||||
final List<URL> urls = new ArrayList<URL>();
|
||||
final String[] paths = pathToDriver.split(File.pathSeparator);
|
||||
for (String path : paths) {
|
||||
final File file = new File(path);
|
||||
|
||||
@@ -18,6 +18,7 @@
|
||||
package org.owasp.dependencycheck.utils;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
@@ -62,7 +63,7 @@ public final class DependencyVersionUtil {
|
||||
//'-' is a special case used within the CVE entries, just include it as the version.
|
||||
if ("-".equals(text)) {
|
||||
final DependencyVersion dv = new DependencyVersion();
|
||||
final ArrayList<String> list = new ArrayList<String>();
|
||||
final List<String> list = new ArrayList<String>();
|
||||
list.add(text);
|
||||
dv.setVersionParts(list);
|
||||
return dv;
|
||||
|
||||
@@ -23,6 +23,7 @@ import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
/**
|
||||
@@ -68,7 +69,7 @@ public final class UrlStringUtils {
|
||||
/**
|
||||
* A listing of domain parts that should not be used as evidence. Yes, this is an incomplete list.
|
||||
*/
|
||||
private static final HashSet<String> IGNORE_LIST = new HashSet<String>(
|
||||
private static final Set<String> IGNORE_LIST = new HashSet<String>(
|
||||
Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx"));
|
||||
|
||||
/**
|
||||
@@ -86,7 +87,7 @@ public final class UrlStringUtils {
|
||||
* @throws MalformedURLException thrown if the URL is malformed
|
||||
*/
|
||||
public static List<String> extractImportantUrlData(String text) throws MalformedURLException {
|
||||
final ArrayList<String> importantParts = new ArrayList<String>();
|
||||
final List<String> importantParts = new ArrayList<String>();
|
||||
final URL url = new URL(text);
|
||||
final String[] domain = url.getHost().split("\\.");
|
||||
//add the domain except www and the tld.
|
||||
|
||||
Reference in New Issue
Block a user