mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-05-01 04:34:45 +02:00
Merge branch 'ruby_dependency' into swift_support
This commit is contained in:
bjiang
@@ -209,21 +209,25 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
@Override
|
||||
protected void analyzeFileType(Dependency dependency, Engine engine)
|
||||
throws AnalysisException {
|
||||
// if (needToDisableGemspecAnalyzer) {
|
||||
// boolean failed = true;
|
||||
// final String className = RubyGemspecAnalyzer.class.getName();
|
||||
// for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
|
||||
// if (analyzer instanceof RubyGemspecAnalyzer) {
|
||||
// ((RubyGemspecAnalyzer) analyzer).setEnabled(false);
|
||||
// LOGGER.info("Disabled " + className + " to avoid noisy duplicate results.");
|
||||
// failed = false;
|
||||
// }
|
||||
// }
|
||||
// if (failed) {
|
||||
// LOGGER.warn("Did not find" + className + '.');
|
||||
// }
|
||||
// needToDisableGemspecAnalyzer = false;
|
||||
// }
|
||||
if (needToDisableGemspecAnalyzer) {
|
||||
boolean failed = true;
|
||||
final String className = RubyGemspecAnalyzer.class.getName();
|
||||
for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
|
||||
if (analyzer instanceof RubyBundlerAnalyzer) {
|
||||
((RubyBundlerAnalyzer) analyzer).setEnabled(false);
|
||||
LOGGER.info("Disabled " + RubyBundlerAnalyzer.class.getName() + " to avoid noisy duplicate results.");
|
||||
}
|
||||
else if (analyzer instanceof RubyGemspecAnalyzer) {
|
||||
((RubyGemspecAnalyzer) analyzer).setEnabled(false);
|
||||
LOGGER.info("Disabled " + className + " to avoid noisy duplicate results.");
|
||||
failed = false;
|
||||
}
|
||||
}
|
||||
if (failed) {
|
||||
LOGGER.warn("Did not find " + className + '.');
|
||||
}
|
||||
needToDisableGemspecAnalyzer = false;
|
||||
}
|
||||
final File parentFile = dependency.getActualFile().getParentFile();
|
||||
final Process process = launchBundleAudit(parentFile);
|
||||
try {
|
||||
|
||||
@@ -1,65 +0,0 @@
|
||||
package org.owasp.dependencycheck.analyzer;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FilenameFilter;
|
||||
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
|
||||
public class RubyBundleInstallDeploymentAnalyzer extends RubyGemspecAnalyzer {
|
||||
|
||||
private static final String SPECIFICATIONS = "specifications";
|
||||
private static final String GEMS = "gems";
|
||||
|
||||
/**
|
||||
* The logger.
|
||||
*/
|
||||
// private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleInstallDeploymentAnalyzer.class);
|
||||
|
||||
/**
|
||||
* Only accept *.gemspec stubs generated by "bundle install --deployment" under "specifications" folder.
|
||||
*/
|
||||
@Override
|
||||
public boolean accept(File pathname) {
|
||||
|
||||
boolean accepted = super.accept(pathname);
|
||||
if(accepted == true) {
|
||||
File parentDir = pathname.getParentFile();
|
||||
accepted = parentDir != null && parentDir.exists() && parentDir.getName().equals(SPECIFICATIONS);
|
||||
}
|
||||
|
||||
return accepted;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void analyzeFileType(Dependency dependency, Engine engine)
|
||||
throws AnalysisException {
|
||||
super.analyzeFileType(dependency, engine);
|
||||
|
||||
//find the corresponding gem folder for this .gemspec stub by "bundle install --deployment"
|
||||
File gemspecFile = dependency.getActualFile();
|
||||
String gemFileName = gemspecFile.getName();
|
||||
final String gemName = gemFileName.substring(0, gemFileName.lastIndexOf(".gemspec"));
|
||||
File specificationsDir = gemspecFile.getParentFile();
|
||||
if(specificationsDir != null && specificationsDir.getName().equals(SPECIFICATIONS) && specificationsDir.exists()) {
|
||||
File parentDir = specificationsDir.getParentFile();
|
||||
if(parentDir != null && parentDir.exists()) {
|
||||
File gemsDir = new File(parentDir, GEMS);
|
||||
if(gemsDir != null && gemsDir.exists()) {
|
||||
File[] matchingFiles = gemsDir.listFiles(new FilenameFilter() {
|
||||
public boolean accept(File dir, String name) {
|
||||
return name.equals(gemName);
|
||||
}
|
||||
});
|
||||
|
||||
if(matchingFiles.length > 0) {
|
||||
String gemPath = matchingFiles[0].getAbsolutePath();
|
||||
if(gemPath != null)
|
||||
dependency.setPackagePath(gemPath);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,113 @@
|
||||
/*
|
||||
* This file is part of dependency-check-core.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2016 Bianca Jiang. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.analyzer;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FilenameFilter;
|
||||
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
|
||||
/**
|
||||
* This analyzer accepts the fully resolved .gemspec created by the Ruby bundler (http://bundler.io)
|
||||
* for better evidence results. It also tries to resolve the dependency packagePath
|
||||
* to where the gem is actually installed. Then during {@link AnalysisPhase.PRE_FINDING_ANALYSIS}
|
||||
* {@link DependencyBundlingAnalyzer} will merge two .gemspec dependencies together if
|
||||
* <code>Dependency.getPackagePath()</code> are the same.
|
||||
*
|
||||
* Ruby bundler creates new .gemspec files under a folder called "specifications" at deploy time,
|
||||
* in addition to the original .gemspec files from source. The bundler generated
|
||||
* .gemspec files always contain fully resolved attributes thus provide more accurate
|
||||
* evidences, whereas the original .gemspec from source often contain variables for attributes
|
||||
* that can't be used for evidences.
|
||||
*
|
||||
* Note this analyzer share the same {@link Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED} as
|
||||
* {@link RubyGemspecAnalyzer}, so it will enabled/disabled with {@link RubyGemspecAnalyzer}.
|
||||
*
|
||||
* @author Bianca Jiang (biancajiang@gmail.com)
|
||||
*/
|
||||
public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
|
||||
|
||||
/**
|
||||
* The name of the analyzer.
|
||||
*/
|
||||
private static final String ANALYZER_NAME = "Ruby Bundler Analyzer";
|
||||
|
||||
//Folder name that contains .gemspec files created by "bundle install"
|
||||
private static final String SPECIFICATIONS = "specifications";
|
||||
|
||||
//Folder name that contains the gems by "bundle install"
|
||||
private static final String GEMS = "gems";
|
||||
|
||||
/**
|
||||
* Returns the name of the analyzer.
|
||||
*
|
||||
* @return the name of the analyzer.
|
||||
*/
|
||||
@Override
|
||||
public String getName() {
|
||||
return ANALYZER_NAME;
|
||||
}
|
||||
|
||||
/**
|
||||
* Only accept *.gemspec files generated by "bundle install --deployment" under "specifications" folder.
|
||||
*/
|
||||
@Override
|
||||
public boolean accept(File pathname) {
|
||||
|
||||
boolean accepted = super.accept(pathname);
|
||||
if(accepted == true) {
|
||||
File parentDir = pathname.getParentFile();
|
||||
accepted = parentDir != null && parentDir.getName().equals(SPECIFICATIONS);
|
||||
}
|
||||
|
||||
return accepted;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void analyzeFileType(Dependency dependency, Engine engine)
|
||||
throws AnalysisException {
|
||||
super.analyzeFileType(dependency, engine);
|
||||
|
||||
//find the corresponding gem folder for this .gemspec stub by "bundle install --deployment"
|
||||
File gemspecFile = dependency.getActualFile();
|
||||
String gemFileName = gemspecFile.getName();
|
||||
final String gemName = gemFileName.substring(0, gemFileName.lastIndexOf(".gemspec"));
|
||||
File specificationsDir = gemspecFile.getParentFile();
|
||||
if(specificationsDir != null && specificationsDir.getName().equals(SPECIFICATIONS) && specificationsDir.exists()) {
|
||||
File parentDir = specificationsDir.getParentFile();
|
||||
if(parentDir != null && parentDir.exists()) {
|
||||
File gemsDir = new File(parentDir, GEMS);
|
||||
if(gemsDir != null && gemsDir.exists()) {
|
||||
File[] matchingFiles = gemsDir.listFiles(new FilenameFilter() {
|
||||
public boolean accept(File dir, String name) {
|
||||
return name.equals(gemName);
|
||||
}
|
||||
});
|
||||
|
||||
if(matchingFiles.length > 0) {
|
||||
String gemPath = matchingFiles[0].getAbsolutePath();
|
||||
if(gemPath != null)
|
||||
dependency.setPackagePath(gemPath);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -57,11 +57,13 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
private static final FileFilter FILTER
|
||||
= FileFilterBuilder.newInstance().addExtensions(GEMSPEC).build();
|
||||
//TODO: support Rakefile
|
||||
//= FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
|
||||
|
||||
private static final String VERSION_FILE_NAME = "VERSION";
|
||||
|
||||
/**
|
||||
* @return a filter that accepts files named Rakefile or matching the glob pattern, *.gemspec
|
||||
* @return a filter that accepts files matching the glob pattern, *.gemspec
|
||||
*/
|
||||
@Override
|
||||
protected FileFilter getFileFilter() {
|
||||
@@ -133,11 +135,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.LOW);
|
||||
|
||||
addStringEvidence(vendor, contents, blockVariable, "author", "authors?", Confidence.HIGHEST);
|
||||
// addListEvidence(vendor, contents, blockVariable, "authors", Confidence.HIGHEST);
|
||||
addStringEvidence(vendor, contents, blockVariable, "email", "emails?", Confidence.MEDIUM);
|
||||
// if (email.isEmpty()) {
|
||||
// addListEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM);
|
||||
// }
|
||||
addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST);
|
||||
addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST);
|
||||
|
||||
@@ -149,16 +147,6 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
setPackagePath(dependency);
|
||||
}
|
||||
|
||||
// private void addListEvidence(EvidenceCollection evidences, String contents,
|
||||
// String blockVariable, String field, Confidence confidence) {
|
||||
// final Matcher matcher = Pattern.compile(
|
||||
// String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents);
|
||||
// if (matcher.find()) {
|
||||
// final String value = matcher.group(1).replaceAll("['\"]", " ").trim();
|
||||
// evidences.addEvidence(GEMSPEC, field, value, confidence);
|
||||
// }
|
||||
// }
|
||||
|
||||
private String addStringEvidence(EvidenceCollection evidences, String contents,
|
||||
String blockVariable, String field, String fieldPattern, Confidence confidence) {
|
||||
String value = "";
|
||||
|
||||
@@ -19,7 +19,7 @@ org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
|
||||
org.owasp.dependencycheck.analyzer.CMakeAnalyzer
|
||||
org.owasp.dependencycheck.analyzer.NodePackageAnalyzer
|
||||
org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer
|
||||
org.owasp.dependencycheck.analyzer.RubyBundleInstallDeploymentAnalyzer
|
||||
org.owasp.dependencycheck.analyzer.RubyBundlerAnalyzer
|
||||
org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer
|
||||
org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer
|
||||
org.owasp.dependencycheck.analyzer.CocoaPodsAnalyzer
|
||||
|
||||
Reference in New Issue
Block a user