From 2e3331f5688cd690ea76eb30573262a96e213f7c Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Thu, 9 May 2013 22:34:47 -0400 Subject: [PATCH] bug fixes Former-commit-id: e6e1292842528039ab4498d65239759e6729a70a --- .../analyzer/FalsePositiveAnalyzer.java | 2 +- .../analyzer/HintAnalyzer.java | 14 +++++- .../dependency/Dependency.java | 8 ++-- .../dependency/Identifier.java | 4 +- .../reporting/ReportGenerator.java | 43 +++++++++++++++---- .../data/cpe/CPEAnalyzerTest.java | 6 ++- .../dependencycheck/data/cwe/CweDBTest.java | 2 +- .../dependency/DependencyTest.java | 12 +++--- 8 files changed, 67 insertions(+), 24 deletions(-) diff --git a/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java index 4b76aea2d..3666f5586 100644 --- a/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java +++ b/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java @@ -178,7 +178,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { * @param dependency the dependency to remove JRE CPEs from */ private void removeJreEntries(Dependency dependency) { - final List identifiers = dependency.getIdentifiers(); + final Set identifiers = dependency.getIdentifiers(); final Iterator itr = identifiers.iterator(); while (itr.hasNext()) { final Identifier i = itr.next(); diff --git a/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java index bd72262db..61d09aa73 100644 --- a/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java +++ b/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java 
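Review bot: The new `final Set identifiers = dependency.getIdentifiers();` keeps the collection raw, and the `Iterator` on the next line is raw too, so `final Identifier i = itr.next();` only type-checks with a cast that the collapsed hunk does not show; `final Set<Identifier> identifiers = dependency.getIdentifiers();` and `final Iterator<Identifier> itr = identifiers.iterator();` remove the unchecked handling. Because the backing collection is now a `TreeSet`, removing entries through the iterator is the only safe way to drop them mid-loop, which this method presumably does. removeJreEntries's body continues beyond the hunk.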
@@ -98,12 +98,24 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer { "org.springframework.core", Evidence.Confidence.HIGH); - final Set evidence = dependency.getProductEvidence().getEvidence(); + final Evidence springTest3 = new Evidence("Manifest", + "Bundle-Vendor", + "SpringSource", + Evidence.Confidence.HIGH); + + + Set evidence = dependency.getProductEvidence().getEvidence(); if (evidence.contains(springTest1) || evidence.contains(springTest2)) { dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH); dependency.getVendorEvidence().addEvidence("a priori", "vendor", "SpringSource", Evidence.Confidence.HIGH); dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH); } + evidence = dependency.getVendorEvidence().getEvidence(); + if (evidence.contains(springTest3)) { + dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH); + dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH); + } + } } diff --git a/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java index 822b00ee9..46d59412a 100644 --- a/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java +++ b/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java @@ -68,7 +68,7 @@ public class Dependency implements Comparable { /** * A list of Identifiers. */ - private List identifiers; + private Set identifiers; /** * A collection of vendor evidence. */ 
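Review bot: Reusing the local `evidence` for two different collections (product evidence, then vendor evidence) forces it to drop `final` and makes the second `if` easy to misread; two named locals, `final Set productEvidence = dependency.getProductEvidence().getEvidence();` and `final Set vendorEvidence = dependency.getVendorEvidence().getEvidence();`, keep both immutable and self-describing. The `springTest3` branch adds the product entry and the `vmware` vendor entry but not the `SpringSource` vendor entry the first branch adds; if that asymmetry is intentional because the Bundle-Vendor match already carries that vendor, a one-line comment saying so would stop the next reader from "fixing" it. The duplicated `addEvidence` triples could be hoisted into a small private helper. The method's signature is above the hunk.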
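Review bot: The field Javadoc `A list of Identifiers.` now describes the old type while the field holds a `Set`; the same staleness is in the `-222` hunk (`@return an ArrayList of Identifiers.` on `getIdentifiers()`) and the `-231` hunk (`@param identifiers A list of Identifiers.` on `setIdentifiers`). Suggest `A set of Identifiers.`, `@return the set of Identifiers`, and `@param identifiers the set of Identifiers`. Since `getIdentifiers()` returns the live backing set (`return this.identifiers;`), the `@return` doc could also say that callers mutating it mutate the dependency.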
@@ -89,7 +89,7 @@ public class Dependency implements Comparable { vendorEvidence = new EvidenceCollection(); productEvidence = new EvidenceCollection(); versionEvidence = new EvidenceCollection(); - identifiers = new ArrayList(); + identifiers = new TreeSet(); vulnerabilities = new TreeSet(new VulnerabilityComparator()); } @@ -222,7 +222,7 @@ public class Dependency implements Comparable { * * @return an ArrayList of Identifiers. */ - public List getIdentifiers() { + public Set getIdentifiers() { return this.identifiers; } @@ -231,7 +231,7 @@ public class Dependency implements Comparable { * * @param identifiers A list of Identifiers. */ - public void setIdentifiers(List identifiers) { + public void setIdentifiers(Set identifiers) { this.identifiers = identifiers; } diff --git a/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java b/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java index 5a1e37ffd..1b0c1bd82 100644 --- a/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java +++ b/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java @@ -31,7 +31,7 @@ public class Identifier implements Comparable { * @param value the identifier value. * @param url the identifier url. */ - Identifier(String type, String value, String url) { + public Identifier(String type, String value, String url) { this.type = type; this.value = value; this.url = url; @@ -45,7 +45,7 @@ public class Identifier implements Comparable { * @param url the identifier url. * @param description the description of the identifier. */ - Identifier(String type, String value, String url, String description) { + public Identifier(String type, String value, String url, String description) { this(type, value, url); this.description = description; } diff --git a/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java b/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java index 653053d2e..768291924 100644 
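Review bot: `identifiers = new TreeSet();` makes `Identifier.compareTo` the sole arbiter of membership and de-duplication, so two identifiers the comparator orders equal collapse into one regardless of `equals`, and `contains(...)` (which the updated tests in this commit rely on) answers by `compareTo` as well; that only behaves as the tests expect if `compareTo` is consistent with `equals`, which the hunk does not show. A comment on this line, `// TreeSet: ordering and uniqueness follow Identifier.compareTo; keep it consistent with equals`, or a `TreeSet<Identifier>` with a named comparator, would make the contract visible. The constructor's signature is above the hunk.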
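Review bot: Widening both constructors to `public` (here and in the `-45` hunk) lets any caller build an `Identifier` with a null `type`, `value` or `url`, and because `Dependency` now stores identifiers in a `TreeSet`, such a null would surface later inside `compareTo` rather than at construction if the comparator dereferences those fields; `compareTo` is not in the hunk, so this is a hedge. If `value` is required, `if (value == null) { throw new IllegalArgumentException("value is required"); }` at the top of the three-argument constructor states the contract where the caller sees it, and the Javadoc `@param` lines could note which arguments may be null.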
--- a/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java +++ b/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java @@ -48,6 +48,12 @@ import org.owasp.dependencycheck.dependency.Dependency; */ public class ReportGenerator { + public enum Format { + ALL, + XML, + HTML + } + /** * The Velocity Engine. */ 
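Review bot: The new public nested `enum Format { ALL, XML, HTML }` becomes part of the class's public API but has no Javadoc, unlike the neighbouring members in this file; suggest `/** Output formats for the generated reports; {@code ALL} writes every supported format. */` above the enum. A one-line comment per constant would also help if the project's style documents constants.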
@@ -105,18 +111,39 @@ public class ReportGenerator { /** * Generates the Dependency Reports for the identified dependencies. * - * @param outputDir the path where the reports should be written. - * @param outputFormat the format the report should be written in. - * @throws IOException is thrown when the template file does not exist. + * @param outputDir the path where the reports should be written + * @param format the format the report should be written in + * @throws IOException is thrown when the template file does not exist + * @throws Exception is thrown if there is an error writing out the + * reports. + */ + public void generateReports(String outputDir, Format format) throws IOException, Exception { + if (format == Format.XML || format == Format.ALL) { + generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml"); + } + if (format == Format.HTML || format == Format.ALL) { + generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html"); + } + } + + /** + * Generates the Dependency Reports for the identified dependencies. + * + * @param outputDir the path where the reports should be written + * @param outputFormat the format the report should be written in (XML, HTML, ALL) + * @throws IOException is thrown when the template file does not exist * @throws Exception is thrown if there is an error writing out the * reports. 
*/ public void generateReports(String outputDir, String outputFormat) throws IOException, Exception { - if ("XML".equalsIgnoreCase(outputFormat) || "ALL".equalsIgnoreCase(outputFormat)) { - generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml"); + if ("XML".equalsIgnoreCase(outputFormat)) { + generateReports(outputDir, Format.XML); } - if ("HTML".equalsIgnoreCase(outputFormat) || "ALL".equalsIgnoreCase(outputFormat)) { - generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html"); + if ("HTML".equalsIgnoreCase(outputFormat)) { + generateReports(outputDir, Format.XML); + } + if ("ALL".equalsIgnoreCase(outputFormat)) { + generateReports(outputDir, Format.ALL); } } @@ -130,7 +157,7 @@ public class ReportGenerator { * @throws IOException is thrown when the template file does not exist. * @throws Exception is thrown when an exception occurs. */ - public void generateReport(String templateName, String outFileName) throws IOException, Exception { + protected void generateReport(String templateName, String outFileName) throws IOException, Exception { InputStream input = null; String templatePath = null; final File f = new File(templateName); diff --git a/src/test/java/org/owasp/dependencycheck/data/cpe/CPEAnalyzerTest.java b/src/test/java/org/owasp/dependencycheck/data/cpe/CPEAnalyzerTest.java index 7537b324b..223c264d6 100644 --- a/src/test/java/org/owasp/dependencycheck/data/cpe/CPEAnalyzerTest.java +++ b/src/test/java/org/owasp/dependencycheck/data/cpe/CPEAnalyzerTest.java @@ -31,6 +31,7 @@ import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.analyzer.JarAnalyzer; import org.junit.Assert; import org.junit.Test; +import org.owasp.dependencycheck.dependency.Identifier; /** * 
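Review bot: The `HTML` branch of the String overload delegates to the wrong constant: `if ("HTML".equalsIgnoreCase(outputFormat)) { generateReports(outputDir, Format.XML); }` writes the XML report and never the HTML one, a regression from the removed code; the line should read `generateReports(outputDir, Format.HTML);`. An unrecognised `outputFormat` still silently writes nothing; resolving it with `Format.valueOf(outputFormat.toUpperCase(Locale.ROOT))` (or rejecting it with an `IllegalArgumentException`) would make that visible to the caller. The two overloads share an identical summary sentence, so the Javadoc on the String version could say it parses the format name and delegates to `generateReports(String, Format)`.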
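Review bot: Narrowing `generateReport(String, String)` from `public` to `protected` is a source-incompatible change for any external caller; if that is intended, the method's Javadoc could state that the `generateReports` overloads are the supported entry points. The body starts with `final File f = new File(templateName);`, so the template name is treated as a potential filesystem path and subclasses can still pass arbitrary ones; a sentence in the doc about where template names are expected to come from would make that contract explicit. The method's body continues past the hunk.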
@@ -110,6 +111,7 @@ public class CPEAnalyzerTest extends BaseIndexTestCase { CPEAnalyzer instance = new CPEAnalyzer(); instance.open(); String expResult = "cpe:/a:apache:struts:2.1.2"; + Identifier expIdentifier = new Identifier("cpe", expResult, expResult); String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5"; String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0"; instance.determineCPE(depends); @@ -117,7 +119,9 @@ public class CPEAnalyzerTest extends BaseIndexTestCase { instance.determineCPE(spring3); instance.close(); Assert.assertTrue("Incorrect match size - struts", depends.getIdentifiers().size() >= 1); - Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().get(0).getValue().equals(expResult)); + + + Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().contains(expIdentifier)); //the following two only work if the HintAnalyzer is used. //Assert.assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1); //Assert.assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring)); diff --git a/src/test/java/org/owasp/dependencycheck/data/cwe/CweDBTest.java b/src/test/java/org/owasp/dependencycheck/data/cwe/CweDBTest.java index 9c28c7c57..a00f5e963 100644 --- a/src/test/java/org/owasp/dependencycheck/data/cwe/CweDBTest.java +++ b/src/test/java/org/owasp/dependencycheck/data/cwe/CweDBTest.java @@ -54,7 +54,7 @@ public class CweDBTest { /** * Method to serialize the CWE HashMap. This is not used in * production; this is only used once during dev to create - * the serialized hashmap. + * the serialized HashMap. */ // @Test // public void testUpdate() throws Exception { diff --git a/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java b/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java index 8799920f3..8d76245f9 100644 
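Review bot: The assertions left commented out at the end of the hunk still call `spring.getIdentifiers().get(0)`, which no longer exists now that `getIdentifiers()` returns a `Set`, so they will not compile if re-enabled; either update them to the `contains(...)` form used for struts, e.g. `//Assert.assertTrue("Incorrect match - spring", spring.getIdentifiers().contains(new Identifier("cpe", expResultSpring, expResultSpring)));`, or delete them. The two blank lines inserted before the struts assertion are noise. `expIdentifier` is built with `expResult` as both value and url, so the `contains` check only passes if the identifier the analyzer stores compares equal under `Identifier.compareTo` with that url; presumably the comparator ignores url or the analyzer stores the same value, which is worth confirming.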
--- a/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java +++ b/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java @@ -1,5 +1,6 @@ package org.owasp.dependencycheck.dependency; +import java.util.Set; import org.owasp.dependencycheck.dependency.EvidenceCollection; import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.dependency.Dependency; @@ -208,7 +209,7 @@ public class DependencyTest { public void testGetIdentifiers() { Dependency instance = new Dependency(); List expResult = null; - List result = instance.getIdentifiers(); + Set result = instance.getIdentifiers(); assertTrue(true); //this is just a getter setter pair. } @@ -218,7 +219,7 @@ public class DependencyTest { */ @Test public void testSetIdentifiers() { - List identifiers = null; + Set identifiers = null; Dependency instance = new Dependency(); instance.setIdentifiers(identifiers); assertTrue(true); //this is just a getter setter pair. @@ -232,13 +233,12 @@ public class DependencyTest { String type = "cpe"; String value = "cpe:/a:apache:struts:2.1.2"; String url = "http://somewhere"; + Identifier expResult = new Identifier(type,value,url); + Dependency instance = new Dependency(); instance.addIdentifier(type, value, url); assertEquals(1,instance.getIdentifiers().size()); - Identifier i = instance.getIdentifiers().get(0); - assertEquals(type,i.getType()); - assertEquals(value, i.getValue()); - assertEquals(url, i.getUrl()); + assertTrue("Identifier doesn't contain expected result.", instance.getIdentifiers().contains(expResult)); } /**
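Review bot: `testGetIdentifiers` still declares `List expResult = null;` next to the new `Set result = instance.getIdentifiers();` and then asserts `assertTrue(true)`, so the test checks nothing and carries a stale `List` local; the same placeholder assertion is in the `-218` hunk. Replacing it with `assertNotNull(instance.getIdentifiers());` and dropping `expResult` would give the getter a real assertion; `assertNotNull` would need to be statically imported alongside the `assertTrue`/`assertEquals` the file already uses. The `-232` hunk's `contains(expResult)` check is the right shape for a `Set`-backed API.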