github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-22 09:09:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Ruby Bundler: Clean up report a little bit, and grouped vulnerabilities under dependencies, when appropriate.

Browse Source
This commit is contained in:
Dale Visser
2015-08-29 11:06:24 -04:00
parent 6f4ce34840
commit 2eb6918fb3
1 changed files with 37 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
View File

@@ -30,7 +30,9 @@ import org.slf4j.LoggerFactory;
import java.io.*; import java.io.*;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map;
/** /**
* Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool. * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool.
@@ -193,6 +195,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
Dependency dependency = null; Dependency dependency = null;
Vulnerability vulnerability = null; Vulnerability vulnerability = null;
String gem = null; String gem = null;
final Map<String, Dependency> map = new HashMap<String, Dependency>();
int i = 0; int i = 0;
while (rdr.ready()) { while (rdr.ready()) {
final String nextLine = rdr.readLine(); final String nextLine = rdr.readLine();
@@ -201,16 +204,18 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
break; break;
} else if (nextLine.startsWith(NAME)) { } else if (nextLine.startsWith(NAME)) {
gem = nextLine.substring(NAME.length()); gem = nextLine.substring(NAME.length());
if (map.containsKey(gem)) {
dependency = map.get(gem);
} else {
final File tempFile = File.createTempFile("Gemfile-" + gem, ".lock", Settings.getTempDirectory()); final File tempFile = File.createTempFile("Gemfile-" + gem, ".lock", Settings.getTempDirectory());
final String displayFileName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem); final String displayFileName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem);
FileUtils.write(tempFile, displayFileName + "\n" + i); // unique contents to avoid dependency bundling FileUtils.write(tempFile, displayFileName + "\n" + i); // unique contents to avoid dependency bundling
dependency = new Dependency(tempFile); dependency = new Dependency(tempFile);
engine.getDependencies().add(dependency);
dependency.setDisplayFileName(displayFileName);
dependency.getProductEvidence().addEvidence("bundler-audit", "Name", gem, Confidence.HIGHEST); dependency.getProductEvidence().addEvidence("bundler-audit", "Name", gem, Confidence.HIGHEST);
vulnerability = new Vulnerability(); dependency.setDisplayFileName(displayFileName);
vulnerability.setName(gem); engine.getDependencies().add(dependency);
dependency.getVulnerabilities().add(vulnerability); map.put(gem, dependency);
}
LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine)); LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
} else if (nextLine.startsWith(VERSION)) { } else if (nextLine.startsWith(VERSION)) {
if (null != dependency) { if (null != dependency) {
@@ -220,6 +225,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
"Version", "Version",
version, version,
Confidence.HIGHEST); Confidence.HIGHEST);
vulnerability = new Vulnerability(); // don't add to dependency until we have name set later
vulnerability.setMatchedCPE( vulnerability.setMatchedCPE(
String.format("cpe:/a:%1$s_project:%1$s:%2$s::~~~ruby~~", gem, version), String.format("cpe:/a:%1$s_project:%1$s:%2$s::~~~ruby~~", gem, version),
null); null);
@@ -228,9 +234,19 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
} else if (nextLine.startsWith(ADVISORY)) { } else if (nextLine.startsWith(ADVISORY)) {
final String advisory = nextLine.substring((ADVISORY.length())); final String advisory = nextLine.substring((ADVISORY.length()));
vulnerability.setName(advisory); vulnerability.setName(advisory);
vulnerability.setCvssAccessVector("-");
vulnerability.setCvssAccessComplexity("-");
vulnerability.setCvssAuthentication("-");
vulnerability.setCvssAvailabilityImpact("-");
vulnerability.setCvssConfidentialityImpact("-");
vulnerability.setCvssIntegrityImpact("-");
if (null != dependency) {
dependency.getVulnerabilities().add(vulnerability);
}
LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine)); LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
} else if (nextLine.startsWith(CRITICALITY)) { } else if (nextLine.startsWith(CRITICALITY)) {
final String criticality = nextLine.substring(CRITICALITY.length()).trim(); final String criticality = nextLine.substring(CRITICALITY.length()).trim();
if (null != vulnerability) {
if ("High".equals(criticality)) { if ("High".equals(criticality)) {
vulnerability.setCvssScore(8.5f); vulnerability.setCvssScore(8.5f);
} else if ("Medium".equals(criticality)) { } else if ("Medium".equals(criticality)) {
@@ -240,6 +256,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
} else { } else {
vulnerability.setCvssScore(-1.0f); vulnerability.setCvssScore(-1.0f);
} }
}
LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine)); LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
} }
} }