bug fixes

Former-commit-id: 4c1161542509a2e2e9b78be119a230e1d8cf4cfc

src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -178,7 +178,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      * @param dependency the dependency to remove JRE CPEs from
      */
     private void removeJreEntries(Dependency dependency) {
-        final List<Identifier> identifiers = dependency.getIdentifiers();
+        final Set<Identifier> identifiers = dependency.getIdentifiers();
         final Iterator<Identifier> itr = identifiers.iterator();
         while (itr.hasNext()) {
             final Identifier i = itr.next();

src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -98,12 +98,24 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
                 "org.springframework.core",
                 Evidence.Confidence.HIGH);
 
-        final Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
+        final Evidence springTest3 = new Evidence("Manifest",
+                "Bundle-Vendor",
+                "SpringSource",
+                Evidence.Confidence.HIGH);
+
+
+        Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
         if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
             dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("a priori", "vendor", "SpringSource", Evidence.Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH);
         }
 
+        evidence = dependency.getVendorEvidence().getEvidence();
+        if (evidence.contains(springTest3)) {
+            dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH);
+        }
+
     }
 }

src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -68,7 +68,7 @@ public class Dependency implements Comparable<Dependency> {
     /**
      * A list of Identifiers.
      */
-    private List<Identifier> identifiers;
+    private Set<Identifier> identifiers;
     /**
      * A collection of vendor evidence.
      */
@@ -89,7 +89,7 @@ public class Dependency implements Comparable<Dependency> {
         vendorEvidence = new EvidenceCollection();
         productEvidence = new EvidenceCollection();
         versionEvidence = new EvidenceCollection();
-        identifiers = new ArrayList<Identifier>();
+        identifiers = new TreeSet<Identifier>();
         vulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
     }
 
@@ -222,7 +222,7 @@ public class Dependency implements Comparable<Dependency> {
      *
      * @return an ArrayList of Identifiers.
      */
-    public List<Identifier> getIdentifiers() {
+    public Set<Identifier> getIdentifiers() {
         return this.identifiers;
     }
 
@@ -231,7 +231,7 @@ public class Dependency implements Comparable<Dependency> {
      *
      * @param identifiers A list of Identifiers.
      */
-    public void setIdentifiers(List<Identifier> identifiers) {
+    public void setIdentifiers(Set<Identifier> identifiers) {
         this.identifiers = identifiers;
     }
 

src/main/java/org/owasp/dependencycheck/dependency/Identifier.java

@@ -31,7 +31,7 @@ public class Identifier implements Comparable<Identifier> {
      * @param value the identifier value.
      * @param url the identifier url.
      */
-    Identifier(String type, String value, String url) {
+    public Identifier(String type, String value, String url) {
         this.type = type;
         this.value = value;
         this.url = url;
@@ -45,7 +45,7 @@ public class Identifier implements Comparable<Identifier> {
      * @param url the identifier url.
      * @param description the description of the identifier.
      */
-    Identifier(String type, String value, String url, String description) {
+    public Identifier(String type, String value, String url, String description) {
         this(type, value, url);
         this.description = description;
     }

src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java

@@ -48,6 +48,12 @@ import org.owasp.dependencycheck.dependency.Dependency;
  */
 public class ReportGenerator {
 
+    public enum Format {
+        ALL,
+        XML,
+        HTML
+    }
+
     /**
      * The Velocity Engine.
      */
@@ -105,18 +111,39 @@ public class ReportGenerator {
     /**
      * Generates the Dependency Reports for the identified dependencies.
      *
-     * @param outputDir the path where the reports should be written.
+     * @param outputDir the path where the reports should be written
-     * @param outputFormat the format the report should be written in.
+     * @param format the format the report should be written in
-     * @throws IOException is thrown when the template file does not exist.
+     * @throws IOException is thrown when the template file does not exist
+     * @throws Exception is thrown if there is an error writing out the
+     * reports.
+     */
+    public void generateReports(String outputDir, Format format) throws IOException, Exception {
+        if (format == Format.XML || format == Format.ALL) {
+            generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
+        }
+        if (format == Format.HTML || format == Format.ALL) {
+            generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
+        }
+    }
+
+    /**
+     * Generates the Dependency Reports for the identified dependencies.
+     *
+     * @param outputDir the path where the reports should be written
+     * @param outputFormat the format the report should be written in (XML, HTML, ALL)
+     * @throws IOException is thrown when the template file does not exist
      * @throws Exception is thrown if there is an error writing out the
      * reports.
      */
     public void generateReports(String outputDir, String outputFormat) throws IOException, Exception {
-        if ("XML".equalsIgnoreCase(outputFormat) || "ALL".equalsIgnoreCase(outputFormat)) {
+        if ("XML".equalsIgnoreCase(outputFormat)) {
-            generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
+            generateReports(outputDir, Format.XML);
         }
-        if ("HTML".equalsIgnoreCase(outputFormat) || "ALL".equalsIgnoreCase(outputFormat)) {
+        if ("HTML".equalsIgnoreCase(outputFormat)) {
-            generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
+            generateReports(outputDir, Format.XML);
+        }
+        if ("ALL".equalsIgnoreCase(outputFormat)) {
+            generateReports(outputDir, Format.ALL);
         }
     }
 
@@ -130,7 +157,7 @@ public class ReportGenerator {
      * @throws IOException is thrown when the template file does not exist.
      * @throws Exception is thrown when an exception occurs.
      */
-    public void generateReport(String templateName, String outFileName) throws IOException, Exception {
+    protected void generateReport(String templateName, String outFileName) throws IOException, Exception {
         InputStream input = null;
         String templatePath = null;
         final File f = new File(templateName);

src/test/java/org/owasp/dependencycheck/data/cpe/CPEAnalyzerTest.java

@@ -31,6 +31,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.analyzer.JarAnalyzer;
 import org.junit.Assert;
 import org.junit.Test;
+import org.owasp.dependencycheck.dependency.Identifier;
 
 /**
  *
@@ -110,6 +111,7 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
         CPEAnalyzer instance = new CPEAnalyzer();
         instance.open();
         String expResult = "cpe:/a:apache:struts:2.1.2";
+        Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
         String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
         String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";
         instance.determineCPE(depends);
@@ -117,7 +119,9 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
         instance.determineCPE(spring3);
         instance.close();
         Assert.assertTrue("Incorrect match size - struts", depends.getIdentifiers().size() >= 1);
-        Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().get(0).getValue().equals(expResult));
+
+
+        Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().contains(expIdentifier));
         //the following two only work if the HintAnalyzer is used.
         //Assert.assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);
         //Assert.assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring));

src/test/java/org/owasp/dependencycheck/data/cwe/CweDBTest.java

@@ -54,7 +54,7 @@ public class CweDBTest {
     /**
      * Method to serialize the CWE HashMap. This is not used in
      * production; this is only used once during dev to create
-     * the serialized hashmap.
+     * the serialized HashMap.
      */
 //    @Test
 //    public void testUpdate() throws Exception {

src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java

@@ -1,5 +1,6 @@
 package org.owasp.dependencycheck.dependency;
 
+import java.util.Set;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -208,7 +209,7 @@ public class DependencyTest {
     public void testGetIdentifiers() {
         Dependency instance = new Dependency();
         List expResult = null;
-        List result = instance.getIdentifiers();
+        Set<Identifier> result = instance.getIdentifiers();
 
         assertTrue(true); //this is just a getter setter pair.
     }
@@ -218,7 +219,7 @@ public class DependencyTest {
      */
     @Test
     public void testSetIdentifiers() {
-        List<Identifier> identifiers = null;
+        Set<Identifier> identifiers = null;
         Dependency instance = new Dependency();
         instance.setIdentifiers(identifiers);
         assertTrue(true); //this is just a getter setter pair.
@@ -232,13 +233,12 @@ public class DependencyTest {
         String type = "cpe";
         String value = "cpe:/a:apache:struts:2.1.2";
         String url = "http://somewhere";
+        Identifier expResult = new Identifier(type,value,url);
+
         Dependency instance = new Dependency();
         instance.addIdentifier(type, value, url);
         assertEquals(1,instance.getIdentifiers().size());
-        Identifier i = instance.getIdentifiers().get(0);
+        assertTrue("Identifier doesn't contain expected result.", instance.getIdentifiers().contains(expResult));
-        assertEquals(type,i.getType());
-        assertEquals(value, i.getValue());
-        assertEquals(url, i.getUrl());
     }
 
     /**