Remove the redundant top level entry for composer.lock once the child

dependencies are processed. This main entry is empty of evidence because everything is added into the new dependencies.
2026-01-15 00:03:43 +01:00 · 2017-09-17 18:01:40 -04:00
parent bbd59be1d6
commit 3b00b764ac
1 changed files with 18 additions and 3 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
@@ -105,8 +105,14 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
            final ComposerLockParser clp = new ComposerLockParser(fis);
            LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath());
            clp.process();
+            //if dependencies are found in the lock, then there is always an empty shell dependency left behind for the
+    	    		//composer.lock. The first pass through, reuse the top level dependency, and add new ones for the rest.
+            boolean processedAtLeastOneDep = false;
            for (ComposerDependency dep : clp.getDependencies()) {
-                final Dependency d = new Dependency(dependency.getActualFile());
+            		
+            		final Dependency d = new Dependency(dependency.getActualFile());
+            	    
+            			
                d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
                final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
                final MessageDigest sha1 = getSha1MessageDigest();
@@ -115,8 +121,17 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
                d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
                d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
                d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
-                LOGGER.info("Adding dependency {}", d);
-                engine.getDependencies().add(d);
+                
+                LOGGER.info("Adding dependency {}", d.getDisplayFileName());
+        			engine.getDependencies().add(d);	
+                
+                //make sure we only remove the main dependency if we went through this loop at least once.
+                	processedAtLeastOneDep = true;
+                }
+            //remove the dependency at the end because it's referenced in the loop itself.
+            if (processedAtLeastOneDep) {
+            		LOGGER.info("Removing main redundant dependency {}",dependency.getDisplayFileName());
+            		engine.getDependencies().remove(dependency);   
            }
        } catch (IOException ex) {
            LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath());