github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-19 07:44:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

resolve version matching for issue #997

Browse Source
This commit is contained in:
Jeremy Long
2017-12-09 06:46:05 -05:00
parent a1012ded26
commit 412b72540a
4 changed files with 58 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
View File

@@ -956,7 +956,7 @@ public final class CveDB implements AutoCloseable {
} else { } else {
versionText = cpe.getVersion(); versionText = cpe.getVersion();
} }
cpeVersion = DependencyVersionUtil.parseVersion(versionText); cpeVersion = DependencyVersionUtil.parseVersion(versionText, true);
} else { } else {
cpeVersion = new DependencyVersion("-"); cpeVersion = new DependencyVersion("-");
} }

21
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
View File

@@ -70,6 +70,25 @@ public final class DependencyVersionUtil {
* @return a DependencyVersion containing the version * @return a DependencyVersion containing the version
*/ */
public static DependencyVersion parseVersion(String text) { public static DependencyVersion parseVersion(String text) {
return parseVersion(text, false);
}
/**
* <p>
* A utility class to extract version numbers from file names (or other
* strings containing version numbers.</p>
* <pre>
* Example:
* Give the file name: library-name-1.4.1r2-release.jar
* This function would return: 1.4.1.r2</pre>
*
* @param text the text being analyzed
* @param firstMatchOnly if <code>false</code> and more then one
* version string is found in the given text, null will be returned.
* Otherwise, the first version found will be returned.
* @return a DependencyVersion containing the version
*/
public static DependencyVersion parseVersion(String text, boolean firstMatchOnly) {
if (text == null) { if (text == null) {
return null; return null;
} }
@@ -87,7 +106,7 @@ public final class DependencyVersionUtil {
version = matcher.group(); version = matcher.group();
} }
//throw away the results if there are two things that look like version numbers //throw away the results if there are two things that look like version numbers
if (matcher.find()) { if (!firstMatchOnly && matcher.find()) {
return null; return null;
} }
if (version == null) { if (version == null) {

8
dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
View File

@@ -958,7 +958,13 @@
<gav regex="true">^org\.codehaus\.groovy:groovy-all:.*$</gav> <gav regex="true">^org\.codehaus\.groovy:groovy-all:.*$</gav>
<cve>CVE-2016-6497</cve> <cve>CVE-2016-6497</cve>
</suppress> </suppress>
<!--suppress base="true">
<notes><![CDATA[
FP per issue #997 - actual fix was in DependencyVersionUtils
]]></notes>
<gav regex="true">^com\.typesafe\.play:play-netty-utils:.*$</gav>
<cpe>cpe:/a:playframework:play_framework</cpe>
</suppress-->
<suppress base="true"> <suppress base="true">
<notes><![CDATA[ <notes><![CDATA[

31
dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java
View File

@@ -33,7 +33,7 @@ public class DependencyVersionUtilTest extends BaseTest {
* Test of parseVersion method, of class DependencyVersionUtil. * Test of parseVersion method, of class DependencyVersionUtil.
*/ */
@Test @Test
public void testParseVersion() { public void testParseVersion_String() {
final String[] fileName = {"something-0.9.5.jar", "lib2-1.1.jar", "lib1.5r4-someflag-R26.jar", final String[] fileName = {"something-0.9.5.jar", "lib2-1.1.jar", "lib1.5r4-someflag-R26.jar",
"lib-1.2.5-dev-20050313.jar", "testlib_V4.4.0.jar", "lib-core-2.0.0-RC1-SNAPSHOT.jar", "lib-1.2.5-dev-20050313.jar", "testlib_V4.4.0.jar", "lib-core-2.0.0-RC1-SNAPSHOT.jar",
"lib-jsp-2.0.1_R114940.jar", "dev-api-2.3.11_R121413.jar", "lib-api-3.7-SNAPSHOT.jar", "lib-jsp-2.0.1_R114940.jar", "dev-api-2.3.11_R121413.jar", "lib-api-3.7-SNAPSHOT.jar",
@@ -59,4 +59,33 @@ public class DependencyVersionUtilTest extends BaseTest {
assertNull("Found version in name that should have failed \"" + failingName + "\".", version); assertNull("Found version in name that should have failed \"" + failingName + "\".", version);
} }
} }
/**
* Test of parseVersion method, of class DependencyVersionUtil.
*/
@Test
public void testParseVersion_String_boolean() {
//cpe:/a:playframework:play_framework:2.1.1:rc1-2.9.x-backport
String text = "2.1.1.rc1.2.9.x-backport";
boolean firstMatchOnly = false;
DependencyVersion expResult = null;
DependencyVersion result = DependencyVersionUtil.parseVersion(text, firstMatchOnly);
assertNull(result);
firstMatchOnly = true;
expResult = DependencyVersionUtil.parseVersion("2.1.1.rc1");
result = DependencyVersionUtil.parseVersion(text, firstMatchOnly);
assertEquals(expResult, result);
}
/**
* Test of parsePreVersion method, of class DependencyVersionUtil.
*/
@Test
public void testParsePreVersion() {
String text = "library-name-1.4.1r2-release.jar";
String expResult = "library-name";
String result = DependencyVersionUtil.parsePreVersion(text);
assertEquals(expResult, result);
}
} }