github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-23 17:41:28 +01:00
Code Issues Packages Projects Releases Wiki Activity

checkstyle suggested cleanup

Browse Source
This commit is contained in:
Jeremy Long
2017-09-12 08:55:57 -04:00
parent 82a5b4ab12
commit 4358952e17
24 changed files with 73 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
View File

@@ -51,6 +51,7 @@ public class Purge extends Task {
* occurs. * occurs.
*/ */
private boolean failOnError = true; private boolean failOnError = true;
/** /**
* Construct a new DependencyCheckTask. * Construct a new DependencyCheckTask.
*/ */

5
dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
View File

@@ -58,6 +58,11 @@ public final class CliParser {
*/ */
private final Settings settings; private final Settings settings;
/**
* Constructs a new CLI Parser object with the configured settings.
*
* @param settings the configured settings
*/
public CliParser(Settings settings) { public CliParser(Settings settings) {
this.settings = settings; this.settings = settings;
} }

11
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
View File

@@ -246,6 +246,17 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
engine.sortDependencies(); engine.sortDependencies();
} }
/**
* Extracts the contents of the archive dependency and scans for additional
* dependencies.
*
* @param dependency the dependency being analyzed
* @param engine the engine doing the analysis
* @param scanDepth the current scan depth; extracctAndAnalyze is recursive
* and will, be default, only go 3 levels deep
* @throws AnalysisException thrown if there is a problem analyzing the
* dependencies
*/
private void extractAndAnalyze(Dependency dependency, Engine engine, int scanDepth) throws AnalysisException { private void extractAndAnalyze(Dependency dependency, Engine engine, int scanDepth) throws AnalysisException {
final File f = new File(dependency.getActualFilePath()); final File f = new File(dependency.getActualFilePath());
final File tmpDir = getNextTempDirectory(); final File tmpDir = getNextTempDirectory();

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
View File

@@ -28,7 +28,6 @@ import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.FileUtils; import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.Settings;

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View File

@@ -241,7 +241,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
final StringBuilder sb = new StringBuilder(); final StringBuilder sb = new StringBuilder();
sb.append(' ').append(txt).append(' '); sb.append(' ').append(txt).append(' ');
for (Evidence e : evidence) { for (Evidence e : evidence) {
String value = e.getValue(); final String value = e.getValue();
//removed as the URLTokenizingFilter was created //removed as the URLTokenizingFilter was created
//hack to get around the fact that lucene does a really good job of recognizing domains and not splitting them. //hack to get around the fact that lucene does a really good job of recognizing domains and not splitting them.
// if (value.startsWith("http://")) { // if (value.startsWith("http://")) {
@@ -499,7 +499,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
boolean found = false; boolean found = false;
for (Evidence e : evidence) { for (Evidence e : evidence) {
if (e.getValue().toLowerCase().contains(word.toLowerCase())) { if (e.getValue().toLowerCase().contains(word.toLowerCase())) {
if ("http".equals(word)&& e.getValue().contains("http:")) { if ("http".equals(word) && e.getValue().contains("http:")) {
continue; continue;
} }
found = true; found = true;

10
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
View File

@@ -141,25 +141,25 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "name_project", name, Confidence.HIGHEST); dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "name_project", name, Confidence.HIGHEST);
dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "name_project", name, Confidence.HIGHEST); dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "name_project", name, Confidence.HIGHEST);
} }
String summary = determineEvidence(contents, blockVariable, "summary"); final String summary = determineEvidence(contents, blockVariable, "summary");
if (!summary.isEmpty()) { if (!summary.isEmpty()) {
dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "summary", summary, Confidence.HIGHEST); dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "summary", summary, Confidence.HIGHEST);
} }
String author = determineEvidence(contents, blockVariable, "authors?"); final String author = determineEvidence(contents, blockVariable, "authors?");
if (!author.isEmpty()) { if (!author.isEmpty()) {
dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "author", author, Confidence.HIGHEST); dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "author", author, Confidence.HIGHEST);
} }
String homepage = determineEvidence(contents, blockVariable, "homepage"); final String homepage = determineEvidence(contents, blockVariable, "homepage");
if (!homepage.isEmpty()) { if (!homepage.isEmpty()) {
dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "homepage", homepage, Confidence.HIGHEST); dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "homepage", homepage, Confidence.HIGHEST);
} }
String license = determineEvidence(contents, blockVariable, "licen[cs]es?"); final String license = determineEvidence(contents, blockVariable, "licen[cs]es?");
if (!license.isEmpty()) { if (!license.isEmpty()) {
dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "license", license, Confidence.HIGHEST); dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "license", license, Confidence.HIGHEST);
} }
String version = determineEvidence(contents, blockVariable, "version"); final String version = determineEvidence(contents, blockVariable, "version");
if (!version.isEmpty()) { if (!version.isEmpty()) {
dependency.addEvidence(EvidenceType.VERSION, PODSPEC, "version", version, Confidence.HIGHEST); dependency.addEvidence(EvidenceType.VERSION, PODSPEC, "version", version, Confidence.HIGHEST);
} }

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
View File

@@ -18,7 +18,6 @@
package org.owasp.dependencycheck.analyzer; package org.owasp.dependencycheck.analyzer;
import java.io.File; import java.io.File;
import java.util.Iterator;
import java.util.Set; import java.util.Set;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
View File

@@ -18,7 +18,6 @@
package org.owasp.dependencycheck.analyzer; package org.owasp.dependencycheck.analyzer;
import java.io.File; import java.io.File;
import java.util.Iterator;
import java.util.Set; import java.util.Set;
import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence; import org.owasp.dependencycheck.dependency.Evidence;

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
View File

@@ -23,7 +23,6 @@ import java.net.URLEncoder;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.HashSet; import java.util.HashSet;
import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.ListIterator; import java.util.ListIterator;
import java.util.Set; import java.util.Set;

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
View File

@@ -114,7 +114,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer {
// a shade. This should hopefully correct for cases like log4j.jar or // a shade. This should hopefully correct for cases like log4j.jar or
// struts2-core.jar // struts2-core.jar
if (version.getVersionParts() == null || version.getVersionParts().size() < 2) { if (version.getVersionParts() == null || version.getVersionParts().size() < 2) {
dependency.addEvidence(EvidenceType.VERSION, "file", "version",version.toString(), Confidence.MEDIUM); dependency.addEvidence(EvidenceType.VERSION, "file", "version", version.toString(), Confidence.MEDIUM);
} else { } else {
dependency.addEvidence(EvidenceType.VERSION, "file", "version", version.toString(), Confidence.HIGHEST); dependency.addEvidence(EvidenceType.VERSION, "file", "version", version.toString(), Confidence.HIGHEST);
} }

6
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
View File

@@ -209,7 +209,8 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
if (value instanceof JsonString) { if (value instanceof JsonString) {
final String valueString = ((JsonString) value).getString(); final String valueString = ((JsonString) value).getString();
dependency.addEvidence(EvidenceType.PRODUCT, PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); dependency.addEvidence(EvidenceType.PRODUCT, PACKAGE_JSON, "name", valueString, Confidence.HIGHEST);
dependency.addEvidence(EvidenceType.VENDOR, PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW); dependency.addEvidence(EvidenceType.VENDOR, PACKAGE_JSON, "name_project",
String.format("%s_project", valueString), Confidence.LOW);
} else { } else {
LOGGER.warn("JSON value not string as expected: {}", value); LOGGER.warn("JSON value not string as expected: {}", value);
} }
@@ -338,8 +339,9 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
* Adds information to an evidence collection from the node json * Adds information to an evidence collection from the node json
* configuration. * configuration.
* *
* @param dep the dependency to which the evidence will be added
* @param type the type of evidence to be added
* @param json information from node.js * @param json information from node.js
* @param collection a set of evidence about a dependency
* @param key the key to obtain the data from the json information * @param key the key to obtain the data from the json information
*/ */
private void addToEvidence(Dependency dep, EvidenceType type, JsonObject json, String key) { private void addToEvidence(Dependency dep, EvidenceType type, JsonObject json, String key) {

8
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
View File

@@ -141,11 +141,11 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
} }
if (np.getOwners() != null) { if (np.getOwners() != null) {
dependency.addEvidence(EvidenceType.VENDOR,"nuspec", "owners", np.getOwners(), Confidence.HIGHEST); dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "owners", np.getOwners(), Confidence.HIGHEST);
} }
dependency.addEvidence(EvidenceType.VENDOR,"nuspec", "authors", np.getAuthors(), Confidence.HIGH); dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "authors", np.getAuthors(), Confidence.HIGH);
dependency.addEvidence(EvidenceType.VERSION,"nuspec", "version", np.getVersion(), Confidence.HIGHEST); dependency.addEvidence(EvidenceType.VERSION, "nuspec", "version", np.getVersion(), Confidence.HIGHEST);
dependency.addEvidence(EvidenceType.PRODUCT,"nuspec", "id", np.getId(), Confidence.HIGHEST); dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "id", np.getId(), Confidence.HIGHEST);
if (np.getTitle() != null) { if (np.getTitle() != null) {
dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "title", np.getTitle(), Confidence.MEDIUM); dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "title", np.getTitle(), Confidence.MEDIUM);
} }

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
View File

@@ -299,8 +299,8 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
* *
* @param dependency the dependency being analyzed * @param dependency the dependency being analyzed
* @param type the type of evidence to add * @param type the type of evidence to add
* @param confidence the confidence in the evidence being added
* @param headers the properties collection * @param headers the properties collection
* @param evidence the evidence collection to add the value
* @param property the property name * @param property the property name
*/ */
private static void addPropertyToEvidence(Dependency dependency, EvidenceType type, Confidence confidence, private static void addPropertyToEvidence(Dependency dependency, EvidenceType type, Confidence confidence,

7
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java
View File

@@ -18,7 +18,6 @@
package org.owasp.dependencycheck.analyzer; package org.owasp.dependencycheck.analyzer;
import java.util.HashSet; import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects; import java.util.Objects;
import java.util.Set; import java.util.Set;
import javax.annotation.concurrent.ThreadSafe; import javax.annotation.concurrent.ThreadSafe;
@@ -154,8 +153,8 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer {
final boolean pomMatch = Objects.equals(dvPom, dvFile) || Objects.equals(dvPom, dvManifest); final boolean pomMatch = Objects.equals(dvPom, dvFile) || Objects.equals(dvPom, dvManifest);
if (fileMatch || manifestMatch || pomMatch) { if (fileMatch || manifestMatch || pomMatch) {
LOGGER.debug("filtering evidence from {}", dependency.getFileName()); LOGGER.debug("filtering evidence from {}", dependency.getFileName());
Set<Evidence> remove = new HashSet<>(); final Set<Evidence> remove = new HashSet<>();
for(Evidence e : dependency.getEvidence(EvidenceType.VERSION)) { for (Evidence e : dependency.getEvidence(EvidenceType.VERSION)) {
if (!(pomMatch && VERSION.equals(e.getName()) if (!(pomMatch && VERSION.equals(e.getName())
&& (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource()))) && (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource())))
&& !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource())) && !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource()))
@@ -163,7 +162,7 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer {
remove.add(e); remove.add(e);
} }
} }
for (Evidence e: remove) { for (Evidence e : remove) {
dependency.removeEvidence(EvidenceType.VERSION, e); dependency.removeEvidence(EvidenceType.VERSION, e);
} }
} }

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
View File

@@ -151,8 +151,8 @@ public final class CpeMemoryIndex implements AutoCloseable {
private Analyzer createSearchingAnalyzer() { private Analyzer createSearchingAnalyzer() {
final Map<String, Analyzer> fieldAnalyzers = new HashMap<>(); final Map<String, Analyzer> fieldAnalyzers = new HashMap<>();
fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer()); fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
SearchFieldAnalyzer productFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION); final SearchFieldAnalyzer productFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
SearchFieldAnalyzer vendorFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION); final SearchFieldAnalyzer vendorFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
fieldAnalyzers.put(Fields.PRODUCT, productFieldAnalyzer); fieldAnalyzers.put(Fields.PRODUCT, productFieldAnalyzer);
fieldAnalyzers.put(Fields.VENDOR, vendorFieldAnalyzer); fieldAnalyzers.put(Fields.VENDOR, vendorFieldAnalyzer);

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceType.java
View File

@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.dependency;
/** /**
* The types of evidence. * The types of evidence.
*
* @author jeremy long * @author jeremy long
*/ */
public enum EvidenceType { public enum EvidenceType {

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
View File

@@ -367,7 +367,7 @@ public class SuppressionRule {
} }
if (this.hasCpe()) { if (this.hasCpe()) {
Set<Identifier> removalList = new HashSet<>(); final Set<Identifier> removalList = new HashSet<>();
for (Identifier i : dependency.getIdentifiers()) { for (Identifier i : dependency.getIdentifiers()) {
for (PropertyType c : this.cpe) { for (PropertyType c : this.cpe) {
if (identifierMatches("cpe", c, i)) { if (identifierMatches("cpe", c, i)) {
@@ -387,7 +387,7 @@ public class SuppressionRule {
} }
} }
if (hasCve() || hasCwe() || hasCvssBelow()) { if (hasCve() || hasCwe() || hasCvssBelow()) {
Set<Vulnerability> removeVulns = new HashSet<>(); final Set<Vulnerability> removeVulns = new HashSet<>();
for (Vulnerability v : dependency.getVulnerabilities()) { for (Vulnerability v : dependency.getVulnerabilities()) {
boolean remove = false; boolean remove = false;
for (String entry : this.cve) { for (String entry : this.cve) {

2
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
View File

@@ -1080,6 +1080,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
if (server != null) { if (server != null) {
databaseUser = server.getUsername(); databaseUser = server.getUsername();
try { try {
//CSOFF: LineLength
//The following fix was copied from: //The following fix was copied from:
// https://github.com/bsorrentino/maven-confluence-plugin/blob/master/maven-confluence-reporting-plugin/src/main/java/org/bsc/maven/confluence/plugin/AbstractBaseConfluenceMojo.java // https://github.com/bsorrentino/maven-confluence-plugin/blob/master/maven-confluence-reporting-plugin/src/main/java/org/bsc/maven/confluence/plugin/AbstractBaseConfluenceMojo.java
// //
@@ -1087,6 +1088,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
// org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: // org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException:
// java.io.FileNotFoundException: ~/.settings-security.xml (No such file or directory) // java.io.FileNotFoundException: ~/.settings-security.xml (No such file or directory)
// //
//CSON: LineLength
if (securityDispatcher instanceof DefaultSecDispatcher) { if (securityDispatcher instanceof DefaultSecDispatcher) {
((DefaultSecDispatcher) securityDispatcher).setConfigurationFile("~/.m2/settings-security.xml"); ((DefaultSecDispatcher) securityDispatcher).setConfigurationFile("~/.m2/settings-security.xml");
} }

1
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java
View File

@@ -30,7 +30,6 @@ import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException; import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.exception.ExceptionCollection; import org.owasp.dependencycheck.exception.ExceptionCollection;
import org.owasp.dependencycheck.exception.ReportException; import org.owasp.dependencycheck.exception.ReportException;
import org.owasp.dependencycheck.utils.Settings;
/** /**
* Maven Plugin that checks the project dependencies to see if they have any * Maven Plugin that checks the project dependencies to see if they have any

1
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java
View File

@@ -26,7 +26,6 @@ import org.apache.maven.plugins.annotations.ResolutionScope;
import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException; import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.update.exception.UpdateException; import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.Settings;
/** /**
* Maven Plugin that checks the project dependencies to see if they have any * Maven Plugin that checks the project dependencies to see if they have any

3
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java
View File

@@ -71,7 +71,8 @@ public class SSLSocketFactoryEx extends SSLSocketFactory {
* supported * supported
* @throws KeyManagementException thrown if initialization fails * @throws KeyManagementException thrown if initialization fails
*/ */
public SSLSocketFactoryEx(KeyManager[] km, TrustManager[] tm, SecureRandom random, Settings settings) throws NoSuchAlgorithmException, KeyManagementException { public SSLSocketFactoryEx(KeyManager[] km, TrustManager[] tm, SecureRandom random, Settings settings)
throws NoSuchAlgorithmException, KeyManagementException {
this.settings = settings; this.settings = settings;
initSSLSocketFactoryEx(km, tm, random); initSSLSocketFactoryEx(km, tm, random);
} }

2
src/main/config/checkstyle-checks.xml
View File

@@ -197,7 +197,7 @@
<property name="braceAdjustment" value="0"/> <property name="braceAdjustment" value="0"/>
<property name="caseIndent" value="0"/> <property name="caseIndent" value="0"/>
</module--> </module-->
<module name="ArrayTrailingComma"/> <!--module name="ArrayTrailingComma"/-->
<module name="FinalLocalVariable"/> <module name="FinalLocalVariable"/>
<module name="EqualsAvoidNull"/> <module name="EqualsAvoidNull"/>
<module name="ParameterAssignment"/> <module name="ParameterAssignment"/>