checkstyle/pmd/findbugs fixes

Former-commit-id: b7b60a9649e79b1ea30d0a0601b8212679ad59b7
Jeremy Long
2013-04-23 20:22:51 -04:00
parent f40fa460ca
commit 43e1ee3e67
6 changed files with 64 additions and 72 deletions


@@ -14,6 +14,6 @@
^ \* You should have received a copy of the GNU General Public License along with\s*$ ^ \* You should have received a copy of the GNU General Public License along with\s*$
^ \* DependencyCheck\. If not, see http://www.gnu.org/licenses/\.\s*$ ^ \* DependencyCheck\. If not, see http://www.gnu.org/licenses/\.\s*$
^ \*\s*$ ^ \*\s*$
^ \* Copyright \(c\) 2012 Jeremy Long\. All Rights Reserved\.\s*$ ^ \* Copyright \(c\) 201[23] Jeremy Long\. All Rights Reserved\.\s*$
^ \*/\s*$ ^ \*/\s*$
^package ^package


@@ -119,27 +119,27 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
* @param dependency the dependency being analyzed * @param dependency the dependency being analyzed
*/ */
private void removeSpuriousCPE(Dependency dependency) { private void removeSpuriousCPE(Dependency dependency) {
List<Identifier> ids = new ArrayList<Identifier>(); final List<Identifier> ids = new ArrayList<Identifier>();
ids.addAll(dependency.getIdentifiers()); ids.addAll(dependency.getIdentifiers());
ListIterator<Identifier> mainItr = ids.listIterator(); final ListIterator<Identifier> mainItr = ids.listIterator();
while (mainItr.hasNext()) { while (mainItr.hasNext()) {
Identifier currentId = mainItr.next(); final Identifier currentId = mainItr.next();
Entry currentCpe = parseCpe(currentId.getType(), currentId.getValue()); final Entry currentCpe = parseCpe(currentId.getType(), currentId.getValue());
if (currentCpe == null) { if (currentCpe == null) {
continue; continue;
} }
ListIterator<Identifier> subItr = ids.listIterator(mainItr.nextIndex()); final ListIterator<Identifier> subItr = ids.listIterator(mainItr.nextIndex());
while (subItr.hasNext()) { while (subItr.hasNext()) {
Identifier nextId = subItr.next(); final Identifier nextId = subItr.next();
Entry nextCpe = parseCpe(nextId.getType(), nextId.getValue()); final Entry nextCpe = parseCpe(nextId.getType(), nextId.getValue());
if (nextCpe == null) { if (nextCpe == null) {
continue; continue;
} }
if (currentCpe.getVendor().equals(nextCpe.getVendor())) { if (currentCpe.getVendor().equals(nextCpe.getVendor())) {
if (currentCpe.getProduct().equals(nextCpe.getProduct())) { if (currentCpe.getProduct().equals(nextCpe.getProduct())) {
// see if one is contained in the other.. remove the contained one from dependency.getIdentifier // see if one is contained in the other.. remove the contained one from dependency.getIdentifier
String mainVersion = currentCpe.getVersion(); final String mainVersion = currentCpe.getVersion();
String nextVersion = nextCpe.getVersion(); final String nextVersion = nextCpe.getVersion();
if (mainVersion.length() < nextVersion.length()) { if (mainVersion.length() < nextVersion.length()) {
if (nextVersion.startsWith(mainVersion)) { if (nextVersion.startsWith(mainVersion)) {
//remove mainVersion //remove mainVersion
@@ -155,8 +155,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
if (currentCpe.getVersion().equals(nextCpe.getVersion())) { if (currentCpe.getVersion().equals(nextCpe.getVersion())) {
//same vendor and version - but different products //same vendor and version - but different products
// are we dealing with something like Axis & Axis2 // are we dealing with something like Axis & Axis2
String currentProd = currentCpe.getProduct(); final String currentProd = currentCpe.getProduct();
String nextProd = nextCpe.getProduct(); final String nextProd = nextCpe.getProduct();
if (currentProd.startsWith(nextProd)) { if (currentProd.startsWith(nextProd)) {
dependency.getIdentifiers().remove(nextId); dependency.getIdentifiers().remove(nextId);
} }
@@ -169,20 +169,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
} }
} }
} }
/*
* NOTE - don't remove the two different vendors.
*
currentCpe: currentCpe:/a:mortbay:jetty:4.2.27
currentCpe: currentCpe:/a:mortbay_jetty:jetty:4.2
currentCpe: currentCpe:/a:mortbay:jetty:4.2
*
Source Name Value
file name org.mortbay.jetty
Manifest Implementation-Vendor Mort Bay Consulting, Pty. Ltd.
Manifest Implementation-Version 4.2.27
*/
} }
/** /**
@@ -205,11 +191,17 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
} }
} }
/**
* Parses a CPE string into an Entry.
* @param type the type of identifier
* @param value the cpe identifier to parse
* @return an Entry constructed from the identifier
*/
private Entry parseCpe(String type, String value) { private Entry parseCpe(String type, String value) {
if (!"cpe".equals(type)) { if (!"cpe".equals(type)) {
return null; return null;
} }
Entry cpe = new Entry(); final Entry cpe = new Entry();
try { try {
cpe.parseName(value); cpe.parseName(value);
} catch (UnsupportedEncodingException ex) { } catch (UnsupportedEncodingException ex) {
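Review bot: The new Javadoc's `@return` on parseCpe omits the null case the body visibly has: the method returns null when `type` is not "cpe", and removeSpuriousCPE (first hunk) null-checks every result, so the null contract is part of the method's interface and should be stated. Suggest `* @return an Entry constructed from the identifier, or null if the identifier is not a CPE` — and, if the catch block that begins on the hunk's last line also returns null, extend it with "or could not be parsed"; that block lies outside the hunk, so confirm before documenting it. parseCpe's body continues past the hunk, as does removeSpuriousCPE's in the first hunk.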


@@ -188,13 +188,13 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
//todo - catch should be more granular here, one for each call likely //todo - catch should be more granular here, one for each call likely
//todo - think about sources/javadoc jars, should we remove or move to related dependency? //todo - think about sources/javadoc jars, should we remove or move to related dependency?
try { try {
boolean hasManifest = parseManifest(dependency); final boolean hasManifest = parseManifest(dependency);
boolean hasPOM = analyzePOM(dependency); final boolean hasPOM = analyzePOM(dependency);
boolean deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN); final boolean deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
if ((!hasManifest && !hasPOM) || deepScan) { if ((!hasManifest && !hasPOM) || deepScan) {
addPackagesAsEvidence = true; addPackagesAsEvidence = true;
} }
boolean hasClasses = analyzePackageNames(dependency, addPackagesAsEvidence); final boolean hasClasses = analyzePackageNames(dependency, addPackagesAsEvidence);
if (!hasClasses if (!hasClasses
&& (dependency.getFileName().toLowerCase().endsWith("-sources.jar") && (dependency.getFileName().toLowerCase().endsWith("-sources.jar")
|| dependency.getFileName().toLowerCase().endsWith("-javadoc.jar") || dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
@@ -389,14 +389,15 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
String[] path = null; String[] path = null;
if (entry.getName().contains("/")) { if (entry.getName().contains("/")) {
path = entry.getName().toLowerCase().split("/"); path = entry.getName().toLowerCase().split("/");
if ("java".equals(path[0]) if ("java".equals(path[0])
|| "javax".equals(path[0]) || "javax".equals(path[0])
|| ("com".equals(path[0]) && "sun".equals(path[0]))) { || ("com".equals(path[0]) && "sun".equals(path[0]))) {
continue; continue;
} }
} else {
path = new String[1];
path[0] = entry.getName();
} }
count += 1; count += 1;
String temp = path[0]; String temp = path[0];
if (level0.containsKey(temp)) { if (level0.containsKey(temp)) {
@@ -404,7 +405,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
} else { } else {
level0.put(temp, 1); level0.put(temp, 1);
} }
if (path.length > 2) { if (path.length > 2) {
temp += "/" + path[1]; temp += "/" + path[1];
if (level1.containsKey(temp)) { if (level1.containsKey(temp)) {
@@ -421,7 +421,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
level2.put(temp, 1); level2.put(temp, 1);
} }
} }
if (path.length > 4) { if (path.length > 4) {
temp += "/" + path[3]; temp += "/" + path[3];
if (level3.containsKey(temp)) { if (level3.containsKey(temp)) {
@@ -430,10 +429,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
level3.put(temp, 1); level3.put(temp, 1);
} }
} }
} }
} }
if (count == 0) { if (count == 0) {
return hasClasses; return hasClasses;
} }
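Review bot: The package filter in the second hunk's `if` can never match on its third condition: `("com".equals(path[0]) && "sun".equals(path[0]))` tests the same array element for two different values, so `com/sun/...` entries are counted while `java` and `javax` are skipped. If the intent is to skip `com.sun` packages, the line should read `|| ("com".equals(path[0]) && path.length > 1 && "sun".equals(path[1]))) {`. A smaller inconsistency in the added else branch: `path[0] = entry.getName()` keeps the original case, whereas the split branch lower-cases the name before it is used as a `level0` key, so the same top-level name can be counted under two keys; `path[0] = entry.getName().toLowerCase();` would align them. The enclosing method (analyzePackageNames, judging by the call in the first hunk and the `return hasClasses` in the last) starts and ends outside these hunks.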


@@ -32,7 +32,9 @@ import org.owasp.dependencycheck.dependency.Identifier;
* to the CPE values (if there are any for the version of spring being used). * to the CPE values (if there are any for the version of spring being used).
* *
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
* @deprecated This class has been deprecated as it has been replaced by the BundlingAnalyzer
*/ */
@Deprecated
public class SpringCleaningAnalyzer extends AbstractAnalyzer implements Analyzer { public class SpringCleaningAnalyzer extends AbstractAnalyzer implements Analyzer {
/** /**


@@ -19,7 +19,6 @@
package org.owasp.dependencycheck.utils; package org.owasp.dependencycheck.utils;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator; import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.regex.Matcher; import java.util.regex.Matcher;
@@ -63,7 +62,7 @@ public class DependencyVersion implements Iterable {
versionParts = new ArrayList<String>(); versionParts = new ArrayList<String>();
if (version != null) { if (version != null) {
final Pattern rx = Pattern.compile("(\\d+|[a-z]+\\d+)"); final Pattern rx = Pattern.compile("(\\d+|[a-z]+\\d+)");
Matcher matcher = rx.matcher(version.toLowerCase()); final Matcher matcher = rx.matcher(version.toLowerCase());
while (matcher.find()) { while (matcher.find()) {
versionParts.add(matcher.group()); versionParts.add(matcher.group());
} }
@@ -78,7 +77,7 @@ public class DependencyVersion implements Iterable {
private List<String> versionParts; private List<String> versionParts;
/** /**
* Get the value of versionParts * Get the value of versionParts.
* *
* @return the value of versionParts * @return the value of versionParts
*/ */
@@ -87,7 +86,7 @@ public class DependencyVersion implements Iterable {
} }
/** /**
* Set the value of versionParts * Set the value of versionParts.
* *
* @param versionParts new value of versionParts * @param versionParts new value of versionParts
*/ */
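Review bot: In the second hunk, `Pattern.compile("(\\d+|[a-z]+\\d+)")` is recompiled on every call of the enclosing method (which starts outside the hunk; it looks like the constructor or version setter, since it reassigns `versionParts`), and the commit only made the Matcher local `final`. Compiling once as a class constant is the usual idiom: `private static final Pattern VERSION_PART_RX = Pattern.compile("(\\d+|[a-z]+\\d+)");` with `final Matcher matcher = VERSION_PART_RX.matcher(version.toLowerCase());` at the call site. The unqualified `toLowerCase()` also uses the default locale; since the regex only recognises `[a-z]`, `version.toLowerCase(Locale.ROOT)` keeps the split locale-independent (this needs a `java.util.Locale` import, which is not among the imports visible in the first hunk).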


@@ -1,20 +1,37 @@
/* /*
* To change this template, choose Tools | Templates * This file is part of DependencyCheck.
* and open the template in the editor. *
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/ */
package org.owasp.dependencycheck.utils; package org.owasp.dependencycheck.utils;
import java.util.regex.MatchResult;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
/** /**
* <p>A utility class to extract version numbers from file names (or other strings
* containing version numbers.</p>
* *
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
public final class DependencyVersionUtil { public final class DependencyVersionUtil {
//private final static Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d+)*(\\d+[a-zA-Z]{1,3}\\d+)?"); /**
private final static Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d+)+(\\.?[a-zA-Z_-]{1,3}\\d+)?"); * Regular expression to extract version numbers from file names.
*/
private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d+)+(\\.?[a-zA-Z_-]{1,3}\\d+)?");
/** /**
* Private constructor for utility class. * Private constructor for utility class.
@@ -22,12 +39,22 @@ public final class DependencyVersionUtil {
private DependencyVersionUtil() { private DependencyVersionUtil() {
} }
/**
* <p>A utility class to extract version numbers from file names (or other strings
* containing version numbers.<br/>
* Example:<br/>
* Give the file name: library-name-1.4.1r2-release.jar<br/>
* This function would return: 1.4.1.r2</p>
*
* @param filename the filename being analyzed
* @return a DependencyVersion containing the version
*/
public static DependencyVersion parseVersionFromFileName(String filename) { public static DependencyVersion parseVersionFromFileName(String filename) {
if (filename == null) { if (filename == null) {
return null; return null;
} }
String version = null; String version = null;
Matcher matcher = RX_VERSION.matcher(filename); final Matcher matcher = RX_VERSION.matcher(filename);
if (matcher.find()) { if (matcher.find()) {
version = matcher.group(); version = matcher.group();
} }
@@ -39,30 +66,5 @@ public final class DependencyVersionUtil {
return null; return null;
} }
return new DependencyVersion(version); return new DependencyVersion(version);
// String name = null;
// final int pos = filename.lastIndexOf('.');
// if (pos>0) {
// name = filename.substring(0, pos).toLowerCase();
// } else {
// name = filename.toLowerCase();
// }
//// if (name.endsWith("-snapshot")) {
//// name = name.substring(0,name.length() - 9);
//// }
//// if (name.endsWith("-release")) {
//// name = name.substring(0,name.length() - 8);
//// }
// final String[] parts = name.split("[_-]");
// if (parts == null || parts.length == 0) {
// return null;
// }
// for (int x = parts.length - 1; x >= 0; x--) {
// if (RX_VERSION.matcher(parts[x]).matches()) {
// return new DependencyVersion(parts[x]);
// }
// }
// return null;
} }
} }
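Review bot: The new Javadoc on parseVersionFromFileName describes the class ("A utility class to extract version numbers…") rather than the method, and its `@return` does not mention the null results the body visibly produces: `return null` for a null filename in the second hunk and the `return null` just before `new DependencyVersion(version)` in the last hunk. Suggest a method summary such as `* Extracts the version number from a file name (or other string containing a version number).` and `* @return a DependencyVersion containing the version, or null if the filename is null or no version was found`; "Give the file name" should read "Given the file name". The example output `1.4.1.r2` for `library-name-1.4.1r2-release.jar` cannot be confirmed from RX_VERSION alone, since the dotted form depends on how DependencyVersion splits the matched text, so verify it before keeping it in the doc. The method's body between the second and third hunks is not visible here.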