From 48af120db8901d4c330a93cb6019b3cce5dbb26d Mon Sep 17 00:00:00 2001
From: bjiang
Date: Fri, 15 Apr 2016 11:28:33 -0400
Subject: [PATCH] add project URL evidence from pom
---
 .../dependencycheck/analyzer/JarAnalyzer.java | 5 ++++
 .../owasp/dependencycheck/xml/pom/Model.java | 27 +++++++++++++++++--
 .../dependencycheck/xml/pom/PomHandler.java | 2 ++
 3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index c76e8199b..22549e6c9 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -565,6 +565,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 addMatchingValues(classes, trimmedDescription, dependency.getVendorEvidence());
 addMatchingValues(classes, trimmedDescription, dependency.getProductEvidence());
 }
+
+ String projectURL = pom.getProjectURL();
+ if(projectURL != null && !projectURL.trim().isEmpty()) {
+ dependency.getVersionEvidence().addEvidence("pom", "url", projectURL, Confidence.HIGHEST);
+ }
 extractLicense(pom, dependency);
 return foundSomething;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
index 190116acc..2cecff585 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
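Review bot: The project URL is added to the dependency's version evidence at Confidence.HIGHEST, but a URL is not a version string and feeding it into the version bucket gives the CPE matching a value that can never be a real version; the two preceding lines route the pom description into vendor and product evidence, and a project URL presumably belongs with the vendor evidence, so the call should probably read `dependency.getVendorEvidence().addEvidence("pom", "url", projectURL, Confidence.HIGHEST);` (and HIGHEST is worth reconsidering, since the pom inside a jar is self-reported by the artifact). The guard trims before the emptiness test but stores the raw value, so leading or trailing whitespace from a formatted `<url>` element ends up in the evidence; `projectURL.trim()` in the addEvidence call avoids that. `if(` should be `if (` to match the surrounding style. The enclosing method starts and ends outside the hunk, and the header announces 11 new lines while only 10 are visible, so a trailing context line was probably lost in the paste.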
@@ -260,6 +260,29 @@ public class Model {
 public void addLicense(License license) {
 licenses.add(license);
 }
+
+ /**
+ * The project URL.
+ */
+ private String projectURL;
+
+ /**
+ * Get the value of projectURL.
+ *
+ * @return the value of projectURL
+ */
+ public String getProjectURL() {
+ return projectURL;
+ }
+
+ /**
+ * Set the value of projectURL.
+ *
+ * @param parentVersion new value of projectURL
+ */
+ public void setProjectURL(String projectURL) {
+ this.projectURL = projectURL;
+ }
 /**
 * Process the Maven properties file and interpolate all properties.
@@ -276,11 +299,11 @@ public class Model {
 l.setUrl(interpolateString(l.getUrl(), properties));
 }
 this.name = interpolateString(this.name, properties);
+ this.projectURL = interpolateString(this.projectURL, properties);
 this.organization = interpolateString(this.organization, properties);
 this.parentGroupId = interpolateString(this.parentGroupId, properties);
 this.parentArtifactId = interpolateString(this.parentArtifactId, properties);
 this.parentVersion = interpolateString(this.parentVersion, properties);
-
 }
 /**
@@ -317,7 +340,7 @@ public class Model {
 return substitutor.replace(text);
 }
- /**
+ /**
 * Utility class that can provide values from a Properties object to a StrSubstitutor.
 */
 private static class PropertyLookup extends StrLookup {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
index d3f0bc701..669ab9d0d 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
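Review bot: The Javadoc on the new setProjectURL names a parameter that does not exist — `@param parentVersion new value of projectURL` is a copy-paste leftover and javadoc will flag it; it should read `@param projectURL new value of projectURL`. As a point of style, the `private String projectURL;` field is declared in the middle of the class between addLicense and the properties-processing method rather than alongside the other fields, which makes it easy to miss when the next field is added to the interpolation list in the second hunk. The third hunk's `/**` replacement looks like a whitespace-only change and needs no review.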
@@ -145,6 +145,8 @@ public class PomHandler extends DefaultHandler {
 model.setOrganization(currentText.toString());
 } else if (DESCRIPTION.equals(qName)) {
 model.setDescription(currentText.toString());
+ } else if (URL.equals(qName)) {
+ model.setProjectURL(currentText.toString());
 }
 } else if (PARENT.equals(parentNode)) {
 if (GROUPID.equals(qName)) {
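Review bot: The new `URL` branch stores `currentText.toString()` as-is, so a formatted POM whose `<url>` content is padded with newlines or indentation produces a padded project URL that later flows into the dependency's evidence; `model.setProjectURL(currentText.toString().trim());` would normalise it at the source, though the sibling setters visible here follow the same untrimmed pattern, so this may be a deliberate consistency choice. Whether `URL` is already a constant in this handler is not visible in the hunk; if it is shared with the license `<url>` element, the surrounding parentNode checks are what keep the two apart, and a short comment on this branch saying so would help the next reader. The enclosing method starts and ends outside the hunk.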