From a0081318b6a651e183cd5177e5bb36145d162265 Mon Sep 17 00:00:00 2001
From: brianf
Date: Fri, 15 Sep 2017 13:27:44 -0400
Subject: [PATCH 1/2] Adding version to the composer.lock displayFileName

Changed output to debug
Added basic test for composer parsing, including the new version
---
 .../dependencycheck/analyzer/ComposerLockAnalyzer.java | 6 +++---
 .../dependencycheck/analyzer/ComposerLockAnalyzerTest.java | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
index cccfeb010..41afd49e0 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
@@ -107,15 +107,15 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 clp.process();
 for (ComposerDependency dep : clp.getDependencies()) {
 final Dependency d = new Dependency(dependency.getActualFile());
- d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
- final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
+ d.setDisplayFileName(String.format("%s:%s/%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject(), dep.getVersion()));
+ final String filePath = String.format("%s:%s/%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject(), dep.getVersion());
 final MessageDigest sha1 = getSha1MessageDigest();
 d.setFilePath(filePath);
 d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
 d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
 d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
 d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
- LOGGER.info("Adding dependency {}", d);
+ LOGGER.debug("Adding dependency {}", d);
 engine.getDependencies().add(d);
 }
 } catch (IOException ex) {
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
index 30c72b25a..f2c066659 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
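Review bot: The version-qualified `filePath` built on the new `+` lines is hashed two lines below with `filePath.getBytes(Charset.defaultCharset())`, so the `sha1sum` that now identifies each lock entry depends on the JVM's default charset rather than on the lock-file content alone; `filePath.getBytes(StandardCharsets.UTF_8)` would make the identifier stable across platforms. `dep.getVersion()` is fed to `%s` unchecked, so if the parser can return a null version for an entry the display name and path would end in `/null` — worth either a guard or a comment stating that the parser guarantees a version. The enclosing method starts and ends outside the hunk.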
@@ -36,6 +36,8 @@ import java.security.NoSuchAlgorithmException;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertThat;
+import static org.hamcrest.CoreMatchers.equalTo;
 
 /**
 * Unit tests for NodePackageAnalyzer.
@@ -99,6 +101,8 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase {
 final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "composer.lock"));
 analyzer.analyze(result, engine);
+ assertEquals(30,engine.getDependencies().size());
+ assertThat(engine.getDependencies().get(0).getDisplayFileName(),equalTo("composer.lock:classpreloader/classpreloader/2.0.0"));
 }

From 3b00b764ac05ed01217e7da89b07d19931d9632a Mon Sep 17 00:00:00 2001
From: brianf
Date: Sun, 17 Sep 2017 18:01:40 -0400
Subject: [PATCH 2/2] Remove the redundant top level entry for composer.lock once the child dependencies are processed. This main entry is empty of evidence because everything is added into the new dependencies.
---
 .../analyzer/ComposerLockAnalyzer.java | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
index cccfeb010..b154247ac 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
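Review bot: In the ComposerLockAnalyzerTest hunk above, `assertEquals(30,engine.getDependencies().size())` and `engine.getDependencies().get(0)` pin both the count and the list order of what `analyze` adds to the engine, but nothing states whether the parent `composer.lock` entry (`result`) is itself one of the 30; PATCH 2/2 of this series removes that parent from the engine, so the expected count and the index-0 entry may shift once both patches are applied. An explicit membership assertion, e.g. `assertFalse(engine.getDependencies().contains(result));` (or `assertTrue`, whichever is intended), would document the contract the count relies on. The new lines also omit the space after the comma (`assertEquals(30, engine...`), unlike the surrounding `analyzer.analyze(result, engine)` style. The enclosing test method starts outside the hunk and its trailing context is not fully visible here.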
@@ -105,8 +105,14 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 final ComposerLockParser clp = new ComposerLockParser(fis);
 LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath());
 clp.process();
+ //if dependencies are found in the lock, then there is always an empty shell dependency left behind for the
+ //composer.lock. The first pass through, reuse the top level dependency, and add new ones for the rest.
+ boolean processedAtLeastOneDep = false;
 for (ComposerDependency dep : clp.getDependencies()) {
- final Dependency d = new Dependency(dependency.getActualFile());
+
+ final Dependency d = new Dependency(dependency.getActualFile());
+
+
 d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
 final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
 final MessageDigest sha1 = getSha1MessageDigest();
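Review bot: The added comment `//composer.lock. The first pass through, reuse the top level dependency, and add new ones for the rest.` describes behaviour the code does not implement: every iteration creates a fresh `Dependency` and the parent is removed after the loop in the next hunk, so the comment should say that instead, e.g. `// each lock entry becomes its own Dependency; the parent composer.lock entry, left without evidence, is removed after the loop`. `processedAtLeastOneDep` only records that `clp.getDependencies()` was non-empty, so `!clp.getDependencies().isEmpty()` at the removal site would express the same without a mutable flag and the two extra comments. Note also that this patch's `index cccfeb010..b154247ac` header shows it was cut from the same base as PATCH 1/2, and its context lines still carry the old `"%s:%s/%s"` format, so it is unlikely to apply cleanly on top of 1/2 as a series. The enclosing method starts and ends outside the hunk.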
@@ -115,8 +121,17 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
 d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
 d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
- LOGGER.info("Adding dependency {}", d);
- engine.getDependencies().add(d);
+
+ LOGGER.info("Adding dependency {}", d.getDisplayFileName());
+ engine.getDependencies().add(d);
+
+ //make sure we only remove the main dependency if we went through this loop at least once.
+ processedAtLeastOneDep = true;
+ }
+ //remove the dependency at the end because it's referenced in the loop itself.
+ if (processedAtLeastOneDep) {
+ LOGGER.info("Removing main redundant dependency {}",dependency.getDisplayFileName());
+ engine.getDependencies().remove(dependency);
 }
 } catch (IOException ex) {
 LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath());
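Review bot: `engine.getDependencies().remove(dependency)` mutates the engine's dependency list from inside the analyzer while `dependency` is presumably the element the engine's analysis loop is currently visiting; the pre-existing `add(d)` already does this, so it is only safe if the engine iterates over a copy, which is worth confirming and recording in the `//remove the dependency at the end` comment. Removal also hinges on how `Dependency` equality is defined: if `equals` compares file path or sha1 rather than identity, an unrelated entry with matching values could be the one dropped, silently hiding a dependency from the report, so `remove` should be paired with a check that the right instance went away. `LOGGER.info("Adding dependency {}", d.getDisplayFileName())` logs once per lock entry at INFO, which PATCH 1/2 of this series had already lowered to `debug`; the two patches should agree on the level. The enclosing method ends outside the hunk.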