github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-18 07:14:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'phpAddVersion' into dependencyNameImprovements

Browse Source
This commit is contained in:
brianf
2017-09-21 15:22:43 -04:00
parent 9b718490e3 4ac0a0e305
commit 4a95efefac
3 changed files with 49 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
View File

@@ -103,20 +103,34 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
try (FileInputStream fis = new FileInputStream(dependency.getActualFile())) { try (FileInputStream fis = new FileInputStream(dependency.getActualFile())) {
final ComposerLockParser clp = new ComposerLockParser(fis); final ComposerLockParser clp = new ComposerLockParser(fis);
LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath()); LOGGER.debug("Checking composer.lock file {}", dependency.getActualFilePath());
clp.process(); clp.process();
//if dependencies are found in the lock, then there is always an empty shell dependency left behind for the
//composer.lock. The first pass through, reuse the top level dependency, and add new ones for the rest.
boolean processedAtLeastOneDep = false;
for (ComposerDependency dep : clp.getDependencies()) { for (ComposerDependency dep : clp.getDependencies()) {
final Dependency d = new Dependency(dependency.getActualFile()); final Dependency d = new Dependency(dependency.getActualFile());
d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject())); d.setDisplayFileName(String.format("%s:%s/%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject(), dep.getVersion()));
final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject()); final String filePath = String.format("%s:%s/%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject(), dep.getVersion());
final MessageDigest sha1 = getSha1MessageDigest(); final MessageDigest sha1 = getSha1MessageDigest();
d.setFilePath(filePath); d.setFilePath(filePath);
d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset())))); d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST); d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST); d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST); d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
LOGGER.info("Adding dependency {}", d); LOGGER.debug("Adding dependency {}", d.getDisplayFileName());
engine.getDependencies().add(d); engine.getDependencies().add(d);
//make sure we only remove the main dependency if we went through this loop at least once.
processedAtLeastOneDep = true;
}
//remove the dependency at the end because it's referenced in the loop itself.
//double check the name to be sure we only remove the generic entry.
if (processedAtLeastOneDep && dependency.getDisplayFileName().equalsIgnoreCase("composer.lock")) {
LOGGER.debug("Removing main redundant dependency {}",dependency.getDisplayFileName());
engine.getDependencies().remove(dependency);
} }
} catch (IOException ex) { } catch (IOException ex) {
LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath()); LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath());

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java
View File

@@ -58,7 +58,7 @@ public class ComposerLockParser {
* @param inputStream the InputStream to parse * @param inputStream the InputStream to parse
*/ */
public ComposerLockParser(InputStream inputStream) { public ComposerLockParser(InputStream inputStream) {
LOGGER.info("Creating a ComposerLockParser"); LOGGER.debug("Creating a ComposerLockParser");
this.jsonReader = Json.createReader(inputStream); this.jsonReader = Json.createReader(inputStream);
this.composerDependencies = new ArrayList<>(); this.composerDependencies = new ArrayList<>();
} }
@@ -67,7 +67,7 @@ public class ComposerLockParser {
* Process the input stream to create the list of dependencies. * Process the input stream to create the list of dependencies.
*/ */
public void process() { public void process() {
LOGGER.info("Beginning Composer lock processing"); LOGGER.debug("Beginning Composer lock processing");
try { try {
final JsonObject composer = jsonReader.readObject(); final JsonObject composer = jsonReader.readObject();
if (composer.containsKey("packages")) { if (composer.containsKey("packages")) {

28
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
View File

@@ -36,6 +36,8 @@ import java.security.NoSuchAlgorithmException;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import static org.junit.Assert.assertThat;
import static org.hamcrest.CoreMatchers.equalTo;
/** /**
* Unit tests for NodePackageAnalyzer. * Unit tests for NodePackageAnalyzer.
@@ -88,6 +90,25 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase {
assertTrue(analyzer.accept(new File("composer.lock"))); assertTrue(analyzer.accept(new File("composer.lock")));
} }
/**
* Test of basic additions to the depdnency list by parsing the composer.lock file
*
* @throws AnalysisException is thrown when an exception occurs.
*/
@Test
public void testRemoveRedundantParent() throws Exception {
final Engine engine = new Engine();
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
"composer.lock"));
///test that we don't remove the parent if it's not redundant by name
result.setDisplayFileName("NotComposer.Lock");
engine.getDependencies().add(result);
analyzer.analyze(result, engine);
//make sure the composer.lock is not removed
assertTrue(engine.getDependencies().contains(result));
}
/** /**
* Test of inspect method, of class PythonDistributionAnalyzer. * Test of inspect method, of class PythonDistributionAnalyzer.
* *
@@ -96,9 +117,16 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase {
@Test @Test
public void testAnalyzePackageJson() throws Exception { public void testAnalyzePackageJson() throws Exception {
final Engine engine = new Engine(); final Engine engine = new Engine();
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
"composer.lock")); "composer.lock"));
//simulate normal operation when the composer.lock is already added to the engine as a dependency
engine.getDependencies().add(result);
analyzer.analyze(result, engine); analyzer.analyze(result, engine);
//make sure the redundant composer.lock is removed
assertFalse(engine.getDependencies().contains(result));
assertEquals(30,engine.getDependencies().size());
assertThat(engine.getDependencies().get(0).getDisplayFileName(),equalTo("composer.lock:classpreloader/classpreloader/2.0.0"));
} }