node.js: Adding name_project to vendor evidence, as many node.js projects seem to follow this pattern with their CPEs. Also, logging warnings whenever JSON parse doesn't go as expected.

2026-01-14 15:53:36 +01:00 · 2015-08-09 11:18:16 -04:00
parent 4f8772bd77
commit 4b17fd88a3
2 changed files with 37 additions and 10 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -26,6 +26,8 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;

 import java.io.FileFilter;
 import java.io.IOException;
@@ -38,6 +40,11 @@ import java.io.IOException;
 */
 public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(NodePackageAnalyzer.class);
+
    /**
     * The name of the analyzer.
     */
@@ -112,24 +119,42 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
        }
        JSONObject json = new JSONObject(contents);
        final EvidenceCollection productEvidence = dependency.getProductEvidence();
-        addToEvidence(json, productEvidence, "name");
+        final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
+        if (json.has("name")) {
+            Object value = json.get("name");
+            if (value instanceof String) {
+                productEvidence.addEvidence(PACKAGE_JSON, "name", (String) value, Confidence.HIGHEST);
+                vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", value), Confidence.LOW);
+            } else {
+                LOGGER.warn("JSON value not string as expected: %s", value);
+            }
+        }
        addToEvidence(json, productEvidence, "description");
-        addToEvidence(json, dependency.getVendorEvidence(), "author");
+
+        addToEvidence(json, vendorEvidence, "author");
        addToEvidence(json, dependency.getVersionEvidence(), "version");
    }

-    private void addToEvidence(JSONObject json, EvidenceCollection productEvidence, String key) {
+    private void addToEvidence(JSONObject json, EvidenceCollection collection, String key) {
        if (json.has(key)) {
            Object value = json.get(key);
            if (value instanceof String) {
-                productEvidence.addEvidence(PACKAGE_JSON, key, (String) value, Confidence.HIGHEST);
+                collection.addEvidence(PACKAGE_JSON, key, (String) value, Confidence.HIGHEST);
            } else if (value instanceof JSONObject) {
-                for (String property : ((JSONObject) value).keySet()) {
-                    productEvidence.addEvidence(PACKAGE_JSON,
-                            String.format("%s.%s", key, property),
-                            ((JSONObject) value).getString(property),
-                            Confidence.HIGHEST);
+                final JSONObject jsonObject = (JSONObject) value;
+                for (String property : jsonObject.keySet()) {
+                    final Object subValue = jsonObject.get(property);
+                    if (subValue instanceof String) {
+                        collection.addEvidence(PACKAGE_JSON,
+                                String.format("%s.%s", key, property),
+                                (String) subValue,
+                                Confidence.HIGHEST);
+                    } else {
+                        LOGGER.warn("JSON sub-value not string as expected: %s");
+                    }
                }
+            } else {
+                LOGGER.warn("JSON value not string or JSON object as expected: %s", value);
            }
        }
    }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java
@@ -91,7 +91,9 @@ public class NodePackageAnalyzerTest extends BaseTest {
        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                "nodejs/node_modules/dns-sync/package.json"));
        analyzer.analyze(result, null);
-        assertThat(result.getVendorEvidence().toString(), containsString("Sanjeev Koranga"));
+        final String vendorString = result.getVendorEvidence().toString();
+        assertThat(vendorString, containsString("Sanjeev Koranga"));
+        assertThat(vendorString, containsString("dns-sync_project"));
        assertThat(result.getProductEvidence().toString(), containsString("dns-sync"));
        assertThat(result.getVersionEvidence().toString(), containsString("0.1.0"));
    }