github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 07:43:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

checkstyle corrections

Browse Source
This commit is contained in:
Jeremy Long
2016-06-06 18:45:39 -04:00
parent 7909bbbbe9
commit 4e4417c7af
6 changed files with 140 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

139
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View File

@@ -51,8 +51,9 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE. It uses
* the evidence contained within the dependency to search the Lucene index.
* CPEAnalyzer is a utility class that takes a project dependency and attempts
* to discern if there is an associated CPE. It uses the evidence contained
* within the dependency to search the Lucene index.
*
* @author Jeremy Long
*/
@@ -71,15 +72,18 @@ public class CPEAnalyzer implements Analyzer {
*/
static final String WEIGHTING_BOOST = "^5";
/**
* A string representation of a regular expression defining characters utilized within the CPE Names.
* A string representation of a regular expression defining characters
* utilized within the CPE Names.
*/
static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
/**
* A string representation of a regular expression used to remove all but alpha characters.
* A string representation of a regular expression used to remove all but
* alpha characters.
*/
static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
/**
* The additional size to add to a new StringBuilder to account for extra data that will be written into the string.
* The additional size to add to a new StringBuilder to account for extra
* data that will be written into the string.
*/
static final int STRING_BUILDER_BUFFER = 20;
/**
@@ -129,9 +133,10 @@ public class CPEAnalyzer implements Analyzer {
/**
* Opens the data source.
*
* @throws IOException when the Lucene directory to be queried does not exist or is corrupt.
* @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use by another
* process.
* @throws IOException when the Lucene directory to be queried does not
* exist or is corrupt.
* @throws DatabaseException when the database throws an exception. This
* usually occurs when the database is in use by another process.
*/
public void open() throws IOException, DatabaseException {
if (!isOpen()) {
@@ -170,8 +175,9 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence contained
* within. The dependency passed in is updated with any identified CPE values.
* Searches the data store of CPE entries, trying to identify the CPE for
* the given dependency based on the evidence contained within. The
* dependency passed in is updated with any identified CPE values.
*
* @param dependency the dependency to search for CPE entries on.
* @throws CorruptIndexException is thrown when the Lucene index is corrupt.
@@ -215,9 +221,10 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a specific
* confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence is longer then 200
* characters it will be truncated.
* Returns the text created by concatenating the text and the values from
* the EvidenceCollection (filtered for a specific confidence). This
* attempts to prevent duplicate terms from being added.<br/<br/> Note, if
* the evidence is longer then 200 characters it will be truncated.
*
* @param text the base text.
* @param ec an EvidenceCollection
@@ -248,17 +255,19 @@ public class CPEAnalyzer implements Analyzer {
/**
* <p>
* Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and
* version.</p>
* Searches the Lucene CPE index to identify possible CPE entries associated
* with the supplied vendor, product, and version.</p>
*
* <p>
* If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting factors to
* the search.</p>
* If either the vendorWeightings or productWeightings lists have been
* populated this data is used to add weighting factors to the search.</p>
*
* @param vendor the text used to search the vendor field
* @param product the text used to search the product field
* @param vendorWeightings a list of strings to use to add weighting factors to the vendor field
* @param productWeightings Adds a list of strings that will be used to add weighting factors to the product search
* @param vendorWeightings a list of strings to use to add weighting factors
* to the vendor field
* @param productWeightings Adds a list of strings that will be used to add
* weighting factors to the product search
* @return a list of possible CPE values
*/
protected List<IndexEntry> searchCPE(String vendor, String product,
@@ -297,16 +306,20 @@ public class CPEAnalyzer implements Analyzer {
/**
* <p>
* Builds a Lucene search string by properly escaping data and constructing a valid search query.</p>
* Builds a Lucene search string by properly escaping data and constructing
* a valid search query.</p>
*
* <p>
* If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting factors to
* the search string generated.</p>
* If either the possibleVendor or possibleProducts lists have been
* populated this data is used to add weighting factors to the search string
* generated.</p>
*
* @param vendor text to search the vendor field
* @param product text to search the product field
* @param vendorWeighting a list of strings to apply to the vendor to boost the terms weight
* @param productWeightings a list of strings to apply to the product to boost the terms weight
* @param vendorWeighting a list of strings to apply to the vendor to boost
* the terms weight
* @param productWeightings a list of strings to apply to the product to
* boost the terms weight
* @return the Lucene query
*/
protected String buildSearch(String vendor, String product,
@@ -327,13 +340,17 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* This method constructs a Lucene query for a given field. The searchText is split into separate words and if the word is
* within the list of weighted words then an additional weighting is applied to the term as it is appended into the query.
* This method constructs a Lucene query for a given field. The searchText
* is split into separate words and if the word is within the list of
* weighted words then an additional weighting is applied to the term as it
* is appended into the query.
*
* @param sb a StringBuilder that the query text will be appended to.
* @param field the field within the Lucene index that the query is searching.
* @param field the field within the Lucene index that the query is
* searching.
* @param searchText text used to construct the query.
* @param weightedText a list of terms that will be considered higher importance when searching.
* @param weightedText a list of terms that will be considered higher
* importance when searching.
* @return if the append was successful.
*/
private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Set<String> weightedText) {
@@ -379,7 +396,8 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* Removes characters from the input text that are not used within the CPE index.
* Removes characters from the input text that are not used within the CPE
* index.
*
* @param text is the text to remove the characters from.
* @return the text having removed some characters.
@@ -389,7 +407,8 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* Compares two strings after lower casing them and removing the non-alpha characters.
* Compares two strings after lower casing them and removing the non-alpha
* characters.
*
* @param l string one to compare.
* @param r string two to compare.
@@ -406,8 +425,9 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version information
* for the CPE are contained within the dependencies evidence.
* Ensures that the CPE Identified matches the dependency. This validates
* that the product, vendor, and version information for the CPE are
* contained within the dependencies evidence.
*
* @param entry a CPE entry.
* @param dependency the dependency that the CPE entries could be for.
@@ -474,11 +494,13 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
* Analyzes a dependency and attempts to determine if there are any CPE
* identifiers for this dependency.
*
* @param dependency The Dependency to analyze.
* @param engine The analysis engine
* @throws AnalysisException is thrown if there is an issue analyzing the dependency.
* @throws AnalysisException is thrown if there is an issue analyzing the
* dependency.
*/
@Override
public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException {
@@ -494,15 +516,19 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then validated to find
* only CPEs that are valid for the given dependency. It is possible that the CPE identified is a best effort "guess" based on
* the vendor, product, and version information.
* Retrieves a list of CPE values from the CveDB based on the vendor and
* product passed in. The list is then validated to find only CPEs that are
* valid for the given dependency. It is possible that the CPE identified is
* a best effort "guess" based on the vendor, product, and version
* information.
*
* @param dependency the Dependency being analyzed
* @param vendor the vendor for the CPE being analyzed
* @param product the product for the CPE being analyzed
* @param currentConfidence the current confidence being used during analysis
* @return <code>true</code> if an identifier was added to the dependency; otherwise <code>false</code>
* @param currentConfidence the current confidence being used during
* analysis
* @return <code>true</code> if an identifier was added to the dependency;
* otherwise <code>false</code>
* @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
*/
protected boolean determineIdentifiers(Dependency dependency, String vendor, String product,
@@ -512,7 +538,7 @@ public class CPEAnalyzer implements Analyzer {
Confidence bestGuessConf = null;
boolean hasBroadMatch = false;
final List<IdentifierMatch> collected = new ArrayList<IdentifierMatch>();
//TODO the following algorithm incorrectly identifies things as a lower version
// if there lower confidence evidence when the current (highest) version number
// is newer then anything in the NVD.
@@ -538,15 +564,13 @@ public class CPEAnalyzer implements Analyzer {
final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf);
collected.add(match);
} else {
//TODO the following isn't quite right is it? need to think about this guessing game a bit more.
if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size()
&& evVer.matchesAtLeastThreeLevels(dbVer)) {
if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
if (bestGuess.getVersionParts().size() < dbVer.getVersionParts().size()) {
bestGuess = dbVer;
bestGuessConf = conf;
}
} else //TODO the following isn't quite right is it? need to think about this guessing game a bit more.
if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size()
&& evVer.matchesAtLeastThreeLevels(dbVer)) {
if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
if (bestGuess.getVersionParts().size() < dbVer.getVersionParts().size()) {
bestGuess = dbVer;
bestGuessConf = conf;
}
}
}
@@ -605,14 +629,16 @@ public class CPEAnalyzer implements Analyzer {
*/
BEST_GUESS,
/**
* The entire vendor/product group must be added (without a guess at version) because there is a CVE with a VS that only
* specifies vendor/product.
* The entire vendor/product group must be added (without a guess at
* version) because there is a CVE with a VS that only specifies
* vendor/product.
*/
BROAD_MATCH
}
/**
* A simple object to hold an identifier and carry information about the confidence in the identifier.
* A simple object to hold an identifier and carry information about the
* confidence in the identifier.
*/
private static class IdentifierMatch implements Comparable<IdentifierMatch> {
@@ -622,8 +648,10 @@ public class CPEAnalyzer implements Analyzer {
* @param type the type of identifier (such as CPE)
* @param value the value of the identifier
* @param url the URL of the identifier
* @param identifierConfidence the confidence in the identifier: best guess or exact match
* @param evidenceConfidence the confidence of the evidence used to find the identifier
* @param identifierConfidence the confidence in the identifier: best
* guess or exact match
* @param evidenceConfidence the confidence of the evidence used to find
* the identifier
*/
IdentifierMatch(String type, String value, String url, IdentifierConfidence identifierConfidence, Confidence evidenceConfidence) {
this.identifier = new Identifier(type, value, url);
@@ -754,7 +782,8 @@ public class CPEAnalyzer implements Analyzer {
//</editor-fold>
/**
* Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the identifier.
* Standard implementation of compareTo that compares identifier
* confidence, evidence confidence, and then the identifier.
*
* @param o the IdentifierMatch to compare to
* @return the natural ordering of IdentifierMatch

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -644,7 +644,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @return whether evidence was identified parsing the manifest
* @throws IOException if there is an issue reading the JAR file
*/
protected boolean parseManifest(Dependency dependency,
protected boolean parseManifest(Dependency dependency,
List<ClassNameInformation> classInformation)
throws IOException {
boolean foundSomething = false;

19
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
View File

@@ -61,13 +61,30 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
/**
* The filter defining which files will be analyzed.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
/**
* Name.
*/
public static final String NAME = "Name: ";
/**
* Version.
*/
public static final String VERSION = "Version: ";
/**
* Advisory.
*/
public static final String ADVISORY = "Advisory: ";
/**
* Criticality.
*/
public static final String CRITICALITY = "Criticality: ";
/**
* The DAL.
*/
private CveDB cvedb;
/**

51
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
View File

@@ -60,9 +60,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
/**
* <p>
* Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.</p>
* Downloads the latest NVD CVE XML file from the web and imports it into
* the current CVE Database.</p>
*
* @throws UpdateException is thrown if there is an error updating the database
* @throws UpdateException is thrown if there is an error updating the
* database
*/
@Override
public void update() throws UpdateException {
@@ -79,7 +81,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(System.currentTimeMillis()));
if (updateable.isUpdateNeeded()) {
performUpdate(updateable);
}
}
}
} catch (MalformedURLException ex) {
LOGGER.warn(
@@ -99,12 +101,15 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
}
/**
* Checks if the NVD CVE XML files were last checked recently. As an optimization, we can avoid repetitive checks against the
* NVD. Setting CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before checking again. A database property
* stores the timestamp of the last check.
* Checks if the NVD CVE XML files were last checked recently. As an
* optimization, we can avoid repetitive checks against the NVD. Setting
* CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before
* checking again. A database property stores the timestamp of the last
* check.
*
* @return true to proceed with the check, or false to skip.
* @throws UpdateException thrown when there is an issue checking for updates.
* @throws UpdateException thrown when there is an issue checking for
* updates.
*/
private boolean checkUpdate() throws UpdateException {
boolean proceed = true;
@@ -146,11 +151,13 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
}
/**
* Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
* Downloads the latest NVD CVE XML file from the web and imports it into
* the current CVE Database.
*
* @param updateable a collection of NVD CVE data file references that need to be downloaded and processed to update the
* @param updateable a collection of NVD CVE data file references that need
* to be downloaded and processed to update the database
* @throws UpdateException is thrown if there is an error updating the
* database
* @throws UpdateException is thrown if there is an error updating the database
*/
public void performUpdate(UpdateableNvdCve updateable) throws UpdateException {
int maxUpdates = 0;
@@ -244,13 +251,18 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
}
/**
* Determines if the index needs to be updated. This is done by fetching the NVD CVE meta data and checking the last update
* date. If the data needs to be refreshed this method will return the NvdCveUrl for the files that need to be updated.
* Determines if the index needs to be updated. This is done by fetching the
* NVD CVE meta data and checking the last update date. If the data needs to
* be refreshed this method will return the NvdCveUrl for the files that
* need to be updated.
*
* @return the collection of files that need to be updated
* @throws MalformedURLException is thrown if the URL for the NVD CVE Meta data is incorrect
* @throws DownloadFailedException is thrown if there is an error. downloading the NVD CVE download data file
* @throws UpdateException Is thrown if there is an issue with the last updated properties file
* @throws MalformedURLException is thrown if the URL for the NVD CVE Meta
* data is incorrect
* @throws DownloadFailedException is thrown if there is an error.
* downloading the NVD CVE download data file
* @throws UpdateException Is thrown if there is an issue with the last
* updated properties file
*/
protected final UpdateableNvdCve getUpdatesNeeded() throws MalformedURLException, DownloadFailedException, UpdateException {
UpdateableNvdCve updates = null;
@@ -314,9 +326,12 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
* Retrieves the timestamps from the NVD CVE meta data file.
*
* @return the timestamp from the currently published nvdcve downloads page
* @throws MalformedURLException thrown if the URL for the NVD CCE Meta data is incorrect.
* @throws DownloadFailedException thrown if there is an error downloading the nvd cve meta data file
* @throws InvalidDataException thrown if there is an exception parsing the timestamps
* @throws MalformedURLException thrown if the URL for the NVD CCE Meta data
* is incorrect.
* @throws DownloadFailedException thrown if there is an error downloading
* the nvd cve meta data file
* @throws InvalidDataException thrown if there is an exception parsing the
* timestamps
* @throws InvalidSettingException thrown if the settings are invalid
*/
private UpdateableNvdCve retrieveCurrentTimestampsFromWeb()

5
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
View File

@@ -20,7 +20,8 @@ package org.owasp.dependencycheck.dependency;
import java.io.Serializable;
/**
* An external reference for a vulnerability. This contains a name, URL, and a source.
* An external reference for a vulnerability. This contains a name, URL, and a
* source.
*
* @author Jeremy Long
*/
@@ -99,7 +100,7 @@ public class Reference implements Serializable, Comparable<Reference> {
@Override
public String toString() {
return "Reference: { name='"+this.name+"', url='"+this.url+"', source='"+this.source+"' }";
return "Reference: { name='" + this.name + "', url='" + this.url + "', source='" + this.source + "' }";
}
@Override

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
View File

@@ -387,7 +387,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
@Override
public String toString() {
StringBuilder sb = new StringBuilder("Vulnerability ");
final StringBuilder sb = new StringBuilder("Vulnerability ");
sb.append(this.name);
sb.append("\nReferences:\n");
for (Iterator i = this.references.iterator(); i.hasNext();) {