From 4e4417c7af720c0673d7f0893c4145f206a4e928 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 6 Jun 2016 18:45:39 -0400 Subject: [PATCH] checkstyle corrections --- .../dependencycheck/analyzer/CPEAnalyzer.java | 139 +++++++++++------- .../dependencycheck/analyzer/JarAnalyzer.java | 2 +- .../analyzer/RubyBundleAuditAnalyzer.java | 19 ++- .../data/update/NvdCveUpdater.java | 51 ++++--- .../dependencycheck/dependency/Reference.java | 5 +- .../dependency/Vulnerability.java | 2 +- 6 files changed, 140 insertions(+), 78 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java index 6b4caef8e..43528d863 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java @@ -51,8 +51,9 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** - * CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE. It uses - * the evidence contained within the dependency to search the Lucene index. + * CPEAnalyzer is a utility class that takes a project dependency and attempts + * to discern if there is an associated CPE. It uses the evidence contained + * within the dependency to search the Lucene index. * * @author Jeremy Long */ 
@@ -71,15 +72,18 @@ public class CPEAnalyzer implements Analyzer { */ static final String WEIGHTING_BOOST = "^5"; /** - * A string representation of a regular expression defining characters utilized within the CPE Names. + * A string representation of a regular expression defining characters + * utilized within the CPE Names. */ static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]"; /** - * A string representation of a regular expression used to remove all but alpha characters. + * A string representation of a regular expression used to remove all but + * alpha characters. */ static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*"; /** - * The additional size to add to a new StringBuilder to account for extra data that will be written into the string. + * The additional size to add to a new StringBuilder to account for extra + * data that will be written into the string. */ static final int STRING_BUILDER_BUFFER = 20; /** @@ -129,9 +133,10 @@ public class CPEAnalyzer implements Analyzer { /** * Opens the data source. * - * @throws IOException when the Lucene directory to be queried does not exist or is corrupt. - * @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use by another - * process. + * @throws IOException when the Lucene directory to be queried does not + * exist or is corrupt. + * @throws DatabaseException when the database throws an exception. This + * usually occurs when the database is in use by another process. */ public void open() throws IOException, DatabaseException { if (!isOpen()) { 
@@ -170,8 +175,9 @@ public class CPEAnalyzer implements Analyzer { } /** - * Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence contained - * within. The dependency passed in is updated with any identified CPE values. + * Searches the data store of CPE entries, trying to identify the CPE for + * the given dependency based on the evidence contained within. The + * dependency passed in is updated with any identified CPE values. * * @param dependency the dependency to search for CPE entries on. * @throws CorruptIndexException is thrown when the Lucene index is corrupt. @@ -215,9 +221,10 @@ public class CPEAnalyzer implements Analyzer { } /** - * Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a specific - * confidence). This attempts to prevent duplicate terms from being added.
Note, if the evidence is longer then 200 - * characters it will be truncated. + * Returns the text created by concatenating the text and the values from + * the EvidenceCollection (filtered for a specific confidence). This + * attempts to prevent duplicate terms from being added.
Note, if + * the evidence is longer then 200 characters it will be truncated. * * @param text the base text. * @param ec an EvidenceCollection @@ -248,17 +255,19 @@ public class CPEAnalyzer implements Analyzer { /** *
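Review bot: The rewrapped javadoc carries over the typo `longer then 200 characters`; since these lines are being rewritten anyway, the new side should read `* the evidence is longer than 200 characters it will be truncated.`. The same carry-over happens in two NvdCveUpdater hunks of this commit: getUpdatesNeeded keeps the stray period in `@throws DownloadFailedException is thrown if there is an error.` / `downloading the NVD CVE download data file`, and retrieveCurrentTimestampsFromWeb keeps `NVD CCE Meta data` where `NVD CVE Meta data` is meant. The method this comment documents has its signature and body outside the hunk.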

- * Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and - * version.

+ * Searches the Lucene CPE index to identify possible CPE entries associated + * with the supplied vendor, product, and version.

* *

- * If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting factors to - * the search.

+ * If either the vendorWeightings or productWeightings lists have been + * populated this data is used to add weighting factors to the search.

* * @param vendor the text used to search the vendor field * @param product the text used to search the product field - * @param vendorWeightings a list of strings to use to add weighting factors to the vendor field - * @param productWeightings Adds a list of strings that will be used to add weighting factors to the product search + * @param vendorWeightings a list of strings to use to add weighting factors + * to the vendor field + * @param productWeightings Adds a list of strings that will be used to add + * weighting factors to the product search * @return a list of possible CPE values */ protected List searchCPE(String vendor, String product, @@ -297,16 +306,20 @@ public class CPEAnalyzer implements Analyzer { /** *

- * Builds a Lucene search string by properly escaping data and constructing a valid search query.

+ * Builds a Lucene search string by properly escaping data and constructing + * a valid search query.

* *

- * If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting factors to - * the search string generated.

+ * If either the possibleVendor or possibleProducts lists have been + * populated this data is used to add weighting factors to the search string + * generated.

* * @param vendor text to search the vendor field * @param product text to search the product field - * @param vendorWeighting a list of strings to apply to the vendor to boost the terms weight - * @param productWeightings a list of strings to apply to the product to boost the terms weight + * @param vendorWeighting a list of strings to apply to the vendor to boost + * the terms weight + * @param productWeightings a list of strings to apply to the product to + * boost the terms weight * @return the Lucene query */ protected String buildSearch(String vendor, String product, @@ -327,13 +340,17 @@ public class CPEAnalyzer implements Analyzer { } /** - * This method constructs a Lucene query for a given field. The searchText is split into separate words and if the word is - * within the list of weighted words then an additional weighting is applied to the term as it is appended into the query. + * This method constructs a Lucene query for a given field. The searchText + * is split into separate words and if the word is within the list of + * weighted words then an additional weighting is applied to the term as it + * is appended into the query. * * @param sb a StringBuilder that the query text will be appended to. - * @param field the field within the Lucene index that the query is searching. + * @param field the field within the Lucene index that the query is + * searching. * @param searchText text used to construct the query. - * @param weightedText a list of terms that will be considered higher importance when searching. + * @param weightedText a list of terms that will be considered higher + * importance when searching. * @return if the append was successful. */ private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Set weightedText) { 
@@ -379,7 +396,8 @@ public class CPEAnalyzer implements Analyzer { } /** - * Removes characters from the input text that are not used within the CPE index. + * Removes characters from the input text that are not used within the CPE + * index. * * @param text is the text to remove the characters from. * @return the text having removed some characters. @@ -389,7 +407,8 @@ public class CPEAnalyzer implements Analyzer { } /** - * Compares two strings after lower casing them and removing the non-alpha characters. + * Compares two strings after lower casing them and removing the non-alpha + * characters. * * @param l string one to compare. * @param r string two to compare. @@ -406,8 +425,9 @@ public class CPEAnalyzer implements Analyzer { } /** - * Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version information - * for the CPE are contained within the dependencies evidence. + * Ensures that the CPE Identified matches the dependency. This validates + * that the product, vendor, and version information for the CPE are + * contained within the dependencies evidence. * * @param entry a CPE entry. * @param dependency the dependency that the CPE entries could be for. @@ -474,11 +494,13 @@ public class CPEAnalyzer implements Analyzer { } /** - * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency. + * Analyzes a dependency and attempts to determine if there are any CPE + * identifiers for this dependency. * * @param dependency The Dependency to analyze. * @param engine The analysis engine - * @throws AnalysisException is thrown if there is an issue analyzing the dependency. + * @throws AnalysisException is thrown if there is an issue analyzing the + * dependency. */ @Override public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException { 
@@ -494,15 +516,19 @@ public class CPEAnalyzer implements Analyzer { } /** - * Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then validated to find - * only CPEs that are valid for the given dependency. It is possible that the CPE identified is a best effort "guess" based on - * the vendor, product, and version information. + * Retrieves a list of CPE values from the CveDB based on the vendor and + * product passed in. The list is then validated to find only CPEs that are + * valid for the given dependency. It is possible that the CPE identified is + * a best effort "guess" based on the vendor, product, and version + * information. * * @param dependency the Dependency being analyzed * @param vendor the vendor for the CPE being analyzed * @param product the product for the CPE being analyzed - * @param currentConfidence the current confidence being used during analysis - * @return true if an identifier was added to the dependency; otherwise false + * @param currentConfidence the current confidence being used during + * analysis + * @return true if an identifier was added to the dependency; + * otherwise false * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported */ protected boolean determineIdentifiers(Dependency dependency, String vendor, String product, @@ -512,7 +538,7 @@ public class CPEAnalyzer implements Analyzer { Confidence bestGuessConf = null; boolean hasBroadMatch = false; final List collected = new ArrayList(); - + //TODO the following algorithm incorrectly identifies things as a lower version // if there lower confidence evidence when the current (highest) version number // is newer then anything in the NVD. 
@@ -538,15 +564,13 @@ public class CPEAnalyzer implements Analyzer { final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8")); final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf); collected.add(match); - } else { - //TODO the following isn't quite right is it? need to think about this guessing game a bit more. - if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size() - && evVer.matchesAtLeastThreeLevels(dbVer)) { - if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) { - if (bestGuess.getVersionParts().size() < dbVer.getVersionParts().size()) { - bestGuess = dbVer; - bestGuessConf = conf; - } + } else //TODO the following isn't quite right is it? need to think about this guessing game a bit more. + if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size() + && evVer.matchesAtLeastThreeLevels(dbVer)) { + if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) { + if (bestGuess.getVersionParts().size() < dbVer.getVersionParts().size()) { + bestGuess = dbVer; + bestGuessConf = conf; } } } @@ -605,14 +629,16 @@ public class CPEAnalyzer implements Analyzer { */ BEST_GUESS, /** - * The entire vendor/product group must be added (without a guess at version) because there is a CVE with a VS that only - * specifies vendor/product. + * The entire vendor/product group must be added (without a guess at + * version) because there is a CVE with a VS that only specifies + * vendor/product. */ BROAD_MATCH } /** - * A simple object to hold an identifier and carry information about the confidence in the identifier. + * A simple object to hold an identifier and carry information about the + * confidence in the identifier. */ private static class IdentifierMatch implements Comparable { 
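Review bot: Placing the comment between `else` and the `if` on the following line (`} else //TODO the following isn't quite right…`) reads like a dangling `else` and hides that this is an `else if`; keep the two keywords together and move the comment into the body: `} else if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size()` / `        && evVer.matchesAtLeastThreeLevels(dbVer)) {` / `    //TODO the following isn't quite right is it? need to think about this guessing game a bit more.`. Since none of the three nested `if`s has an else branch, they could also be folded into a single condition joined with `&&` in the same order, which preserves the short-circuit evaluation and removes two levels of nesting. determineIdentifiers starts and ends outside this hunk.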
@@ -622,8 +648,10 @@ public class CPEAnalyzer implements Analyzer { * @param type the type of identifier (such as CPE) * @param value the value of the identifier * @param url the URL of the identifier - * @param identifierConfidence the confidence in the identifier: best guess or exact match - * @param evidenceConfidence the confidence of the evidence used to find the identifier + * @param identifierConfidence the confidence in the identifier: best + * guess or exact match + * @param evidenceConfidence the confidence of the evidence used to find + * the identifier */ IdentifierMatch(String type, String value, String url, IdentifierConfidence identifierConfidence, Confidence evidenceConfidence) { this.identifier = new Identifier(type, value, url); @@ -754,7 +782,8 @@ public class CPEAnalyzer implements Analyzer { // /** - * Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the identifier. + * Standard implementation of compareTo that compares identifier + * confidence, evidence confidence, and then the identifier. * * @param o the IdentifierMatch to compare to * @return the natural ordering of IdentifierMatch diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index d6f4731bc..da6fb6078 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java @@ -644,7 +644,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { * @return whether evidence was identified parsing the manifest * @throws IOException if there is an issue reading the JAR file */ - protected boolean parseManifest(Dependency dependency, + protected boolean parseManifest(Dependency dependency, List classInformation) throws IOException { boolean foundSomething = false; 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java index 2782c9968..087184bdd 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java @@ -61,13 +61,30 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { * The phase that this analyzer is intended to run in. */ private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION; - + /** + * The filter defining which files will be analyzed. + */ private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build(); + /** + * Name. + */ public static final String NAME = "Name: "; + /** + * Version. + */ public static final String VERSION = "Version: "; + /** + * Advisory. + */ public static final String ADVISORY = "Advisory: "; + /** + * Criticality. + */ public static final String CRITICALITY = "Criticality: "; + /** + * The DAL. + */ private CveDB cvedb; /** diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java index 763f35b70..8aa06c797 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java @@ -60,9 +60,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { /** *
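Review bot: The javadoc added here to satisfy checkstyle says nothing the identifier does not already say: `Name.`, `Version.`, `Advisory.`, `Criticality.` and `The DAL.`. The values (`"Name: "`, `"Version: "`, `"Advisory: "`, `"Criticality: "`) look like the line prefixes this analyzer matches in bundle-audit output, which is inferred from the class name rather than visible in the hunk; if that is right, say so, e.g. `/** Prefix of the line in the bundle-audit report that carries the gem name. */` on NAME and the analogous sentence on the other three, and on cvedb something like `/** The CVE database this analyzer queries; see its use below. */`. Because the four constants are `public`, they are part of the class's API; if nothing outside the class references them, `private` is the narrower choice.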

- * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.

+ * Downloads the latest NVD CVE XML file from the web and imports it into + * the current CVE Database.

* - * @throws UpdateException is thrown if there is an error updating the database + * @throws UpdateException is thrown if there is an error updating the + * database */ @Override public void update() throws UpdateException { @@ -79,7 +81,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(System.currentTimeMillis())); if (updateable.isUpdateNeeded()) { performUpdate(updateable); - } + } } } catch (MalformedURLException ex) { LOGGER.warn( @@ -99,12 +101,15 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { } /** - * Checks if the NVD CVE XML files were last checked recently. As an optimization, we can avoid repetitive checks against the - * NVD. Setting CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before checking again. A database property - * stores the timestamp of the last check. + * Checks if the NVD CVE XML files were last checked recently. As an + * optimization, we can avoid repetitive checks against the NVD. Setting + * CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before + * checking again. A database property stores the timestamp of the last + * check. * * @return true to proceed with the check, or false to skip. - * @throws UpdateException thrown when there is an issue checking for updates. + * @throws UpdateException thrown when there is an issue checking for + * updates. */ private boolean checkUpdate() throws UpdateException { boolean proceed = true; 
@@ -146,11 +151,13 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { } /** - * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database. + * Downloads the latest NVD CVE XML file from the web and imports it into + * the current CVE Database. * - * @param updateable a collection of NVD CVE data file references that need to be downloaded and processed to update the + * @param updateable a collection of NVD CVE data file references that need + * to be downloaded and processed to update the database + * @throws UpdateException is thrown if there is an error updating the * database - * @throws UpdateException is thrown if there is an error updating the database */ public void performUpdate(UpdateableNvdCve updateable) throws UpdateException { int maxUpdates = 0; 
@@ -244,13 +251,18 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { } /** - * Determines if the index needs to be updated. This is done by fetching the NVD CVE meta data and checking the last update - * date. If the data needs to be refreshed this method will return the NvdCveUrl for the files that need to be updated. + * Determines if the index needs to be updated. This is done by fetching the + * NVD CVE meta data and checking the last update date. If the data needs to + * be refreshed this method will return the NvdCveUrl for the files that + * need to be updated. * * @return the collection of files that need to be updated - * @throws MalformedURLException is thrown if the URL for the NVD CVE Meta data is incorrect - * @throws DownloadFailedException is thrown if there is an error. downloading the NVD CVE download data file - * @throws UpdateException Is thrown if there is an issue with the last updated properties file + * @throws MalformedURLException is thrown if the URL for the NVD CVE Meta + * data is incorrect + * @throws DownloadFailedException is thrown if there is an error. + * downloading the NVD CVE download data file + * @throws UpdateException Is thrown if there is an issue with the last + * updated properties file */ protected final UpdateableNvdCve getUpdatesNeeded() throws MalformedURLException, DownloadFailedException, UpdateException { UpdateableNvdCve updates = null; 
@@ -314,9 +326,12 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { * Retrieves the timestamps from the NVD CVE meta data file. * * @return the timestamp from the currently published nvdcve downloads page - * @throws MalformedURLException thrown if the URL for the NVD CCE Meta data is incorrect. - * @throws DownloadFailedException thrown if there is an error downloading the nvd cve meta data file - * @throws InvalidDataException thrown if there is an exception parsing the timestamps + * @throws MalformedURLException thrown if the URL for the NVD CCE Meta data + * is incorrect. + * @throws DownloadFailedException thrown if there is an error downloading + * the nvd cve meta data file + * @throws InvalidDataException thrown if there is an exception parsing the + * timestamps * @throws InvalidSettingException thrown if the settings are invalid */ private UpdateableNvdCve retrieveCurrentTimestampsFromWeb() diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java index 3d4b2ee26..5be391a27 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java @@ -20,7 +20,8 @@ package org.owasp.dependencycheck.dependency; import java.io.Serializable; /** - * An external reference for a vulnerability. This contains a name, URL, and a source. + * An external reference for a vulnerability. This contains a name, URL, and a + * source. * * @author Jeremy Long */ @@ -99,7 +100,7 @@ public class Reference implements Serializable, Comparable { @Override public String toString() { - return "Reference: { name='"+this.name+"', url='"+this.url+"', source='"+this.source+"' }"; + return "Reference: { name='" + this.name + "', url='" + this.url + "', source='" + this.source + "' }"; } @Override 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java index ed278076b..3de3f99ee 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java @@ -387,7 +387,7 @@ public class Vulnerability implements Serializable, Comparable { @Override public String toString() { - StringBuilder sb = new StringBuilder("Vulnerability "); + final StringBuilder sb = new StringBuilder("Vulnerability "); sb.append(this.name); sb.append("\nReferences:\n"); for (Iterator i = this.references.iterator(); i.hasNext();) {