github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-19 15:54:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

filter version numbers for issue #575

Browse Source
This commit is contained in:
Jeremy Long
2017-01-14 09:41:34 -05:00
parent 5ab5a7b72b
commit 523cd23b6b
5 changed files with 239 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

129
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java Normal file
View File

@@ -0,0 +1,129 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2017 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import java.util.Iterator;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* This analyzer attempts to filter out erroneous version numbers collected.
* Initially, this will focus on JAR files that contain a POM version number
* that matches the file name - if identified all other version information will
* be removed.
*
* @author Jeremy Long
*/
public class VersionFilterAnalyzer extends AbstractAnalyzer {
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/
private static final String ANALYZER_NAME = "Version Filter Analyzer";
/**
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION;
/**
* Returns the name of the analyzer.
*
* @return the name of the analyzer.
*/
@Override
public String getName() {
return ANALYZER_NAME;
}
/**
* Returns the phase that the analyzer is intended to run in.
*
* @return the phase that the analyzer is intended to run in.
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
/**
* Returns the setting key to determine if the analyzer is enabled.
*
* @return the key for the analyzer's enabled property
*/
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_VERSION_FILTER_ENABLED;
}
//</editor-fold>
/**
* The Logger for use throughout the class
*/
private static final Logger LOGGER = LoggerFactory.getLogger(VersionFilterAnalyzer.class);
/**
* The HintAnalyzer uses knowledge about a dependency to add additional
* information to help in identification of identifiers or vulnerabilities.
*
* @param dependency The dependency being analyzed
* @param engine The scanning engine
* @throws AnalysisException is thrown if there is an exception analyzing
* the dependency.
*/
@Override
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
String fileVersion = null;
String pomVersion = null;
for (Evidence e : dependency.getVersionEvidence()) {
if ("file".equals(e.getSource()) && "version".equals(e.getName())) {
fileVersion = e.getValue(Boolean.FALSE);
} else if (("nexus".equals(e.getSource()) || "central".equals(e.getSource()) || "pom".equals(e.getSource())) && "version".equals(e.getName())) {
pomVersion = e.getValue(Boolean.FALSE);
}
}
if (fileVersion != null && pomVersion != null) {
DependencyVersion dvFile = new DependencyVersion(fileVersion);
DependencyVersion dvPom = new DependencyVersion(pomVersion);
if (dvPom.equals(dvFile)) {
LOGGER.debug("filtering evidence from {}", dependency.getFileName());
EvidenceCollection versionEvidence = dependency.getVersionEvidence();
synchronized (versionEvidence) {
final Iterator<Evidence> itr = versionEvidence.iterator();
while (itr.hasNext()) {
Evidence e = itr.next();
if (!("version".equals(e.getName())
&& ("file".equals(e.getSource())
|| "nexus".equals(e.getSource())
|| "central".equals(e.getSource())
|| "pom".equals(e.getSource())))) {
itr.remove();
}
}
}
}
}
}
}

1
dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
View File

@@ -25,3 +25,4 @@ org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer
org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer
org.owasp.dependencycheck.analyzer.CocoaPodsAnalyzer org.owasp.dependencycheck.analyzer.CocoaPodsAnalyzer
org.owasp.dependencycheck.analyzer.SwiftPackageManagerAnalyzer org.owasp.dependencycheck.analyzer.SwiftPackageManagerAnalyzer
org.owasp.dependencycheck.analyzer.VersionFilterAnalyzer

1
dependency-check-core/src/main/resources/dependencycheck.properties
View File

@@ -114,3 +114,4 @@ analyzer.nvdcve.enabled=true
analyzer.vulnerabilitysuppression.enabled=true analyzer.vulnerabilitysuppression.enabled=true
updater.nvdcve.enabled=true updater.nvdcve.enabled=true
updater.versioncheck.enabled=true updater.versioncheck.enabled=true
analyzer.versionfilter.enabled=true

104
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java Normal file
View File

@@ -0,0 +1,104 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2017 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import org.junit.Test;
import static org.junit.Assert.*;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author jerem
*/
public class VersionFilterAnalyzerTest extends BaseTest {
/**
* Test of getName method, of class VersionFilterAnalyzer.
*/
@Test
public void testGetName() {
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
String expResult = "Version Filter Analyzer";
String result = instance.getName();
assertEquals(expResult, result);
}
/**
* Test of getAnalysisPhase method, of class VersionFilterAnalyzer.
*/
@Test
public void testGetAnalysisPhase() {
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
}
/**
* Test of getAnalyzerEnabledSettingKey method, of class
* VersionFilterAnalyzer.
*/
@Test
public void testGetAnalyzerEnabledSettingKey() {
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
String expResult = Settings.KEYS.ANALYZER_VERSION_FILTER_ENABLED;
String result = instance.getAnalyzerEnabledSettingKey();
assertEquals(expResult, result);
}
/**
* Test of analyzeDependency method, of class VersionFilterAnalyzer.
*/
@Test
public void testAnalyzeDependency() throws Exception {
Dependency dependency = new Dependency();
EvidenceCollection versions = dependency.getVersionEvidence();
versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
versions.addEvidence("manifest", "implementation-version", "1.2.3", Confidence.HIGHEST);
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
versions.addEvidence("pom", "version", "1.2.3", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(4, versions.size());
versions.addEvidence("file", "version", "1.2.3", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(2, versions.size());
versions.addEvidence("nexus", "version", "1.2.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
versions.addEvidence("central", "version", "1.2.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(4, versions.size());
}
}

4
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -370,6 +370,10 @@ public final class Settings {
* The key to determine if the Hint analyzer is enabled. * The key to determine if the Hint analyzer is enabled.
*/ */
public static final String ANALYZER_HINT_ENABLED = "analyzer.hint.enabled"; public static final String ANALYZER_HINT_ENABLED = "analyzer.hint.enabled";
/**
* The key to determine if the Version Filter analyzer is enabled.
*/
public static final String ANALYZER_VERSION_FILTER_ENABLED = "analyzer.versionfilter.enabled";
/** /**
* The key to determine if the NVD CVE analyzer is enabled. * The key to determine if the NVD CVE analyzer is enabled.
*/ */