checkstyle/pmd/findbugs fixes

Former-commit-id: ed64aebbc7c5f25978b8e4b6391a6d7fc08749be
Jeremy Long
2013-04-23 20:22:51 -04:00
parent 6987845228
commit 536f373b91
6 changed files with 64 additions and 72 deletions


@@ -14,6 +14,6 @@
^ \* You should have received a copy of the GNU General Public License along with\s*$
^ \* DependencyCheck\. If not, see http://www.gnu.org/licenses/\.\s*$
^ \*\s*$
^ \* Copyright \(c\) 2012 Jeremy Long\. All Rights Reserved\.\s*$
^ \* Copyright \(c\) 201[23] Jeremy Long\. All Rights Reserved\.\s*$
^ \*/\s*$
^package


@@ -119,27 +119,27 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
* @param dependency the dependency being analyzed
*/
private void removeSpuriousCPE(Dependency dependency) {
List<Identifier> ids = new ArrayList<Identifier>();
final List<Identifier> ids = new ArrayList<Identifier>();
ids.addAll(dependency.getIdentifiers());
ListIterator<Identifier> mainItr = ids.listIterator();
final ListIterator<Identifier> mainItr = ids.listIterator();
while (mainItr.hasNext()) {
Identifier currentId = mainItr.next();
Entry currentCpe = parseCpe(currentId.getType(), currentId.getValue());
final Identifier currentId = mainItr.next();
final Entry currentCpe = parseCpe(currentId.getType(), currentId.getValue());
if (currentCpe == null) {
continue;
}
ListIterator<Identifier> subItr = ids.listIterator(mainItr.nextIndex());
final ListIterator<Identifier> subItr = ids.listIterator(mainItr.nextIndex());
while (subItr.hasNext()) {
Identifier nextId = subItr.next();
Entry nextCpe = parseCpe(nextId.getType(), nextId.getValue());
final Identifier nextId = subItr.next();
final Entry nextCpe = parseCpe(nextId.getType(), nextId.getValue());
if (nextCpe == null) {
continue;
}
if (currentCpe.getVendor().equals(nextCpe.getVendor())) {
if (currentCpe.getProduct().equals(nextCpe.getProduct())) {
// see if one is contained in the other.. remove the contained one from dependency.getIdentifier
String mainVersion = currentCpe.getVersion();
String nextVersion = nextCpe.getVersion();
final String mainVersion = currentCpe.getVersion();
final String nextVersion = nextCpe.getVersion();
if (mainVersion.length() < nextVersion.length()) {
if (nextVersion.startsWith(mainVersion)) {
//remove mainVersion
@@ -155,8 +155,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
if (currentCpe.getVersion().equals(nextCpe.getVersion())) {
//same vendor and version - but different products
// are we dealing with something like Axis & Axis2
String currentProd = currentCpe.getProduct();
String nextProd = nextCpe.getProduct();
final String currentProd = currentCpe.getProduct();
final String nextProd = nextCpe.getProduct();
if (currentProd.startsWith(nextProd)) {
dependency.getIdentifiers().remove(nextId);
}
@@ -169,20 +169,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
}
}
}
/*
* NOTE - don't remove the two different vendors.
*
currentCpe: currentCpe:/a:mortbay:jetty:4.2.27
currentCpe: currentCpe:/a:mortbay_jetty:jetty:4.2
currentCpe: currentCpe:/a:mortbay:jetty:4.2
*
Source Name Value
file name org.mortbay.jetty
Manifest Implementation-Vendor Mort Bay Consulting, Pty. Ltd.
Manifest Implementation-Version 4.2.27
*/
}
/**
@@ -205,11 +191,17 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
}
}
/**
* Parses a CPE string into an Entry.
* @param type the type of identifier
* @param value the cpe identifier to parse
* @return an Entry constructed from the identifier
*/
private Entry parseCpe(String type, String value) {
if (!"cpe".equals(type)) {
return null;
}
Entry cpe = new Entry();
final Entry cpe = new Entry();
try {
cpe.parseName(value);
} catch (UnsupportedEncodingException ex) {
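Review bot: The containment test `if (nextVersion.startsWith(mainVersion))` in the first hunk treats any string prefix as a version prefix, so identifiers with versions 4.2 and 4.20 (or 1.1 and 1.10) have the shorter, genuinely different version removed as spurious. Restricting the prefix to a segment boundary, `if (nextVersion.startsWith(mainVersion + "."))`, keeps the intended 4.2 vs 4.2.27 case; the mirrored branch for a longer mainVersion runs past the hunk and presumably needs the same change. The product check `currentProd.startsWith(nextProd)` in the second hunk rests on the same assumption (axis vs axis2 is the intended case, but any two products that happen to share a prefix collapse as well). The new parseCpe Javadoc could also state the null contract the code shows: `@return an Entry constructed from the identifier, or {@code null} if the type is not {@code "cpe"}`. removeSpuriousCPE begins before the hunk and ends after it.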


@@ -188,13 +188,13 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
//todo - catch should be more granular here, one for each call likely
//todo - think about sources/javadoc jars, should we remove or move to related dependency?
try {
boolean hasManifest = parseManifest(dependency);
boolean hasPOM = analyzePOM(dependency);
boolean deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
final boolean hasManifest = parseManifest(dependency);
final boolean hasPOM = analyzePOM(dependency);
final boolean deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
if ((!hasManifest && !hasPOM) || deepScan) {
addPackagesAsEvidence = true;
}
boolean hasClasses = analyzePackageNames(dependency, addPackagesAsEvidence);
final boolean hasClasses = analyzePackageNames(dependency, addPackagesAsEvidence);
if (!hasClasses
&& (dependency.getFileName().toLowerCase().endsWith("-sources.jar")
|| dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
@@ -389,14 +389,15 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
String[] path = null;
if (entry.getName().contains("/")) {
path = entry.getName().toLowerCase().split("/");
if ("java".equals(path[0])
|| "javax".equals(path[0])
|| ("com".equals(path[0]) && "sun".equals(path[0]))) {
continue;
}
} else {
path = new String[1];
path[0] = entry.getName();
}
count += 1;
String temp = path[0];
if (level0.containsKey(temp)) {
@@ -404,7 +405,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
} else {
level0.put(temp, 1);
}
if (path.length > 2) {
temp += "/" + path[1];
if (level1.containsKey(temp)) {
@@ -421,7 +421,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
level2.put(temp, 1);
}
}
if (path.length > 4) {
temp += "/" + path[3];
if (level3.containsKey(temp)) {
@@ -430,10 +429,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
level3.put(temp, 1);
}
}
}
}
if (count == 0) {
return hasClasses;
}
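Review bot: The package filter `("com".equals(path[0]) && "sun".equals(path[0]))` in the second hunk compares the first path segment against both strings, so it can never be true and `com/sun/...` entries are never skipped; the second comparison should read `path[1]`, guarded because a name such as `com/` splits to a single element: `|| (path.length > 1 && "com".equals(path[0]) && "sun".equals(path[1]))`. The else branch stores `entry.getName()` unlowercased while the split branch lowercases, so level0 keys mix cases depending on whether the entry had a directory component; `path[0] = entry.getName().toLowerCase();` would make them consistent. Since entry names come from the jar being scanned, a name consisting only of separators would presumably split to an empty array and `path[0]` would throw, so a `path.length == 0` guard before the first index is worth adding. The enclosing method starts before the hunk and ends after it.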


@@ -32,7 +32,9 @@ import org.owasp.dependencycheck.dependency.Identifier;
* to the CPE values (if there are any for the version of spring being used).
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @deprecated This class has been deprecated as it has been replaced by the BundlingAnalyzer
*/
@Deprecated
public class SpringCleaningAnalyzer extends AbstractAnalyzer implements Analyzer {
/**


@@ -19,7 +19,6 @@
package org.owasp.dependencycheck.utils;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Matcher;
@@ -63,7 +62,7 @@ public class DependencyVersion implements Iterable {
versionParts = new ArrayList<String>();
if (version != null) {
final Pattern rx = Pattern.compile("(\\d+|[a-z]+\\d+)");
Matcher matcher = rx.matcher(version.toLowerCase());
final Matcher matcher = rx.matcher(version.toLowerCase());
while (matcher.find()) {
versionParts.add(matcher.group());
}
@@ -78,7 +77,7 @@ public class DependencyVersion implements Iterable {
private List<String> versionParts;
/**
* Get the value of versionParts
* Get the value of versionParts.
*
* @return the value of versionParts
*/
@@ -87,7 +86,7 @@ public class DependencyVersion implements Iterable {
}
/**
* Set the value of versionParts
* Set the value of versionParts.
*
* @param versionParts new value of versionParts
*/
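Review bot: `Pattern.compile("(\\d+|[a-z]+\\d+)")` at the top of the second hunk is recompiled on every call even though the expression is constant; hoisting it to a `private static final Pattern` field of the class (the `final` local the commit adds only prevents reassignment) avoids the repeated work, and `version.toLowerCase(Locale.ROOT)` (with `java.util.Locale` imported) would make the split independent of the default locale. The class header shown in the hunk context, `implements Iterable`, uses the raw type; `Iterable<String>` would match the `List<String>` versionParts it presumably iterates, though the iterator method itself is outside the hunk. The enclosing constructor or method starts before the hunk and ends after it.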


@@ -1,20 +1,37 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import java.util.regex.MatchResult;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* <p>A utility class to extract version numbers from file names (or other strings
* containing version numbers.</p>
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public final class DependencyVersionUtil {
//private final static Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d+)*(\\d+[a-zA-Z]{1,3}\\d+)?");
private final static Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d+)+(\\.?[a-zA-Z_-]{1,3}\\d+)?");
/**
* Regular expression to extract version numbers from file names.
*/
private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d+)+(\\.?[a-zA-Z_-]{1,3}\\d+)?");
/**
* Private constructor for utility class.
@@ -22,12 +39,22 @@ public final class DependencyVersionUtil {
private DependencyVersionUtil() {
}
/**
* <p>A utility class to extract version numbers from file names (or other strings
* containing version numbers.<br/>
* Example:<br/>
* Give the file name: library-name-1.4.1r2-release.jar<br/>
* This function would return: 1.4.1.r2</p>
*
* @param filename the filename being analyzed
* @return a DependencyVersion containing the version
*/
public static DependencyVersion parseVersionFromFileName(String filename) {
if (filename == null) {
return null;
}
String version = null;
Matcher matcher = RX_VERSION.matcher(filename);
final Matcher matcher = RX_VERSION.matcher(filename);
if (matcher.find()) {
version = matcher.group();
}
@@ -39,30 +66,5 @@ public final class DependencyVersionUtil {
return null;
}
return new DependencyVersion(version);
// String name = null;
// final int pos = filename.lastIndexOf('.');
// if (pos>0) {
// name = filename.substring(0, pos).toLowerCase();
// } else {
// name = filename.toLowerCase();
// }
//// if (name.endsWith("-snapshot")) {
//// name = name.substring(0,name.length() - 9);
//// }
//// if (name.endsWith("-release")) {
//// name = name.substring(0,name.length() - 8);
//// }
// final String[] parts = name.split("[_-]");
// if (parts == null || parts.length == 0) {
// return null;
// }
// for (int x = parts.length - 1; x >= 0; x--) {
// if (RX_VERSION.matcher(parts[x]).matches()) {
// return new DependencyVersion(parts[x]);
// }
// }
// return null;
}
}
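Review bot: The new Javadoc on parseVersionFromFileName in the second hunk opens with `A utility class to extract version numbers`, which is the class summary pasted onto a method; a verb phrase such as `Extracts the version number from a file name (or another string containing a version number).` fits the method and closes the parenthesis left open in both copies. The `@return` tag should also record the two null paths visible in the code (null input, and no match, which reaches the `return null;` in the last hunk): `@return a DependencyVersion containing the version, or {@code null} if filename is null or contains no version`. The example claims `library-name-1.4.1r2-release.jar` yields `1.4.1.r2`, but RX_VERSION matches `1.4.1r2`, so the dotted form depends on how DependencyVersion splits the string and is worth confirming before the example is published. `import java.util.regex.MatchResult;` is kept in the first hunk while nothing in the shown lines uses it; if the lines between the hunks do not either, the import is dead and the PMD run this commit targets will flag it.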