From 536f373b91b43cfdbacc7e58bc98a5ca68621cd9 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Tue, 23 Apr 2013 20:22:51 -0400
Subject: [PATCH] checkstyle/pmd/findbugs fixes
Former-commit-id: ed64aebbc7c5f25978b8e4b6391a6d7fc08749be
---
 src/main/config/checkstyle-header.txt | 2 +-
 .../analyzer/FalsePositiveAnalyzer.java | 44 ++++++-------
 .../dependencycheck/analyzer/JarAnalyzer.java | 17 ++---
 .../analyzer/SpringCleaningAnalyzer.java | 2 +
 .../utils/DependencyVersion.java | 7 +-
 .../utils/DependencyVersionUtil.java | 64 ++++++++++---------
 6 files changed, 64 insertions(+), 72 deletions(-)
diff --git a/src/main/config/checkstyle-header.txt b/src/main/config/checkstyle-header.txt
index 14d1dec2e..cad15230d 100644
--- a/src/main/config/checkstyle-header.txt
+++ b/src/main/config/checkstyle-header.txt
@@ -14,6 +14,6 @@
 ^ \* You should have received a copy of the GNU General Public License along with\s*$
 ^ \* DependencyCheck\. If not, see http://www.gnu.org/licenses/\.\s*$
 ^ \*\s*$
-^ \* Copyright \(c\) 2012 Jeremy Long\. All Rights Reserved\.\s*$
+^ \* Copyright \(c\) 201[23] Jeremy Long\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package
diff --git a/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
index f4cb480f6..4b76aea2d 100644
--- a/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -119,27 +119,27 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 * @param dependency the dependency being analyzed
 */
 private void removeSpuriousCPE(Dependency dependency) {
- List ids = new ArrayList();
+ final List ids = new ArrayList();
 ids.addAll(dependency.getIdentifiers());
- ListIterator mainItr = ids.listIterator();
+ final ListIterator mainItr = ids.listIterator();
 while (mainItr.hasNext()) {
- Identifier currentId = mainItr.next();
- Entry currentCpe = parseCpe(currentId.getType(), currentId.getValue());
+ final Identifier currentId = mainItr.next();
+ final Entry currentCpe = parseCpe(currentId.getType(), currentId.getValue());
 if (currentCpe == null) {
 continue;
 }
- ListIterator subItr = ids.listIterator(mainItr.nextIndex());
+ final ListIterator subItr = ids.listIterator(mainItr.nextIndex());
 while (subItr.hasNext()) {
- Identifier nextId = subItr.next();
- Entry nextCpe = parseCpe(nextId.getType(), nextId.getValue());
+ final Identifier nextId = subItr.next();
+ final Entry nextCpe = parseCpe(nextId.getType(), nextId.getValue());
 if (nextCpe == null) {
 continue;
 }
 if (currentCpe.getVendor().equals(nextCpe.getVendor())) {
 if (currentCpe.getProduct().equals(nextCpe.getProduct())) {
 // see if one is contained in the other.. remove the contained one from dependency.getIdentifier
- String mainVersion = currentCpe.getVersion();
- String nextVersion = nextCpe.getVersion();
+ final String mainVersion = currentCpe.getVersion();
+ final String nextVersion = nextCpe.getVersion();
 if (mainVersion.length() < nextVersion.length()) {
 if (nextVersion.startsWith(mainVersion)) {
 //remove mainVersion
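Review bot: The containment test on the last lines of the hunk, `mainVersion.length() < nextVersion.length()` followed by `nextVersion.startsWith(mainVersion)`, is a plain string prefix check, so a CPE for version `4.2` is treated as contained in one for `4.20` just as it is in `4.2.27`, and the `4.2` identifier is dropped in both cases. Restricting the check to a component boundary, `if (nextVersion.startsWith(mainVersion + "."))` (and the same in the mirrored branch that presumably follows), keeps the intended sub-version case and leaves unrelated versions alone; comparing through `DependencyVersion`, which this commit also touches, would be the more robust alternative. If `Entry.getVersion()` can return null for a CPE without a version part, the `length()` call also needs a null guard — `Entry` is not visible here. The body of removeSpuriousCPE continues past the end of the hunk.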
@@ -155,8 +155,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 if (currentCpe.getVersion().equals(nextCpe.getVersion())) {
 //same vendor and version - but different products
 // are we dealing with something like Axis & Axis2
- String currentProd = currentCpe.getProduct();
- String nextProd = nextCpe.getProduct();
+ final String currentProd = currentCpe.getProduct();
+ final String nextProd = nextCpe.getProduct();
 if (currentProd.startsWith(nextProd)) {
 dependency.getIdentifiers().remove(nextId);
 }
@@ -169,20 +169,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 }
 }
 }
-
- /*
- * NOTE - don't remove the two different vendors.
- *
- currentCpe: currentCpe:/a:mortbay:jetty:4.2.27
- currentCpe: currentCpe:/a:mortbay_jetty:jetty:4.2
- currentCpe: currentCpe:/a:mortbay:jetty:4.2
- *
- Source Name Value
- file name org.mortbay.jetty
- Manifest Implementation-Vendor Mort Bay Consulting, Pty. Ltd.
- Manifest Implementation-Version 4.2.27
- */
-
 }
 /**
@@ -205,11 +191,17 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 }
 }
+ /**
+ * Parses a CPE string into an Entry.
+ * @param type the type of identifier
+ * @param value the cpe identifier to parse
+ * @return an Entry constructed from the identifier
+ */
 private Entry parseCpe(String type, String value) {
 if (!"cpe".equals(type)) {
 return null;
 }
- Entry cpe = new Entry();
+ final Entry cpe = new Entry();
 try {
 cpe.parseName(value);
 } catch (UnsupportedEncodingException ex) {
diff --git a/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index ee2c39509..4a0f92336 100644
--- a/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
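Review bot: The Javadoc added for parseCpe in hunk @@ -205 states `@return an Entry constructed from the identifier`, but the method returns null two lines below the tag whenever `type` is not `"cpe"`, and the `catch (UnsupportedEncodingException ex)` the hunk cuts off looks like a second null path. The caller relies on exactly that contract (`if (currentCpe == null) { continue; }` in hunk @@ -119), so the tag should state it: `@return an Entry constructed from the identifier, or null if the identifier is not a CPE or cannot be parsed`. The rest of parseCpe, including the catch body, lies outside the hunk.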
@@ -188,13 +188,13 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 //todo - catch should be more granular here, one for each call likely
 //todo - think about sources/javadoc jars, should we remove or move to related dependency?
 try {
- boolean hasManifest = parseManifest(dependency);
- boolean hasPOM = analyzePOM(dependency);
- boolean deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
+ final boolean hasManifest = parseManifest(dependency);
+ final boolean hasPOM = analyzePOM(dependency);
+ final boolean deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
 if ((!hasManifest && !hasPOM) || deepScan) {
 addPackagesAsEvidence = true;
 }
- boolean hasClasses = analyzePackageNames(dependency, addPackagesAsEvidence);
+ final boolean hasClasses = analyzePackageNames(dependency, addPackagesAsEvidence);
 if (!hasClasses && (dependency.getFileName().toLowerCase().endsWith("-sources.jar") || dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
@@ -389,14 +389,15 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 String[] path = null;
 if (entry.getName().contains("/")) {
 path = entry.getName().toLowerCase().split("/");
-
 if ("java".equals(path[0]) || "javax".equals(path[0]) || ("com".equals(path[0]) && "sun".equals(path[0]))) {
 continue;
 }
+ } else {
+ path = new String[1];
+ path[0] = entry.getName();
 }
-
 count += 1;
 String temp = path[0];
 if (level0.containsKey(temp)) {
@@ -404,7 +405,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 } else {
 level0.put(temp, 1);
 }
-
 if (path.length > 2) {
 temp += "/" + path[1];
 if (level1.containsKey(temp)) {
@@ -421,7 +421,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 level2.put(temp, 1);
 }
 }
-
 if (path.length > 4) {
 temp += "/" + path[3];
 if (level3.containsKey(temp)) {
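Review bot: In hunk @@ -389 the new `else` branch stores `entry.getName()` unchanged, while the `contains("/")` branch lower-cases the name before splitting, so root-level entries are keyed into `level0` case-sensitively and nested ones are not; `path = new String[] {entry.getName().toLowerCase()};` keeps the two branches consistent and replaces the two-statement form. The filter kept as context in the same hunk, `("com".equals(path[0]) && "sun".equals(path[0]))`, can never be true because both comparisons look at the same element — presumably `path[1]` was meant for `"sun"`, which would also need a `path.length > 1` guard. The enclosing method (analyzePackageNames, judging by the call in hunk @@ -188) starts and ends outside this hunk.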
@@ -430,10 +429,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 level3.put(temp, 1);
 }
 }
-
 }
 }
-
 if (count == 0) {
 return hasClasses;
 }
diff --git a/src/main/java/org/owasp/dependencycheck/analyzer/SpringCleaningAnalyzer.java b/src/main/java/org/owasp/dependencycheck/analyzer/SpringCleaningAnalyzer.java
index 2b3a5c5ff..5d0d045c2 100644
--- a/src/main/java/org/owasp/dependencycheck/analyzer/SpringCleaningAnalyzer.java
+++ b/src/main/java/org/owasp/dependencycheck/analyzer/SpringCleaningAnalyzer.java
@@ -32,7 +32,9 @@ import org.owasp.dependencycheck.dependency.Identifier;
 * to the CPE values (if there are any for the version of spring being used).
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
+ * @deprecated This class has been deprecated as it has been replaced by the BundlingAnalyzer
 */
+@Deprecated
 public class SpringCleaningAnalyzer extends AbstractAnalyzer implements Analyzer {
 /**
diff --git a/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java b/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
index e8647339e..328890a35 100644
--- a/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
+++ b/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
@@ -19,7 +19,6 @@ package org.owasp.dependencycheck.utils;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Iterator;
 import java.util.List;
 import java.util.regex.Matcher;
@@ -63,7 +62,7 @@ public class DependencyVersion implements Iterable {
 versionParts = new ArrayList();
 if (version != null) {
 final Pattern rx = Pattern.compile("(\\d+|[a-z]+\\d+)");
- Matcher matcher = rx.matcher(version.toLowerCase());
+ final Matcher matcher = rx.matcher(version.toLowerCase());
 while (matcher.find()) {
 versionParts.add(matcher.group());
 }
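Review bot: In hunk @@ -63 of DependencyVersion, `Pattern.compile("(\\d+|[a-z]+\\d+)")` runs on every call of what appears to be the constructor (it assigns `versionParts`); the expression is constant, so it belongs in a `private static final Pattern` field like the `RX_VERSION` this commit documents in DependencyVersionUtil, with the local becoming `final Matcher matcher = RX.matcher(version.toLowerCase());`. Because the expression only matches `[a-z]`, `version.toLowerCase()` should also pass `Locale.ROOT` so the result does not depend on the JVM's default locale (under a Turkish default locale an upper-case `I` lower-cases to a dotless ı that the class does not match). The enclosing constructor or method begins before the hunk.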
@@ -78,7 +77,7 @@ public class DependencyVersion implements Iterable {
 private List versionParts;
 /**
- * Get the value of versionParts
+ * Get the value of versionParts.
 *
 * @return the value of versionParts
 */
@@ -87,7 +86,7 @@ public class DependencyVersion implements Iterable {
 }
 /**
- * Set the value of versionParts
+ * Set the value of versionParts.
 *
 * @param versionParts new value of versionParts
 */
diff --git a/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java b/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
index 3bb7999e4..193ea6b3e 100644
--- a/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
+++ b/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
@@ -1,20 +1,37 @@
 /*
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
+ * This file is part of DependencyCheck.
+ *
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.utils;
-import java.util.regex.MatchResult;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 /**
+ *

A utility class to extract version numbers from file names (or other strings + * containing version numbers.

*
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
 public final class DependencyVersionUtil {
- //private final static Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d+)*(\\d+[a-zA-Z]{1,3}\\d+)?");
- private final static Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d+)+(\\.?[a-zA-Z_-]{1,3}\\d+)?");
+ /**
+ * Regular expression to extract version numbers from file names.
+ */
+ private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d+)+(\\.?[a-zA-Z_-]{1,3}\\d+)?");
 /**
 * Private constructor for utility class.
@@ -22,12 +39,22 @@ public final class DependencyVersionUtil {
 private DependencyVersionUtil() {
 }
+ /**
+ *
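Review bot: The class Javadoc added in hunk @@ -1 opens a parenthesis it never closes, `(or other strings containing version numbers.`; it should read `(or other strings containing version numbers).`, and the same sentence is repeated verbatim in the parseVersionFromFileName Javadoc in hunk @@ -22, which needs the same fix. The new comment on `RX_VERSION` would be more useful if it said what the expression accepts, since the regex is the whole contract of this class: `Regular expression to extract version numbers from file names: two or more dot-separated numeric components, optionally followed by a one-to-three-character qualifier and a number (e.g. 1.4.1r2).` The hunk's `<p>` tags appear to have been lost in rendering, so the exact paragraph markup cannot be checked here.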

A utility class to extract version numbers from file names (or other strings + * containing version numbers.
+ * Example:
+ * Give the file name: library-name-1.4.1r2-release.jar
+ * This function would return: 1.4.1.r2

+ *
+ * @param filename the filename being analyzed
+ * @return a DependencyVersion containing the version
+ */
 public static DependencyVersion parseVersionFromFileName(String filename) {
 if (filename == null) {
 return null;
 }
 String version = null;
- Matcher matcher = RX_VERSION.matcher(filename);
+ final Matcher matcher = RX_VERSION.matcher(filename);
 if (matcher.find()) {
 version = matcher.group();
 }
@@ -39,30 +66,5 @@ public final class DependencyVersionUtil {
 return null;
 }
 return new DependencyVersion(version);
-
-
-// String name = null;
-// final int pos = filename.lastIndexOf('.');
-// if (pos>0) {
-// name = filename.substring(0, pos).toLowerCase();
-// } else {
-// name = filename.toLowerCase();
-// }
-//// if (name.endsWith("-snapshot")) {
-//// name = name.substring(0,name.length() - 9);
-//// }
-//// if (name.endsWith("-release")) {
-//// name = name.substring(0,name.length() - 8);
-//// }
-// final String[] parts = name.split("[_-]");
-// if (parts == null || parts.length == 0) {
-// return null;
-// }
-// for (int x = parts.length - 1; x >= 0; x--) {
-// if (RX_VERSION.matcher(parts[x]).matches()) {
-// return new DependencyVersion(parts[x]);
-// }
-// }
-// return null;
 }
 }
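Review bot: The Javadoc added for parseVersionFromFileName in hunk @@ -22 repeats the class description (`A utility class to extract ...`) on a method, and its example has a typo: `Give the file name` should be `Given the file name`. The `@return` tag also omits the two null paths visible in the method — `return null` when `filename` is null, and the `return null` kept as context at the top of hunk @@ -39 — so `@return a DependencyVersion containing the version, or null if the filename is null or contains no recognizable version` would describe the actual contract. Whether the example's `1.4.1.r2` is what `DependencyVersion` produces for the matched text `1.4.1r2` cannot be confirmed from these hunks.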