From 562269dd2bfa83b2715c87681dd77ea9b070426f Mon Sep 17 00:00:00 2001
From: brianf
Date: Thu, 21 Sep 2017 15:53:13 -0400
Subject: [PATCH] Normalized Python Package Name
---
 .../analyzer/PythonPackageAnalyzer.java | 40 ++++++++++++++++---
 .../analyzer/PythonPackageAnalyzerTest.java | 4 ++
 2 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
index 12e58d3f4..4bb9a9ce0 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
@@ -109,7 +109,12 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 * The file filter used to determine which files this analyzer supports.
 */
 private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
-
+
+ /**
+ * The dependency Ecosystem
+ */
+ static final String DEPENDENCY_ECOSYSTEM = "Python.Pkg";
+
 /**
 * Returns the name of the Python Package Analyzer.
 *
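Review bot: The Javadoc on the new `DEPENDENCY_ECOSYSTEM` constant reads only `The dependency Ecosystem`, which is not a sentence and does not say what the value is for; the second hunk of this file shows it being written onto each analyzed dependency, so the comment should say so: `/** Ecosystem identifier assigned to every dependency this analyzer processes (see {@code analyzeDependency}). */`. The constant is package-private rather than private, apparently so the test class can reference it; if that is the reason, a short `// package-private for tests` on the declaration records the intent.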
@@ -173,14 +178,15 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 @Override
 protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
- final File file = dependency.getActualFile();
+ dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM);
+ final File file = dependency.getActualFile();
 final File parent = file.getParentFile();
 final String parentName = parent.getName();
 if (INIT_PY_FILTER.accept(file)) {
 //by definition, the containing folder of __init__.py is considered the package, even the file is empty:
 //"The __init__.py files are required to make Python treat the directories as containing packages"
 //see section "6.4 Packages" from https://docs.python.org/2/tutorial/modules.html;
- dependency.setDisplayFileName(parentName + "/__init__.py");
+ dependency.setName(parentName);
 dependency.getProductEvidence().addEvidence(file.getName(), "PackageName", parentName, Confidence.HIGHEST);
@@ -217,9 +223,9 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 boolean found = false;
 if (!contents.isEmpty()) {
 final String source = file.getName();
- found = gatherEvidence(VERSION_PATTERN, contents, source,
+ found = gatherVersionEvidence(VERSION_PATTERN, contents, source,
 dependency.getVersionEvidence(), "SourceVersion",
- Confidence.MEDIUM);
+ Confidence.MEDIUM,dependency);
 found |= addSummaryInfo(dependency, SUMMARY_PATTERN, 4, contents, source, "summary");
 if (INIT_PY_FILTER.accept(file)) {
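Review bot: `dependency.setName(parentName)` stores the containing directory's name exactly as it appears on disk, yet the commit is titled "Normalized Python Package Name" and the new assertion in PythonPackageAnalyzerTest expects `"eggtest"` for a fixture the existing assertion message calls "EggTest"; unless `Dependency.setName` lower-cases its argument (not visible in this diff), the stored name keeps the directory's original casing, so the normalization should be made explicit here or the test expectation confirmed against the fixture path. The analyzer also no longer sets a display file name (the removed `setDisplayFileName(parentName + "/__init__.py")` line has no replacement), while the test expects `"eggtest:0.0.1"` from `getDisplayFileName()`; that value must now come from `Dependency` itself, which this diff does not show. A hedged note on the `setName` line would help the next reader, e.g. `// NOTE: display file name is expected to be derived by Dependency from name:version — confirm`. The body of `analyzeDependency` continues past the end of this hunk.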
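Review bot: The changed call passes both `dependency.getVersionEvidence()` and `dependency` itself to `gatherVersionEvidence`, so the helper receives the same object twice; passing only `dependency` and letting the helper call `getVersionEvidence()` would remove the redundancy and shorten the signature. Formatting: `Confidence.MEDIUM,dependency` is missing the space after the comma that the rest of the argument list uses. The enclosing method starts and ends outside this hunk.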
@@ -310,6 +316,30 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 }
 return found;
 }
+
+ /**
+ * Gather package version evidence from a Python source file using the given string
+ * assignment regex pattern.
+ *
+ * @param pattern to scan contents with
+ * @param contents of Python source file
+ * @param source for storing evidence
+ * @param evidence to store evidence in
+ * @param name of evidence
+ * @param confidence in evidence
+ * @return whether evidence was found
+ */
+ private boolean gatherVersionEvidence(Pattern pattern, String contents,
+ String source, EvidenceCollection evidence, String name,
+ Confidence confidence,Dependency d) {
+ final Matcher matcher = pattern.matcher(contents);
+ final boolean found = matcher.find();
+ if (found) {
+ evidence.addEvidence(source, name, matcher.group(4), confidence);
+ d.setVersion(matcher.group(4));
+ }
+ return found;
+ }
 @Override
 protected String getAnalyzerEnabledSettingKey() {
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
index 74d594535..f4cc4d9f1 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
@@ -98,6 +98,10 @@ public class PythonPackageAnalyzerTest extends BaseTest {
 }
 }
 assertTrue("Version 0.0.1 not found in EggTest dependency.", found);
+ assertEquals("0.0.1",result.getVersion());
+ assertEquals("eggtest",result.getName());
+ assertEquals("eggtest:0.0.1",result.getDisplayFileName());
+ assertEquals(PythonPackageAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem());
 }
 }
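Review bot: The Javadoc on the new `gatherVersionEvidence` documents six parameters but not the seventh, `Dependency d`, which is the only thing that distinguishes it from the `gatherEvidence` call it replaces; add `@param d dependency whose version is set from the first match` and give the parameter a descriptive name such as `dependency`. `matcher.group(4)` is evaluated twice; capture it once with `final String version = matcher.group(4);` and use it for both `evidence.addEvidence(...)` and `d.setVersion(version)`. `setVersion` is called unconditionally on the first regex match, which is recorded at the caller's MEDIUM confidence, so any version already set on the dependency is replaced without comparison — if an earlier step can set a higher-confidence version, that ordering deserves a comment at the call site. Formatting: `Confidence confidence,Dependency d` lacks a space after the comma.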