evidence thread-safety updates
@@ -47,6 +47,7 @@ import javax.annotation.concurrent.ThreadSafe;
|
||||
import javax.xml.parsers.ParserConfigurationException;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
import org.apache.commons.lang3.SystemUtils;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.utils.XmlUtils;
|
||||
|
||||
/**
|
||||
@@ -170,20 +171,17 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
final String version = xpath.evaluate("/assembly/version", doc);
|
||||
if (version != null) {
|
||||
dependency.getVersionEvidence().addEvidence(new Evidence("grokassembly", "version",
|
||||
version, Confidence.HIGHEST));
|
||||
dependency.addEvidence(EvidenceType.VERSION, "grokassembly", "version", version, Confidence.HIGHEST);
|
||||
}
|
||||
|
||||
final String vendor = xpath.evaluate("/assembly/company", doc);
|
||||
if (vendor != null) {
|
||||
dependency.getVendorEvidence().addEvidence(new Evidence("grokassembly", "vendor",
|
||||
vendor, Confidence.HIGH));
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "vendor", vendor, Confidence.HIGH);
|
||||
}
|
||||
|
||||
final String product = xpath.evaluate("/assembly/product", doc);
|
||||
if (product != null) {
|
||||
dependency.getProductEvidence().addEvidence(new Evidence("grokassembly", "product",
|
||||
product, Confidence.HIGH));
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "product", product, Confidence.HIGH);
|
||||
}
|
||||
|
||||
} catch (ParserConfigurationException pce) {
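Review bot: The guards `if (version != null)` (and the vendor/product ones below it) never filter an absent element, because `XPath.evaluate(String, Object)` returns an empty string rather than null when nothing matches, so the new `dependency.addEvidence(EvidenceType.VERSION, ...)` calls can record an empty value at HIGHEST confidence. Consider `if (version != null && !version.isEmpty()) {` and the same for `vendor` and `product`. This evidence feeds the CPE search, so empty HIGHEST-confidence terms are worth keeping out. The enclosing method starts before this hunk and continues after it.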
|
||||
|
||||
@@ -22,7 +22,6 @@ import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.owasp.dependencycheck.utils.UrlStringUtils;
|
||||
@@ -33,6 +32,7 @@ import java.io.IOException;
|
||||
import java.nio.charset.Charset;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
|
||||
/**
|
||||
@@ -168,8 +168,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final String contents = getFileContents(actualFile);
|
||||
if (!contents.isEmpty()) {
|
||||
if (isOutputScript) {
|
||||
extractConfigureScriptEvidence(dependency, name,
|
||||
contents);
|
||||
extractConfigureScriptEvidence(dependency, name, contents);
|
||||
} else {
|
||||
gatherEvidence(dependency, name, contents);
|
||||
}
|
||||
@@ -195,17 +194,13 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final String value = matcher.group(2);
|
||||
if (!value.isEmpty()) {
|
||||
if (variable.endsWith("NAME")) {
|
||||
dependency.getProductEvidence().addEvidence(name, variable,
|
||||
value, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, name, variable, value, Confidence.HIGHEST);
|
||||
} else if ("VERSION".equals(variable)) {
|
||||
dependency.getVersionEvidence().addEvidence(name, variable,
|
||||
value, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, name, variable, value, Confidence.HIGHEST);
|
||||
} else if ("BUGREPORT".equals(variable)) {
|
||||
dependency.getVendorEvidence().addEvidence(name, variable,
|
||||
value, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);
|
||||
} else if ("URL".equals(variable)) {
|
||||
dependency.getVendorEvidence().addEvidence(name, variable,
|
||||
value, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -239,27 +234,19 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
String contents) {
|
||||
final Matcher matcher = AC_INIT_PATTERN.matcher(contents);
|
||||
if (matcher.find()) {
|
||||
final EvidenceCollection productEvidence = dependency
|
||||
.getProductEvidence();
|
||||
productEvidence.addEvidence(name, "Package", matcher.group(1),
|
||||
Confidence.HIGHEST);
|
||||
dependency.getVersionEvidence().addEvidence(name,
|
||||
"Package Version", matcher.group(2), Confidence.HIGHEST);
|
||||
final EvidenceCollection vendorEvidence = dependency
|
||||
.getVendorEvidence();
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, name, "Package", matcher.group(1), Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, name, "Package Version", matcher.group(2), Confidence.HIGHEST);
|
||||
|
||||
if (null != matcher.group(3)) {
|
||||
vendorEvidence.addEvidence(name, "Bug report address",
|
||||
matcher.group(4), Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, name, "Bug report address", matcher.group(4), Confidence.HIGH);
|
||||
}
|
||||
if (null != matcher.group(5)) {
|
||||
productEvidence.addEvidence(name, "Tarname", matcher.group(6),
|
||||
Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, name, "Tarname", matcher.group(6), Confidence.HIGH);
|
||||
}
|
||||
if (null != matcher.group(7)) {
|
||||
final String url = matcher.group(8);
|
||||
if (UrlStringUtils.isUrl(url)) {
|
||||
vendorEvidence.addEvidence(name, "URL", url,
|
||||
Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, name, "URL", url, Confidence.HIGH);
|
||||
}
|
||||
}
|
||||
}
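Review bot: In the `gatherEvidence` hunk the `"URL".equals(variable)` branch adds the raw value as vendor evidence, whereas `extractConfigureScriptEvidence` only adds the AC_INIT url after `UrlStringUtils.isUrl(url)` passes; the two paths should agree. The smallest change is `} else if ("URL".equals(variable) && UrlStringUtils.isUrl(value)) {`, which keeps non-URL strings out of the vendor evidence that the CPE search tokenizes. Separately, `matcher.group(1)` and `matcher.group(2)` in `extractConfigureScriptEvidence` go straight into `addEvidence` while groups 3, 5 and 7 are null-checked first; if `AC_INIT_PATTERN` (defined outside the hunk) lets those groups be absent, the same `null !=` guard belongs there. `gatherEvidence` begins before its hunk.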
|
||||
|
||||
@@ -38,6 +38,7 @@ import java.security.MessageDigest;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
|
||||
/**
|
||||
@@ -172,8 +173,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
m.groupCount(), m.group(0)));
|
||||
final String group = m.group(1);
|
||||
LOGGER.debug("Group 1: {}", group);
|
||||
dependency.getProductEvidence().addEvidence(name, "Project",
|
||||
group, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, name, "Project", group, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, name, "Project", group, Confidence.HIGH);
|
||||
}
|
||||
LOGGER.debug("Found {} matches.", count);
|
||||
analyzeSetVersionCommand(dependency, engine, contents);
|
||||
@@ -227,10 +228,9 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
engine.addDependency(currentDep);
|
||||
}
|
||||
final String source = currentDep.getDisplayFileName();
|
||||
currentDep.getProductEvidence().addEvidence(source, "Product",
|
||||
product, Confidence.MEDIUM);
|
||||
currentDep.getVersionEvidence().addEvidence(source, "Version",
|
||||
version, Confidence.MEDIUM);
|
||||
currentDep.addEvidence(EvidenceType.PRODUCT, source, "Product", product, Confidence.MEDIUM);
|
||||
currentDep.addEvidence(EvidenceType.VENDOR, source, "Vendor", product, Confidence.MEDIUM);
|
||||
currentDep.addEvidence(EvidenceType.VERSION, source, "Version", version, Confidence.MEDIUM);
|
||||
}
|
||||
LOGGER.debug("Found {} matches.", count);
|
||||
}
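Review bot: The added `dependency.addEvidence(EvidenceType.VENDOR, name, "Project", group, Confidence.HIGH);` and `currentDep.addEvidence(EvidenceType.VENDOR, source, "Vendor", product, Confidence.MEDIUM);` record the project/product name as vendor evidence with no explanation, and a later reader will wonder whether it is a copy/paste slip. A one-line why-comment would settle it, e.g. `// CMake has no vendor field; reuse the project name so the CPE vendor search has a term to match`, assuming that is the intent. Both hunks start inside methods whose signatures are outside the view.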
|
||||
|
||||
@@ -47,7 +47,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.dependency.Identifier;
|
||||
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
@@ -157,17 +157,17 @@ public class CPEAnalyzer extends AbstractAnalyzer {
|
||||
* usually occurs when the database is in use by another process.
|
||||
*/
|
||||
public void open(CveDB cve) throws IOException, DatabaseException {
|
||||
this.cve = cve;
|
||||
this.cpe = CpeMemoryIndex.getInstance();
|
||||
try {
|
||||
final long creationStart = System.currentTimeMillis();
|
||||
cpe.open(cve);
|
||||
final long creationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - creationStart);
|
||||
LOGGER.info("Created CPE Index ({} seconds)", creationSeconds);
|
||||
} catch (IndexException ex) {
|
||||
LOGGER.debug("IndexException", ex);
|
||||
throw new DatabaseException(ex);
|
||||
}
|
||||
this.cve = cve;
|
||||
this.cpe = CpeMemoryIndex.getInstance();
|
||||
try {
|
||||
final long creationStart = System.currentTimeMillis();
|
||||
cpe.open(cve);
|
||||
final long creationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - creationStart);
|
||||
LOGGER.info("Created CPE Index ({} seconds)", creationSeconds);
|
||||
} catch (IndexException ex) {
|
||||
LOGGER.debug("IndexException", ex);
|
||||
throw new DatabaseException(ex);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -195,17 +195,17 @@ public class CPEAnalyzer extends AbstractAnalyzer {
|
||||
String vendors = "";
|
||||
String products = "";
|
||||
for (Confidence confidence : Confidence.values()) {
|
||||
if (dependency.getVendorEvidence().contains(confidence)) {
|
||||
vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
|
||||
if (dependency.contains(EvidenceType.VENDOR, confidence)) {
|
||||
vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getIterator(EvidenceType.VENDOR, confidence));
|
||||
LOGGER.debug("vendor search: {}", vendors);
|
||||
}
|
||||
if (dependency.getProductEvidence().contains(confidence)) {
|
||||
products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
|
||||
if (dependency.contains(EvidenceType.PRODUCT, confidence)) {
|
||||
products = addEvidenceWithoutDuplicateTerms(products, dependency.getIterator(EvidenceType.PRODUCT, confidence));
|
||||
LOGGER.debug("product search: {}", products);
|
||||
}
|
||||
if (!vendors.isEmpty() && !products.isEmpty()) {
|
||||
final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getVendorEvidence().getWeighting(),
|
||||
dependency.getProductEvidence().getWeighting());
|
||||
final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getVendorWeightings(),
|
||||
dependency.getProductWeightings());
|
||||
if (entries == null) {
|
||||
continue;
|
||||
}
|
||||
@@ -232,26 +232,24 @@ public class CPEAnalyzer extends AbstractAnalyzer {
|
||||
* attempts to prevent duplicate terms from being added.<br/<br/> Note, if
|
||||
* the evidence is longer then 200 characters it will be truncated.
|
||||
*
|
||||
* @param text the base text.
|
||||
* @param ec an EvidenceCollection
|
||||
* @param confidenceFilter a Confidence level to filter the evidence by.
|
||||
* @param text the base text
|
||||
* @param evidence an iterable set of evidence to concatenate
|
||||
* @return the new evidence text
|
||||
*/
|
||||
private String addEvidenceWithoutDuplicateTerms(final String text, final EvidenceCollection ec, Confidence confidenceFilter) {
|
||||
private String addEvidenceWithoutDuplicateTerms(final String text, final Iterable<Evidence> evidence) {
|
||||
final String txt = (text == null) ? "" : text;
|
||||
final StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size()));
|
||||
final StringBuilder sb = new StringBuilder();
|
||||
sb.append(' ').append(txt).append(' ');
|
||||
for (Evidence e : ec.iterator(confidenceFilter)) {
|
||||
for (Evidence e : evidence) {
|
||||
String value = e.getValue();
|
||||
|
||||
//hack to get around the fact that lucene does a really good job of recognizing domains and not
|
||||
// splitting them. TODO - put together a better lucene analyzer specific to the domain.
|
||||
if (value.startsWith("http://")) {
|
||||
value = value.substring(7).replaceAll("\\.", " ");
|
||||
}
|
||||
if (value.startsWith("https://")) {
|
||||
value = value.substring(8).replaceAll("\\.", " ");
|
||||
}
|
||||
//removed as the URLTokenizingFilter was created
|
||||
//hack to get around the fact that lucene does a really good job of recognizing domains and not splitting them.
|
||||
// if (value.startsWith("http://")) {
|
||||
// value = value.substring(7).replaceAll("\\.", " ");
|
||||
// }
|
||||
// if (value.startsWith("https://")) {
|
||||
// value = value.substring(8).replaceAll("\\.", " ");
|
||||
// }
|
||||
if (sb.indexOf(" " + value + " ") < 0) {
|
||||
sb.append(value).append(' ');
|
||||
}
|
||||
@@ -444,8 +442,8 @@ public class CPEAnalyzer extends AbstractAnalyzer {
|
||||
|
||||
//TODO - does this nullify some of the fuzzy matching that happens in the lucene search?
|
||||
// for instance CPE some-component and in the evidence we have SomeComponent.
|
||||
if (collectionContainsString(dependency.getProductEvidence(), entry.getProduct())
|
||||
&& collectionContainsString(dependency.getVendorEvidence(), entry.getVendor())) {
|
||||
if (collectionContainsString(dependency.getEvidence(EvidenceType.PRODUCT), entry.getProduct())
|
||||
&& collectionContainsString(dependency.getEvidence(EvidenceType.VENDOR), entry.getVendor())) {
|
||||
//&& collectionContainsVersion(dependency.getVersionEvidence(), entry.getVersion())
|
||||
isValid = true;
|
||||
}
|
||||
@@ -455,11 +453,11 @@ public class CPEAnalyzer extends AbstractAnalyzer {
|
||||
/**
|
||||
* Used to determine if the EvidenceCollection contains a specific string.
|
||||
*
|
||||
* @param ec an EvidenceCollection
|
||||
* @param evidence an of evidence object to check
|
||||
* @param text the text to search for
|
||||
* @return whether or not the EvidenceCollection contains the string
|
||||
*/
|
||||
private boolean collectionContainsString(EvidenceCollection ec, String text) {
|
||||
private boolean collectionContainsString(Set<Evidence> evidence, String text) {
|
||||
//TODO - likely need to change the split... not sure if this will work for CPE with special chars
|
||||
if (text == null) {
|
||||
return false;
|
||||
@@ -496,11 +494,24 @@ public class CPEAnalyzer extends AbstractAnalyzer {
|
||||
if (list.isEmpty()) {
|
||||
return false;
|
||||
}
|
||||
boolean contains = true;
|
||||
boolean isValid = true;
|
||||
for (String word : list) {
|
||||
contains &= ec.containsUsedString(word);
|
||||
boolean found = false;
|
||||
for (Evidence e : evidence) {
|
||||
if (e.getValue().toLowerCase().contains(word.toLowerCase())) {
|
||||
if ("http".equals(word)&& e.getValue().contains("http:")) {
|
||||
continue;
|
||||
}
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
isValid &= found;
|
||||
if (!isValid) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
return contains;
|
||||
return isValid;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -556,7 +567,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
|
||||
// if there lower confidence evidence when the current (highest) version number
|
||||
// is newer then anything in the NVD.
|
||||
for (Confidence conf : Confidence.values()) {
|
||||
for (Evidence evidence : dependency.getVersionEvidence().iterator(conf)) {
|
||||
for (Evidence evidence : dependency.getIterator(EvidenceType.VERSION, conf)) {
|
||||
final DependencyVersion evVer = DependencyVersionUtil.parseVersion(evidence.getValue());
|
||||
if (evVer == null) {
|
||||
continue;
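Review bot: In the rewritten `collectionContainsString`, `word.toLowerCase()` is recomputed for every evidence entry and both `toLowerCase()` calls use the default locale, which is locale-sensitive for letters such as `i` and can make a CPE term fail to match on some JVMs; hoist it and pin the locale with `final String needle = word.toLowerCase(Locale.ROOT);` before the inner loop and `if (e.getValue().toLowerCase(Locale.ROOT).contains(needle)) {` (needs `java.util.Locale`). The check also changed from `ec.containsUsedString(word)` to a substring match over every evidence value of the type, which appears looser than before (any value containing the word now counts, not only evidence the search actually used); since `isValid` gates acceptance of a CPE match, a comment stating that this widening is intended would help. The commented-out http/https block left in `addEvidenceWithoutDuplicateTerms` should be deleted rather than kept as comments.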
|
||||
|
||||
@@ -37,6 +37,7 @@ import java.net.MalformedURLException;
|
||||
import java.net.URL;
|
||||
import java.util.List;
|
||||
import javax.annotation.concurrent.ThreadSafe;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
import org.owasp.dependencycheck.utils.DownloadFailedException;
|
||||
import org.owasp.dependencycheck.utils.Downloader;
|
||||
@@ -217,7 +218,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma, dependency.getFileName());
|
||||
dependency.addAsEvidence("central", ma, confidence);
|
||||
boolean pomAnalyzed = false;
|
||||
for (Evidence e : dependency.getVendorEvidence()) {
|
||||
for (Evidence e : dependency.getEvidence(EvidenceType.VENDOR)) {
|
||||
if ("pom".equals(e.getSource())) {
|
||||
pomAnalyzed = true;
|
||||
break;
|
||||
|
||||
@@ -30,7 +30,7 @@ import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
@@ -136,21 +136,34 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
contents = contents.substring(matcher.end());
|
||||
final String blockVariable = matcher.group(1);
|
||||
|
||||
final EvidenceCollection vendor = dependency.getVendorEvidence();
|
||||
final EvidenceCollection product = dependency.getProductEvidence();
|
||||
final EvidenceCollection version = dependency.getVersionEvidence();
|
||||
|
||||
final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST);
|
||||
final String name = determineEvidence(contents, blockVariable, "name");
|
||||
if (!name.isEmpty()) {
|
||||
vendor.addEvidence(PODSPEC, "name_project", name, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "name_project", name, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "name_project", name, Confidence.HIGHEST);
|
||||
}
|
||||
String summary = determineEvidence(contents, blockVariable, "summary");
|
||||
if (!summary.isEmpty()) {
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "summary", summary, Confidence.HIGHEST);
|
||||
}
|
||||
addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.HIGHEST);
|
||||
|
||||
addStringEvidence(vendor, contents, blockVariable, "author", "authors?", Confidence.HIGHEST);
|
||||
addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST);
|
||||
addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST);
|
||||
String author = determineEvidence(contents, blockVariable, "authors?");
|
||||
if (!author.isEmpty()) {
|
||||
dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "author", author, Confidence.HIGHEST);
|
||||
}
|
||||
String homepage = determineEvidence(contents, blockVariable, "homepage");
|
||||
if (!homepage.isEmpty()) {
|
||||
dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "homepage", homepage, Confidence.HIGHEST);
|
||||
}
|
||||
String license = determineEvidence(contents, blockVariable, "licen[cs]es?");
|
||||
if (!license.isEmpty()) {
|
||||
dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "license", license, Confidence.HIGHEST);
|
||||
}
|
||||
|
||||
String version = determineEvidence(contents, blockVariable, "version");
|
||||
if (!version.isEmpty()) {
|
||||
dependency.addEvidence(EvidenceType.VERSION, PODSPEC, "version", version, Confidence.HIGHEST);
|
||||
}
|
||||
|
||||
addStringEvidence(version, contents, blockVariable, "version", "version", Confidence.HIGHEST);
|
||||
}
|
||||
|
||||
setPackagePath(dependency);
|
||||
@@ -160,16 +173,12 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* Extracts evidence from the contents and adds it to the given evidence
|
||||
* collection.
|
||||
*
|
||||
* @param evidences the evidence collection to update
|
||||
* @param contents the text to extract evidence from
|
||||
* @param blockVariable the block variable within the content to search for
|
||||
* @param field the name of the field being searched for
|
||||
* @param fieldPattern the field pattern within the contents to search for
|
||||
* @param confidence the confidence level of the evidence if found
|
||||
* @return the string that was added as evidence
|
||||
* @return the evidence
|
||||
*/
|
||||
private String addStringEvidence(EvidenceCollection evidences, String contents,
|
||||
String blockVariable, String field, String fieldPattern, Confidence confidence) {
|
||||
private String determineEvidence(String contents, String blockVariable, String fieldPattern) {
|
||||
String value = "";
|
||||
|
||||
//capture array value between [ ]
|
||||
@@ -186,9 +195,6 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
value = matcher.group(2);
|
||||
}
|
||||
}
|
||||
if (value.length() > 0) {
|
||||
evidences.addEvidence(PODSPEC, field, value, confidence);
|
||||
}
|
||||
return value;
|
||||
}
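Review bot: The Javadoc above `determineEvidence` still says the method "adds it to the given evidence collection" and lists `evidences`, `field` and `confidence`, but the new signature `determineEvidence(String contents, String blockVariable, String fieldPattern)` only extracts and returns the value (the `evidences.addEvidence` call is gone) and the callers in the first hunk now add the evidence themselves; unless those Javadoc lines were removed in this hunk, which the rendering does not make clear, update the summary to `Extracts the value of the given field from the podspec contents; returns an empty string when the field is not present.` and drop the stale `@param` entries. Note also that the product evidence for the pod name is now recorded under the name `name_project` rather than `name` as before, which changes what appears in reports if that was not intended.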
|
||||
|
||||
|
||||
@@ -37,6 +37,7 @@ import java.io.IOException;
|
||||
import java.nio.charset.Charset;
|
||||
import java.security.MessageDigest;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Used to analyze a composer.lock file for a composer PHP app.
|
||||
@@ -113,9 +114,9 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final MessageDigest sha1 = getSha1MessageDigest();
|
||||
d.setFilePath(filePath);
|
||||
d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
|
||||
d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
|
||||
d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
|
||||
d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
|
||||
d.addEvidence(EvidenceType.VENDOR, COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
|
||||
d.addEvidence(EvidenceType.PRODUCT, COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
|
||||
d.addEvidence(EvidenceType.VERSION, COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
|
||||
LOGGER.info("Adding dependency {}", d);
|
||||
engine.addDependency(d);
|
||||
}
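Review bot: `d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))))` derives the synthetic checksum from the platform default charset, so the same composer.lock entry gets a different sha1 on different machines when the path contains non-ASCII characters; use `filePath.getBytes(StandardCharsets.UTF_8)` (import `java.nio.charset.StandardCharsets`). That line is context rather than part of the change, but it sits directly above the three new `addEvidence` calls. The enclosing method starts before the hunk.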
|
||||
|
||||
@@ -21,6 +21,8 @@ import java.io.File;
|
||||
import java.util.Iterator;
|
||||
import java.util.Set;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
@@ -120,10 +122,16 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz
|
||||
private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
|
||||
LOGGER.debug("Merging '{}' into '{}'", relatedDependency.getFilePath(), dependency.getFilePath());
|
||||
dependency.addRelatedDependency(relatedDependency);
|
||||
dependency.getVendorEvidence().getEvidence().addAll(relatedDependency.getVendorEvidence().getEvidence());
|
||||
dependency.getProductEvidence().getEvidence().addAll(relatedDependency.getProductEvidence().getEvidence());
|
||||
dependency.getVersionEvidence().getEvidence().addAll(relatedDependency.getVersionEvidence().getEvidence());
|
||||
|
||||
for (Evidence e : relatedDependency.getEvidence(EvidenceType.VENDOR)) {
|
||||
dependency.addEvidence(EvidenceType.VENDOR, e);
|
||||
}
|
||||
for (Evidence e : relatedDependency.getEvidence(EvidenceType.PRODUCT)) {
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, e);
|
||||
}
|
||||
for (Evidence e : relatedDependency.getEvidence(EvidenceType.VERSION)) {
|
||||
dependency.addEvidence(EvidenceType.VERSION, e);
|
||||
}
|
||||
|
||||
final Iterator<Dependency> i = relatedDependency.getRelatedDependencies().iterator();
|
||||
while (i.hasNext()) {
|
||||
dependency.addRelatedDependency(i.next());
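Review bot: The three new copy loops in `mergeDependencies` are identical except for the `EvidenceType` constant; if `EvidenceType` has only these three values, a single loop removes the duplication: `for (EvidenceType type : EvidenceType.values()) { for (Evidence e : relatedDependency.getEvidence(type)) { dependency.addEvidence(type, e); } }`. Given the commit's thread-safety goal, a comment on whether `getEvidence(type)` returns a snapshot or a live view would also help, since the loop iterates one dependency's set while adding to another's. The method body continues past the hunk.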
|
||||
|
||||
@@ -32,6 +32,8 @@ import javax.annotation.concurrent.ThreadSafe;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.dependency.Identifier;
|
||||
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
@@ -157,7 +159,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
|
||||
}
|
||||
}
|
||||
}
|
||||
if (mustContain != null) {
|
||||
if (mustContain != null) {
|
||||
final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
|
||||
while (itr.hasNext()) {
|
||||
final Identifier i = itr.next();
|
||||
@@ -287,7 +289,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
|
||||
*
|
||||
* @param dependency the dependency to analyze
|
||||
*/
|
||||
private void removeBadMatches(Dependency dependency) {
|
||||
protected void removeBadMatches(Dependency dependency) {
|
||||
final Set<Identifier> identifiers = dependency.getIdentifiers();
|
||||
final Iterator<Identifier> itr = identifiers.iterator();
|
||||
|
||||
@@ -346,9 +348,25 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
|
||||
} else if (i.getValue().startsWith("cpe:/a:apache:maven")
|
||||
&& !dependency.getFileName().toLowerCase().matches("maven-core-[\\d\\.]+\\.jar")) {
|
||||
itr.remove();
|
||||
} else if (i.getValue().startsWith("cpe:/a:m-core:m-core")
|
||||
&& !dependency.getEvidenceUsed().containsUsedString("m-core")) {
|
||||
itr.remove();
|
||||
} else if (i.getValue().startsWith("cpe:/a:m-core:m-core")) {
|
||||
boolean found = false;
|
||||
for (Evidence e : dependency.getEvidence(EvidenceType.PRODUCT)) {
|
||||
if ("m-core".equalsIgnoreCase(e.getValue())) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!found) {
|
||||
for (Evidence e : dependency.getEvidence(EvidenceType.VENDOR)) {
|
||||
if ("m-core".equalsIgnoreCase(e.getValue())) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!found) {
|
||||
itr.remove();
|
||||
}
|
||||
} else if (i.getValue().startsWith("cpe:/a:jboss:jboss")
|
||||
&& !dependency.getFileName().toLowerCase().matches("jboss-?[\\d\\.-]+(GA)?\\.jar")) {
|
||||
itr.remove();
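Review bot: The new m-core branch repeats the same scan twice inline (PRODUCT, then VENDOR) and makes an already long identifier loop longer; a private helper reads better and can be reused by the other checks, as sketched below. `removeBadMatches` also goes from `private` to `protected` with no comment on who is meant to call or override it — if it is only for tests, say so (`// protected for unit tests`), otherwise keep it private. Semantically the new code requires an evidence value exactly equal to `m-core` (ignoring case) where the old `containsUsedString` check was presumably a contains-style test over used evidence; a comment confirming the stricter match is intended would help. The `for` loop around these checks starts before the hunk.
```java
} else if (i.getValue().startsWith("cpe:/a:m-core:m-core")
        && !hasEvidenceValue(dependency, "m-core")) {
    itr.remove();
} else if (i.getValue().startsWith("cpe:/a:jboss:jboss")
// … unchanged: remaining identifier checks …

/**
 * Returns true when any PRODUCT or VENDOR evidence value equals {@code value}, ignoring case.
 */
private boolean hasEvidenceValue(Dependency dependency, String value) {
    for (EvidenceType type : new EvidenceType[]{EvidenceType.PRODUCT, EvidenceType.VENDOR}) {
        for (Evidence e : dependency.getEvidence(type)) {
            if (value.equalsIgnoreCase(e.getValue())) {
                return true;
            }
        }
    }
    return false;
}
```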
|
||||
|
||||
@@ -26,6 +26,7 @@ import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.utils.DependencyVersion;
|
||||
import org.owasp.dependencycheck.utils.DependencyVersionUtil;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
@@ -113,21 +114,16 @@ public class FileNameAnalyzer extends AbstractAnalyzer {
|
||||
// a shade. This should hopefully correct for cases like log4j.jar or
|
||||
// struts2-core.jar
|
||||
if (version.getVersionParts() == null || version.getVersionParts().size() < 2) {
|
||||
dependency.getVersionEvidence().addEvidence("file", "version",
|
||||
version.toString(), Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "file", "version",version.toString(), Confidence.MEDIUM);
|
||||
} else {
|
||||
dependency.getVersionEvidence().addEvidence("file", "version",
|
||||
version.toString(), Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "file", "version", version.toString(), Confidence.HIGHEST);
|
||||
}
|
||||
dependency.getVersionEvidence().addEvidence("file", "name",
|
||||
packageName, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "file", "name", packageName, Confidence.MEDIUM);
|
||||
}
|
||||
|
||||
if (!IGNORED_FILES.accept(f)) {
|
||||
dependency.getProductEvidence().addEvidence("file", "name",
|
||||
packageName, Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("file", "name",
|
||||
packageName, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "file", "name", packageName, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "file", "name", packageName, Confidence.HIGH);
|
||||
}
|
||||
}
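Review bot: `dependency.addEvidence(EvidenceType.VERSION, "file", "version",version.toString(), Confidence.MEDIUM);` is missing the space after the comma that its sibling on the HIGHEST branch has; make it `"version", version.toString()`. The line after it records the package name as VERSION evidence (`addEvidence(EvidenceType.VERSION, "file", "name", packageName, Confidence.MEDIUM)`), which predates the commit, but a short comment on why a name is added as version evidence would spare the next reader a double-take, assuming it is intentional. The method starts before the hunk.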
|
||||
}
|
||||
|
||||
@@ -27,11 +27,11 @@ import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.regex.Pattern;
|
||||
import javax.annotation.concurrent.ThreadSafe;
|
||||
import org.apache.commons.lang.ArrayUtils;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
import org.owasp.dependencycheck.xml.suppression.PropertyType;
|
||||
import org.owasp.dependencycheck.utils.DownloadFailedException;
|
||||
@@ -141,14 +141,14 @@ public class HintAnalyzer extends AbstractAnalyzer {
|
||||
for (HintRule hint : hints) {
|
||||
boolean matchFound = false;
|
||||
for (Evidence given : hint.getGivenVendor()) {
|
||||
if (dependency.getVendorEvidence().getEvidence().contains(given)) {
|
||||
if (dependency.contains(EvidenceType.VENDOR, given)) {
|
||||
matchFound = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!matchFound) {
|
||||
for (Evidence given : hint.getGivenProduct()) {
|
||||
if (dependency.getProductEvidence().getEvidence().contains(given)) {
|
||||
if (dependency.contains(EvidenceType.PRODUCT, given)) {
|
||||
matchFound = true;
|
||||
break;
|
||||
}
|
||||
@@ -156,7 +156,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
|
||||
}
|
||||
if (!matchFound) {
|
||||
for (Evidence given : hint.getGivenVersion()) {
|
||||
if (dependency.getVersionEvidence().getEvidence().contains(given)) {
|
||||
if (dependency.contains(EvidenceType.VERSION, given)) {
|
||||
matchFound = true;
|
||||
break;
|
||||
}
|
||||
@@ -172,45 +172,45 @@ public class HintAnalyzer extends AbstractAnalyzer {
|
||||
}
|
||||
if (matchFound) {
|
||||
for (Evidence e : hint.getAddVendor()) {
|
||||
dependency.getVendorEvidence().addEvidence(e);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, e);
|
||||
}
|
||||
for (Evidence e : hint.getAddProduct()) {
|
||||
dependency.getProductEvidence().addEvidence(e);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, e);
|
||||
}
|
||||
for (Evidence e : hint.getAddVersion()) {
|
||||
dependency.getVersionEvidence().addEvidence(e);
|
||||
dependency.addEvidence(EvidenceType.VERSION, e);
|
||||
}
|
||||
for (Evidence e : hint.getRemoveVendor()) {
|
||||
if (dependency.getVendorEvidence().getEvidence().contains(e)) {
|
||||
dependency.getVendorEvidence().getEvidence().remove(e);
|
||||
if (dependency.contains(EvidenceType.VENDOR, e)) {
|
||||
dependency.removeEvidence(EvidenceType.VENDOR, e);
|
||||
}
|
||||
}
|
||||
for (Evidence e : hint.getRemoveProduct()) {
|
||||
if (dependency.getProductEvidence().getEvidence().contains(e)) {
|
||||
dependency.getProductEvidence().getEvidence().remove(e);
|
||||
if (dependency.contains(EvidenceType.PRODUCT, e)) {
|
||||
dependency.removeEvidence(EvidenceType.PRODUCT, e);
|
||||
}
|
||||
}
|
||||
for (Evidence e : hint.getRemoveVersion()) {
|
||||
if (dependency.getVersionEvidence().getEvidence().contains(e)) {
|
||||
dependency.getVersionEvidence().getEvidence().remove(e);
|
||||
if (dependency.contains(EvidenceType.VERSION, e)) {
|
||||
dependency.removeEvidence(EvidenceType.VERSION, e);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
|
||||
final Iterator<Evidence> itr = dependency.getEvidence(EvidenceType.VENDOR).iterator();
|
||||
final List<Evidence> newEntries = new ArrayList<>();
|
||||
while (itr.hasNext()) {
|
||||
final Evidence e = itr.next();
|
||||
for (VendorDuplicatingHintRule dhr : vendorHints) {
|
||||
if (dhr.getValue().equalsIgnoreCase(e.getValue(false))) {
|
||||
if (dhr.getValue().equalsIgnoreCase(e.getValue())) {
|
||||
newEntries.add(new Evidence(e.getSource() + " (hint)",
|
||||
e.getName(), dhr.getDuplicate(), e.getConfidence()));
|
||||
}
|
||||
}
|
||||
}
|
||||
for (Evidence e : newEntries) {
|
||||
dependency.getVendorEvidence().addEvidence(e);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, e);
|
||||
}
|
||||
}
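Review bot: The `contains` guard in front of each `removeEvidence` call (the VENDOR pair first, then the PRODUCT and VERSION pairs below it) is a check-then-act sequence, which is exactly the pattern a thread-safety change should avoid: if another thread removes the same entry between the two calls the behaviour depends on how `removeEvidence` handles an absent entry, and that contract is not visible here. If `removeEvidence` tolerates a missing entry (Set.remove semantics), the guard can be dropped so each block is one call, `dependency.removeEvidence(EvidenceType.VENDOR, e);`; if it does not, a comment on the first block should say so. The switch from `e.getValue(false)` to `e.getValue()` in the duplicating-hint loop is presumably behaviour-neutral, but a one-line comment on why the argument went away would help the next reader. The enclosing method continues outside this hunk.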
|
||||
|
||||
|
||||
@@ -53,7 +53,7 @@ import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
import org.owasp.dependencycheck.utils.FileUtils;
|
||||
@@ -527,15 +527,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
if (groupid != null && !groupid.isEmpty()) {
|
||||
foundSomething = true;
|
||||
dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGHEST);
|
||||
dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
|
||||
addMatchingValues(classes, groupid, dependency.getVendorEvidence());
|
||||
addMatchingValues(classes, groupid, dependency.getProductEvidence());
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "groupid", groupid, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "groupid", groupid, Confidence.LOW);
|
||||
addMatchingVendorValues(classes, groupid, dependency);
|
||||
addMatchingProductValues(classes, groupid, dependency);
|
||||
if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) {
|
||||
dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM);
|
||||
dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW);
|
||||
addMatchingValues(classes, parentGroupId, dependency.getVendorEvidence());
|
||||
addMatchingValues(classes, parentGroupId, dependency.getProductEvidence());
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "parent-groupid", parentGroupId, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "parent-groupid", parentGroupId, Confidence.LOW);
|
||||
addMatchingVendorValues(classes, parentGroupId, dependency);
|
||||
addMatchingProductValues(classes, parentGroupId, dependency);
|
||||
}
|
||||
} else {
|
||||
addAsIdentifier = false;
|
||||
@@ -543,15 +543,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
if (artifactid != null && !artifactid.isEmpty()) {
|
||||
foundSomething = true;
|
||||
dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGHEST);
|
||||
dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
|
||||
addMatchingValues(classes, artifactid, dependency.getVendorEvidence());
|
||||
addMatchingValues(classes, artifactid, dependency.getProductEvidence());
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "artifactid", artifactid, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "artifactid", artifactid, Confidence.LOW);
|
||||
addMatchingVendorValues(classes, artifactid, dependency);
|
||||
addMatchingProductValues(classes, artifactid, dependency);
|
||||
if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) {
|
||||
dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM);
|
||||
dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW);
|
||||
addMatchingValues(classes, parentArtifactId, dependency.getVendorEvidence());
|
||||
addMatchingValues(classes, parentArtifactId, dependency.getProductEvidence());
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "parent-artifactid", parentArtifactId, Confidence.LOW);
|
||||
addMatchingProductValues(classes, parentArtifactId, dependency);
|
||||
addMatchingProductValues(classes, parentArtifactId, dependency);
|
||||
}
|
||||
} else {
|
||||
addAsIdentifier = false;
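Review bot: Vendor package-name evidence for `parentArtifactId` is lost in this hunk: the old code called `addMatchingValues` once for the vendor collection and once for the product collection, but the replacement calls `addMatchingProductValues(classes, parentArtifactId, dependency);` twice and never `addMatchingVendorValues`. The first of the two duplicate lines should read `addMatchingVendorValues(classes, parentArtifactId, dependency);`, matching the `artifactid` block directly above and the `groupid`/`parentGroupId` blocks in the previous hunk. The enclosing method starts and ends outside this hunk.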
|
||||
@@ -559,9 +559,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
if (version != null && !version.isEmpty()) {
|
||||
foundSomething = true;
|
||||
dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "pom", "version", version, Confidence.HIGHEST);
|
||||
if (parentVersion != null && !parentVersion.isEmpty() && !parentVersion.equals(version)) {
|
||||
dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "pom", "parent-version", version, Confidence.LOW);
|
||||
}
|
||||
} else {
|
||||
addAsIdentifier = false;
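Review bot: The rewritten `parent-version` line still records `version` rather than `parentVersion`, so the LOW-confidence evidence duplicates the HIGHEST-confidence value already added two lines earlier and the parent POM's version is never captured; the guard right above it compares `parentVersion` against `version`, which only makes sense if `parentVersion` is the value being added. The defect predates the commit (the removed line passed `version` too), but since the line is rewritten here it is the natural place to fix it: `dependency.addEvidence(EvidenceType.VERSION, "pom", "parent-version", parentVersion, Confidence.LOW);`. The enclosing method starts and ends outside this hunk.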
|
||||
@@ -574,26 +574,26 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
// org name
|
||||
final String org = pom.getOrganization();
|
||||
if (org != null && !org.isEmpty()) {
|
||||
dependency.getVendorEvidence().addEvidence("pom", "organization name", org, Confidence.HIGH);
|
||||
dependency.getProductEvidence().addEvidence("pom", "organization name", org, Confidence.LOW);
|
||||
addMatchingValues(classes, org, dependency.getVendorEvidence());
|
||||
addMatchingValues(classes, org, dependency.getProductEvidence());
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "organization name", org, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "organization name", org, Confidence.LOW);
|
||||
addMatchingVendorValues(classes, org, dependency);
|
||||
addMatchingProductValues(classes, org, dependency);
|
||||
}
|
||||
// org name
|
||||
final String orgUrl = pom.getOrganizationUrl();
|
||||
if (orgUrl != null && !orgUrl.isEmpty()) {
|
||||
dependency.getVendorEvidence().addEvidence("pom", "organization url", orgUrl, Confidence.MEDIUM);
|
||||
dependency.getProductEvidence().addEvidence("pom", "organization url", orgUrl, Confidence.LOW);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "organization url", orgUrl, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "organization url", orgUrl, Confidence.LOW);
|
||||
}
|
||||
//pom name
|
||||
final String pomName = pom.getName();
|
||||
if (pomName
|
||||
!= null && !pomName.isEmpty()) {
|
||||
foundSomething = true;
|
||||
dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
|
||||
addMatchingValues(classes, pomName, dependency.getVendorEvidence());
|
||||
addMatchingValues(classes, pomName, dependency.getProductEvidence());
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "name", pomName, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "name", pomName, Confidence.HIGH);
|
||||
addMatchingVendorValues(classes, pomName, dependency);
|
||||
addMatchingProductValues(classes, pomName, dependency);
|
||||
}
|
||||
|
||||
//Description
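Review bot: The comment above the `orgUrl` block repeats `// org name` from the block before it, which misdescribes what follows; `// org url` would match the field being read. While this hunk is being touched, the `if (pomName` / `!= null && !pomName.isEmpty()) {` condition is split across two lines for no reason and reads as a typo; joining it into `if (pomName != null && !pomName.isEmpty()) {` keeps it consistent with the `org` and `orgUrl` guards above. The enclosing method starts and ends outside this hunk.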
|
||||
@@ -601,13 +601,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
if (description != null && !description.isEmpty() && !description.startsWith("POM was created by")) {
|
||||
foundSomething = true;
|
||||
final String trimmedDescription = addDescription(dependency, description, "pom", "description");
|
||||
addMatchingValues(classes, trimmedDescription, dependency.getVendorEvidence());
|
||||
addMatchingValues(classes, trimmedDescription, dependency.getProductEvidence());
|
||||
addMatchingVendorValues(classes, trimmedDescription, dependency);
|
||||
addMatchingProductValues(classes, trimmedDescription, dependency);
|
||||
}
|
||||
|
||||
final String projectURL = pom.getProjectURL();
|
||||
if (projectURL != null && !projectURL.trim().isEmpty()) {
|
||||
dependency.getVendorEvidence().addEvidence("pom", "url", projectURL, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "url", projectURL, Confidence.HIGHEST);
|
||||
}
|
||||
|
||||
extractLicense(pom, dependency);
|
||||
@@ -632,25 +632,24 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
analyzeFullyQualifiedClassNames(classNames, vendorIdentifiers, productIdentifiers);
|
||||
|
||||
final int classCount = classNames.size();
|
||||
final EvidenceCollection vendor = dependency.getVendorEvidence();
|
||||
final EvidenceCollection product = dependency.getProductEvidence();
|
||||
|
||||
for (Map.Entry<String, Integer> entry : vendorIdentifiers.entrySet()) {
|
||||
final float ratio = entry.getValue() / (float) classCount;
|
||||
if (ratio > 0.5) {
|
||||
//TODO remove weighting
|
||||
vendor.addWeighting(entry.getKey());
|
||||
//TODO remove weighting?
|
||||
dependency.addVendorWeighting(entry.getKey());
|
||||
if (addPackagesAsEvidence && entry.getKey().length() > 1) {
|
||||
vendor.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "jar", "package name", entry.getKey(), Confidence.LOW);
|
||||
}
|
||||
}
|
||||
}
|
||||
for (Map.Entry<String, Integer> entry : productIdentifiers.entrySet()) {
|
||||
final float ratio = entry.getValue() / (float) classCount;
|
||||
if (ratio > 0.5) {
|
||||
product.addWeighting(entry.getKey());
|
||||
//todo remove weighting
|
||||
dependency.addProductWeighting(entry.getKey());
|
||||
if (addPackagesAsEvidence && entry.getKey().length() > 1) {
|
||||
product.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "jar", "package name", entry.getKey(), Confidence.LOW);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -687,9 +686,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
return false;
|
||||
}
|
||||
final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
|
||||
final EvidenceCollection productEvidence = dependency.getProductEvidence();
|
||||
final EvidenceCollection versionEvidence = dependency.getVersionEvidence();
|
||||
String source = "Manifest";
|
||||
String specificationVersion = null;
|
||||
boolean hasImplementationVersion = false;
|
||||
@@ -705,35 +701,35 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
continue;
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
|
||||
foundSomething = true;
|
||||
productEvidence.addEvidence(source, key, value, Confidence.HIGH);
|
||||
addMatchingValues(classInformation, value, productEvidence);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.HIGH);
|
||||
addMatchingProductValues(classInformation, value, dependency);
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
|
||||
hasImplementationVersion = true;
|
||||
foundSomething = true;
|
||||
versionEvidence.addEvidence(source, key, value, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.VERSION, source, key, value, Confidence.HIGH);
|
||||
} else if ("specification-version".equalsIgnoreCase(key)) {
|
||||
specificationVersion = value;
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
|
||||
foundSomething = true;
|
||||
vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
|
||||
addMatchingValues(classInformation, value, vendorEvidence);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.HIGH);
|
||||
addMatchingVendorValues(classInformation, value, dependency);
|
||||
} else if (key.equalsIgnoreCase(IMPLEMENTATION_VENDOR_ID)) {
|
||||
foundSomething = true;
|
||||
vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, vendorEvidence);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingVendorValues(classInformation, value, dependency);
|
||||
} else if (key.equalsIgnoreCase(BUNDLE_DESCRIPTION)) {
|
||||
foundSomething = true;
|
||||
addDescription(dependency, value, "manifest", key);
|
||||
addMatchingValues(classInformation, value, productEvidence);
|
||||
addMatchingProductValues(classInformation, value, dependency);
|
||||
} else if (key.equalsIgnoreCase(BUNDLE_NAME)) {
|
||||
foundSomething = true;
|
||||
productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, productEvidence);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingProductValues(classInformation, value, dependency);
|
||||
// //the following caused false positives.
|
||||
// } else if (key.equalsIgnoreCase(BUNDLE_VENDOR)) {
|
||||
} else if (key.equalsIgnoreCase(BUNDLE_VERSION)) {
|
||||
foundSomething = true;
|
||||
versionEvidence.addEvidence(source, key, value, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.VERSION, source, key, value, Confidence.HIGH);
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.MAIN_CLASS.toString())) {
|
||||
//noinspection UnnecessaryContinue
|
||||
continue;
|
||||
@@ -754,7 +750,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
foundSomething = true;
|
||||
if (key.contains("version")) {
|
||||
if (!key.contains("specification")) {
|
||||
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.VERSION, source, key, value, Confidence.MEDIUM);
|
||||
}
|
||||
} else if ("build-id".equals(key)) {
|
||||
int pos = value.indexOf('(');
|
||||
@@ -765,37 +761,37 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
if (pos > 0) {
|
||||
value = value.substring(0, pos - 1);
|
||||
}
|
||||
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.VERSION, source, key, value, Confidence.MEDIUM);
|
||||
} else if (key.contains("title")) {
|
||||
productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, productEvidence);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingProductValues(classInformation, value, dependency);
|
||||
} else if (key.contains("vendor")) {
|
||||
if (key.contains("specification")) {
|
||||
vendorEvidence.addEvidence(source, key, value, Confidence.LOW);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.LOW);
|
||||
} else {
|
||||
vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, vendorEvidence);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingVendorValues(classInformation, value, dependency);
|
||||
}
|
||||
} else if (key.contains("name")) {
|
||||
productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, vendorEvidence);
|
||||
addMatchingValues(classInformation, value, productEvidence);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingVendorValues(classInformation, value, dependency);
|
||||
addMatchingProductValues(classInformation, value, dependency);
|
||||
} else if (key.contains("license")) {
|
||||
addLicense(dependency, value);
|
||||
} else if (key.contains("description")) {
|
||||
addDescription(dependency, value, "manifest", key);
|
||||
} else {
|
||||
productEvidence.addEvidence(source, key, value, Confidence.LOW);
|
||||
vendorEvidence.addEvidence(source, key, value, Confidence.LOW);
|
||||
addMatchingValues(classInformation, value, vendorEvidence);
|
||||
addMatchingValues(classInformation, value, productEvidence);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.LOW);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.LOW);
|
||||
addMatchingVendorValues(classInformation, value, dependency);
|
||||
addMatchingProductValues(classInformation, value, dependency);
|
||||
if (value.matches(".*\\d.*")) {
|
||||
final StringTokenizer tokenizer = new StringTokenizer(value, " ");
|
||||
while (tokenizer.hasMoreElements()) {
|
||||
final String s = tokenizer.nextToken();
|
||||
if (s.matches("^[0-9.]+$")) {
|
||||
versionEvidence.addEvidence(source, key, s, Confidence.LOW);
|
||||
dependency.addEvidence(EvidenceType.VERSION, source, key, s, Confidence.LOW);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -812,25 +808,25 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final String value = atts.getValue(key);
|
||||
if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
|
||||
foundSomething = true;
|
||||
productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, productEvidence);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingProductValues(classInformation, value, dependency);
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
|
||||
foundSomething = true;
|
||||
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.VERSION, source, key, value, Confidence.MEDIUM);
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
|
||||
foundSomething = true;
|
||||
vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, vendorEvidence);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingVendorValues(classInformation, value, dependency);
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.SPECIFICATION_TITLE.toString())) {
|
||||
foundSomething = true;
|
||||
productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, productEvidence);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingProductValues(classInformation, value, dependency);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (specificationVersion != null && !hasImplementationVersion) {
|
||||
foundSomething = true;
|
||||
versionEvidence.addEvidence(source, "specification-version", specificationVersion, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.VERSION, source, "specification-version", specificationVersion, Confidence.HIGH);
|
||||
}
|
||||
}
|
||||
return foundSomething;
|
||||
@@ -888,11 +884,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
if (pos > 0) {
|
||||
desc = desc.substring(0, pos) + "...";
|
||||
}
|
||||
dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.LOW);
|
||||
dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.LOW);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, desc, Confidence.LOW);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, desc, Confidence.LOW);
|
||||
} else {
|
||||
dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.MEDIUM);
|
||||
dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, desc, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, desc, Confidence.MEDIUM);
|
||||
}
|
||||
return desc;
|
||||
}
|
||||
@@ -1062,9 +1058,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
*
|
||||
* @param classes a collection of class name information
|
||||
* @param value the value to check to see if it contains a package name
|
||||
* @param evidence the evidence collection to add new entries too
|
||||
* @param dep the dependency to add new entries too
|
||||
*/
|
||||
private static void addMatchingValues(List<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
|
||||
private static void addMatchingVendorValues(List<ClassNameInformation> classes, String value, Dependency dep) {
|
||||
if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
|
||||
return;
|
||||
}
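Review bot: The new `@param dep` tag reads "to add new entries too"; it should be `@param dep the dependency to add new entries to`. The method's Javadoc summary, which sits above this hunk and is left unchanged, describes the behaviour of the old `addMatchingValues`, so it no longer says that this variant adds VENDOR evidence specifically; a sentence such as "Adds matching package-name parts as VENDOR evidence on the dependency" would distinguish it from `addMatchingProductValues`. The method body continues into the next hunk.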
|
||||
@@ -1074,7 +1070,32 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final Pattern p = Pattern.compile("\b" + key + "\b");
|
||||
if (p.matcher(text).find()) {
|
||||
//if (text.contains(key)) { //note, package structure elements are already lowercase.
|
||||
evidence.addEvidence("jar", "package name", key, Confidence.HIGHEST);
|
||||
dep.addEvidence(EvidenceType.VENDOR, "jar", "package name", key, Confidence.HIGHEST);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
/**
|
||||
* Cycles through the collection of class name information to see if parts
|
||||
* of the package names are contained in the provided value. If found, it
|
||||
* will be added as the HIGHEST confidence evidence because we have more
|
||||
* then one source corroborating the value.
|
||||
*
|
||||
* @param classes a collection of class name information
|
||||
* @param value the value to check to see if it contains a package name
|
||||
* @param dep the dependency to add new entries too
|
||||
*/
|
||||
private static void addMatchingProductValues(List<ClassNameInformation> classes, String value, Dependency dep) {
|
||||
if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
|
||||
return;
|
||||
}
|
||||
final String text = value.toLowerCase();
|
||||
for (ClassNameInformation cni : classes) {
|
||||
for (String key : cni.getPackageStructure()) {
|
||||
final Pattern p = Pattern.compile("\b" + key + "\b");
|
||||
if (p.matcher(text).find()) {
|
||||
//if (text.contains(key)) { //note, package structure elements are already lowercase.
|
||||
dep.addEvidence(EvidenceType.PRODUCT, "jar", "package name", key, Confidence.HIGHEST);
|
||||
}
|
||||
}
|
||||
}
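Review bot: `addMatchingProductValues` is a line-for-line copy of `addMatchingVendorValues` differing only in the `EvidenceType` constant passed to `dep.addEvidence`, which doubles the maintenance surface for the regex loop; a single helper, `private static void addMatchingValues(List<ClassNameInformation> classes, String value, Dependency dep, EvidenceType type)`, with `dep.addEvidence(type, "jar", "package name", key, Confidence.HIGHEST);` in the loop body would let every call site in JarAnalyzer pass the type instead. Separately, as rendered here the pattern is built from `"\b" + key + "\b"`; in a Java string literal `"\b"` is a backspace character, not a word-boundary anchor, so if the source really contains a single backslash the match will never fire — the anchor needs `"\\b"`, and since `key` comes from package structure it is worth wrapping as `Pattern.quote(key)` so a stray metacharacter cannot change the pattern. This hunk ends on the outer `for` loop; the method's closing brace is outside it.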
|
||||
|
||||
@@ -36,6 +36,7 @@ import java.io.IOException;
|
||||
import java.net.MalformedURLException;
|
||||
import java.net.URL;
|
||||
import javax.annotation.concurrent.ThreadSafe;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
import org.owasp.dependencycheck.utils.DownloadFailedException;
|
||||
import org.owasp.dependencycheck.utils.Downloader;
|
||||
@@ -236,7 +237,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
dependency.addAsEvidence("nexus", ma, Confidence.HIGH);
|
||||
boolean pomAnalyzed = false;
|
||||
LOGGER.debug("POM URL {}", ma.getPomUrl());
|
||||
for (Evidence e : dependency.getVendorEvidence()) {
|
||||
for (Evidence e : dependency.getEvidence(EvidenceType.VENDOR)) {
|
||||
if ("pom".equals(e.getSource())) {
|
||||
pomAnalyzed = true;
|
||||
break;
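Review bot: The new `for (Evidence e : dependency.getEvidence(EvidenceType.VENDOR))` iterates whatever `getEvidence` hands back, and for a commit aimed at evidence thread-safety the note that matters is whether that is a snapshot or a live view of a synchronized collection; in the latter case iteration from an analyzer thread needs external synchronization or a copy, and nothing in the hunk says which it is. A one-line comment stating the contract at the loop, for example `// getEvidence(...) returns a <snapshot|live view> -- TODO confirm iteration is safe without locking`, would document the assumption the loop relies on. The enclosing method starts and ends outside this hunk.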
|
||||
|
||||
@@ -22,7 +22,6 @@ import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.slf4j.Logger;
|
||||
@@ -40,6 +39,7 @@ import javax.json.JsonReader;
|
||||
import javax.json.JsonString;
|
||||
import javax.json.JsonValue;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Used to analyze Node Package Manager (npm) package.json files, and collect
|
||||
@@ -130,21 +130,20 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
try (JsonReader jsonReader = Json.createReader(FileUtils.openInputStream(file))) {
|
||||
final JsonObject json = jsonReader.readObject();
|
||||
final EvidenceCollection productEvidence = dependency.getProductEvidence();
|
||||
final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
|
||||
if (json.containsKey("name")) {
|
||||
final Object value = json.get("name");
|
||||
if (value instanceof JsonString) {
|
||||
final String valueString = ((JsonString) value).getString();
|
||||
productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST);
|
||||
vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, PACKAGE_JSON, "name", valueString, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, PACKAGE_JSON, "name_project",
|
||||
String.format("%s_project", valueString), Confidence.LOW);
|
||||
} else {
|
||||
LOGGER.warn("JSON value not string as expected: {}", value);
|
||||
}
|
||||
}
|
||||
addToEvidence(json, productEvidence, "description");
|
||||
addToEvidence(json, vendorEvidence, "author");
|
||||
addToEvidence(json, dependency.getVersionEvidence(), "version");
|
||||
addToEvidence(dependency, EvidenceType.PRODUCT, json, "description");
|
||||
addToEvidence(dependency, EvidenceType.VENDOR, json, "author");
|
||||
addToEvidence(dependency, EvidenceType.VERSION, json, "version");
|
||||
dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName()));
|
||||
} catch (JsonException e) {
|
||||
LOGGER.warn("Failed to parse package.json file.", e);
|
||||
@@ -157,22 +156,24 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* Adds information to an evidence collection from the node json
|
||||
* configuration.
|
||||
*
|
||||
* @param dep the dependency to add the evidence
|
||||
* @param t the type of evidence to add
|
||||
* @param json information from node.js
|
||||
* @param collection a set of evidence about a dependency
|
||||
* @param key the key to obtain the data from the json information
|
||||
*/
|
||||
private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) {
|
||||
private void addToEvidence(Dependency dep, EvidenceType t, JsonObject json, String key) {
|
||||
if (json.containsKey(key)) {
|
||||
final JsonValue value = json.get(key);
|
||||
if (value instanceof JsonString) {
|
||||
collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST);
|
||||
dep.addEvidence(t, PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST);
|
||||
|
||||
} else if (value instanceof JsonObject) {
|
||||
final JsonObject jsonObject = (JsonObject) value;
|
||||
for (final Map.Entry<String, JsonValue> entry : jsonObject.entrySet()) {
|
||||
final String property = entry.getKey();
|
||||
final JsonValue subValue = entry.getValue();
|
||||
if (subValue instanceof JsonString) {
|
||||
collection.addEvidence(PACKAGE_JSON,
|
||||
dep.addEvidence(t, PACKAGE_JSON,
|
||||
String.format("%s.%s", key, property),
|
||||
((JsonString) subValue).getString(),
|
||||
Confidence.HIGHEST);
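Review bot: The new parameter is named `t` here while the identical helper in NspAnalyzer names it `type`, and `@param t the type of evidence to add` is the only place the single letter is explained; renaming to `type` in the signature (`private void addToEvidence(Dependency dep, EvidenceType type, JsonObject json, String key)`) and the Javadoc keeps the two analyzers consistent. The Javadoc summary, "Adds information to an evidence collection from the node json configuration", should also say that the evidence now lands on the dependency under the given type, since no collection is passed any more. For what it is worth, the NspAnalyzer counterpart in the last hunk of this page still carries a `@param collection` tag for a parameter it no longer has. The enclosing method continues outside this hunk.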
|
||||
|
||||
@@ -25,7 +25,6 @@ import org.owasp.dependencycheck.data.nsp.NspSearch;
|
||||
import org.owasp.dependencycheck.data.nsp.SanitizePackage;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.dependency.Identifier;
|
||||
import org.owasp.dependencycheck.dependency.Vulnerability;
|
||||
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
|
||||
@@ -50,6 +49,7 @@ import javax.json.JsonObjectBuilder;
|
||||
import javax.json.JsonReader;
|
||||
import javax.json.JsonString;
|
||||
import javax.json.JsonValue;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
|
||||
|
||||
@@ -204,14 +204,12 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
/*
|
||||
* Adds evidence about the node package itself, not any of the modules.
|
||||
*/
|
||||
final EvidenceCollection productEvidence = dependency.getProductEvidence();
|
||||
final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
|
||||
if (packageJson.containsKey("name")) {
|
||||
final Object value = packageJson.get("name");
|
||||
if (value instanceof JsonString) {
|
||||
final String valueString = ((JsonString) value).getString();
|
||||
productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST);
|
||||
vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, PACKAGE_JSON, "name", valueString, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW);
|
||||
} else {
|
||||
LOGGER.warn("JSON value not string as expected: {}", value);
|
||||
}
|
||||
@@ -260,9 +258,9 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
/*
|
||||
* Adds general evidence to about the package.
|
||||
*/
|
||||
addToEvidence(packageJson, productEvidence, "description");
|
||||
addToEvidence(packageJson, vendorEvidence, "author");
|
||||
addToEvidence(packageJson, dependency.getVersionEvidence(), "version");
|
||||
addToEvidence(dependency, EvidenceType.PRODUCT, packageJson, "description");
|
||||
addToEvidence(dependency, EvidenceType.VENDOR, packageJson, "author");
|
||||
addToEvidence(dependency, EvidenceType.VERSION, packageJson, "version");
|
||||
dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName()));
|
||||
} catch (URLConnectionFailureException e) {
|
||||
this.setEnabled(false);
|
||||
@@ -341,18 +339,18 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @param collection a set of evidence about a dependency
|
||||
* @param key the key to obtain the data from the json information
|
||||
*/
|
||||
private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) {
|
||||
private void addToEvidence(Dependency dep, EvidenceType type, JsonObject json, String key) {
|
||||
if (json.containsKey(key)) {
|
||||
final JsonValue value = json.get(key);
|
||||
if (value instanceof JsonString) {
|
||||
collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST);
|
||||
dep.addEvidence(type, PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST);
|
||||
} else if (value instanceof JsonObject) {
|
||||
final JsonObject jsonObject = (JsonObject) value;
|
||||
for (final Map.Entry<String, JsonValue> entry : jsonObject.entrySet()) {
|
||||
final String property = entry.getKey();
|
||||
final JsonValue subValue = entry.getValue();
|
||||
if (subValue instanceof JsonString) {
|
||||
collection.addEvidence(PACKAGE_JSON,
|
||||
dep.addEvidence(type, PACKAGE_JSON,
|
||||
String.format("%s.%s", key, property),
|
||||
((JsonString) subValue).getString(),
|
||||
Confidence.HIGHEST);
|
||||
|
||||
@@ -34,6 +34,7 @@ import java.io.FileFilter;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import javax.annotation.concurrent.ThreadSafe;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
|
||||
/**
|
||||
@@ -140,13 +141,13 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
if (np.getOwners() != null) {
|
||||
dependency.getVendorEvidence().addEvidence("nuspec", "owners", np.getOwners(), Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VENDOR,"nuspec", "owners", np.getOwners(), Confidence.HIGHEST);
|
||||
}
|
||||
dependency.getVendorEvidence().addEvidence("nuspec", "authors", np.getAuthors(), Confidence.HIGH);
|
||||
dependency.getVersionEvidence().addEvidence("nuspec", "version", np.getVersion(), Confidence.HIGHEST);
|
||||
dependency.getProductEvidence().addEvidence("nuspec", "id", np.getId(), Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VENDOR,"nuspec", "authors", np.getAuthors(), Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.VERSION,"nuspec", "version", np.getVersion(), Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT,"nuspec", "id", np.getId(), Confidence.HIGHEST);
|
||||
if (np.getTitle() != null) {
|
||||
dependency.getProductEvidence().addEvidence("nuspec", "title", np.getTitle(), Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "title", np.getTitle(), Confidence.MEDIUM);
|
||||
}
|
||||
} catch (Throwable e) {
|
||||
throw new AnalysisException(e);
|
||||
|
||||
@@ -32,6 +32,7 @@ import java.nio.charset.Charset;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
import javax.annotation.concurrent.ThreadSafe;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
|
||||
/**
|
||||
@@ -184,15 +185,15 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
if (!contents.isEmpty()) {
|
||||
final Matcher matcher = VERSION_PATTERN.matcher(contents);
|
||||
if (matcher.find()) {
|
||||
dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant",
|
||||
dependency.addEvidence(EvidenceType.VERSION, OPENSSLV_H, "Version Constant",
|
||||
getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH);
|
||||
found = true;
|
||||
}
|
||||
}
|
||||
if (found) {
|
||||
dependency.setDisplayFileName(parentName + File.separatorChar + OPENSSLV_H);
|
||||
dependency.getVendorEvidence().addEvidence(OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST);
|
||||
dependency.getProductEvidence().addEvidence(OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST);
|
||||
} else {
|
||||
engine.removeDependency(dependency);
|
||||
}
|
||||
|
||||
@@ -32,7 +32,6 @@ import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
@@ -47,6 +46,7 @@ import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.owasp.dependencycheck.utils.UrlStringUtils;
|
||||
import java.util.concurrent.atomic.AtomicInteger;
|
||||
import javax.annotation.concurrent.ThreadSafe;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Used to analyze a Wheel or egg distribution files, or their contents in
|
||||
@@ -279,20 +279,15 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
*/
|
||||
private static void collectWheelMetadata(Dependency dependency, File file) {
|
||||
final InternetHeaders headers = getManifestProperties(file);
|
||||
addPropertyToEvidence(headers, dependency.getVersionEvidence(),
|
||||
"Version", Confidence.HIGHEST);
|
||||
addPropertyToEvidence(headers, dependency.getProductEvidence(), "Name",
|
||||
Confidence.HIGHEST);
|
||||
addPropertyToEvidence(dependency, EvidenceType.VERSION, Confidence.HIGHEST, headers, "Version");
|
||||
addPropertyToEvidence(dependency, EvidenceType.PRODUCT, Confidence.HIGHEST, headers, "Name");
|
||||
final String url = headers.getHeader("Home-page", null);
|
||||
final EvidenceCollection vendorEvidence = dependency
|
||||
.getVendorEvidence();
|
||||
if (StringUtils.isNotBlank(url)) {
|
||||
if (UrlStringUtils.isUrl(url)) {
|
||||
vendorEvidence.addEvidence(METADATA, "vendor", url,
|
||||
Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, METADATA, "vendor", url, Confidence.MEDIUM);
|
||||
}
|
||||
}
|
||||
addPropertyToEvidence(headers, vendorEvidence, "Author", Confidence.LOW);
|
||||
addPropertyToEvidence(dependency, EvidenceType.VENDOR, Confidence.LOW, headers, "Author");
|
||||
final String summary = headers.getHeader("Summary", null);
|
||||
if (StringUtils.isNotBlank(summary)) {
|
||||
JarAnalyzer.addDescription(dependency, summary, METADATA, "summary");
|
||||
@@ -302,17 +297,18 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
/**
|
||||
* Adds a value to the evidence collection.
|
||||
*
|
||||
* @param dependency the dependency being analyzed
|
||||
* @param type the type of evidence to add
|
||||
* @param headers the properties collection
|
||||
* @param evidence the evidence collection to add the value
|
||||
* @param property the property name
|
||||
* @param confidence the confidence of the evidence
|
||||
*/
|
||||
private static void addPropertyToEvidence(InternetHeaders headers,
|
||||
EvidenceCollection evidence, String property, Confidence confidence) {
|
||||
private static void addPropertyToEvidence(Dependency dependency, EvidenceType type, Confidence confidence,
|
||||
InternetHeaders headers, String property) {
|
||||
final String value = headers.getHeader(property, null);
|
||||
LOGGER.debug("Property: {}, Value: {}", property, value);
|
||||
if (StringUtils.isNotBlank(value)) {
|
||||
evidence.addEvidence(METADATA, property, value, confidence);
|
||||
dependency.addEvidence(type, METADATA, property, value, confidence);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -24,7 +24,6 @@ import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.owasp.dependencycheck.utils.UrlStringUtils;
|
||||
@@ -36,6 +35,7 @@ import java.nio.charset.Charset;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
import javax.annotation.concurrent.ThreadSafe;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
|
||||
/**
|
||||
@@ -191,8 +191,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
//"The __init__.py files are required to make Python treat the directories as containing packages"
|
||||
//see section "6.4 Packages" from https://docs.python.org/2/tutorial/modules.html;
|
||||
dependency.setDisplayFileName(parentName + "/__init__.py");
|
||||
dependency.getProductEvidence().addEvidence(file.getName(),
|
||||
"PackageName", parentName, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, file.getName(), "PackageName", parentName, Confidence.HIGHEST);
|
||||
|
||||
final File[] fileList = parent.listFiles(PY_FILTER);
|
||||
if (fileList != null) {
|
||||
@@ -226,26 +225,23 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
boolean found = false;
|
||||
if (!contents.isEmpty()) {
|
||||
final String source = file.getName();
|
||||
found = gatherEvidence(VERSION_PATTERN, contents, source,
|
||||
dependency.getVersionEvidence(), "SourceVersion",
|
||||
Confidence.MEDIUM);
|
||||
found = gatherEvidence(dependency, EvidenceType.VERSION, VERSION_PATTERN, contents,
|
||||
source, "SourceVersion", Confidence.MEDIUM);
|
||||
found |= addSummaryInfo(dependency, SUMMARY_PATTERN, 4, contents,
|
||||
source, "summary");
|
||||
if (INIT_PY_FILTER.accept(file)) {
|
||||
found |= addSummaryInfo(dependency, MODULE_DOCSTRING, 2,
|
||||
contents, source, "docstring");
|
||||
}
|
||||
found |= gatherEvidence(TITLE_PATTERN, contents, source,
|
||||
dependency.getProductEvidence(), "SourceTitle",
|
||||
Confidence.LOW);
|
||||
final EvidenceCollection vendorEvidence = dependency
|
||||
.getVendorEvidence();
|
||||
found |= gatherEvidence(AUTHOR_PATTERN, contents, source,
|
||||
vendorEvidence, "SourceAuthor", Confidence.MEDIUM);
|
||||
found |= gatherHomePageEvidence(URI_PATTERN, vendorEvidence,
|
||||
found |= gatherEvidence(dependency, EvidenceType.PRODUCT, TITLE_PATTERN, contents,
|
||||
source, "SourceTitle", Confidence.LOW);
|
||||
|
||||
found |= gatherEvidence(dependency, EvidenceType.VENDOR, AUTHOR_PATTERN, contents,
|
||||
source, "SourceAuthor", Confidence.MEDIUM);
|
||||
found |= gatherHomePageEvidence(dependency, EvidenceType.VENDOR, URI_PATTERN,
|
||||
source, "URL", contents);
|
||||
found |= gatherHomePageEvidence(HOMEPAGE_PATTERN,
|
||||
vendorEvidence, source, "HomePage", contents);
|
||||
found |= gatherHomePageEvidence(dependency, EvidenceType.VENDOR, HOMEPAGE_PATTERN,
|
||||
source, "HomePage", contents);
|
||||
}
|
||||
return found;
|
||||
}
|
||||
@@ -275,23 +271,23 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
/**
|
||||
* Collects evidence from the home page URL.
|
||||
*
|
||||
* @param dependency the dependency that is being analyzed
|
||||
* @param type the type of evidence
|
||||
* @param pattern the pattern to match
|
||||
* @param evidence the evidence collection to add the evidence to
|
||||
* @param source the source of the evidence
|
||||
* @param name the name of the evidence
|
||||
* @param contents the home page URL
|
||||
* @return true if evidence was collected; otherwise false
|
||||
*/
|
||||
private boolean gatherHomePageEvidence(Pattern pattern,
|
||||
EvidenceCollection evidence, String source, String name,
|
||||
String contents) {
|
||||
private boolean gatherHomePageEvidence(Dependency dependency, EvidenceType type, Pattern pattern,
|
||||
String source, String name, String contents) {
|
||||
final Matcher matcher = pattern.matcher(contents);
|
||||
boolean found = false;
|
||||
if (matcher.find()) {
|
||||
final String url = matcher.group(4);
|
||||
if (UrlStringUtils.isUrl(url)) {
|
||||
found = true;
|
||||
evidence.addEvidence(source, name, url, Confidence.MEDIUM);
|
||||
dependency.addEvidence(type, source, name, url, Confidence.MEDIUM);
|
||||
}
|
||||
}
|
||||
return found;
|
||||
@@ -301,21 +297,21 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* Gather evidence from a Python source file using the given string
|
||||
* assignment regex pattern.
|
||||
*
|
||||
* @param dependency the dependency that is being analyzed
|
||||
* @param type the type of evidence
|
||||
* @param pattern to scan contents with
|
||||
* @param contents of Python source file
|
||||
* @param source for storing evidence
|
||||
* @param evidence to store evidence in
|
||||
* @param name of evidence
|
||||
* @param confidence in evidence
|
||||
* @return whether evidence was found
|
||||
*/
|
||||
private boolean gatherEvidence(Pattern pattern, String contents,
|
||||
String source, EvidenceCollection evidence, String name,
|
||||
Confidence confidence) {
|
||||
private boolean gatherEvidence(Dependency dependency, EvidenceType type, Pattern pattern, String contents,
|
||||
String source, String name, Confidence confidence) {
|
||||
final Matcher matcher = pattern.matcher(contents);
|
||||
final boolean found = matcher.find();
|
||||
if (found) {
|
||||
evidence.addEvidence(source, name, matcher.group(4), confidence);
|
||||
dependency.addEvidence(type, source, name, matcher.group(4), confidence);
|
||||
}
|
||||
return found;
|
||||
}
|
||||
|
||||
@@ -37,6 +37,7 @@ import org.owasp.dependencycheck.data.nvdcve.CveDB;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.dependency.Reference;
|
||||
import org.owasp.dependencycheck.dependency.Vulnerability;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
@@ -440,7 +441,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
Vulnerability vulnerability = null;
|
||||
if (null != dependency) {
|
||||
final String version = nextLine.substring(VERSION.length());
|
||||
dependency.getVersionEvidence().addEvidence(
|
||||
dependency.addEvidence(EvidenceType.VERSION,
|
||||
"bundler-audit",
|
||||
"Version",
|
||||
version,
|
||||
@@ -480,7 +481,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
FileUtils.write(gemFile, displayFileName, Charset.defaultCharset()); // unique contents to avoid dependency bundling
|
||||
final Dependency dependency = new Dependency(gemFile);
|
||||
dependency.getProductEvidence().addEvidence("bundler-audit", "Name", gem, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "bundler-audit", "Name", gem, Confidence.HIGHEST);
|
||||
dependency.setDisplayFileName(displayFileName);
|
||||
dependency.setFileName(fileName);
|
||||
dependency.setFilePath(filePath);
|
||||
|
||||
@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
@@ -145,23 +145,21 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
contents = contents.substring(matcher.end());
|
||||
final String blockVariable = matcher.group(1);
|
||||
|
||||
final EvidenceCollection vendor = dependency.getVendorEvidence();
|
||||
final EvidenceCollection product = dependency.getProductEvidence();
|
||||
final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST);
|
||||
final String name = addStringEvidence(dependency, EvidenceType.PRODUCT, contents, blockVariable, "name", "name", Confidence.HIGHEST);
|
||||
if (!name.isEmpty()) {
|
||||
vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, GEMSPEC, "name_project", name + "_project", Confidence.LOW);
|
||||
}
|
||||
addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.LOW);
|
||||
addStringEvidence(dependency, EvidenceType.PRODUCT, contents, blockVariable, "summary", "summary", Confidence.LOW);
|
||||
|
||||
addStringEvidence(vendor, contents, blockVariable, "author", "authors?", Confidence.HIGHEST);
|
||||
addStringEvidence(vendor, contents, blockVariable, "email", "emails?", Confidence.MEDIUM);
|
||||
addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST);
|
||||
addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST);
|
||||
addStringEvidence(dependency, EvidenceType.VENDOR, contents, blockVariable, "author", "authors?", Confidence.HIGHEST);
|
||||
addStringEvidence(dependency, EvidenceType.VENDOR, contents, blockVariable, "email", "emails?", Confidence.MEDIUM);
|
||||
addStringEvidence(dependency, EvidenceType.VENDOR, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST);
|
||||
addStringEvidence(dependency, EvidenceType.VENDOR, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST);
|
||||
|
||||
final String value = addStringEvidence(dependency.getVersionEvidence(), contents,
|
||||
final String value = addStringEvidence(dependency, EvidenceType.VERSION, contents,
|
||||
blockVariable, "version", "version", Confidence.HIGHEST);
|
||||
if (value.length() < 1) {
|
||||
addEvidenceFromVersionFile(dependency.getActualFile(), dependency.getVersionEvidence());
|
||||
addEvidenceFromVersionFile(dependency, EvidenceType.VERSION, dependency.getActualFile());
|
||||
}
|
||||
}
|
||||
|
||||
@@ -171,7 +169,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
/**
|
||||
* Adds the specified evidence to the given evidence collection.
|
||||
*
|
||||
* @param evidences the collection to add the evidence to
|
||||
* @param dependency the dependency being analyzed
|
||||
* @param type the type of evidence to add
|
||||
* @param contents the evidence contents
|
||||
* @param blockVariable the variable
|
||||
* @param field the field
|
||||
@@ -179,7 +178,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @param confidence the confidence of the evidence
|
||||
* @return the evidence string value added
|
||||
*/
|
||||
private String addStringEvidence(EvidenceCollection evidences, String contents,
|
||||
private String addStringEvidence(Dependency dependency, EvidenceType type, String contents,
|
||||
String blockVariable, String field, String fieldPattern, Confidence confidence) {
|
||||
String value = "";
|
||||
|
||||
@@ -197,7 +196,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
}
|
||||
if (value.length() > 0) {
|
||||
evidences.addEvidence(GEMSPEC, field, value, confidence);
|
||||
dependency.addEvidence(type, GEMSPEC, field, value, confidence);
|
||||
}
|
||||
|
||||
return value;
|
||||
@@ -206,10 +205,11 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
/**
|
||||
* Adds evidence from the version file.
|
||||
*
|
||||
* @param dependency the dependency being analyzed
|
||||
* @param type the type of evidence to add
|
||||
* @param dependencyFile the dependency being analyzed
|
||||
* @param versionEvidences the version evidence
|
||||
*/
|
||||
private void addEvidenceFromVersionFile(File dependencyFile, EvidenceCollection versionEvidences) {
|
||||
private void addEvidenceFromVersionFile(Dependency dependency, EvidenceType type, File dependencyFile) {
|
||||
final File parentDir = dependencyFile.getParentFile();
|
||||
if (parentDir != null) {
|
||||
final File[] matchingFiles = parentDir.listFiles(new FilenameFilter() {
|
||||
@@ -226,7 +226,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final List<String> lines = FileUtils.readLines(f, Charset.defaultCharset());
|
||||
if (lines.size() == 1) { //TODO other checking?
|
||||
final String value = lines.get(0).trim();
|
||||
versionEvidences.addEvidence(GEMSPEC, "version", value, Confidence.HIGH);
|
||||
dependency.addEvidence(type, GEMSPEC, "version", value, Confidence.HIGH);
|
||||
}
|
||||
} catch (IOException e) {
|
||||
LOGGER.debug("Error reading gemspec", e);
|
||||
|
||||
@@ -30,7 +30,7 @@ import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
@@ -135,14 +135,11 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
return;
|
||||
}
|
||||
|
||||
final EvidenceCollection product = dependency.getProductEvidence();
|
||||
final EvidenceCollection vendor = dependency.getVendorEvidence();
|
||||
|
||||
//SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies.
|
||||
//Future interesting metadata: version, license, homepage, author, summary, etc.
|
||||
final String name = addStringEvidence(product, packageDescription, "name", "name", Confidence.HIGHEST);
|
||||
final String name = addStringEvidence(dependency, EvidenceType.PRODUCT, packageDescription, "name", "name", Confidence.HIGHEST);
|
||||
if (name != null && !name.isEmpty()) {
|
||||
vendor.addEvidence(SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST);
|
||||
}
|
||||
}
|
||||
setPackagePath(dependency);
|
||||
@@ -152,14 +149,15 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* Extracts evidence from the package description and adds it to the given
|
||||
* evidence collection.
|
||||
*
|
||||
* @param evidences the evidence collection to update
|
||||
* @param dependency the dependency being analyzed
|
||||
* @param type the type of evidence to add
|
||||
* @param packageDescription the text to extract evidence from
|
||||
* @param field the name of the field being searched for
|
||||
* @param fieldPattern the field pattern within the contents to search for
|
||||
* @param confidence the confidence level of the evidence if found
|
||||
* @return the string that was added as evidence
|
||||
*/
|
||||
private String addStringEvidence(EvidenceCollection evidences,
|
||||
private String addStringEvidence(Dependency dependency, EvidenceType type,
|
||||
String packageDescription, String field, String fieldPattern, Confidence confidence) {
|
||||
String value = "";
|
||||
|
||||
@@ -172,7 +170,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
if (value != null) {
|
||||
value = value.trim();
|
||||
if (value.length() > 0) {
|
||||
evidences.addEvidence(SPM_FILE_NAME, field, value, confidence);
|
||||
dependency.addEvidence(type, SPM_FILE_NAME, field, value, confidence);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -17,14 +17,16 @@
|
||||
*/
|
||||
package org.owasp.dependencycheck.analyzer;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.Iterator;
|
||||
import java.util.Objects;
|
||||
import java.util.Set;
|
||||
import javax.annotation.concurrent.ThreadSafe;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.utils.DependencyVersion;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.slf4j.Logger;
|
||||
@@ -132,14 +134,14 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer {
|
||||
String fileVersion = null;
|
||||
String pomVersion = null;
|
||||
String manifestVersion = null;
|
||||
for (Evidence e : dependency.getVersionEvidence()) {
|
||||
for (Evidence e : dependency.getEvidence(EvidenceType.VERSION)) {
|
||||
if (FILE.equals(e.getSource()) && VERSION.equals(e.getName())) {
|
||||
fileVersion = e.getValue(Boolean.FALSE);
|
||||
fileVersion = e.getValue();
|
||||
} else if ((NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource())
|
||||
|| POM.equals(e.getSource())) && VERSION.equals(e.getName())) {
|
||||
pomVersion = e.getValue(Boolean.FALSE);
|
||||
pomVersion = e.getValue();
|
||||
} else if (MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName())) {
|
||||
manifestVersion = e.getValue(Boolean.FALSE);
|
||||
manifestVersion = e.getValue();
|
||||
}
|
||||
}
|
||||
//ensure we have at least two not null
|
||||
@@ -152,17 +154,18 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer {
|
||||
final boolean pomMatch = Objects.equals(dvPom, dvFile) || Objects.equals(dvPom, dvManifest);
|
||||
if (fileMatch || manifestMatch || pomMatch) {
|
||||
LOGGER.debug("filtering evidence from {}", dependency.getFileName());
|
||||
final EvidenceCollection versionEvidence = dependency.getVersionEvidence();
|
||||
final Iterator<Evidence> itr = versionEvidence.iterator();
|
||||
while (itr.hasNext()) {
|
||||
final Evidence e = itr.next();
|
||||
Set<Evidence> remove = new HashSet<>();
|
||||
for(Evidence e : dependency.getEvidence(EvidenceType.VERSION)) {
|
||||
if (!(pomMatch && VERSION.equals(e.getName())
|
||||
&& (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource())))
|
||||
&& !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource()))
|
||||
&& !(manifestMatch && MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName()))) {
|
||||
itr.remove();
|
||||
remove.add(e);
|
||||
}
|
||||
}
|
||||
for (Evidence e: remove) {
|
||||
dependency.removeEvidence(EvidenceType.VERSION, e);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -45,7 +45,7 @@ import org.slf4j.LoggerFactory;
|
||||
* @author Jeremy Long
|
||||
*/
|
||||
@NotThreadSafe
|
||||
public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
public class Dependency extends EvidenceCollection implements Serializable, Comparable<Dependency> {
|
||||
|
||||
/**
|
||||
* The serial version UID for serialization.
|
||||
@@ -55,14 +55,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
* The logger.
|
||||
*/
|
||||
private static final Logger LOGGER = LoggerFactory.getLogger(Dependency.class);
|
||||
/**
|
||||
* Used as starting point for generating the value in {@link #hashCode()}.
|
||||
*/
|
||||
private static final int MAGIC_HASH_INIT_VALUE = 3;
|
||||
/**
|
||||
* Used as a multiplier for generating the value in {@link #hashCode()}.
|
||||
*/
|
||||
private static final int MAGIC_HASH_MULTIPLIER = 47;
|
||||
/**
|
||||
* The actual file path of the dependency on disk.
|
||||
*/
|
||||
@@ -90,19 +82,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
/**
|
||||
* A list of Identifiers.
|
||||
*/
|
||||
private Set<Identifier> identifiers;
|
||||
/**
|
||||
* A collection of vendor evidence.
|
||||
*/
|
||||
private final EvidenceCollection vendorEvidence;
|
||||
/**
|
||||
* A collection of product evidence.
|
||||
*/
|
||||
private final EvidenceCollection productEvidence;
|
||||
/**
|
||||
* A collection of version evidence.
|
||||
*/
|
||||
private final EvidenceCollection versionEvidence;
|
||||
private Set<Identifier> identifiers = new TreeSet<>();
|
||||
/**
|
||||
* The file name to display in reports.
|
||||
*/
|
||||
@@ -110,11 +90,11 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
/**
|
||||
* A set of identifiers that have been suppressed.
|
||||
*/
|
||||
private Set<Identifier> suppressedIdentifiers;
|
||||
private Set<Identifier> suppressedIdentifiers = new TreeSet<>();
|
||||
/**
|
||||
* A set of vulnerabilities that have been suppressed.
|
||||
*/
|
||||
private SortedSet<Vulnerability> suppressedVulnerabilities;
|
||||
private SortedSet<Vulnerability> suppressedVulnerabilities = new TreeSet<>(new VulnerabilityComparator());
|
||||
/**
|
||||
* The description of the JAR file.
|
||||
*/
|
||||
@@ -126,7 +106,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
/**
|
||||
* A list of vulnerabilities for this dependency.
|
||||
*/
|
||||
private SortedSet<Vulnerability> vulnerabilities;
|
||||
private SortedSet<Vulnerability> vulnerabilities = new TreeSet<>(new VulnerabilityComparator());
|
||||
/**
|
||||
* A collection of related dependencies.
|
||||
*/
|
||||
@@ -167,13 +147,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
* Constructs a new Dependency object.
|
||||
*/
|
||||
public Dependency() {
|
||||
vendorEvidence = new EvidenceCollection();
|
||||
productEvidence = new EvidenceCollection();
|
||||
versionEvidence = new EvidenceCollection();
|
||||
identifiers = new TreeSet<>();
|
||||
vulnerabilities = new TreeSet<>(new VulnerabilityComparator());
|
||||
suppressedIdentifiers = new TreeSet<>();
|
||||
suppressedVulnerabilities = new TreeSet<>(new VulnerabilityComparator());
|
||||
//empty contructor
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -189,7 +163,8 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
* Constructs a new Dependency object.
|
||||
*
|
||||
* @param file the File to create the dependency object from.
|
||||
* @param isVirtual specifies if the dependency is virtual indicating the file doesn't actually exist.
|
||||
* @param isVirtual specifies if the dependency is virtual indicating the
|
||||
* file doesn't actually exist.
|
||||
*/
|
||||
public Dependency(File file, boolean isVirtual) {
|
||||
this();
|
||||
@@ -401,13 +376,13 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
*/
|
||||
public void addAsEvidence(String source, MavenArtifact mavenArtifact, Confidence confidence) {
|
||||
if (mavenArtifact.getGroupId() != null && !mavenArtifact.getGroupId().isEmpty()) {
|
||||
this.getVendorEvidence().addEvidence(source, "groupid", mavenArtifact.getGroupId(), confidence);
|
||||
this.addEvidence(EvidenceType.VENDOR, source, "groupid", mavenArtifact.getGroupId(), confidence);
|
||||
}
|
||||
if (mavenArtifact.getArtifactId() != null && !mavenArtifact.getArtifactId().isEmpty()) {
|
||||
this.getProductEvidence().addEvidence(source, "artifactid", mavenArtifact.getArtifactId(), confidence);
|
||||
this.addEvidence(EvidenceType.PRODUCT, source, "artifactid", mavenArtifact.getArtifactId(), confidence);
|
||||
}
|
||||
if (mavenArtifact.getVersion() != null && !mavenArtifact.getVersion().isEmpty()) {
|
||||
this.getVersionEvidence().addEvidence(source, "version", mavenArtifact.getVersion(), confidence);
|
||||
this.addEvidence(EvidenceType.VERSION, source, "version", mavenArtifact.getVersion(), confidence);
|
||||
}
|
||||
if (mavenArtifact.getArtifactUrl() != null && !mavenArtifact.getArtifactUrl().isEmpty()) {
|
||||
boolean found = false;
|
||||
@@ -493,60 +468,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
this.suppressedVulnerabilities.add(vulnerability);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the evidence used to identify this dependency.
|
||||
*
|
||||
* @return an EvidenceCollection.
|
||||
*/
|
||||
public EvidenceCollection getEvidence() {
|
||||
return EvidenceCollection.merge(this.productEvidence, this.vendorEvidence, this.versionEvidence);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the evidence used to identify this dependency.
|
||||
*
|
||||
* @return an EvidenceCollection.
|
||||
*/
|
||||
public Set<Evidence> getEvidenceForDisplay() {
|
||||
return EvidenceCollection.mergeForDisplay(this.productEvidence, this.vendorEvidence, this.versionEvidence);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the evidence used to identify this dependency.
|
||||
*
|
||||
* @return an EvidenceCollection.
|
||||
*/
|
||||
public EvidenceCollection getEvidenceUsed() {
|
||||
return EvidenceCollection.mergeUsed(this.productEvidence, this.vendorEvidence, this.versionEvidence);
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the Vendor Evidence.
|
||||
*
|
||||
* @return an EvidenceCollection.
|
||||
*/
|
||||
public EvidenceCollection getVendorEvidence() {
|
||||
return this.vendorEvidence;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the Product Evidence.
|
||||
*
|
||||
* @return an EvidenceCollection.
|
||||
*/
|
||||
public EvidenceCollection getProductEvidence() {
|
||||
return this.productEvidence;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the Version Evidence.
|
||||
*
|
||||
* @return an EvidenceCollection.
|
||||
*/
|
||||
public EvidenceCollection getVersionEvidence() {
|
||||
return this.versionEvidence;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the value of description.
|
||||
*
|
||||
@@ -773,13 +694,9 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
.append(this.md5sum, other.md5sum)
|
||||
.append(this.sha1sum, other.sha1sum)
|
||||
.append(this.identifiers, other.identifiers)
|
||||
.append(this.vendorEvidence, other.vendorEvidence)
|
||||
.append(this.productEvidence, other.productEvidence)
|
||||
.append(this.versionEvidence, other.versionEvidence)
|
||||
.append(this.description, other.description)
|
||||
.append(this.license, other.license)
|
||||
.append(this.vulnerabilities, other.vulnerabilities)
|
||||
//.append(this.relatedDependencies, other.relatedDependencies)
|
||||
.append(this.projectReferences, other.projectReferences)
|
||||
.append(this.availableVersions, other.availableVersions)
|
||||
.isEquals();
|
||||
@@ -792,20 +709,17 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
*/
|
||||
@Override
|
||||
public int hashCode() {
|
||||
return new HashCodeBuilder(MAGIC_HASH_INIT_VALUE, MAGIC_HASH_MULTIPLIER)
|
||||
return new HashCodeBuilder(3, 47)
|
||||
.appendSuper(super.hashCode())
|
||||
.append(actualFilePath)
|
||||
.append(filePath)
|
||||
.append(fileName)
|
||||
.append(md5sum)
|
||||
.append(sha1sum)
|
||||
.append(identifiers)
|
||||
.append(vendorEvidence)
|
||||
.append(productEvidence)
|
||||
.append(versionEvidence)
|
||||
.append(description)
|
||||
.append(license)
|
||||
.append(vulnerabilities)
|
||||
//.append(relatedDependencies)
|
||||
.append(projectReferences)
|
||||
.append(availableVersions)
|
||||
.toHashCode();
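Review bot: The seed and multiplier on the `return new HashCodeBuilder(3, 47)` line are bare magic numbers where the replaced line used the named constants `MAGIC_HASH_INIT_VALUE` and `MAGIC_HASH_MULTIPLIER`; keep (or privately redefine) the constants so the two primes are documented and not mistaken for tunables, e.g. `return new HashCodeBuilder(MAGIC_HASH_INIT_VALUE, MAGIC_HASH_MULTIPLIER)`. Dropping the three evidence `append`s is consistent with the evidence now being synchronized, mutable state that changes while a `Dependency` may sit in a hash-based collection, but the method Javadoc should say so explicitly (`Evidence is deliberately excluded: it is mutated during analysis and would move the dependency between buckets`), since the `equals` hunk above was changed the same way. The `appendSuper(super.hashCode())` line is pre-existing context, but with `Object` as the superclass it folds the identity hash into the result, so two dependencies that compare equal field-by-field will hash differently unless `equals` also calls `super.equals`; worth confirming while this method is being reworked.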
|
||||
|
||||
@@ -61,11 +61,6 @@ public class Evidence implements Serializable, Comparable<Evidence> {
|
||||
*/
|
||||
private String value;
|
||||
|
||||
/**
|
||||
* A value indicating if the Evidence has been "used" (aka read).
|
||||
*/
|
||||
private boolean used;
|
||||
|
||||
/**
|
||||
* The confidence level for the evidence.
|
||||
*/
|
||||
@@ -134,20 +129,6 @@ public class Evidence implements Serializable, Comparable<Evidence> {
|
||||
* @return the value of value
|
||||
*/
|
||||
public String getValue() {
|
||||
used = true;
|
||||
return value;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the value of value. If setUsed is set to false this call to get will
|
||||
* not mark the evidence as used.
|
||||
*
|
||||
* @param setUsed whether or not this call to getValue should cause the used
|
||||
* flag to be updated
|
||||
* @return the value of value
|
||||
*/
|
||||
public String getValue(Boolean setUsed) {
|
||||
used = used || setUsed;
|
||||
return value;
|
||||
}
|
||||
|
||||
@@ -160,24 +141,6 @@ public class Evidence implements Serializable, Comparable<Evidence> {
|
||||
this.value = value;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the value of used.
|
||||
*
|
||||
* @return the value of used
|
||||
*/
|
||||
public boolean isUsed() {
|
||||
return used;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of used.
|
||||
*
|
||||
* @param used new value of used
|
||||
*/
|
||||
public void setUsed(boolean used) {
|
||||
this.used = used;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the value of confidence.
|
||||
*
|
||||
|
||||
@@ -18,18 +18,13 @@
|
||||
package org.owasp.dependencycheck.dependency;
|
||||
|
||||
import java.io.Serializable;
|
||||
import java.net.MalformedURLException;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.TreeSet;
|
||||
import javax.annotation.concurrent.NotThreadSafe;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.owasp.dependencycheck.utils.DependencyVersion;
|
||||
import org.owasp.dependencycheck.utils.DependencyVersionUtil;
|
||||
import javax.annotation.concurrent.ThreadSafe;
|
||||
import org.apache.commons.lang3.builder.EqualsBuilder;
|
||||
import org.apache.commons.lang3.builder.HashCodeBuilder;
|
||||
import org.owasp.dependencycheck.utils.Filter;
|
||||
import org.owasp.dependencycheck.utils.UrlStringUtils;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
@@ -38,8 +33,8 @@ import org.slf4j.LoggerFactory;
|
||||
*
|
||||
* @author Jeremy Long
|
||||
*/
|
||||
@NotThreadSafe
|
||||
public class EvidenceCollection implements Serializable, Iterable<Evidence> {
|
||||
@ThreadSafe
|
||||
class EvidenceCollection implements Serializable {
|
||||
|
||||
/**
|
||||
* The serial version UID for serialization.
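Review bot: `class EvidenceCollection implements Serializable` drops the `public` modifier together with `Iterable<Evidence>`, so the type is now package-private; that is presumably intentional now that `Dependency` no longer hands the collection out, but any code outside `org.owasp.dependencycheck.dependency` that referenced it stops compiling, and the class Javadoc should state that the class is an internal detail of `Dependency`. The new `@ThreadSafe` annotation is only honest if every accessor returns a snapshot rather than a view of the internal sets; add a class-level note such as `All state is guarded by the instance monitor; accessors return unmodifiable views that must not be iterated concurrently with addEvidence/removeEvidence` (or make them copies) so the contract is visible to maintainers of the analyzers.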
|
||||
@@ -50,13 +45,25 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
|
||||
*/
|
||||
private static final Logger LOGGER = LoggerFactory.getLogger(EvidenceCollection.class);
|
||||
/**
|
||||
* A collection of evidence.
|
||||
* A collection of vendor evidence.
|
||||
*/
|
||||
private final Set<Evidence> list;
|
||||
private final Set<Evidence> vendors = new HashSet<>();
|
||||
/**
|
||||
* A collection of strings used to adjust Lucene's term weighting.
|
||||
* A collection of strings used to adjust Lucene's vendor term weighting.
|
||||
*/
|
||||
private final Set<String> weightedStrings;
|
||||
private final Set<String> vendorWeightings = new HashSet<>();
|
||||
/**
|
||||
* A collection of product evidence.
|
||||
*/
|
||||
private final Set<Evidence> products = new HashSet<>();
|
||||
/**
|
||||
* A collection of strings used to adjust Lucene's product term weighting.
|
||||
*/
|
||||
private final Set<String> productWeightings = new HashSet<>();
|
||||
/**
|
||||
* A collection of version evidence.
|
||||
*/
|
||||
private final Set<Evidence> versions = new HashSet<>();
|
||||
|
||||
/**
|
||||
* Used to iterate over highest confidence evidence contained in the
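Review bot: The three evidence sets are declared as `new HashSet<>()` where the old single `list` was a `TreeSet<Evidence>`, so de-duplication now depends on `Evidence.equals`/`hashCode` instead of `compareTo`, and iteration order (and therefore the order evidence appears in reports and in `toString()`) is no longer sorted and not stable between runs; unless `Evidence` is known to define `equals` consistently with `compareTo`, `new TreeSet<>()` — or a `LinkedHashSet` if only stable ordering matters — is the safer choice. The `static final Logger LOGGER` declared just above these fields appears to have lost its only caller now that `urlCorrection` is removed later in this file; if that is the case it should be deleted rather than left as dead state.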
|
||||
@@ -97,74 +104,113 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
|
||||
return evidence.getConfidence() == Confidence.LOW;
|
||||
}
|
||||
};
|
||||
/**
|
||||
* Used to iterate over evidence that has was used (aka read) from the
|
||||
* collection.
|
||||
*/
|
||||
private static final Filter<Evidence> EVIDENCE_USED = new Filter<Evidence>() {
|
||||
@Override
|
||||
public boolean passes(Evidence evidence) {
|
||||
return evidence.isUsed();
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
* Used to iterate over evidence of the specified confidence.
|
||||
* Used to iterate over evidence of the specified type and confidence.
|
||||
*
|
||||
* @param type the evidence type to iterate over
|
||||
* @param confidence the confidence level for the evidence to be iterated
|
||||
* over.
|
||||
* @return Iterable<Evidence> an iterable collection of evidence
|
||||
*/
|
||||
public final Iterable<Evidence> iterator(Confidence confidence) {
|
||||
if (null != confidence) {
|
||||
public synchronized Iterable<Evidence> getIterator(EvidenceType type, Confidence confidence) {
|
||||
if (null != confidence && null != type) {
|
||||
Set<Evidence> list;
|
||||
|
||||
switch (type) {
|
||||
case VENDOR:
|
||||
list = Collections.unmodifiableSet(vendors);
|
||||
break;
|
||||
case PRODUCT:
|
||||
list = Collections.unmodifiableSet(products);
|
||||
break;
|
||||
case VERSION:
|
||||
list = Collections.unmodifiableSet(versions);
|
||||
break;
|
||||
default:
|
||||
return null;
|
||||
}
|
||||
|
||||
switch (confidence) {
|
||||
case HIGHEST:
|
||||
return EvidenceCollection.HIGHEST_CONFIDENCE.filter(this.list);
|
||||
return EvidenceCollection.HIGHEST_CONFIDENCE.filter(list);
|
||||
case HIGH:
|
||||
return EvidenceCollection.HIGH_CONFIDENCE.filter(this.list);
|
||||
return EvidenceCollection.HIGH_CONFIDENCE.filter(list);
|
||||
case MEDIUM:
|
||||
return EvidenceCollection.MEDIUM_CONFIDENCE.filter(this.list);
|
||||
return EvidenceCollection.MEDIUM_CONFIDENCE.filter(list);
|
||||
default:
|
||||
return EvidenceCollection.LOW_CONFIDENCE.filter(this.list);
|
||||
return EvidenceCollection.LOW_CONFIDENCE.filter(list);
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a new EvidenceCollection.
|
||||
* Adds evidence to the collection.
|
||||
*
|
||||
* @param type the type of evidence (vendor, product, version)
|
||||
* @param e Evidence
|
||||
*/
|
||||
public EvidenceCollection() {
|
||||
list = new TreeSet<>();
|
||||
weightedStrings = new HashSet<>();
|
||||
public synchronized void addEvidence(EvidenceType type, Evidence e) {
|
||||
if (null != type) {
|
||||
switch (type) {
|
||||
case VENDOR:
|
||||
vendors.add(e);
|
||||
break;
|
||||
case PRODUCT:
|
||||
products.add(e);
|
||||
break;
|
||||
case VERSION:
|
||||
versions.add(e);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds evidence to the collection.
|
||||
* Removes evidence from the collection.
|
||||
*
|
||||
* @param type the type of evidence (vendor, product, version)
|
||||
* @param e Evidence.
|
||||
*/
|
||||
public void addEvidence(Evidence e) {
|
||||
list.add(e);
|
||||
public synchronized void removeEvidence(EvidenceType type, Evidence e) {
|
||||
if (null != type) {
|
||||
switch (type) {
|
||||
case VENDOR:
|
||||
vendors.remove(e);
|
||||
break;
|
||||
case PRODUCT:
|
||||
products.remove(e);
|
||||
break;
|
||||
case VERSION:
|
||||
versions.remove(e);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates an Evidence object from the parameters and adds the resulting
|
||||
* object to the collection.
|
||||
* object to the evidence collection.
|
||||
*
|
||||
* @param type the type of evidence (vendor, product, version)
|
||||
* @param source the source of the Evidence.
|
||||
* @param name the name of the Evidence.
|
||||
* @param value the value of the Evidence.
|
||||
* @param confidence the confidence of the Evidence.
|
||||
*/
|
||||
public void addEvidence(String source, String name, String value, Confidence confidence) {
|
||||
public void addEvidence(EvidenceType type, String source, String name, String value, Confidence confidence) {
|
||||
final Evidence e = new Evidence(source, name, value, confidence);
|
||||
addEvidence(e);
|
||||
addEvidence(type, e);
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds term to the weighting collection. The terms added here are used
|
||||
* later to boost the score of other terms. This is a way of combining
|
||||
* Adds term to the vendor weighting collection. The terms added here are
|
||||
* used later to boost the score of other terms. This is a way of combining
|
||||
* evidence from multiple sources to boost the confidence of the given
|
||||
* evidence.
|
||||
*
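Review bot: `getIterator` is `synchronized`, but it returns `HIGHEST_CONFIDENCE.filter(list)` built over `Collections.unmodifiableSet(vendors)`, which is a live view of the internal `HashSet`, not a copy; the caller iterates after the monitor has been released, so a concurrent `addEvidence`/`removeEvidence` from another analyzer thread raises `ConcurrentModificationException` and the `@ThreadSafe` annotation does not hold. `Filter.filter` is defined outside this file, so whether it is lazy is not visible here, but the cheap fix is to snapshot inside the lock, `list = Collections.unmodifiableSet(new HashSet<>(vendors));` (likewise for `products` and `versions`), or to materialize the filtered result into a new set before returning. `addEvidence(EvidenceType, Evidence)` also accepts a null `e` and stores it, which later blows up in `toString()` at `e.getValue()`; a guard such as `if (e == null) { return; }` at the top of the method, with a Javadoc `@param e the evidence to add; ignored if null`, keeps the collection free of nulls.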
|
||||
@@ -177,136 +223,122 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
|
||||
*
|
||||
* @param str to add to the weighting collection.
|
||||
*/
|
||||
public void addWeighting(String str) {
|
||||
weightedStrings.add(str);
|
||||
public synchronized void addVendorWeighting(String str) {
|
||||
vendorWeightings.add(str);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a set of Weightings - a list of terms that are believed to be of
|
||||
* higher confidence when also found in another location.
|
||||
* Adds term to the product weighting collection. The terms added here are
|
||||
* used later to boost the score of other terms. This is a way of combining
|
||||
* evidence from multiple sources to boost the confidence of the given
|
||||
* evidence.
|
||||
*
|
||||
* @return Set<String>
|
||||
* Example: The term 'Apache' is found in the manifest of a JAR and is added
|
||||
* to the Collection. When we parse the package names within the JAR file we
|
||||
* may add these package names to the "weighted" strings collection to boost
|
||||
* the score in the Lucene query. That way when we construct the Lucene
|
||||
* query we find the term Apache in the collection AND in the weighted
|
||||
* strings; as such, we will boost the confidence of the term Apache.
|
||||
*
|
||||
* @param str to add to the weighting collection.
|
||||
*/
|
||||
public Set<String> getWeighting() {
|
||||
return weightedStrings;
|
||||
public synchronized void addProductWeighting(String str) {
|
||||
productWeightings.add(str);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the set of evidence.
|
||||
* Returns an unmodifiable set of vendor Weightings - a list of terms that
|
||||
* are believed to be of higher confidence when also found in another
|
||||
* location.
|
||||
*
|
||||
* @return the set of evidence.
|
||||
* @return an unmodifiable set of vendor weighting strings
|
||||
*/
|
||||
public Set<Evidence> getEvidence() {
|
||||
return list;
|
||||
public synchronized Set<String> getVendorWeightings() {
|
||||
return Collections.unmodifiableSet(vendorWeightings);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the set of evidence from a given source.
|
||||
* Returns an unmodifiable set of product Weightings - a list of terms that
|
||||
* are believed to be of higher confidence when also found in another
|
||||
* location.
|
||||
*
|
||||
* @param source the source of the evidence
|
||||
* @return the set of evidence.
|
||||
* @return an unmodifiable set of vendor weighting strings
|
||||
*/
|
||||
public Set<Evidence> getEvidence(String source) {
|
||||
if (source == null) {
|
||||
return null;
|
||||
}
|
||||
final Set<Evidence> ret = new HashSet<>();
|
||||
for (Evidence e : list) {
|
||||
if (source.equals(e.getSource())) {
|
||||
ret.add(e);
|
||||
public synchronized Set<String> getProductWeightings() {
|
||||
return Collections.unmodifiableSet(productWeightings);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the unmodifiable set of evidence of the given type.
|
||||
*
|
||||
* @param type the type of evidence (vendor, product, version)
|
||||
* @return the <b>unmodifiable<b/> set of evidence
|
||||
*/
|
||||
public synchronized Set<Evidence> getEvidence(EvidenceType type) {
|
||||
if (null != type) {
|
||||
switch (type) {
|
||||
case VENDOR:
|
||||
return Collections.unmodifiableSet(vendors);
|
||||
case PRODUCT:
|
||||
return Collections.unmodifiableSet(products);
|
||||
case VERSION:
|
||||
return Collections.unmodifiableSet(versions);
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the set of evidence from a given source and name.
|
||||
* Tests if the evidence collection contains the given evidence.
|
||||
*
|
||||
* @param source the source of the evidence
|
||||
* @param name the name of the evidence to return
|
||||
* @return the set of evidence.
|
||||
* @param type the type of evidence (vendor, product, version)
|
||||
* @param e the evidence to search
|
||||
* @return true if the evidence is found; otherwise false
|
||||
*/
|
||||
public Set<Evidence> getEvidence(String source, String name) {
|
||||
if (source == null || name == null) {
|
||||
return null;
|
||||
}
|
||||
final Set<Evidence> ret = new HashSet<>();
|
||||
for (Evidence e : list) {
|
||||
if (source.equals(e.getSource()) && name.equals(e.getName())) {
|
||||
ret.add(e);
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements the iterator interface for the Evidence Collection.
|
||||
*
|
||||
* @return an Iterator<Evidence>
|
||||
*/
|
||||
@Override
|
||||
public Iterator<Evidence> iterator() {
|
||||
return list.iterator();
|
||||
}
|
||||
|
||||
/**
|
||||
* Used to determine if a given string was used (aka read).
|
||||
*
|
||||
* @param text the string to search for.
|
||||
* @return whether or not the string was used.
|
||||
*/
|
||||
public boolean containsUsedString(String text) {
|
||||
if (text == null) {
|
||||
return false;
|
||||
}
|
||||
final String textToTest = text.toLowerCase();
|
||||
|
||||
for (Evidence e : EvidenceCollection.EVIDENCE_USED.filter(this)) {
|
||||
//TODO consider changing the regex to only compare alpha-numeric (i.e. strip everything else)
|
||||
final String item = e.getValue();
|
||||
if (item != null) {
|
||||
final String uc = urlCorrection(item.toLowerCase());
|
||||
if (uc != null) {
|
||||
final String value = uc.replaceAll("[\\s_-]", "");
|
||||
if (value.contains(textToTest)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
public synchronized boolean contains(EvidenceType type, Evidence e) {
|
||||
if (null != type) {
|
||||
switch (type) {
|
||||
case VENDOR:
|
||||
return vendors.contains(e);
|
||||
case PRODUCT:
|
||||
return products.contains(e);
|
||||
case VERSION:
|
||||
return versions.contains(e);
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Used to determine if a given version was used (aka read) from the
|
||||
* EvidenceCollection.
|
||||
*
|
||||
* @param version the version to search for within the collected evidence.
|
||||
* @return whether or not the string was used.
|
||||
*/
|
||||
public boolean containsUsedVersion(DependencyVersion version) {
|
||||
if (version == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
for (Evidence e : EvidenceCollection.EVIDENCE_USED.filter(this)) {
|
||||
final DependencyVersion value = DependencyVersionUtil.parseVersion(e.getValue());
|
||||
if (value != null && value.matchesAtLeastThreeLevels(version)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns whether or not the collection contains evidence of a specified
|
||||
* Confidence.
|
||||
*
|
||||
* Returns whether or not the collection contains evidence of a
|
||||
* specified type and confidence.
|
||||
* @param type the type of evidence (vendor, product, version)
|
||||
* @param confidence A Confidence value.
|
||||
* @return boolean.
|
||||
*/
|
||||
public boolean contains(Confidence confidence) {
|
||||
for (Evidence e : list) {
|
||||
public synchronized boolean contains(EvidenceType type, Confidence confidence) {
|
||||
if (null == type) {
|
||||
return false;
|
||||
}
|
||||
Set<Evidence> col;
|
||||
switch (type) {
|
||||
case VENDOR:
|
||||
col = vendors;
|
||||
break;
|
||||
case PRODUCT:
|
||||
col = products;
|
||||
break;
|
||||
case VERSION:
|
||||
col = versions;
|
||||
break;
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
for (Evidence e : col) {
|
||||
if (e.getConfidence().equals(confidence)) {
|
||||
return true;
|
||||
}
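Review bot: `getEvidence(EvidenceType)` returns `Collections.unmodifiableSet(vendors)` (and the same for `products`/`versions`), a read-through view of the live `HashSet` rather than a copy; the Javadoc promises an unmodifiable set, but a caller iterating it outside the monitor races with `addEvidence` on another thread and can see `ConcurrentModificationException`, so either return `Collections.unmodifiableSet(new HashSet<>(vendors))` or document that the result must be consumed before any further mutation. Two Javadoc slips in this hunk: `@return the <b>unmodifiable<b/> set of evidence` has a malformed closing tag (should be `</b>`), and `getProductWeightings` says `@return an unmodifiable set of vendor weighting strings` where `product` is meant. In `contains(EvidenceType, Confidence)` the comparison `e.getConfidence().equals(confidence)` would throw if an `Evidence` was created with a null confidence (the removed `mergeForDisplay` did exactly that); since `Confidence` is an enum (it is switched on with bare constants above), `e.getConfidence() == confidence` is both null-safe and clearer.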
|
||||
@@ -314,73 +346,27 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Merges multiple EvidenceCollections together, only merging evidence that
|
||||
* was used, into a new EvidenceCollection.
|
||||
*
|
||||
* @param ec One or more EvidenceCollections.
|
||||
* @return a new EvidenceCollection containing the used evidence.
|
||||
*/
|
||||
public static EvidenceCollection mergeUsed(EvidenceCollection... ec) {
|
||||
final EvidenceCollection ret = new EvidenceCollection();
|
||||
for (EvidenceCollection col : ec) {
|
||||
for (Evidence e : col.list) {
|
||||
if (e.isUsed()) {
|
||||
ret.addEvidence(e);
|
||||
}
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Merges multiple EvidenceCollections together.
|
||||
*
|
||||
* @param ec One or more EvidenceCollections.
|
||||
* @return a new EvidenceCollection.
|
||||
*/
|
||||
public static EvidenceCollection merge(EvidenceCollection... ec) {
|
||||
final EvidenceCollection ret = new EvidenceCollection();
|
||||
for (EvidenceCollection col : ec) {
|
||||
ret.list.addAll(col.list);
|
||||
ret.weightedStrings.addAll(col.weightedStrings);
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Merges multiple EvidenceCollections together; flattening all of the
|
||||
* evidence items by removing the confidence.
|
||||
*
|
||||
* @param ec One or more EvidenceCollections
|
||||
* @return new set of evidence resulting from merging the evidence in the
|
||||
* collections
|
||||
*/
|
||||
public static Set<Evidence> mergeForDisplay(EvidenceCollection... ec) {
|
||||
final Set<Evidence> ret = new TreeSet<>();
|
||||
for (EvidenceCollection col : ec) {
|
||||
for (Evidence e : col) {
|
||||
//if (e.isUsed()) {
|
||||
final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null);
|
||||
newEvidence.setUsed(true);
|
||||
ret.add(newEvidence);
|
||||
//}
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a string of evidence 'values'.
|
||||
*
|
||||
* @return a string containing the evidence.
|
||||
*/
|
||||
@Override
|
||||
public String toString() {
|
||||
public synchronized String toString() {
|
||||
final StringBuilder sb = new StringBuilder();
|
||||
for (Evidence e : this.list) {
|
||||
sb.append(e.getValue()).append(' ');
|
||||
sb.append("{vendors: [");
|
||||
for (Evidence e : this.vendors) {
|
||||
sb.append("'").append(e.getValue()).append("', ");
|
||||
}
|
||||
sb.append("],/nproducts: [");
|
||||
for (Evidence e : this.products) {
|
||||
sb.append("'").append(e.getValue()).append("', ");
|
||||
}
|
||||
sb.append("],/nversions: [");
|
||||
for (Evidence e : this.versions) {
|
||||
sb.append("'").append(e.getValue()).append("', ");
|
||||
}
|
||||
sb.append("]");
|
||||
return sb.toString();
|
||||
}
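Review bot: The separators `"],/nproducts: ["` and `"],/nversions: ["` in `toString()` use a forward slash, so the rendered string contains the literal characters `/n` instead of a line break; either `"],\nproducts: ["` / `"],\nversions: ["` was intended or, since `EngineModeIT` only does `contains("apache")` on this output, a single-line `", products: ["` form is simpler. Each list also ends with a dangling `', ` before the closing `]`; collecting `e.getValue()` into a `StringJoiner("', '", "['", "']")` (or joining on `", "`) avoids the trailing separator. Cosmetic only, but this string ends up in logs and debug output that people copy from, so it is worth cleaning before release.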
|
||||
|
||||
@@ -389,49 +375,34 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
|
||||
*
|
||||
* @return the number of elements in the collection.
|
||||
*/
|
||||
public int size() {
|
||||
return list.size();
|
||||
public synchronized int size() {
|
||||
return vendors.size() + products.size() + versions.size();
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Takes a string that may contain a fully qualified domain and it will
|
||||
* return the string having removed the query string, the protocol, the
|
||||
* sub-domain of 'www', and the file extension of the path.</p>
|
||||
* <p>
|
||||
* This is useful for checking if the evidence contains a specific string.
|
||||
* The presence of the protocol, file extension, etc. may produce false
|
||||
* positives.
|
||||
*
|
||||
* <p>
|
||||
* Example, given the following input:</p>
|
||||
* <code>'Please visit https://www.owasp.com/path1/path2/file.php?id=439'</code>
|
||||
* <p>
|
||||
* The function would return:</p>
|
||||
* <code>'Please visit owasp path1 path2 file'</code>
|
||||
*
|
||||
* @param value the value that may contain a url
|
||||
* @return the modified string
|
||||
*/
|
||||
private String urlCorrection(String value) {
|
||||
if (value == null || !UrlStringUtils.containsUrl(value)) {
|
||||
return value;
|
||||
@Override
|
||||
public int hashCode() {
|
||||
return new HashCodeBuilder(13, 43)
|
||||
.append(vendors)
|
||||
.append(vendorWeightings)
|
||||
.append(products)
|
||||
.append(productWeightings)
|
||||
.append(versions)
|
||||
.toHashCode();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean equals(Object obj) {
|
||||
if (obj == null || getClass() != obj.getClass()) {
|
||||
return false;
|
||||
}
|
||||
final StringBuilder sb = new StringBuilder(value.length());
|
||||
final String[] parts = value.split("\\s");
|
||||
for (String part : parts) {
|
||||
if (UrlStringUtils.isUrl(part)) {
|
||||
try {
|
||||
final List<String> data = UrlStringUtils.extractImportantUrlData(part);
|
||||
sb.append(' ').append(StringUtils.join(data, ' '));
|
||||
} catch (MalformedURLException ex) {
|
||||
LOGGER.debug("error parsing {}", part, ex);
|
||||
sb.append(' ').append(part);
|
||||
}
|
||||
} else {
|
||||
sb.append(' ').append(part);
|
||||
}
|
||||
}
|
||||
return sb.toString().trim();
|
||||
final EvidenceCollection other = (EvidenceCollection) obj;
|
||||
return new EqualsBuilder()
|
||||
.appendSuper(super.equals(obj))
|
||||
.append(this.vendors, other.vendors)
|
||||
.append(this.vendorWeightings, other.vendorWeightings)
|
||||
.append(this.products, other.products)
|
||||
.append(this.productWeightings, other.productWeightings)
|
||||
.append(this.versions, other.versions)
|
||||
.isEquals();
|
||||
}
|
||||
}
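Review bot: `equals` calls `.appendSuper(super.equals(obj))`, and `EvidenceCollection` extends only `Object`, whose `equals` is reference identity; the builder therefore returns false for every distinct instance regardless of content, so two collections holding identical evidence are never equal even though `hashCode` (which does not fold in `super.hashCode()`) says they collide — drop the `appendSuper` line. Both methods also read the five `HashSet`s without the monitor that every other accessor in this class takes, so a concurrent `addEvidence` can throw `ConcurrentModificationException` from inside `hashCode`; declare them `public synchronized` for consistency, and add a Javadoc note that, being derived from mutable state, the hash must not be relied on while the collection is used as a `HashSet` element or `HashMap` key. A `if (this == obj) { return true; }` fast path before the `getClass()` check is the conventional complement.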
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
/*
|
||||
* This file is part of dependency-check-core.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2017 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.dependency;
|
||||
|
||||
/**
|
||||
* The types of evidence.
|
||||
* @author jeremy long
|
||||
*/
|
||||
public enum EvidenceType {
|
||||
/**
|
||||
* Vendor evidence.
|
||||
*/
|
||||
VENDOR,
|
||||
/**
|
||||
* Product evidence.
|
||||
*/
|
||||
PRODUCT,
|
||||
/**
|
||||
* Version evidence.
|
||||
*/
|
||||
VERSION
|
||||
|
||||
}
|
||||
@@ -14,7 +14,6 @@ import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.util.List;
|
||||
|
||||
import static org.hamcrest.CoreMatchers.notNullValue;
|
||||
import static org.hamcrest.CoreMatchers.nullValue;
|
||||
@@ -23,6 +22,7 @@ import static org.hamcrest.core.Is.is;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Assume;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.utils.FileUtils;
|
||||
|
||||
/**
|
||||
@@ -80,8 +80,8 @@ public class EngineModeIT extends BaseTest {
|
||||
dependencies = engine.getDependencies();
|
||||
assertThat(dependencies.length, is(1));
|
||||
Dependency dependency = dependencies[0];
|
||||
assertTrue(dependency.getVendorEvidence().toString().toLowerCase().contains("apache"));
|
||||
assertTrue(dependency.getVendorEvidence().getWeighting().contains("apache"));
|
||||
assertTrue(dependency.getEvidence(EvidenceType.VENDOR).toString().toLowerCase().contains("apache"));
|
||||
assertTrue(dependency.getVendorWeightings().contains("apache"));
|
||||
assertTrue(dependency.getVulnerabilities().isEmpty());
|
||||
}
|
||||
|
||||
@@ -115,8 +115,8 @@ public class EngineModeIT extends BaseTest {
|
||||
Dependency[] dependencies = engine.getDependencies();
|
||||
assertThat(dependencies.length, is(1));
|
||||
Dependency dependency = dependencies[0];
|
||||
assertTrue(dependency.getVendorEvidence().toString().toLowerCase().contains("apache"));
|
||||
assertTrue(dependency.getVendorEvidence().getWeighting().contains("apache"));
|
||||
assertTrue(dependency.getEvidence(EvidenceType.VENDOR).toString().toLowerCase().contains("apache"));
|
||||
assertTrue(dependency.getVendorWeightings().contains("apache"));
|
||||
assertFalse(dependency.getVulnerabilities().isEmpty());
|
||||
}
|
||||
}
|
||||
@@ -127,10 +127,6 @@ public class EngineModeIT extends BaseTest {
|
||||
assertThat(Files.exists(directory), is(true));
|
||||
assertThat(Files.isDirectory(directory), is(true));
|
||||
Path database = directory.resolve(getSettings().getString(Settings.KEYS.DB_FILE_NAME));
|
||||
//System.err.println(database.toString());
|
||||
//for (String f : directory.toFile().list()) {
|
||||
// System.err.println(f);
|
||||
//}
|
||||
assertThat(Files.exists(database), is(exists));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -40,6 +40,7 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
import org.owasp.dependencycheck.utils.FileUtils;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
@@ -130,21 +131,8 @@ public class AssemblyAnalyzerTest extends BaseTest {
|
||||
File f = BaseTest.getResourceAsFile(this, "GrokAssembly.exe");
|
||||
Dependency d = new Dependency(f);
|
||||
analyzer.analyze(d, null);
|
||||
boolean foundVendor = false;
|
||||
for (Evidence e : d.getVendorEvidence().getEvidence("grokassembly", "vendor")) {
|
||||
if ("OWASP".equals(e.getValue())) {
|
||||
foundVendor = true;
|
||||
}
|
||||
}
|
||||
assertTrue(foundVendor);
|
||||
|
||||
boolean foundProduct = false;
|
||||
for (Evidence e : d.getProductEvidence().getEvidence("grokassembly", "product")) {
|
||||
if ("GrokAssembly".equals(e.getValue())) {
|
||||
foundProduct = true;
|
||||
}
|
||||
}
|
||||
assertTrue(foundProduct);
|
||||
assertTrue(d.contains(EvidenceType.VENDOR, new Evidence("grokassembly", "vendor", "OWASP", Confidence.HIGH)));
|
||||
assertTrue(d.contains(EvidenceType.PRODUCT, new Evidence("grokassembly", "product", "GrokAssembly", Confidence.HIGH)));
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -154,9 +142,9 @@ public class AssemblyAnalyzerTest extends BaseTest {
|
||||
|
||||
Dependency d = new Dependency(f);
|
||||
analyzer.analyze(d, null);
|
||||
assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.2.13.0", Confidence.HIGHEST)));
|
||||
assertTrue(d.getVendorEvidence().getEvidence().contains(new Evidence("grokassembly", "vendor", "The Apache Software Foundation", Confidence.HIGH)));
|
||||
assertTrue(d.getProductEvidence().getEvidence().contains(new Evidence("grokassembly", "product", "log4net", Confidence.HIGH)));
|
||||
assertTrue(d.contains(EvidenceType.VERSION, new Evidence("grokassembly", "version", "1.2.13.0", Confidence.HIGHEST)));
|
||||
assertTrue(d.contains(EvidenceType.VENDOR, new Evidence("grokassembly", "vendor", "The Apache Software Foundation", Confidence.HIGH)));
|
||||
assertTrue(d.contains(EvidenceType.PRODUCT, new Evidence("grokassembly", "product", "log4net", Confidence.HIGH)));
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
@@ -28,6 +28,9 @@ import java.io.File;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were
|
||||
@@ -47,21 +50,6 @@ public class AutoconfAnalyzerTest extends BaseTest {
|
||||
*/
|
||||
private AutoconfAnalyzer analyzer;
|
||||
|
||||
private void assertCommonEvidence(Dependency result, String product,
|
||||
String version, String vendor) {
|
||||
assertProductAndVersion(result, product, version);
|
||||
assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
|
||||
result.getVendorEvidence().toString().contains(vendor));
|
||||
}
|
||||
|
||||
private void assertProductAndVersion(Dependency result, String product,
|
||||
String version) {
|
||||
assertTrue("Expected product evidence to contain \"" + product + "\".",
|
||||
result.getProductEvidence().toString().contains(product));
|
||||
assertTrue("Expected version evidence to contain \"" + version + "\".",
|
||||
result.getVersionEvidence().toString().contains(version));
|
||||
}
|
||||
|
||||
/**
|
||||
* Correctly setup the analyzer for testing.
|
||||
*
|
||||
@@ -91,8 +79,7 @@ public class AutoconfAnalyzerTest extends BaseTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Test whether expected evidence is gathered from Ghostscript's
|
||||
* configure.
|
||||
* Test whether expected evidence is gathered from Ghostscript's configure.
|
||||
*
|
||||
* @throws AnalysisException is thrown when an exception occurs.
|
||||
*/
|
||||
@@ -101,7 +88,10 @@ public class AutoconfAnalyzerTest extends BaseTest {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "autoconf/ghostscript/configure.ac"));
|
||||
analyzer.analyze(result, null);
|
||||
assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
|
||||
//TODO fix these
|
||||
assertTrue(result.contains(EvidenceType.VENDOR, new Evidence("configure.ac", "Bug report address", "gnu-ghostscript-bug@gnu.org", Confidence.HIGH)));
|
||||
assertTrue(result.contains(EvidenceType.PRODUCT, new Evidence("configure.ac", "Package", "gnu-ghostscript", Confidence.HIGHEST)));
|
||||
assertTrue(result.contains(EvidenceType.VERSION, new Evidence("configure.ac", "Package Version", "8.62.0", Confidence.HIGHEST)));
|
||||
}
|
||||
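Review bot: The `//TODO fix these` comment added above the three new `result.contains(...)` assertions is left without saying what is wrong with them, so the next reader cannot tell whether the assertions fail, are incomplete, or are already correct. If they pass as written the comment should be dropped; if a value is known to be wrong (the vendor address, the HIGHEST confidence on the package lines) the comment should name it, e.g. `// TODO: confirm the Package/Package Version confidence is HIGHEST, not HIGH`. A bare TODO in a test tends to outlive the problem it marked.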
|
||||
/**
|
||||
@@ -114,14 +104,11 @@ public class AutoconfAnalyzerTest extends BaseTest {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "autoconf/readable-code/configure.ac"));
|
||||
analyzer.analyze(result, null);
|
||||
assertReadableCodeEvidence(result);
|
||||
}
|
||||
|
||||
private void assertReadableCodeEvidence(final Dependency result) {
|
||||
assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
|
||||
final String url = "http://readable.sourceforge.net/";
|
||||
assertTrue("Expected product evidence to contain \"" + url + "\".",
|
||||
result.getVendorEvidence().toString().contains(url));
|
||||
assertTrue(result.contains(EvidenceType.VENDOR, new Evidence("configure.ac", "Bug report address", "dwheeler@dwheeler.com", Confidence.HIGH)));
|
||||
assertTrue(result.contains(EvidenceType.PRODUCT, new Evidence("configure.ac", "Package", "readable", Confidence.HIGHEST)));
|
||||
assertTrue(result.contains(EvidenceType.VERSION, new Evidence("configure.ac", "Package Version", "1.0.7", Confidence.HIGHEST)));
|
||||
assertTrue(result.contains(EvidenceType.VENDOR, new Evidence("configure.ac", "URL", "http://readable.sourceforge.net/", Confidence.HIGH)));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -134,7 +121,9 @@ public class AutoconfAnalyzerTest extends BaseTest {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "autoconf/binutils/configure"));
|
||||
analyzer.analyze(result, null);
|
||||
assertProductAndVersion(result, "binutils", "2.25.51");
|
||||
|
||||
assertTrue(result.contains(EvidenceType.PRODUCT, new Evidence("configure", "NAME", "binutils", Confidence.HIGHEST)));
|
||||
assertTrue(result.contains(EvidenceType.VERSION, new Evidence("configure", "VERSION", "2.25.51", Confidence.HIGHEST)));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -148,7 +137,11 @@ public class AutoconfAnalyzerTest extends BaseTest {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "autoconf/readable-code/configure"));
|
||||
analyzer.analyze(result, null);
|
||||
assertReadableCodeEvidence(result);
|
||||
|
||||
assertTrue(result.contains(EvidenceType.VENDOR, new Evidence("configure", "BUGREPORT", "dwheeler@dwheeler.com", Confidence.HIGH)));
|
||||
assertTrue(result.contains(EvidenceType.PRODUCT, new Evidence("configure", "NAME", "readable", Confidence.HIGHEST)));
|
||||
assertTrue(result.contains(EvidenceType.VERSION, new Evidence("configure", "VERSION", "1.0.7", Confidence.HIGHEST)));
|
||||
assertTrue(result.contains(EvidenceType.VENDOR, new Evidence("configure", "URL", "http://readable.sourceforge.net/", Confidence.HIGH)));
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -42,6 +42,8 @@ import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertThat;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Unit tests for CmakeAnalyzer.
|
||||
@@ -132,10 +134,16 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
|
||||
final String product = "zlib";
|
||||
assertProductEvidence(result, product);
|
||||
}
|
||||
|
||||
|
||||
private void assertProductEvidence(Dependency result, String product) {
|
||||
assertTrue("Expected product evidence to contain \"" + product + "\".",
|
||||
result.getProductEvidence().toString().contains(product));
|
||||
boolean found = false;
|
||||
for (Evidence e : result.getEvidence(EvidenceType.PRODUCT)) {
|
||||
if (product.equals(e.getValue())) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
assertTrue("Expected product evidence to contain \"" + product + "\".", found);
|
||||
}
|
||||
|
||||
/**
|
||||
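Review bot: The found-flag loop written into `assertProductEvidence` is repeated verbatim in `assertVersionEvidence` in the next hunk, differing only in the `EvidenceType` passed to `result.getEvidence(...)` and the wording of the message. A single type-parameterised helper removes the duplication and keeps the two messages in step; both existing helpers can delegate to it without changing their signatures or the call sites in the tests. The rewrite below is the new helper plus one delegating wrapper; `assertVersionEvidence` would delegate the same way with `EvidenceType.VERSION`.
```java
private void assertProductEvidence(Dependency result, String product) {
    assertEvidenceValue(result, EvidenceType.PRODUCT, product);
}

// Asserts that at least one evidence entry of the given type has exactly this value.
private void assertEvidenceValue(Dependency result, EvidenceType type, String value) {
    boolean found = false;
    for (Evidence e : result.getEvidence(type)) {
        if (value.equals(e.getValue())) {
            found = true;
            break;
        }
    }
    assertTrue("Expected " + type + " evidence to contain \"" + value + "\".", found);
}
```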
@@ -153,19 +161,25 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
|
||||
assertProductEvidence(result, "libavcodec");
|
||||
assertVersionEvidence(result, "55.18.102");
|
||||
assertFalse("ALIASOF_ prefix shouldn't be present.",
|
||||
Pattern.compile("\\bALIASOF_\\w+").matcher(result.getProductEvidence().toString()).find());
|
||||
Pattern.compile("\\bALIASOF_\\w+").matcher(result.getEvidence(EvidenceType.PRODUCT).toString()).find());
|
||||
final Dependency[] dependencies = engine.getDependencies();
|
||||
assertEquals("Number of additional dependencies should be 4.", 4, dependencies.length);
|
||||
final Dependency last = dependencies[3];
|
||||
assertProductEvidence(last, "libavresample");
|
||||
assertVersionEvidence(last, "1.0.1");
|
||||
}
|
||||
|
||||
|
||||
private void assertVersionEvidence(Dependency result, String version) {
|
||||
assertTrue("Expected version evidence to contain \"" + version + "\".",
|
||||
result.getVersionEvidence().toString().contains(version));
|
||||
boolean found = false;
|
||||
for (Evidence e : result.getEvidence(EvidenceType.VERSION)) {
|
||||
if (version.equals(e.getValue())) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
assertTrue("Expected version evidence to contain \"" + version + "\".", found);
|
||||
}
|
||||
|
||||
|
||||
@Test(expected = InitializationException.class)
|
||||
public void analyzerIsDisabledInCaseOfMissingMessageDigest() throws InitializationException {
|
||||
new MockUp<MessageDigest>() {
|
||||
@@ -174,13 +188,13 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
|
||||
throw new NoSuchAlgorithmException();
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
analyzer = new CMakeAnalyzer();
|
||||
analyzer.setFilesMatched(true);
|
||||
assertTrue(analyzer.isEnabled());
|
||||
analyzer.initializeSettings(getSettings());
|
||||
analyzer.initialize(null);
|
||||
|
||||
|
||||
assertFalse(analyzer.isEnabled());
|
||||
}
|
||||
}
|
||||
|
||||
@@ -34,6 +34,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Identifier;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
*
|
||||
@@ -137,8 +138,14 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
|
||||
fp.analyze(dep, null);
|
||||
|
||||
if (expResult != null) {
|
||||
Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
|
||||
assertTrue("Incorrect match: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().contains(expIdentifier));
|
||||
boolean found = false;
|
||||
for (Identifier i : dep.getIdentifiers()) {
|
||||
if (expResult.equals(i.getValue())) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
assertTrue("Incorrect match: { dep:'" + dep.getFileName() + "' }", found);
|
||||
} else {
|
||||
for (Identifier i : dep.getIdentifiers()) {
|
||||
assertFalse(String.format("%s - found a CPE identifier when should have been none (found '%s')", dep.getFileName(), i.getValue()), "cpe".equals(i.getType()));
|
||||
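Review bot: The loop that replaces `dep.getIdentifiers().contains(expIdentifier)` compares only `i.getValue()` against `expResult`, so it no longer asserts that the matching identifier is of type "cpe" the way the removed `new Identifier("cpe", expResult, expResult)` comparison did; an identifier of another type carrying the same string would now satisfy the test, while the `else` branch a few lines down still filters on `"cpe".equals(i.getType())`. Restoring the type condition keeps the positive and negative paths symmetric: `if ("cpe".equals(i.getType()) && expResult.equals(i.getValue())) {`. The same weakening appears in the struts hunk (`@@ -201,14 +208,20 @@`) and the openssl hunk (`@@ -234,12 +247,19 @@`) of this file.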
@@ -201,14 +208,20 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
|
||||
instance.close();
|
||||
|
||||
String expResult = "cpe:/a:apache:struts:2.1.2";
|
||||
Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
|
||||
|
||||
for (Identifier i : commonValidator.getIdentifiers()) {
|
||||
assertFalse("Apache Common Validator - found a CPE identifier?", "cpe".equals(i.getType()));
|
||||
}
|
||||
|
||||
assertTrue("Incorrect match size - struts", struts.getIdentifiers().size() >= 1);
|
||||
assertTrue("Incorrect match - struts", struts.getIdentifiers().contains(expIdentifier));
|
||||
boolean found = false;
|
||||
for (Identifier i : struts.getIdentifiers()) {
|
||||
if (expResult.equals(i.getValue())) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
assertTrue("Incorrect match - struts", found);
|
||||
assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 1);
|
||||
|
||||
jarAnalyzer.close();
|
||||
@@ -223,9 +236,9 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
|
||||
@Test
|
||||
public void testDetermineIdentifiers() throws Exception {
|
||||
Dependency openssl = new Dependency();
|
||||
openssl.getVendorEvidence().addEvidence("test", "vendor", "openssl", Confidence.HIGHEST);
|
||||
openssl.getProductEvidence().addEvidence("test", "product", "openssl", Confidence.HIGHEST);
|
||||
openssl.getVersionEvidence().addEvidence("test", "version", "1.0.1c", Confidence.HIGHEST);
|
||||
openssl.addEvidence(EvidenceType.VENDOR, "test", "vendor", "openssl", Confidence.HIGHEST);
|
||||
openssl.addEvidence(EvidenceType.PRODUCT, "test", "product", "openssl", Confidence.HIGHEST);
|
||||
openssl.addEvidence(EvidenceType.VERSION, "test", "version", "1.0.1c", Confidence.HIGHEST);
|
||||
|
||||
CPEAnalyzer instance = new CPEAnalyzer();
|
||||
Engine engine = new Engine(getSettings());
|
||||
@@ -234,12 +247,19 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
|
||||
instance.initialize(engine);
|
||||
instance.determineIdentifiers(openssl, "openssl", "openssl", Confidence.HIGHEST);
|
||||
instance.close();
|
||||
engine.close();
|
||||
|
||||
String expResult = "cpe:/a:openssl:openssl:1.0.1c";
|
||||
Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
|
||||
boolean found = false;
|
||||
for (Identifier i : openssl.getIdentifiers()) {
|
||||
if (expResult.equals(i.getValue())) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
assertTrue(openssl.getIdentifiers().contains(expIdentifier));
|
||||
engine.close();
|
||||
assertTrue("OpenSSL identifier not found", found);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -20,7 +20,10 @@ import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
*
|
||||
@@ -51,10 +54,22 @@ public class FalsePositiveAnalyzerTest extends BaseTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of analyze method, of class FalsePositiveAnalyzer.
|
||||
* Test of getAnalyzerEnabledSettingKey method, of class
|
||||
* FalsePositiveAnalyzer.
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyze() throws Exception {
|
||||
public void testGetAnalyzerEnabledSettingKey() {
|
||||
FalsePositiveAnalyzer instance = new FalsePositiveAnalyzer();
|
||||
String expResult = Settings.KEYS.ANALYZER_FALSE_POSITIVE_ENABLED;
|
||||
String result = instance.getAnalyzerEnabledSettingKey();
|
||||
assertEquals(expResult, result);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of analyzeDependency method, of class FalsePositiveAnalyzer.
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyzeDependency() throws Exception {
|
||||
Dependency dependency = new Dependency();
|
||||
dependency.setFileName("pom.xml");
|
||||
dependency.setFilePath("pom.xml");
|
||||
@@ -67,4 +82,27 @@ public class FalsePositiveAnalyzerTest extends BaseTest {
|
||||
assertTrue(before > after);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of removeBadMatches method, of class FalsePositiveAnalyzer.
|
||||
*/
|
||||
@Test
|
||||
public void testRemoveBadMatches() {
|
||||
Dependency dependency = new Dependency();
|
||||
dependency.setFileName("some.jar");
|
||||
dependency.setFilePath("some.jar");
|
||||
dependency.addIdentifier("cpe", "cpe:/a:m-core:m-core", "");
|
||||
|
||||
assertEquals(1, dependency.getIdentifiers().size());
|
||||
|
||||
FalsePositiveAnalyzer instance = new FalsePositiveAnalyzer();
|
||||
instance.removeBadMatches(dependency);
|
||||
|
||||
assertEquals(0, dependency.getIdentifiers().size());
|
||||
dependency.addIdentifier("cpe", "cpe:/a:m-core:m-core", "");
|
||||
dependency.addEvidence(EvidenceType.PRODUCT,"test", "name", "m-core", Confidence.HIGHEST);
|
||||
|
||||
instance.removeBadMatches(dependency);
|
||||
assertEquals(1, dependency.getIdentifiers().size());
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -24,6 +24,7 @@ import static org.junit.Assert.fail;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
|
||||
/**
|
||||
@@ -67,10 +68,10 @@ public class FileNameAnalyzerTest extends BaseTest {
|
||||
Dependency resultAxis = new Dependency(axis);
|
||||
FileNameAnalyzer instance = new FileNameAnalyzer();
|
||||
instance.analyze(resultStruts, null);
|
||||
assertTrue(resultStruts.getVendorEvidence().toString().toLowerCase().contains("struts"));
|
||||
assertTrue(resultStruts.getEvidence(EvidenceType.VENDOR).toString().toLowerCase().contains("struts"));
|
||||
|
||||
instance.analyze(resultAxis, null);
|
||||
assertTrue(resultStruts.getVersionEvidence().toString().toLowerCase().contains("2.1.2"));
|
||||
assertTrue(resultStruts.getEvidence(EvidenceType.VERSION).toString().toLowerCase().contains("2.1.2"));
|
||||
|
||||
}
|
||||
|
||||
|
||||
@@ -28,6 +28,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
@@ -73,10 +74,10 @@ public class HintAnalyzerTest extends BaseDBTestCase {
|
||||
getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
|
||||
getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
|
||||
Engine engine = new Engine(getSettings());
|
||||
|
||||
|
||||
engine.scan(guice);
|
||||
engine.scan(spring);
|
||||
engine.analyzeDependencies();
|
||||
engine.analyzeDependencies();
|
||||
Dependency gdep = null;
|
||||
Dependency sdep = null;
|
||||
for (Dependency d : engine.getDependencies()) {
|
||||
@@ -91,18 +92,16 @@ public class HintAnalyzerTest extends BaseDBTestCase {
|
||||
final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
|
||||
final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
|
||||
final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
|
||||
|
||||
Set<Evidence> evidence = gdep.getEvidence().getEvidence();
|
||||
assertFalse(evidence.contains(springTest1));
|
||||
assertFalse(evidence.contains(springTest2));
|
||||
assertFalse(evidence.contains(springTest3));
|
||||
assertFalse(evidence.contains(springTest4));
|
||||
assertFalse(evidence.contains(springTest5));
|
||||
|
||||
evidence = sdep.getEvidence().getEvidence();
|
||||
assertTrue(evidence.contains(springTest1));
|
||||
assertTrue(evidence.contains(springTest2));
|
||||
assertTrue(evidence.contains(springTest3));
|
||||
|
||||
assertFalse(gdep.contains(EvidenceType.PRODUCT, springTest1));
|
||||
assertFalse(gdep.contains(EvidenceType.VENDOR, springTest2));
|
||||
assertFalse(gdep.contains(EvidenceType.VENDOR, springTest3));
|
||||
assertFalse(gdep.contains(EvidenceType.PRODUCT, springTest4));
|
||||
assertFalse(gdep.contains(EvidenceType.VENDOR, springTest5));
|
||||
|
||||
assertTrue(sdep.contains(EvidenceType.PRODUCT, springTest1));
|
||||
assertTrue(sdep.contains(EvidenceType.VENDOR, springTest2));
|
||||
assertTrue(sdep.contains(EvidenceType.VENDOR, springTest3));
|
||||
//assertTrue(evidence.contains(springTest4));
|
||||
//assertTrue(evidence.contains(springTest5));
|
||||
}
|
||||
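Review bot: The two commented-out lines `//assertTrue(evidence.contains(springTest4));` and `//assertTrue(evidence.contains(springTest5));` that close this method now refer to the local `evidence`, which this hunk removes, so they can no longer be uncommented as they stand. Either delete them or update them to the new form, `//assertTrue(sdep.contains(EvidenceType.PRODUCT, springTest4));` and `//assertTrue(sdep.contains(EvidenceType.VENDOR, springTest5));`, ideally with a short reason why they are disabled. Separately, `springTest3` and `springTest5` are constructed with identical arguments, so the `springTest5` assertions duplicate the `springTest3` ones; that predates this commit but is worth tidying while the block is being rewritten.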
@@ -118,21 +117,21 @@ public class HintAnalyzerTest extends BaseDBTestCase {
|
||||
instance.initializeSettings(getSettings());
|
||||
instance.initialize(null);
|
||||
Dependency d = new Dependency();
|
||||
d.getVersionEvidence().addEvidence("version source", "given version name", "1.2.3", Confidence.HIGH);
|
||||
d.getVersionEvidence().addEvidence("hint analyzer", "remove version name", "value", Confidence.HIGH);
|
||||
d.getVendorEvidence().addEvidence("hint analyzer", "remove vendor name", "vendor", Confidence.HIGH);
|
||||
d.getProductEvidence().addEvidence("hint analyzer", "remove product name", "product", Confidence.HIGH);
|
||||
d.getVersionEvidence().addEvidence("hint analyzer", "other version name", "value", Confidence.HIGH);
|
||||
d.getVendorEvidence().addEvidence("hint analyzer", "other vendor name", "vendor", Confidence.HIGH);
|
||||
d.getProductEvidence().addEvidence("hint analyzer", "other product name", "product", Confidence.HIGH);
|
||||
|
||||
assertEquals("vendor evidence mismatch", 2, d.getVendorEvidence().size());
|
||||
assertEquals("product evidence mismatch", 2, d.getProductEvidence().size());
|
||||
assertEquals("version evidence mismatch", 3, d.getVersionEvidence().size());
|
||||
d.addEvidence(EvidenceType.VERSION, "version source", "given version name", "1.2.3", Confidence.HIGH);
|
||||
d.addEvidence(EvidenceType.VERSION, "hint analyzer", "remove version name", "value", Confidence.HIGH);
|
||||
d.addEvidence(EvidenceType.VENDOR, "hint analyzer", "remove vendor name", "vendor", Confidence.HIGH);
|
||||
d.addEvidence(EvidenceType.PRODUCT, "hint analyzer", "remove product name", "product", Confidence.HIGH);
|
||||
d.addEvidence(EvidenceType.VERSION, "hint analyzer", "other version name", "value", Confidence.HIGH);
|
||||
d.addEvidence(EvidenceType.VENDOR, "hint analyzer", "other vendor name", "vendor", Confidence.HIGH);
|
||||
d.addEvidence(EvidenceType.PRODUCT, "hint analyzer", "other product name", "product", Confidence.HIGH);
|
||||
|
||||
assertEquals("vendor evidence mismatch", 2, d.getEvidence(EvidenceType.VENDOR).size());
|
||||
assertEquals("product evidence mismatch", 2, d.getEvidence(EvidenceType.PRODUCT).size());
|
||||
assertEquals("version evidence mismatch", 3, d.getEvidence(EvidenceType.VERSION).size());
|
||||
instance.analyze(d, null);
|
||||
assertEquals("vendor evidence mismatch", 1, d.getVendorEvidence().size());
|
||||
assertEquals("product evidence mismatch", 1, d.getProductEvidence().size());
|
||||
assertEquals("version evidence mismatch", 2, d.getVersionEvidence().size());
|
||||
|
||||
assertEquals("vendor evidence mismatch", 1, d.getEvidence(EvidenceType.VENDOR).size());
|
||||
assertEquals("product evidence mismatch", 1, d.getEvidence(EvidenceType.PRODUCT).size());
|
||||
assertEquals("version evidence mismatch", 2, d.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -33,6 +33,7 @@ import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* @author Jeremy Long
|
||||
@@ -53,14 +54,14 @@ public class JarAnalyzerTest extends BaseTest {
|
||||
instance.initializeSettings(getSettings());
|
||||
instance.initializeFileTypeAnalyzer(null);
|
||||
instance.analyze(result, null);
|
||||
assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache"));
|
||||
assertTrue(result.getVendorEvidence().getWeighting().contains("apache"));
|
||||
assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().toLowerCase().contains("apache"));
|
||||
assertTrue(result.getVendorWeightings().contains("apache"));
|
||||
|
||||
file = BaseTest.getResourceAsFile(this, "dwr.jar");
|
||||
result = new Dependency(file);
|
||||
instance.analyze(result, null);
|
||||
boolean found = false;
|
||||
for (Evidence e : result.getVendorEvidence()) {
|
||||
for (Evidence e : result.getEvidence(EvidenceType.VENDOR)) {
|
||||
if (e.getName().equals("url")) {
|
||||
assertEquals("Project url was not as expected in dwr.jar", e.getValue(), "http://getahead.ltd.uk/dwr");
|
||||
found = true;
|
||||
@@ -74,7 +75,7 @@ public class JarAnalyzerTest extends BaseTest {
|
||||
result = new Dependency(file);
|
||||
instance.analyze(result, null);
|
||||
found = false;
|
||||
for (Evidence e : result.getProductEvidence()) {
|
||||
for (Evidence e : result.getEvidence(EvidenceType.PRODUCT)) {
|
||||
if (e.getName().equalsIgnoreCase("package-title")
|
||||
&& e.getValue().equalsIgnoreCase("org.mortbay.http")) {
|
||||
found = true;
|
||||
@@ -84,7 +85,7 @@ public class JarAnalyzerTest extends BaseTest {
|
||||
assertTrue("package-title of org.mortbay.http not found in org.mortbay.jetty.jar", found);
|
||||
|
||||
found = false;
|
||||
for (Evidence e : result.getVendorEvidence()) {
|
||||
for (Evidence e : result.getEvidence(EvidenceType.VENDOR)) {
|
||||
if (e.getName().equalsIgnoreCase("implementation-url")
|
||||
&& e.getValue().equalsIgnoreCase("http://jetty.mortbay.org")) {
|
||||
found = true;
|
||||
@@ -94,7 +95,7 @@ public class JarAnalyzerTest extends BaseTest {
|
||||
assertTrue("implementation-url of http://jetty.mortbay.org not found in org.mortbay.jetty.jar", found);
|
||||
|
||||
found = false;
|
||||
for (Evidence e : result.getVersionEvidence()) {
|
||||
for (Evidence e : result.getEvidence(EvidenceType.VERSION)) {
|
||||
if (e.getName().equalsIgnoreCase("Implementation-Version")
|
||||
&& e.getValue().equalsIgnoreCase("4.2.27")) {
|
||||
found = true;
|
||||
@@ -107,7 +108,7 @@ public class JarAnalyzerTest extends BaseTest {
|
||||
file = BaseTest.getResourceAsFile(this, "org.mortbay.jmx.jar");
|
||||
result = new Dependency(file);
|
||||
instance.analyze(result, null);
|
||||
assertEquals("org.mortbar.jmx.jar has version evidence?", result.getVersionEvidence().size(), 0);
|
||||
assertEquals("org.mortbar.jmx.jar has version evidence?", result.getEvidence(EvidenceType.VERSION).size(), 0);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -144,7 +145,7 @@ public class JarAnalyzerTest extends BaseTest {
|
||||
List<JarAnalyzer.ClassNameInformation> cni = new ArrayList<>();
|
||||
instance.parseManifest(result, cni);
|
||||
|
||||
assertTrue(result.getVersionEvidence().getEvidence("manifest: org/apache/xalan/").size() > 0);
|
||||
assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("manifest: org/apache/xalan/"));
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -29,6 +29,7 @@ import java.io.File;
|
||||
import static org.hamcrest.CoreMatchers.containsString;
|
||||
import static org.hamcrest.CoreMatchers.is;
|
||||
import static org.junit.Assert.*;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Unit tests for NodePackageAnalyzer.
|
||||
@@ -95,10 +96,10 @@ public class NodePackageAnalyzerTest extends BaseTest {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
|
||||
"nodejs/node_modules/dns-sync/package.json"));
|
||||
analyzer.analyze(result, null);
|
||||
final String vendorString = result.getVendorEvidence().toString();
|
||||
final String vendorString = result.getEvidence(EvidenceType.VENDOR).toString();
|
||||
assertThat(vendorString, containsString("Sanjeev Koranga"));
|
||||
assertThat(vendorString, containsString("dns-sync_project"));
|
||||
assertThat(result.getProductEvidence().toString(), containsString("dns-sync"));
|
||||
assertThat(result.getVersionEvidence().toString(), containsString("0.1.0"));
|
||||
assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("dns-sync"));
|
||||
assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("0.1.0"));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -11,8 +11,10 @@ import java.io.File;
|
||||
|
||||
import static org.hamcrest.CoreMatchers.is;
|
||||
import static org.junit.Assert.*;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
public class NspAnalyzerTest extends BaseTest {
|
||||
|
||||
private NspAnalyzer analyzer;
|
||||
|
||||
@Before
|
||||
@@ -47,18 +49,19 @@ public class NspAnalyzerTest extends BaseTest {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nsp/package.json"));
|
||||
analyzer.analyze(result, null);
|
||||
|
||||
assertEquals(result.getVendorEvidence().toString(), "owasp-nodejs-goat_project ");
|
||||
assertEquals(result.getProductEvidence().toString(), "A tool to learn OWASP Top 10 for node.js developers owasp-nodejs-goat ");
|
||||
assertEquals(result.getVersionEvidence().toString(), "1.3.0 ");
|
||||
assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("owasp-nodejs-goat_project"));
|
||||
assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("A tool to learn OWASP Top 10 for node.js developers"));
|
||||
assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("1.3.0"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAnalyzeEmpty() throws AnalysisException {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nsp/empty.json"));
|
||||
analyzer.analyze(result, null);
|
||||
|
||||
assertEquals(result.getVendorEvidence().size(), 0);
|
||||
assertEquals(result.getProductEvidence().size(), 0);
|
||||
assertEquals(result.getVersionEvidence().size(), 0);
|
||||
assertEquals(result.getEvidence(EvidenceType.VENDOR).size(), 0);
|
||||
assertEquals(result.getEvidence(EvidenceType.PRODUCT).size(), 0);
|
||||
assertEquals(result.getEvidence(EvidenceType.VERSION).size(), 0);
|
||||
}
|
||||
|
||||
@Test
|
||||
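Review bot: The three new `assertEquals(result.getEvidence(EvidenceType.VENDOR).size(), 0)` calls in `testAnalyzeEmpty` pass the actual value first and the expected value second, so a failure reports "expected:<N> but was:<0>" the wrong way round; JUnit's signature is `assertEquals(expected, actual)`, i.e. `assertEquals(0, result.getEvidence(EvidenceType.VENDOR).size());`. The same inverted order is in the `testAnalyzePackageJsonInNodeModulesDirectory` hunk below, where `assertTrue(result.size() == 0)` would also give a more useful failure message as `assertEquals(0, result.size())`.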
@@ -66,9 +69,9 @@ public class NspAnalyzerTest extends BaseTest {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nsp/bundled.deps.package.json"));
|
||||
analyzer.analyze(result, null);
|
||||
|
||||
assertEquals(result.getVendorEvidence().toString(), "Philipp Dunkel <pip@pipobscure.com> fsevents_project ");
|
||||
assertEquals(result.getProductEvidence().toString(), "Native Access to Mac OS-X FSEvents fsevents ");
|
||||
assertEquals(result.getVersionEvidence().toString(), "1.1.1 ");
|
||||
assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("Philipp Dunkel <pip@pipobscure.com>"));
|
||||
assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("Native Access to Mac OS-X FSEvents"));
|
||||
assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("1.1.1"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -76,20 +79,16 @@ public class NspAnalyzerTest extends BaseTest {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nsp/license.obj.package.json"));
|
||||
analyzer.analyze(result, null);
|
||||
|
||||
assertEquals(result.getVendorEvidence().toString(), "Twitter, Inc. bootstrap_project ");
|
||||
assertEquals(result.getProductEvidence().toString(), "The most popular front-end framework for developing responsive, mobile first projects on the web. bootstrap ");
|
||||
assertEquals(result.getVersionEvidence().toString(), "3.2.0 ");
|
||||
assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("Twitter, Inc."));
|
||||
assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("The most popular front-end framework for developing responsive, mobile first projects on the web"));
|
||||
assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("3.2.0"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAnalyzePackageJsonInNodeModulesDirectory() throws AnalysisException {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nodejs/node_modules/dns-sync/package.json"));
|
||||
analyzer.analyze(result, null);
|
||||
final String vendorString = result.getVendorEvidence().toString();
|
||||
|
||||
// node modules are not scanned
|
||||
assertTrue(vendorString.isEmpty());
|
||||
assertEquals(result.getProductEvidence().size(), 0);
|
||||
assertEquals(result.getVersionEvidence().size(), 0);
|
||||
// node modules are not scanned - no evidence is collected
|
||||
assertTrue(result.size() == 0);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -28,6 +28,7 @@ import java.io.File;
|
||||
|
||||
import static org.hamcrest.CoreMatchers.containsString;
|
||||
import static org.junit.Assert.*;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Unit tests for OpenSSLAnalyzerAnalyzer.
|
||||
@@ -108,8 +109,8 @@ public class OpenSSLAnalyzerTest extends BaseTest {
|
||||
this,
|
||||
"openssl/opensslv.h"));
|
||||
analyzer.analyze(result, null);
|
||||
assertThat(result.getProductEvidence().toString(), containsString("OpenSSL"));
|
||||
assertThat(result.getVendorEvidence().toString(), containsString("OpenSSL"));
|
||||
assertThat(result.getVersionEvidence().toString(), containsString("1.0.2c"));
|
||||
assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("OpenSSL"));
|
||||
assertThat(result.getEvidence(EvidenceType.VENDOR).toString(), containsString("OpenSSL"));
|
||||
assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("1.0.2c"));
|
||||
}
|
||||
}
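Review bot: The new `import org.owasp.dependencycheck.dependency.EvidenceType;` is placed after the `import static` lines, while the file's other regular import (`import java.io.File;`) sits above them; move it up with the non-static imports so the two groups stay separated. The same placement recurs in the other test files touched by this commit. The assertion rewrites themselves are a straight substitution of `getEvidence(EvidenceType.X)` for the old typed getters and look correct.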
|
||||
|
||||
@@ -30,6 +30,7 @@ import java.io.File;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.junit.Assert.fail;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Unit tests for PythonDistributionAnalyzer.
|
||||
@@ -127,8 +128,8 @@ public class PythonDistributionAnalyzerTest extends BaseTest {
|
||||
boolean found = false;
|
||||
analyzer.analyze(result, null);
|
||||
assertTrue("Expected vendor evidence to contain \"djangoproject\".",
|
||||
result.getVendorEvidence().toString().contains("djangoproject"));
|
||||
for (final Evidence e : result.getVersionEvidence()) {
|
||||
result.getEvidence(EvidenceType.VENDOR).toString().contains("djangoproject"));
|
||||
for (final Evidence e : result.getEvidence(EvidenceType.VERSION)) {
|
||||
if ("Version".equals(e.getName()) && "1.7.2".equals(e.getValue())) {
|
||||
found = true;
|
||||
break;
|
||||
@@ -179,8 +180,8 @@ public class PythonDistributionAnalyzerTest extends BaseTest {
|
||||
context, resource));
|
||||
analyzer.analyze(result, null);
|
||||
assertTrue("Expected vendor evidence to contain \"example\".", result
|
||||
.getVendorEvidence().toString().contains("example"));
|
||||
for (final Evidence e : result.getVersionEvidence()) {
|
||||
.getEvidence(EvidenceType.VENDOR).toString().contains("example"));
|
||||
for (final Evidence e : result.getEvidence(EvidenceType.VERSION)) {
|
||||
if ("0.0.1".equals(e.getValue())) {
|
||||
found = true;
|
||||
break;
|
||||
|
||||
@@ -29,6 +29,7 @@ import java.io.File;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Unit tests for PythonPackageAnalyzer.
|
||||
@@ -93,9 +94,9 @@ public class PythonPackageAnalyzerTest extends BaseTest {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "python/eggtest/__init__.py"));
|
||||
analyzer.analyze(result, null);
|
||||
assertTrue("Expected vendor evidence to contain \"example\".", result
|
||||
.getVendorEvidence().toString().contains("example"));
|
||||
for (final Evidence e : result.getVersionEvidence()) {
|
||||
assertTrue("Expected vendor evidence to contain \"example\".",
|
||||
result.getEvidence(EvidenceType.VENDOR).toString().contains("example"));
|
||||
for (final Evidence e : result.getEvidence(EvidenceType.VERSION)) {
|
||||
if ("0.0.1".equals(e.getValue())) {
|
||||
found = true;
|
||||
break;
|
||||
@@ -103,5 +104,4 @@ public class PythonPackageAnalyzerTest extends BaseTest {
|
||||
}
|
||||
assertTrue("Version 0.0.1 not found in EggTest dependency.", found);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -45,6 +45,7 @@ import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertThat;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.junit.Assert.fail;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Unit tests for {@link RubyBundleAuditAnalyzer}.
|
||||
@@ -127,8 +128,8 @@ public class RubyBundleAuditAnalyzerIT extends BaseDBTestCase {
|
||||
assertTrue(size >= 1);
|
||||
boolean found = false;
|
||||
for (Dependency dependency : dependencies) {
|
||||
found = dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet");
|
||||
found &= dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2");
|
||||
found = dependency.getEvidence(EvidenceType.PRODUCT).toString().toLowerCase().contains("redcarpet");
|
||||
found &= dependency.getEvidence(EvidenceType.VERSION).toString().toLowerCase().contains("2.2.2");
|
||||
found &= dependency.getFilePath().endsWith(resource);
|
||||
found &= dependency.getFileName().equals("Gemfile.lock");
|
||||
if (found) {
|
||||
|
||||
@@ -29,6 +29,7 @@ import java.io.File;
|
||||
import static org.hamcrest.CoreMatchers.containsString;
|
||||
import static org.hamcrest.CoreMatchers.is;
|
||||
import static org.junit.Assert.*;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Unit tests for {@link RubyBundlerAnalyzer}.
|
||||
@@ -97,14 +98,14 @@ public class RubyBundlerAnalyzerTest extends BaseTest {
|
||||
"ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/specifications/dalli-2.7.5.gemspec"));
|
||||
analyzer.analyze(result, null);
|
||||
|
||||
final String vendorString = result.getVendorEvidence().toString();
|
||||
final String vendorString = result.getEvidence(EvidenceType.VENDOR).toString();
|
||||
assertThat(vendorString, containsString("Peter M. Goldstein"));
|
||||
assertThat(vendorString, containsString("Mike Perham"));
|
||||
assertThat(vendorString, containsString("peter.m.goldstein@gmail.com"));
|
||||
assertThat(vendorString, containsString("https://github.com/petergoldstein/dalli"));
|
||||
assertThat(vendorString, containsString("MIT"));
|
||||
assertThat(result.getProductEvidence().toString(), containsString("dalli"));
|
||||
assertThat(result.getProductEvidence().toString(), containsString("High performance memcached client for Ruby"));
|
||||
assertThat(result.getVersionEvidence().toString(), containsString("2.7.5"));
|
||||
assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("dalli"));
|
||||
assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("High performance memcached client for Ruby"));
|
||||
assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("2.7.5"));
|
||||
}
|
||||
}
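Review bot: The rewritten assertions still match against `result.getEvidence(...).toString()`, which for a `Set<Evidence>` is the collection's default rendering of each element's `Evidence.toString()`; whether the raw value appears in that string and how it is delimited is now an implementation detail of `Evidence`, so a substring check like `containsString("MIT")` can pass or fail for reasons unrelated to the evidence that was collected, and short tokens such as `"MIT"` can also match incidentally inside other values. A more robust form tests the values themselves, e.g. `assertTrue(result.getEvidence(EvidenceType.VENDOR).stream().anyMatch(e -> "MIT".equals(e.getValue())));` (or an equivalent loop if the module targets pre-8 Java), or a small helper that collects `getValue()` of each `Evidence` into a `Set<String>` that the existing `containsString` assertions are applied to. The `Evidence.getValue()` accessor used for this is already relied on by the Python analyzer tests in this commit.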
|
||||
|
||||
@@ -29,6 +29,7 @@ import java.io.File;
|
||||
import static org.hamcrest.CoreMatchers.containsString;
|
||||
import static org.hamcrest.CoreMatchers.is;
|
||||
import static org.junit.Assert.*;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Unit tests for {@link RubyGemspecAnalyzer}.
|
||||
@@ -96,13 +97,13 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
|
||||
"ruby/vulnerable/gems/specifications/rest-client-1.7.2.gemspec"));
|
||||
analyzer.analyze(result, null);
|
||||
final String vendorString = result.getVendorEvidence().toString();
|
||||
final String vendorString = result.getEvidence(EvidenceType.VENDOR).toString();
|
||||
assertThat(vendorString, containsString("REST Client Team"));
|
||||
assertThat(vendorString, containsString("rest-client_project"));
|
||||
assertThat(vendorString, containsString("rest.client@librelist.com"));
|
||||
assertThat(vendorString, containsString("https://github.com/rest-client/rest-client"));
|
||||
assertThat(result.getProductEvidence().toString(), containsString("rest-client"));
|
||||
assertThat(result.getVersionEvidence().toString(), containsString("1.7.2"));
|
||||
assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("rest-client"));
|
||||
assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("1.7.2"));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -115,6 +116,6 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
|
||||
"ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/gems/pg-0.18.4/Rakefile"));
|
||||
analyzer.analyze(result, null);
|
||||
assertTrue(result.getEvidence().size()>0);
|
||||
assertTrue(result.size()>0);
|
||||
}
|
||||
}
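Review bot: `assertTrue(result.size()>0);` yields no diagnostic when it fails and its spacing differs from the rest of the file; prefer a message and conventional spacing, `assertTrue("expected evidence to be extracted from the pg Rakefile", result.size() > 0);`. The line replaces `result.getEvidence().size()>0`, so it presumably relies on a new `Dependency.size()` that counts evidence across all types; the diff does not show that method, so confirm it is not counting something else (identifiers, for instance) before treating this as equivalent coverage.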
|
||||
|
||||
@@ -12,6 +12,7 @@ import static org.hamcrest.CoreMatchers.is;
|
||||
import static org.junit.Assert.assertThat;
|
||||
|
||||
import java.io.File;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
|
||||
/**
|
||||
* Unit tests for CocoaPodsAnalyzer.
|
||||
@@ -105,13 +106,13 @@ public class SwiftAnalyzersTest extends BaseTest {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
|
||||
"swift/cocoapods/EasyPeasy.podspec"));
|
||||
podsAnalyzer.analyze(result, null);
|
||||
final String vendorString = result.getVendorEvidence().toString();
|
||||
final String vendorString = result.getEvidence(EvidenceType.VENDOR).toString();
|
||||
|
||||
assertThat(vendorString, containsString("Carlos Vidal"));
|
||||
assertThat(vendorString, containsString("https://github.com/nakiostudio/EasyPeasy"));
|
||||
assertThat(vendorString, containsString("MIT"));
|
||||
assertThat(result.getProductEvidence().toString(), containsString("EasyPeasy"));
|
||||
assertThat(result.getVersionEvidence().toString(), containsString("0.2.3"));
|
||||
assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("EasyPeasy"));
|
||||
assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("0.2.3"));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -125,6 +126,6 @@ public class SwiftAnalyzersTest extends BaseTest {
|
||||
"swift/Gloss/Package.swift"));
|
||||
spmAnalyzer.analyze(result, null);
|
||||
|
||||
assertThat(result.getProductEvidence().toString(), containsString("Gloss"));
|
||||
assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("Gloss"));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -22,7 +22,7 @@ import static org.junit.Assert.*;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
@@ -73,40 +73,39 @@ public class VersionFilterAnalyzerTest extends BaseTest {
|
||||
@Test
|
||||
public void testAnalyzeDependency() throws Exception {
|
||||
Dependency dependency = new Dependency();
|
||||
EvidenceCollection versions = dependency.getVersionEvidence();
|
||||
|
||||
versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "util", "version", "33.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
|
||||
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
|
||||
instance.initializeSettings(getSettings());
|
||||
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(3, versions.size());
|
||||
assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("pom", "version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "pom", "version", "1.2.3", Confidence.HIGHEST);
|
||||
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(4, versions.size());
|
||||
assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("file", "version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "file", "version", "1.2.3", Confidence.HIGHEST);
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(2, versions.size());
|
||||
assertEquals(2, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(3, versions.size());
|
||||
assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("nexus", "version", "1.2.3", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "nexus", "version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(4, versions.size());
|
||||
assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("central", "version", "1.2.3", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "central", "version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(5, versions.size());
|
||||
assertEquals(5, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -115,36 +114,35 @@ public class VersionFilterAnalyzerTest extends BaseTest {
|
||||
@Test
|
||||
public void testAnalyzeDependencyFilePom() throws Exception {
|
||||
Dependency dependency = new Dependency();
|
||||
EvidenceCollection versions = dependency.getVersionEvidence();
|
||||
|
||||
versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "util", "version", "33.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
|
||||
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
|
||||
instance.initializeSettings(getSettings());
|
||||
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(3, versions.size());
|
||||
assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("pom", "version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "pom", "version", "1.2.3", Confidence.HIGHEST);
|
||||
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(4, versions.size());
|
||||
assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("file", "version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "file", "version", "1.2.3", Confidence.HIGHEST);
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(2, versions.size());
|
||||
assertEquals(2, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("nexus", "version", "1.2.3", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "nexus", "version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(3, versions.size());
|
||||
assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("central", "version", "1.2.3", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "central", "version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(4, versions.size());
|
||||
assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -153,26 +151,25 @@ public class VersionFilterAnalyzerTest extends BaseTest {
|
||||
@Test
|
||||
public void testAnalyzeDependencyFileManifest() throws Exception {
|
||||
Dependency dependency = new Dependency();
|
||||
EvidenceCollection versions = dependency.getVersionEvidence();
|
||||
|
||||
versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "util", "version", "33.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
|
||||
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
|
||||
instance.initializeSettings(getSettings());
|
||||
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(3, versions.size());
|
||||
assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(4, versions.size());
|
||||
assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("file", "version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "file", "version", "1.2.3", Confidence.HIGHEST);
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(2, versions.size());
|
||||
assertEquals(2, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -181,35 +178,34 @@ public class VersionFilterAnalyzerTest extends BaseTest {
|
||||
@Test
|
||||
public void testAnalyzeDependencyPomManifest() throws Exception {
|
||||
Dependency dependency = new Dependency();
|
||||
EvidenceCollection versions = dependency.getVersionEvidence();
|
||||
|
||||
versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "util", "version", "33.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
|
||||
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
|
||||
instance.initializeSettings(getSettings());
|
||||
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(3, versions.size());
|
||||
assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("pom", "version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "pom", "version", "1.2.3", Confidence.HIGHEST);
|
||||
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(4, versions.size());
|
||||
assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(2, versions.size());
|
||||
assertEquals(2, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("nexus", "version", "1.2.3", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "nexus", "version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(3, versions.size());
|
||||
assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
|
||||
versions.addEvidence("central", "version", "1.2.3", Confidence.HIGHEST);
|
||||
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "central", "version", "1.2.3", Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
|
||||
instance.analyzeDependency(dependency, null);
|
||||
assertEquals(4, versions.size());
|
||||
assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
|
||||
}
|
||||
}
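Review bot: `dependency.getEvidence(EvidenceType.VERSION).size()` is repeated roughly seventeen times across the four tests in this file; a private helper such as `private static int versionCount(Dependency d) { return d.getEvidence(EvidenceType.VERSION).size(); }` would keep each assertion as `assertEquals(3, versionCount(dependency));` and leave the evidence-type constant with a single point of change. Note that the old tests held a live reference to the collection from `getVersionEvidence()`, whereas the new ones re-query the dependency after each `analyzeDependency` call; that is the right shape if `getEvidence` returns a snapshot, which the thread-safety intent of this commit suggests but the diff does not show. Dropping `import org.owasp.dependencycheck.dependency.EvidenceCollection;` is consistent, since the type is no longer referenced here.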
|
||||
|
||||
@@ -203,57 +203,11 @@ public class DependencyTest extends BaseTest {
|
||||
@Test
|
||||
public void testGetEvidence() {
|
||||
Dependency instance = new Dependency();
|
||||
EvidenceCollection result = instance.getEvidence();
|
||||
Set<Evidence> result = instance.getEvidence(EvidenceType.VENDOR);
|
||||
assertNotNull(result);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of getEvidenceUsed method, of class Dependency.
|
||||
*/
|
||||
@Test
|
||||
public void testGetEvidenceUsed() {
|
||||
Dependency instance = new Dependency();
|
||||
String expResult = "used";
|
||||
|
||||
instance.getProductEvidence().addEvidence("used", "used", "used", Confidence.HIGH);
|
||||
instance.getProductEvidence().addEvidence("not", "not", "not", Confidence.MEDIUM);
|
||||
for (Evidence e : instance.getProductEvidence().iterator(Confidence.HIGH)) {
|
||||
e.getValue();
|
||||
}
|
||||
|
||||
EvidenceCollection result = instance.getEvidenceUsed();
|
||||
|
||||
assertEquals(1, result.size());
|
||||
assertTrue(result.containsUsedString(expResult));
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of getVendorEvidence method, of class Dependency.
|
||||
*/
|
||||
@Test
|
||||
public void testGetVendorEvidence() {
|
||||
Dependency instance = new Dependency();
|
||||
EvidenceCollection result = instance.getVendorEvidence();
|
||||
result = instance.getEvidence(EvidenceType.PRODUCT);
|
||||
assertNotNull(result);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of getProductEvidence method, of class Dependency.
|
||||
*/
|
||||
@Test
|
||||
public void testGetProductEvidence() {
|
||||
Dependency instance = new Dependency();
|
||||
EvidenceCollection result = instance.getProductEvidence();
|
||||
assertNotNull(result);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of getVersionEvidence method, of class Dependency.
|
||||
*/
|
||||
@Test
|
||||
public void testGetVersionEvidence() {
|
||||
Dependency instance = new Dependency();
|
||||
EvidenceCollection result = instance.getVersionEvidence();
|
||||
result = instance.getEvidence(EvidenceType.VERSION);
|
||||
assertNotNull(result);
|
||||
}
|
||||
|
||||
@@ -265,10 +219,8 @@ public class DependencyTest extends BaseTest {
|
||||
Dependency instance = new Dependency();
|
||||
MavenArtifact mavenArtifact = new MavenArtifact("group", "artifact", "version", "url");
|
||||
instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH);
|
||||
assertTrue(instance.getEvidence().contains(Confidence.HIGH));
|
||||
assertFalse(instance.getEvidence().getEvidence("pom", "groupid").isEmpty());
|
||||
assertFalse(instance.getEvidence().getEvidence("pom", "artifactid").isEmpty());
|
||||
assertFalse(instance.getEvidence().getEvidence("pom", "version").isEmpty());
|
||||
assertTrue(instance.contains(EvidenceType.VENDOR, Confidence.HIGH));
|
||||
assertTrue(instance.size()>1);
|
||||
assertFalse(instance.getIdentifiers().isEmpty());
|
||||
}
|
||||
|
||||
@@ -280,10 +232,8 @@ public class DependencyTest extends BaseTest {
|
||||
Dependency instance = new Dependency();
|
||||
MavenArtifact mavenArtifact = new MavenArtifact(null, null, null, null);
|
||||
instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH);
|
||||
assertFalse(instance.getEvidence().contains(Confidence.HIGH));
|
||||
assertTrue(instance.getEvidence().getEvidence("pom", "groupid").isEmpty());
|
||||
assertTrue(instance.getEvidence().getEvidence("pom", "artifactid").isEmpty());
|
||||
assertTrue(instance.getEvidence().getEvidence("pom", "version").isEmpty());
|
||||
assertFalse(instance.getEvidence(EvidenceType.VENDOR).contains(Confidence.HIGH));
|
||||
assertTrue(instance.size()==0);
|
||||
assertTrue(instance.getIdentifiers().isEmpty());
|
||||
}
|
||||
}
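Review bot: In the last hunk, `assertFalse(instance.getEvidence(EvidenceType.VENDOR).contains(Confidence.HIGH));` is vacuous: `getEvidence(...)` returns a `Set<Evidence>` (see the `Set<Evidence> result` declaration in the first hunk), so `contains(Confidence.HIGH)` is `Collection.contains(Object)` called with an unrelated type and is always false no matter what evidence was added, unless the returned set overrides `contains`; Error Prone flags exactly this as an incompatible-type collection lookup. The positive counterpart in the previous hunk already uses the right call, so the negative case should mirror it: `assertFalse(instance.contains(EvidenceType.VENDOR, Confidence.HIGH));`. Separately, that positive test collapsed the three per-field checks on groupid, artifactid and version into `instance.size()>1`; adding `assertTrue(instance.contains(EvidenceType.PRODUCT, Confidence.HIGH));` and the same for `EvidenceType.VERSION` would preserve the coverage that artifactId and version are actually recorded. `testGetEvidenceUsed` is deleted without a replacement; if `getEvidenceUsed()` still exists on `Dependency`, it is now untested.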
|
||||
|
||||