diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java index 8b85f3a61..d03c064ac 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java @@ -47,6 +47,7 @@ import javax.annotation.concurrent.ThreadSafe; import javax.xml.parsers.ParserConfigurationException; import org.owasp.dependencycheck.exception.InitializationException; import org.apache.commons.lang3.SystemUtils; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.utils.XmlUtils; /** @@ -170,20 +171,17 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { final String version = xpath.evaluate("/assembly/version", doc); if (version != null) { - dependency.getVersionEvidence().addEvidence(new Evidence("grokassembly", "version", - version, Confidence.HIGHEST)); + dependency.addEvidence(EvidenceType.VERSION, "grokassembly", "version", version, Confidence.HIGHEST); } final String vendor = xpath.evaluate("/assembly/company", doc); if (vendor != null) { - dependency.getVendorEvidence().addEvidence(new Evidence("grokassembly", "vendor", - vendor, Confidence.HIGH)); + dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "vendor", vendor, Confidence.HIGH); } final String product = xpath.evaluate("/assembly/product", doc); if (product != null) { - dependency.getProductEvidence().addEvidence(new Evidence("grokassembly", "product", - product, Confidence.HIGH)); + dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "product", product, Confidence.HIGH); } } catch (ParserConfigurationException pce) { 
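Review bot: The `if (version != null)` guards kept around the three new `addEvidence` calls never reject anything, because `XPath.evaluate(String, Object)` returns the empty string rather than null when the expression matches no node, so a grokassembly result with no version, company or product element records empty-string evidence at HIGHEST/HIGH confidence. Since the lines are being rewritten anyway, tighten each guard to `if (version != null && !version.isEmpty()) {` (and likewise for `vendor` and `product`). The enclosing method starts and ends outside this hunk.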
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
index 91faf1378..788745acb 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
@@ -22,7 +22,6 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.UrlStringUtils;
@@ -33,6 +32,7 @@ import java.io.IOException;
 import java.nio.charset.Charset;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
@@ -168,8 +168,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
 final String contents = getFileContents(actualFile);
 if (!contents.isEmpty()) {
 if (isOutputScript) {
- extractConfigureScriptEvidence(dependency, name,
- contents);
+ extractConfigureScriptEvidence(dependency, name, contents);
 } else {
 gatherEvidence(dependency, name, contents);
 }
@@ -195,17 +194,13 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
 final String value = matcher.group(2);
 if (!value.isEmpty()) {
 if (variable.endsWith("NAME")) {
- dependency.getProductEvidence().addEvidence(name, variable,
- value, Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.PRODUCT, name, variable, value, Confidence.HIGHEST);
 } else if ("VERSION".equals(variable)) {
- dependency.getVersionEvidence().addEvidence(name, variable,
- value, Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, name, variable, value, Confidence.HIGHEST);
 } else if ("BUGREPORT".equals(variable)) {
- dependency.getVendorEvidence().addEvidence(name, variable,
- value, Confidence.HIGH);
+ dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);
 } else if ("URL".equals(variable)) {
- dependency.getVendorEvidence().addEvidence(name, variable,
- value, Confidence.HIGH);
+ dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);
 }
 }
 }
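Review bot: After the rewrite the `"BUGREPORT"` and `"URL"` branches of the `else if` chain have byte-identical bodies, so they can be folded into one: `} else if ("BUGREPORT".equals(variable) || "URL".equals(variable)) {` followed by the single `dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);`. That keeps the chain to three cases and makes it obvious that both variables feed vendor evidence. The enclosing method begins and ends outside this hunk.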
@@ -239,27 +234,19 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
 String contents) {
 final Matcher matcher = AC_INIT_PATTERN.matcher(contents);
 if (matcher.find()) {
- final EvidenceCollection productEvidence = dependency
- .getProductEvidence();
- productEvidence.addEvidence(name, "Package", matcher.group(1),
- Confidence.HIGHEST);
- dependency.getVersionEvidence().addEvidence(name,
- "Package Version", matcher.group(2), Confidence.HIGHEST);
- final EvidenceCollection vendorEvidence = dependency
- .getVendorEvidence();
+ dependency.addEvidence(EvidenceType.PRODUCT, name, "Package", matcher.group(1), Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, name, "Package Version", matcher.group(2), Confidence.HIGHEST);
+
 if (null != matcher.group(3)) {
- vendorEvidence.addEvidence(name, "Bug report address",
- matcher.group(4), Confidence.HIGH);
+ dependency.addEvidence(EvidenceType.VENDOR, name, "Bug report address", matcher.group(4), Confidence.HIGH);
 }
 if (null != matcher.group(5)) {
- productEvidence.addEvidence(name, "Tarname", matcher.group(6),
- Confidence.HIGH);
+ dependency.addEvidence(EvidenceType.PRODUCT, name, "Tarname", matcher.group(6), Confidence.HIGH);
 }
 if (null != matcher.group(7)) {
 final String url = matcher.group(8);
 if (UrlStringUtils.isUrl(url)) {
- vendorEvidence.addEvidence(name, "URL", url,
- Confidence.HIGH);
+ dependency.addEvidence(EvidenceType.VENDOR, name, "URL", url, Confidence.HIGH);
 }
 }
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
index 1e6804cc0..a74525d6a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
@@ -38,6 +38,7 @@ import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
@@ -172,8 +173,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 m.groupCount(), m.group(0)));
 final String group = m.group(1);
 LOGGER.debug("Group 1: {}", group);
- dependency.getProductEvidence().addEvidence(name, "Project",
- group, Confidence.HIGH);
+ dependency.addEvidence(EvidenceType.PRODUCT, name, "Project", group, Confidence.HIGH);
+ dependency.addEvidence(EvidenceType.VENDOR, name, "Project", group, Confidence.HIGH);
 }
 LOGGER.debug("Found {} matches.", count);
 analyzeSetVersionCommand(dependency, engine, contents);
@@ -227,10 +228,9 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 engine.addDependency(currentDep);
 }
 final String source = currentDep.getDisplayFileName();
- currentDep.getProductEvidence().addEvidence(source, "Product",
- product, Confidence.MEDIUM);
- currentDep.getVersionEvidence().addEvidence(source, "Version",
- version, Confidence.MEDIUM);
+ currentDep.addEvidence(EvidenceType.PRODUCT, source, "Product", product, Confidence.MEDIUM);
+ currentDep.addEvidence(EvidenceType.VENDOR, source, "Vendor", product, Confidence.MEDIUM);
+ currentDep.addEvidence(EvidenceType.VERSION, source, "Version", version, Confidence.MEDIUM);
 }
 LOGGER.debug("Found {} matches.", count);
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
index 73179254d..6c51ab408 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
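Review bot: The two new VENDOR evidence lines label the same kind of value inconsistently: the first code hunk records the vendor derived from the project name under the evidence name `"Project"`, while the second hunk records the vendor derived from `product` under `"Vendor"`. Either label works, but the two paths should agree, e.g. `currentDep.addEvidence(EvidenceType.VENDOR, source, "Product", product, Confidence.MEDIUM);` so that the evidence name says where the value came from in both places. Both enclosing methods start and end outside their hunks.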
@@ -47,7 +47,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
-import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.exception.InitializationException;
@@ -157,17 +157,17 @@ public class CPEAnalyzer extends AbstractAnalyzer {
 * usually occurs when the database is in use by another process.
 */
 public void open(CveDB cve) throws IOException, DatabaseException {
- this.cve = cve;
- this.cpe = CpeMemoryIndex.getInstance();
- try {
- final long creationStart = System.currentTimeMillis();
- cpe.open(cve);
- final long creationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - creationStart);
- LOGGER.info("Created CPE Index ({} seconds)", creationSeconds);
- } catch (IndexException ex) {
- LOGGER.debug("IndexException", ex);
- throw new DatabaseException(ex);
- }
+ this.cve = cve;
+ this.cpe = CpeMemoryIndex.getInstance();
+ try {
+ final long creationStart = System.currentTimeMillis();
+ cpe.open(cve);
+ final long creationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - creationStart);
+ LOGGER.info("Created CPE Index ({} seconds)", creationSeconds);
+ } catch (IndexException ex) {
+ LOGGER.debug("IndexException", ex);
+ throw new DatabaseException(ex);
+ }
 }
 
 /**
@@ -195,17 +195,17 @@ public class CPEAnalyzer extends AbstractAnalyzer {
 String vendors = "";
 String products = "";
 for (Confidence confidence : Confidence.values()) {
- if (dependency.getVendorEvidence().contains(confidence)) {
- vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
+ if (dependency.contains(EvidenceType.VENDOR, confidence)) {
+ vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getIterator(EvidenceType.VENDOR, confidence));
 LOGGER.debug("vendor search: {}", vendors);
 }
- if (dependency.getProductEvidence().contains(confidence)) {
- products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
+ if (dependency.contains(EvidenceType.PRODUCT, confidence)) {
+ products = addEvidenceWithoutDuplicateTerms(products, dependency.getIterator(EvidenceType.PRODUCT, confidence));
 LOGGER.debug("product search: {}", products);
 }
 if (!vendors.isEmpty() && !products.isEmpty()) {
- final List entries = searchCPE(vendors, products, dependency.getVendorEvidence().getWeighting(),
- dependency.getProductEvidence().getWeighting());
+ final List entries = searchCPE(vendors, products, dependency.getVendorWeightings(),
+ dependency.getProductWeightings());
 if (entries == null) {
 continue;
 }
@@ -232,26 +232,24 @@ public class CPEAnalyzer extends AbstractAnalyzer {
 * attempts to prevent duplicate terms from being added. Note, if
 * the evidence is longer then 200 characters it will be truncated.
 *
- * @param text the base text.
- * @param ec an EvidenceCollection
- * @param confidenceFilter a Confidence level to filter the evidence by.
+ * @param text the base text
+ * @param evidence an iterable set of evidence to concatenate
 * @return the new evidence text
 */
- private String addEvidenceWithoutDuplicateTerms(final String text, final EvidenceCollection ec, Confidence confidenceFilter) {
+ private String addEvidenceWithoutDuplicateTerms(final String text, final Iterable evidence) {
 final String txt = (text == null) ? "" : text;
- final StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size()));
+ final StringBuilder sb = new StringBuilder();
 sb.append(' ').append(txt).append(' ');
- for (Evidence e : ec.iterator(confidenceFilter)) {
+ for (Evidence e : evidence) {
 String value = e.getValue();
-
- //hack to get around the fact that lucene does a really good job of recognizing domains and not
- // splitting them. TODO - put together a better lucene analyzer specific to the domain.
- if (value.startsWith("http://")) {
- value = value.substring(7).replaceAll("\\.", " ");
- }
- if (value.startsWith("https://")) {
- value = value.substring(8).replaceAll("\\.", " ");
- }
+ //removed as the URLTokenizingFilter was created
+ //hack to get around the fact that lucene does a really good job of recognizing domains and not splitting them.
+// if (value.startsWith("http://")) {
+// value = value.substring(7).replaceAll("\\.", " ");
+// }
+// if (value.startsWith("https://")) {
+// value = value.substring(8).replaceAll("\\.", " ");
+// }
 if (sb.indexOf(" " + value + " ") < 0) {
 sb.append(value).append(' ');
 }
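Review bot: The rewrite of `addEvidenceWithoutDuplicateTerms` leaves the old http/https stripping behind as six commented-out code lines (`// if (value.startsWith("http://")) {` through the final `// }`), which should be deleted rather than kept — version control already preserves them and dead code in comments tends to be resurrected by accident. Keep the one-line explanation `//removed as the URLTokenizingFilter was created` (and the "hack" sentence if it still helps) and drop the six `//` code lines. Separately, `new StringBuilder()` discards the capacity hint the old `ec.size()`-based constructor gave; `new StringBuilder(txt.length() + 2)` at least covers the text appended on the next line. The generics on `Iterable` look stripped by rendering, so I have not flagged the parameter type; the method body continues past the end of this hunk.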
@@ -444,8 +442,8 @@ public class CPEAnalyzer extends AbstractAnalyzer { //TODO - does this nullify some of the fuzzy matching that happens in the lucene search? // for instance CPE some-component and in the evidence we have SomeComponent. - if (collectionContainsString(dependency.getProductEvidence(), entry.getProduct()) - && collectionContainsString(dependency.getVendorEvidence(), entry.getVendor())) { + if (collectionContainsString(dependency.getEvidence(EvidenceType.PRODUCT), entry.getProduct()) + && collectionContainsString(dependency.getEvidence(EvidenceType.VENDOR), entry.getVendor())) { //&& collectionContainsVersion(dependency.getVersionEvidence(), entry.getVersion()) isValid = true; } @@ -455,11 +453,11 @@ public class CPEAnalyzer extends AbstractAnalyzer { /** * Used to determine if the EvidenceCollection contains a specific string. * - * @param ec an EvidenceCollection + * @param evidence an of evidence object to check * @param text the text to search for * @return whether or not the EvidenceCollection contains the string */ - private boolean collectionContainsString(EvidenceCollection ec, String text) { + private boolean collectionContainsString(Set evidence, String text) { //TODO - likely need to change the split... not sure if this will work for CPE with special chars if (text == null) { return false; @@ -496,11 +494,24 @@ public class CPEAnalyzer extends AbstractAnalyzer { if (list.isEmpty()) { return false; } - boolean contains = true; + boolean isValid = true; for (String word : list) { - contains &= ec.containsUsedString(word); + boolean found = false; + for (Evidence e : evidence) { + if (e.getValue().toLowerCase().contains(word.toLowerCase())) { + if ("http".equals(word)&& e.getValue().contains("http:")) { + continue; + } + found = true; + break; + } + } + isValid &= found; + if (!isValid) { + break; + } } - return contains; + return isValid; } /** 
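Review bot: The new inner loop in `collectionContainsString` lowercases with the default locale (`e.getValue().toLowerCase().contains(word.toLowerCase())`), so on a Turkish-locale JVM an evidence value such as `IBM` lowercases to a dotless-i form and fails to match a CPE `ibm`; use `Locale.ROOT` on both sides, which also lets the lowercased `word` be hoisted out of the inner loop instead of being recomputed for every evidence entry, and the `"http".equals(word)&& ...` line is missing the spaces around `&&`. Note also that the semantics moved from the old `ec.containsUsedString(word)` to a case-insensitive substring test over every evidence entry of the type, which presumably admits more CPE candidates than before — worth confirming that is intended. The method's signature is in the preceding hunk, and `java.util.Locale` would need importing.
```java
for (String word : list) {
    final String needle = word.toLowerCase(Locale.ROOT);
    boolean found = false;
    for (Evidence e : evidence) {
        final String value = e.getValue();
        if (value.toLowerCase(Locale.ROOT).contains(needle)) {
            if ("http".equals(word) && value.contains("http:")) {
                continue;
            }
            found = true;
            break;
        }
    }
    // … unchanged: isValid &= found; early break …
}
```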
@@ -556,7 +567,7 @@ public class CPEAnalyzer extends AbstractAnalyzer { // if there lower confidence evidence when the current (highest) version number // is newer then anything in the NVD. for (Confidence conf : Confidence.values()) { - for (Evidence evidence : dependency.getVersionEvidence().iterator(conf)) { + for (Evidence evidence : dependency.getIterator(EvidenceType.VERSION, conf)) { final DependencyVersion evVer = DependencyVersionUtil.parseVersion(evidence.getValue()); if (evVer == null) { continue; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java index 8efb36581..4583486c6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java @@ -37,6 +37,7 @@ import java.net.MalformedURLException; import java.net.URL; import java.util.List; import javax.annotation.concurrent.ThreadSafe; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.exception.InitializationException; import org.owasp.dependencycheck.utils.DownloadFailedException; import org.owasp.dependencycheck.utils.Downloader; @@ -217,7 +218,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma, dependency.getFileName()); dependency.addAsEvidence("central", ma, confidence); boolean pomAnalyzed = false; - for (Evidence e : dependency.getVendorEvidence()) { + for (Evidence e : dependency.getEvidence(EvidenceType.VENDOR)) { if ("pom".equals(e.getSource())) { pomAnalyzed = true; break; 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java index fa84725a1..847a758a0 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java @@ -30,7 +30,7 @@ import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.dependency.EvidenceCollection; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.Settings; 
@@ -136,21 +136,34 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { contents = contents.substring(matcher.end()); final String blockVariable = matcher.group(1); - final EvidenceCollection vendor = dependency.getVendorEvidence(); - final EvidenceCollection product = dependency.getProductEvidence(); - final EvidenceCollection version = dependency.getVersionEvidence(); - - final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST); + final String name = determineEvidence(contents, blockVariable, "name"); if (!name.isEmpty()) { - vendor.addEvidence(PODSPEC, "name_project", name, Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "name_project", name, Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "name_project", name, Confidence.HIGHEST); + } + String summary = determineEvidence(contents, blockVariable, "summary"); + if (!summary.isEmpty()) { + dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "summary", summary, Confidence.HIGHEST); } - addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.HIGHEST); - addStringEvidence(vendor, contents, blockVariable, "author", "authors?", Confidence.HIGHEST); - addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST); - addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST); + String author = determineEvidence(contents, blockVariable, "authors?"); + if (!author.isEmpty()) { + dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "author", author, Confidence.HIGHEST); + } + String homepage = determineEvidence(contents, blockVariable, "homepage"); + if (!homepage.isEmpty()) { + dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "homepage", homepage, Confidence.HIGHEST); + } + String license = determineEvidence(contents, blockVariable, "licen[cs]es?"); + if (!license.isEmpty()) { + 
dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "license", license, Confidence.HIGHEST); + } + + String version = determineEvidence(contents, blockVariable, "version"); + if (!version.isEmpty()) { + dependency.addEvidence(EvidenceType.VERSION, PODSPEC, "version", version, Confidence.HIGHEST); + } - addStringEvidence(version, contents, blockVariable, "version", "version", Confidence.HIGHEST); } setPackagePath(dependency); @@ -160,16 +173,12 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { * Extracts evidence from the contents and adds it to the given evidence * collection. * - * @param evidences the evidence collection to update * @param contents the text to extract evidence from * @param blockVariable the block variable within the content to search for - * @param field the name of the field being searched for * @param fieldPattern the field pattern within the contents to search for - * @param confidence the confidence level of the evidence if found - * @return the string that was added as evidence + * @return the evidence */ - private String addStringEvidence(EvidenceCollection evidences, String contents, - String blockVariable, String field, String fieldPattern, Confidence confidence) { + private String determineEvidence(String contents, String blockVariable, String fieldPattern) { String value = ""; //capture array value between [ ] @@ -186,9 +195,6 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { value = matcher.group(2); } } - if (value.length() > 0) { - evidences.addEvidence(PODSPEC, field, value, confidence); - } return value; } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java index 207a58d96..92729cece 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java 
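Review bot: The new locals `summary`, `author`, `homepage`, `license` and `version` are declared without `final`, while `name` two lines above them is `final String name`; declare them the same way so the block reads uniformly. Also, the product evidence for the pod name is now recorded under the evidence name `"name_project"`, whereas the removed `addStringEvidence(product, contents, blockVariable, "name", "name", ...)` call recorded it as `"name"`, so anything keyed on that evidence name may see a change — if that is unintended, use `dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "name", name, Confidence.HIGHEST);` for the product entry. The enclosing method begins outside this hunk.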
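Review bot: The Javadoc on the renamed `determineEvidence` still opens with "Extracts evidence from the contents and adds it to the given evidence collection", but this hunk removes the collection parameter and the following hunk removes the `addEvidence` call, so the method now only returns the matched value. Change the summary to `* Extracts the value of the given field from the contents; the caller records it as evidence.` and replace `@return the evidence` with `@return the extracted value, or an empty string when the field is not found`, which is what the `String value = ""` initialiser and the `return value` in the next hunk give. The method body continues past the end of this hunk.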
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
@@ -37,6 +37,7 @@ import java.io.IOException;
 import java.nio.charset.Charset;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 
 /**
 * Used to analyze a composer.lock file for a composer PHP app.
@@ -113,9 +114,9 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 final MessageDigest sha1 = getSha1MessageDigest();
 d.setFilePath(filePath);
 d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
- d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
- d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
- d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
+ d.addEvidence(EvidenceType.VENDOR, COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
+ d.addEvidence(EvidenceType.PRODUCT, COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
+ d.addEvidence(EvidenceType.VERSION, COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
 LOGGER.info("Adding dependency {}", d);
 engine.addDependency(d);
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
index 398d22da8..341856649 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
@@ -21,6 +21,8 @@ import java.io.File;
 import java.util.Iterator;
 import java.util.Set;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -120,10 +122,16 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz
 private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set dependenciesToRemove) {
 LOGGER.debug("Merging '{}' into '{}'", relatedDependency.getFilePath(), dependency.getFilePath());
 dependency.addRelatedDependency(relatedDependency);
- dependency.getVendorEvidence().getEvidence().addAll(relatedDependency.getVendorEvidence().getEvidence());
- dependency.getProductEvidence().getEvidence().addAll(relatedDependency.getProductEvidence().getEvidence());
- dependency.getVersionEvidence().getEvidence().addAll(relatedDependency.getVersionEvidence().getEvidence());
-
+ for (Evidence e : relatedDependency.getEvidence(EvidenceType.VENDOR)) {
+ dependency.addEvidence(EvidenceType.VENDOR, e);
+ }
+ for (Evidence e : relatedDependency.getEvidence(EvidenceType.PRODUCT)) {
+ dependency.addEvidence(EvidenceType.PRODUCT, e);
+ }
+ for (Evidence e : relatedDependency.getEvidence(EvidenceType.VERSION)) {
+ dependency.addEvidence(EvidenceType.VERSION, e);
+ }
+
 final Iterator i = relatedDependency.getRelatedDependencies().iterator();
 while (i.hasNext()) {
 dependency.addRelatedDependency(i.next());
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
index fb73251fb..f71d95ae7 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
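Review bot: The three copy loops added to `mergeDependencies` differ only in the `EvidenceType` constant, so a single loop over the enum reads better and will not silently skip a type that is added to `EvidenceType` later. If the enum carries constants beyond VENDOR, PRODUCT and VERSION that must not be merged, keep the explicit list and say so in a comment instead. `mergeDependencies` continues past the end of this hunk.
```java
for (EvidenceType type : EvidenceType.values()) {
    for (Evidence e : relatedDependency.getEvidence(type)) {
        dependency.addEvidence(type, e);
    }
}
```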
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java @@ -32,6 +32,8 @@ import javax.annotation.concurrent.ThreadSafe; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.Evidence; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.dependency.VulnerableSoftware; import org.owasp.dependencycheck.utils.FileFilterBuilder; @@ -157,7 +159,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { } } } - if (mustContain != null) { + if (mustContain != null) { final Iterator itr = dependency.getIdentifiers().iterator(); while (itr.hasNext()) { final Identifier i = itr.next(); @@ -287,7 +289,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { * * @param dependency the dependency to analyze */ - private void removeBadMatches(Dependency dependency) { + protected void removeBadMatches(Dependency dependency) { final Set identifiers = dependency.getIdentifiers(); final Iterator itr = identifiers.iterator(); 
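Review bot: `removeBadMatches` is widened from `private` to `protected` while its Javadoc is left unchanged, so a reader cannot tell whether subclasses are meant to override it or whether the change exists only to give tests access. Add a sentence stating the intent, for example `* Protected to allow direct invocation from tests; not designed for overriding.` if that is the reason, or the extension contract if subclasses are expected to replace it. The preceding hunk in this file is whitespace only, and the method body continues past the end of this hunk.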
@@ -346,9 +348,25 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { } else if (i.getValue().startsWith("cpe:/a:apache:maven") && !dependency.getFileName().toLowerCase().matches("maven-core-[\\d\\.]+\\.jar")) { itr.remove(); - } else if (i.getValue().startsWith("cpe:/a:m-core:m-core") - && !dependency.getEvidenceUsed().containsUsedString("m-core")) { - itr.remove(); + } else if (i.getValue().startsWith("cpe:/a:m-core:m-core")) { + boolean found = false; + for (Evidence e : dependency.getEvidence(EvidenceType.PRODUCT)) { + if ("m-core".equalsIgnoreCase(e.getValue())) { + found = true; + break; + } + } + if (!found) { + for (Evidence e : dependency.getEvidence(EvidenceType.VENDOR)) { + if ("m-core".equalsIgnoreCase(e.getValue())) { + found = true; + break; + } + } + } + if (!found) { + itr.remove(); + } } else if (i.getValue().startsWith("cpe:/a:jboss:jboss") && !dependency.getFileName().toLowerCase().matches("jboss-?[\\d\\.-]+(GA)?\\.jar")) { itr.remove(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java index 999adc9c7..1a311d21f 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java @@ -26,6 +26,7 @@ import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.utils.DependencyVersion; import org.owasp.dependencycheck.utils.DependencyVersionUtil; import org.owasp.dependencycheck.utils.Settings; 
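Review bot: The new m-core branch runs the same "does any evidence equal m-core" scan twice, once over PRODUCT and once over VENDOR, inline inside an already long `else if` chain; a small private helper keeps the chain one line per rule like its neighbours. Note also that the test moved from the old `getEvidenceUsed().containsUsedString("m-core")` to an exact `equalsIgnoreCase` over all product and vendor evidence, so if the old call was a substring match a value such as `m-core-1.0` that matched before no longer does — please confirm that is intended. `removeBadMatches` starts before this hunk.
```java
} else if (i.getValue().startsWith("cpe:/a:m-core:m-core")) {
    if (!hasEvidenceValue(dependency, EvidenceType.PRODUCT, "m-core")
            && !hasEvidenceValue(dependency, EvidenceType.VENDOR, "m-core")) {
        itr.remove();
    }
// … unchanged: remaining else-if branches …

/** Returns true when any evidence of the given type equals value, ignoring case. */
private static boolean hasEvidenceValue(Dependency dependency, EvidenceType type, String value) {
    for (Evidence e : dependency.getEvidence(type)) {
        if (value.equalsIgnoreCase(e.getValue())) {
            return true;
        }
    }
    return false;
}
```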
@@ -113,21 +114,16 @@ public class FileNameAnalyzer extends AbstractAnalyzer { // a shade. This should hopefully correct for cases like log4j.jar or // struts2-core.jar if (version.getVersionParts() == null || version.getVersionParts().size() < 2) { - dependency.getVersionEvidence().addEvidence("file", "version", - version.toString(), Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.VERSION, "file", "version",version.toString(), Confidence.MEDIUM); } else { - dependency.getVersionEvidence().addEvidence("file", "version", - version.toString(), Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VERSION, "file", "version", version.toString(), Confidence.HIGHEST); } - dependency.getVersionEvidence().addEvidence("file", "name", - packageName, Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.VERSION, "file", "name", packageName, Confidence.MEDIUM); } if (!IGNORED_FILES.accept(f)) { - dependency.getProductEvidence().addEvidence("file", "name", - packageName, Confidence.HIGH); - dependency.getVendorEvidence().addEvidence("file", "name", - packageName, Confidence.HIGH); + dependency.addEvidence(EvidenceType.PRODUCT, "file", "name", packageName, Confidence.HIGH); + dependency.addEvidence(EvidenceType.VENDOR, "file", "name", packageName, Confidence.HIGH); } } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java index ca8d0fdfc..71bd4d59a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java 
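Review bot: The first rewritten line is missing the space after the comma in `"version",version.toString()`, unlike the other four `addEvidence` calls in the hunk. Reformat it as `dependency.addEvidence(EvidenceType.VERSION, "file", "version", version.toString(), Confidence.MEDIUM);` so a formatter pass does not produce an unrelated diff later. The enclosing method starts and ends outside this hunk.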
@@ -27,11 +27,11 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.regex.Pattern;
 import javax.annotation.concurrent.ThreadSafe;
-import org.apache.commons.lang.ArrayUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.xml.suppression.PropertyType;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
@@ -141,14 +141,14 @@ public class HintAnalyzer extends AbstractAnalyzer {
 for (HintRule hint : hints) {
 boolean matchFound = false;
 for (Evidence given : hint.getGivenVendor()) {
- if (dependency.getVendorEvidence().getEvidence().contains(given)) {
+ if (dependency.contains(EvidenceType.VENDOR, given)) {
 matchFound = true;
 break;
 }
 }
 if (!matchFound) {
 for (Evidence given : hint.getGivenProduct()) {
- if (dependency.getProductEvidence().getEvidence().contains(given)) {
+ if (dependency.contains(EvidenceType.PRODUCT, given)) {
 matchFound = true;
 break;
 }
@@ -156,7 +156,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
 }
 if (!matchFound) {
 for (Evidence given : hint.getGivenVersion()) {
- if (dependency.getVersionEvidence().getEvidence().contains(given)) {
+ if (dependency.contains(EvidenceType.VERSION, given)) {
 matchFound = true;
 break;
 }
@@ -172,45 +172,45 @@ public class HintAnalyzer extends AbstractAnalyzer { } if (matchFound) { for (Evidence e : hint.getAddVendor()) { - dependency.getVendorEvidence().addEvidence(e); + dependency.addEvidence(EvidenceType.VENDOR, e); } for (Evidence e : hint.getAddProduct()) { - dependency.getProductEvidence().addEvidence(e); + dependency.addEvidence(EvidenceType.PRODUCT, e); } for (Evidence e : hint.getAddVersion()) { - dependency.getVersionEvidence().addEvidence(e); + dependency.addEvidence(EvidenceType.VERSION, e); } for (Evidence e : hint.getRemoveVendor()) { - if (dependency.getVendorEvidence().getEvidence().contains(e)) { - dependency.getVendorEvidence().getEvidence().remove(e); + if (dependency.contains(EvidenceType.VENDOR, e)) { + dependency.removeEvidence(EvidenceType.VENDOR, e); } } for (Evidence e : hint.getRemoveProduct()) { - if (dependency.getProductEvidence().getEvidence().contains(e)) { - dependency.getProductEvidence().getEvidence().remove(e); + if (dependency.contains(EvidenceType.PRODUCT, e)) { + dependency.removeEvidence(EvidenceType.PRODUCT, e); } } for (Evidence e : hint.getRemoveVersion()) { - if (dependency.getVersionEvidence().getEvidence().contains(e)) { - dependency.getVersionEvidence().getEvidence().remove(e); + if (dependency.contains(EvidenceType.VERSION, e)) { + dependency.removeEvidence(EvidenceType.VERSION, e); } } } } - final Iterator itr = dependency.getVendorEvidence().iterator(); + final Iterator itr = dependency.getEvidence(EvidenceType.VENDOR).iterator(); final List newEntries = new ArrayList<>(); while (itr.hasNext()) { final Evidence e = itr.next(); for (VendorDuplicatingHintRule dhr : vendorHints) { - if (dhr.getValue().equalsIgnoreCase(e.getValue(false))) { + if (dhr.getValue().equalsIgnoreCase(e.getValue())) { newEntries.add(new Evidence(e.getSource() + " (hint)", e.getName(), dhr.getDuplicate(), e.getConfidence())); } } } for (Evidence e : newEntries) { - dependency.getVendorEvidence().addEvidence(e); + 
dependency.addEvidence(EvidenceType.VENDOR, e); } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index a4d2c765b..152f39561 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java @@ -53,7 +53,7 @@ import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.dependency.EvidenceCollection; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.exception.InitializationException; import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.FileUtils; 
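Review bot: The vendor-duplication loop changes `dhr.getValue().equalsIgnoreCase(e.getValue(false))` to `e.getValue()`; the old call passed an explicit `false`, which suggests the boolean suppressed a side effect on the Evidence, and if the no-arg overload does not make the same guarantee every vendor evidence entry is now mutated merely by being compared. Please confirm `Evidence.getValue()` is side-effect free, or keep a side-effect-free accessor for this comparison. Separately, each `removeEvidence(EvidenceType.X, e)` is guarded by `dependency.contains(EvidenceType.X, e)`; if `removeEvidence` is a plain collection removal the guard is redundant and the three loops collapse to a single call each. The enclosing method starts before this hunk.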
@@ -527,15 +527,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { if (groupid != null && !groupid.isEmpty()) { foundSomething = true; - dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGHEST); - dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW); - addMatchingValues(classes, groupid, dependency.getVendorEvidence()); - addMatchingValues(classes, groupid, dependency.getProductEvidence()); + dependency.addEvidence(EvidenceType.VENDOR, "pom", "groupid", groupid, Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.PRODUCT, "pom", "groupid", groupid, Confidence.LOW); + addMatchingVendorValues(classes, groupid, dependency); + addMatchingProductValues(classes, groupid, dependency); if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) { - dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM); - dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW); - addMatchingValues(classes, parentGroupId, dependency.getVendorEvidence()); - addMatchingValues(classes, parentGroupId, dependency.getProductEvidence()); + dependency.addEvidence(EvidenceType.VENDOR, "pom", "parent-groupid", parentGroupId, Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.PRODUCT, "pom", "parent-groupid", parentGroupId, Confidence.LOW); + addMatchingVendorValues(classes, parentGroupId, dependency); + addMatchingProductValues(classes, parentGroupId, dependency); } } else { addAsIdentifier = false; 
@@ -543,15 +543,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { if (artifactid != null && !artifactid.isEmpty()) { foundSomething = true; - dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGHEST); - dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW); - addMatchingValues(classes, artifactid, dependency.getVendorEvidence()); - addMatchingValues(classes, artifactid, dependency.getProductEvidence()); + dependency.addEvidence(EvidenceType.PRODUCT, "pom", "artifactid", artifactid, Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VENDOR, "pom", "artifactid", artifactid, Confidence.LOW); + addMatchingVendorValues(classes, artifactid, dependency); + addMatchingProductValues(classes, artifactid, dependency); if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) { - dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM); - dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW); - addMatchingValues(classes, parentArtifactId, dependency.getVendorEvidence()); - addMatchingValues(classes, parentArtifactId, dependency.getProductEvidence()); + dependency.addEvidence(EvidenceType.PRODUCT, "pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.VENDOR, "pom", "parent-artifactid", parentArtifactId, Confidence.LOW); + addMatchingProductValues(classes, parentArtifactId, dependency); + addMatchingProductValues(classes, parentArtifactId, dependency); } } else { addAsIdentifier = false; 
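Review bot: The parent-artifactid branch calls `addMatchingProductValues(classes, parentArtifactId, dependency);` twice, so the vendor-side package-name corroboration that the removed `addMatchingValues(classes, parentArtifactId, dependency.getVendorEvidence())` line provided is silently lost. The first of the two calls should be `addMatchingVendorValues(classes, parentArtifactId, dependency);`, matching the artifactid block directly above it and the groupid hunk earlier in this file. The enclosing method starts and ends outside this hunk.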
@@ -559,9 +559,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { if (version != null && !version.isEmpty()) { foundSomething = true; - dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VERSION, "pom", "version", version, Confidence.HIGHEST); if (parentVersion != null && !parentVersion.isEmpty() && !parentVersion.equals(version)) { - dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW); + dependency.addEvidence(EvidenceType.VERSION, "pom", "parent-version", version, Confidence.LOW); } } else { addAsIdentifier = false; 
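Review bot: The `parent-version` evidence is still recorded with `version` rather than `parentVersion`, so the LOW-confidence entry just duplicates the HIGHEST pom version value and the guard `!parentVersion.equals(version)` buys nothing; this predates the commit, but the line is being rewritten anyway and is the natural place to fix it. Change it to `dependency.addEvidence(EvidenceType.VERSION, "pom", "parent-version", parentVersion, Confidence.LOW);`. The enclosing method continues outside this hunk.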
@@ -574,26 +574,26 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { // org name final String org = pom.getOrganization(); if (org != null && !org.isEmpty()) { - dependency.getVendorEvidence().addEvidence("pom", "organization name", org, Confidence.HIGH); - dependency.getProductEvidence().addEvidence("pom", "organization name", org, Confidence.LOW); - addMatchingValues(classes, org, dependency.getVendorEvidence()); - addMatchingValues(classes, org, dependency.getProductEvidence()); + dependency.addEvidence(EvidenceType.VENDOR, "pom", "organization name", org, Confidence.HIGH); + dependency.addEvidence(EvidenceType.PRODUCT, "pom", "organization name", org, Confidence.LOW); + addMatchingVendorValues(classes, org, dependency); + addMatchingProductValues(classes, org, dependency); } // org name final String orgUrl = pom.getOrganizationUrl(); if (orgUrl != null && !orgUrl.isEmpty()) { - dependency.getVendorEvidence().addEvidence("pom", "organization url", orgUrl, Confidence.MEDIUM); - dependency.getProductEvidence().addEvidence("pom", "organization url", orgUrl, Confidence.LOW); + dependency.addEvidence(EvidenceType.VENDOR, "pom", "organization url", orgUrl, Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.PRODUCT, "pom", "organization url", orgUrl, Confidence.LOW); } //pom name final String pomName = pom.getName(); if (pomName != null && !pomName.isEmpty()) { foundSomething = true; - dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH); - dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH); - addMatchingValues(classes, pomName, dependency.getVendorEvidence()); - addMatchingValues(classes, pomName, dependency.getProductEvidence()); + dependency.addEvidence(EvidenceType.PRODUCT, "pom", "name", pomName, Confidence.HIGH); + dependency.addEvidence(EvidenceType.VENDOR, "pom", "name", pomName, Confidence.HIGH); + addMatchingVendorValues(classes, pomName, dependency); + 
addMatchingProductValues(classes, pomName, dependency); } //Description @@ -601,13 +601,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { if (description != null && !description.isEmpty() && !description.startsWith("POM was created by")) { foundSomething = true; final String trimmedDescription = addDescription(dependency, description, "pom", "description"); - addMatchingValues(classes, trimmedDescription, dependency.getVendorEvidence()); - addMatchingValues(classes, trimmedDescription, dependency.getProductEvidence()); + addMatchingVendorValues(classes, trimmedDescription, dependency); + addMatchingProductValues(classes, trimmedDescription, dependency); } final String projectURL = pom.getProjectURL(); if (projectURL != null && !projectURL.trim().isEmpty()) { - dependency.getVendorEvidence().addEvidence("pom", "url", projectURL, Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VENDOR, "pom", "url", projectURL, Confidence.HIGHEST); } extractLicense(pom, dependency); 
@@ -632,25 +632,24 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { analyzeFullyQualifiedClassNames(classNames, vendorIdentifiers, productIdentifiers); final int classCount = classNames.size(); - final EvidenceCollection vendor = dependency.getVendorEvidence(); - final EvidenceCollection product = dependency.getProductEvidence(); for (Map.Entry entry : vendorIdentifiers.entrySet()) { final float ratio = entry.getValue() / (float) classCount; if (ratio > 0.5) { - //TODO remove weighting - vendor.addWeighting(entry.getKey()); + //TODO remove weighting? + dependency.addVendorWeighting(entry.getKey()); if (addPackagesAsEvidence && entry.getKey().length() > 1) { - vendor.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW); + dependency.addEvidence(EvidenceType.VENDOR, "jar", "package name", entry.getKey(), Confidence.LOW); } } } for (Map.Entry entry : productIdentifiers.entrySet()) { final float ratio = entry.getValue() / (float) classCount; if (ratio > 0.5) { - product.addWeighting(entry.getKey()); + //todo remove weighting + dependency.addProductWeighting(entry.getKey()); if (addPackagesAsEvidence && entry.getKey().length() > 1) { - product.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW); + dependency.addEvidence(EvidenceType.PRODUCT, "jar", "package name", entry.getKey(), Confidence.LOW); } } } @@ -687,9 +686,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { } return false; } - final EvidenceCollection vendorEvidence = dependency.getVendorEvidence(); - final EvidenceCollection productEvidence = dependency.getProductEvidence(); - final EvidenceCollection versionEvidence = dependency.getVersionEvidence(); String source = "Manifest"; String specificationVersion = null; boolean hasImplementationVersion = false; 
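Review bot: The two weighting calls carry differently worded markers, `//TODO remove weighting?` on `dependency.addVendorWeighting(...)` and `//todo remove weighting` on `dependency.addProductWeighting(...)`; use one form on both, e.g. `// TODO remove weighting`, so the open question reads consistently and a grep for TODO finds both. Since this commit moves the weighting onto Dependency rather than removing it, the note should also say what removal is waiting on, or be dropped. The enclosing method starts before this hunk.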
@@ -705,35 +701,35 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { continue; } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) { foundSomething = true; - productEvidence.addEvidence(source, key, value, Confidence.HIGH); - addMatchingValues(classInformation, value, productEvidence); + dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.HIGH); + addMatchingProductValues(classInformation, value, dependency); } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) { hasImplementationVersion = true; foundSomething = true; - versionEvidence.addEvidence(source, key, value, Confidence.HIGH); + dependency.addEvidence(EvidenceType.VERSION, source, key, value, Confidence.HIGH); } else if ("specification-version".equalsIgnoreCase(key)) { specificationVersion = value; } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) { foundSomething = true; - vendorEvidence.addEvidence(source, key, value, Confidence.HIGH); - addMatchingValues(classInformation, value, vendorEvidence); + dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.HIGH); + addMatchingVendorValues(classInformation, value, dependency); } else if (key.equalsIgnoreCase(IMPLEMENTATION_VENDOR_ID)) { foundSomething = true; - vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM); - addMatchingValues(classInformation, value, vendorEvidence); + dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM); + addMatchingVendorValues(classInformation, value, dependency); } else if (key.equalsIgnoreCase(BUNDLE_DESCRIPTION)) { foundSomething = true; addDescription(dependency, value, "manifest", key); - addMatchingValues(classInformation, value, productEvidence); + addMatchingProductValues(classInformation, value, dependency); } else if (key.equalsIgnoreCase(BUNDLE_NAME)) { foundSomething = true; - productEvidence.addEvidence(source, key, value, 
Confidence.MEDIUM); - addMatchingValues(classInformation, value, productEvidence); + dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM); + addMatchingProductValues(classInformation, value, dependency); // //the following caused false positives. // } else if (key.equalsIgnoreCase(BUNDLE_VENDOR)) { } else if (key.equalsIgnoreCase(BUNDLE_VERSION)) { foundSomething = true; - versionEvidence.addEvidence(source, key, value, Confidence.HIGH); + dependency.addEvidence(EvidenceType.VERSION, source, key, value, Confidence.HIGH); } else if (key.equalsIgnoreCase(Attributes.Name.MAIN_CLASS.toString())) { //noinspection UnnecessaryContinue continue; @@ -754,7 +750,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { foundSomething = true; if (key.contains("version")) { if (!key.contains("specification")) { - versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.VERSION, source, key, value, Confidence.MEDIUM); } } else if ("build-id".equals(key)) { int pos = value.indexOf('('); 
@@ -765,37 +761,37 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { if (pos > 0) { value = value.substring(0, pos - 1); } - versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.VERSION, source, key, value, Confidence.MEDIUM); } else if (key.contains("title")) { - productEvidence.addEvidence(source, key, value, Confidence.MEDIUM); - addMatchingValues(classInformation, value, productEvidence); + dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM); + addMatchingProductValues(classInformation, value, dependency); } else if (key.contains("vendor")) { if (key.contains("specification")) { - vendorEvidence.addEvidence(source, key, value, Confidence.LOW); + dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.LOW); } else { - vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM); - addMatchingValues(classInformation, value, vendorEvidence); + dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM); + addMatchingVendorValues(classInformation, value, dependency); } } else if (key.contains("name")) { - productEvidence.addEvidence(source, key, value, Confidence.MEDIUM); - vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM); - addMatchingValues(classInformation, value, vendorEvidence); - addMatchingValues(classInformation, value, productEvidence); + dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM); + addMatchingVendorValues(classInformation, value, dependency); + addMatchingProductValues(classInformation, value, dependency); } else if (key.contains("license")) { addLicense(dependency, value); } else if (key.contains("description")) { addDescription(dependency, value, "manifest", key); } else { - productEvidence.addEvidence(source, key, value, Confidence.LOW); - 
vendorEvidence.addEvidence(source, key, value, Confidence.LOW); - addMatchingValues(classInformation, value, vendorEvidence); - addMatchingValues(classInformation, value, productEvidence); + dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.LOW); + dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.LOW); + addMatchingVendorValues(classInformation, value, dependency); + addMatchingProductValues(classInformation, value, dependency); if (value.matches(".*\\d.*")) { final StringTokenizer tokenizer = new StringTokenizer(value, " "); while (tokenizer.hasMoreElements()) { final String s = tokenizer.nextToken(); if (s.matches("^[0-9.]+$")) { - versionEvidence.addEvidence(source, key, s, Confidence.LOW); + dependency.addEvidence(EvidenceType.VERSION, source, key, s, Confidence.LOW); } } } 
@@ -812,25 +808,25 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { final String value = atts.getValue(key); if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) { foundSomething = true; - productEvidence.addEvidence(source, key, value, Confidence.MEDIUM); - addMatchingValues(classInformation, value, productEvidence); + dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM); + addMatchingProductValues(classInformation, value, dependency); } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) { foundSomething = true; - versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.VERSION, source, key, value, Confidence.MEDIUM); } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) { foundSomething = true; - vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM); - addMatchingValues(classInformation, value, vendorEvidence); + dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM); + addMatchingVendorValues(classInformation, value, dependency); } else if (key.equalsIgnoreCase(Attributes.Name.SPECIFICATION_TITLE.toString())) { foundSomething = true; - productEvidence.addEvidence(source, key, value, Confidence.MEDIUM); - addMatchingValues(classInformation, value, productEvidence); + dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM); + addMatchingProductValues(classInformation, value, dependency); } } } if (specificationVersion != null && !hasImplementationVersion) { foundSomething = true; - versionEvidence.addEvidence(source, "specification-version", specificationVersion, Confidence.HIGH); + dependency.addEvidence(EvidenceType.VERSION, source, "specification-version", specificationVersion, Confidence.HIGH); } } return foundSomething; 
@@ -888,11 +884,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { if (pos > 0) { desc = desc.substring(0, pos) + "..."; } - dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.LOW); - dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.LOW); + dependency.addEvidence(EvidenceType.PRODUCT, source, key, desc, Confidence.LOW); + dependency.addEvidence(EvidenceType.VENDOR, source, key, desc, Confidence.LOW); } else { - dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.MEDIUM); - dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.PRODUCT, source, key, desc, Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.VENDOR, source, key, desc, Confidence.MEDIUM); } return desc; } @@ -1062,9 +1058,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { * * @param classes a collection of class name information * @param value the value to check to see if it contains a package name - * @param evidence the evidence collection to add new entries too + * @param dep the dependency to add new entries too */ - private static void addMatchingValues(List classes, String value, EvidenceCollection evidence) { + private static void addMatchingVendorValues(List classes, String value, Dependency dep) { if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) { return; } 
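Review bot: The Javadoc on the renamed `addMatchingVendorValues` still reads `@param dep the dependency to add new entries too`; it should be `@param dep the dependency to add new entries to`, and because the method now adds only VENDOR evidence the summary sentence (above this hunk) should say so, otherwise a reader has no hint why two near-identical methods exist. The method body continues in the next hunk.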
@@ -1074,7 +1070,32 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { final Pattern p = Pattern.compile("\b" + key + "\b"); if (p.matcher(text).find()) { //if (text.contains(key)) { //note, package structure elements are already lowercase. - evidence.addEvidence("jar", "package name", key, Confidence.HIGHEST); + dep.addEvidence(EvidenceType.VENDOR, "jar", "package name", key, Confidence.HIGHEST); + } + } + } + } + /** + * Cycles through the collection of class name information to see if parts + * of the package names are contained in the provided value. If found, it + * will be added as the HIGHEST confidence evidence because we have more + * then one source corroborating the value. + * + * @param classes a collection of class name information + * @param value the value to check to see if it contains a package name + * @param dep the dependency to add new entries too + */ + private static void addMatchingProductValues(List classes, String value, Dependency dep) { + if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) { + return; + } + final String text = value.toLowerCase(); + for (ClassNameInformation cni : classes) { + for (String key : cni.getPackageStructure()) { + final Pattern p = Pattern.compile("\b" + key + "\b"); + if (p.matcher(text).find()) { + //if (text.contains(key)) { //note, package structure elements are already lowercase. + dep.addEvidence(EvidenceType.PRODUCT, "jar", "package name", key, Confidence.HIGHEST); } } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java index a5eac1d6d..f9b9ec49c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java 
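Review bot: `addMatchingProductValues` is a line-for-line copy of `addMatchingVendorValues` differing only in the `EvidenceType` passed to `dep.addEvidence`, and both build the regex with the raw package element, `Pattern.compile("\b" + key + "\b")`, so any regex metacharacter in `key` changes the match rather than being matched literally; wrap it in `Pattern.quote(key)`. The boundary escape also appears here as `"\b"`, which in a Java string literal is a backspace character, not `\b` the regex anchor — if the file really reads `"\b"` rather than `"\\b"` the word-boundary match never fires, so please confirm. I would fold both methods into one helper that takes the `EvidenceType` and keep the two names as one-line wrappers, as sketched below; the `Pattern` is still compiled inside the inner loop, so hoisting it per package element is a further option if this shows up in profiles. The hunk ends the method and the class body continues outside it.

```java
    private static void addMatchingVendorValues(List<ClassNameInformation> classes, String value, Dependency dep) {
        addMatchingValues(classes, value, EvidenceType.VENDOR, dep);
    }

    private static void addMatchingProductValues(List<ClassNameInformation> classes, String value, Dependency dep) {
        addMatchingValues(classes, value, EvidenceType.PRODUCT, dep);
    }

    /**
     * Adds every package-structure element that occurs as a whole word in
     * value as HIGHEST confidence evidence of the given type, because two
     * independent sources then corroborate it.
     *
     * @param classes a collection of class name information
     * @param value the value to check for package names
     * @param type the evidence type to record matches under
     * @param dep the dependency to add new entries to
     */
    private static void addMatchingValues(List<ClassNameInformation> classes, String value, EvidenceType type, Dependency dep) {
        if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
            return;
        }
        final String text = value.toLowerCase();
        for (ClassNameInformation cni : classes) {
            for (String key : cni.getPackageStructure()) {
                // quote the key so a package element can never act as a regex metacharacter
                final Pattern p = Pattern.compile("\\b" + Pattern.quote(key) + "\\b");
                if (p.matcher(text).find()) {
                    dep.addEvidence(type, "jar", "package name", key, Confidence.HIGHEST);
                }
            }
        }
    }
```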
@@ -36,6 +36,7 @@ import java.io.IOException; import java.net.MalformedURLException; import java.net.URL; import javax.annotation.concurrent.ThreadSafe; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.exception.InitializationException; import org.owasp.dependencycheck.utils.DownloadFailedException; import org.owasp.dependencycheck.utils.Downloader; @@ -236,7 +237,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { dependency.addAsEvidence("nexus", ma, Confidence.HIGH); boolean pomAnalyzed = false; LOGGER.debug("POM URL {}", ma.getPomUrl()); - for (Evidence e : dependency.getVendorEvidence()) { + for (Evidence e : dependency.getEvidence(EvidenceType.VENDOR)) { if ("pom".equals(e.getSource())) { pomAnalyzed = true; break; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index cc1d85f56..7886b4f45 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java @@ -22,7 +22,6 @@ import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.dependency.EvidenceCollection; import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; @@ -40,6 +39,7 @@ import javax.json.JsonReader; import javax.json.JsonString; import javax.json.JsonValue; import org.owasp.dependencycheck.exception.InitializationException; +import org.owasp.dependencycheck.dependency.EvidenceType; /** * Used to analyze Node Package Manager (npm) package.json files, and collect 
@@ -130,21 +130,20 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { } try (JsonReader jsonReader = Json.createReader(FileUtils.openInputStream(file))) { final JsonObject json = jsonReader.readObject(); - final EvidenceCollection productEvidence = dependency.getProductEvidence(); - final EvidenceCollection vendorEvidence = dependency.getVendorEvidence(); if (json.containsKey("name")) { final Object value = json.get("name"); if (value instanceof JsonString) { final String valueString = ((JsonString) value).getString(); - productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); - vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW); + dependency.addEvidence(EvidenceType.PRODUCT, PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VENDOR, PACKAGE_JSON, "name_project", + String.format("%s_project", valueString), Confidence.LOW); } else { LOGGER.warn("JSON value not string as expected: {}", value); } } - addToEvidence(json, productEvidence, "description"); - addToEvidence(json, vendorEvidence, "author"); - addToEvidence(json, dependency.getVersionEvidence(), "version"); + addToEvidence(dependency, EvidenceType.PRODUCT, json, "description"); + addToEvidence(dependency, EvidenceType.VENDOR, json, "author"); + addToEvidence(dependency, EvidenceType.VERSION, json, "version"); dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName())); } catch (JsonException e) { LOGGER.warn("Failed to parse package.json file.", e); 
@@ -157,22 +156,24 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { * Adds information to an evidence collection from the node json * configuration. * + * @param dep the dependency to add the evidence + * @param t the type of evidence to add * @param json information from node.js - * @param collection a set of evidence about a dependency * @param key the key to obtain the data from the json information */ - private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) { + private void addToEvidence(Dependency dep, EvidenceType t, JsonObject json, String key) { if (json.containsKey(key)) { final JsonValue value = json.get(key); if (value instanceof JsonString) { - collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST); + dep.addEvidence(t, PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST); + } else if (value instanceof JsonObject) { final JsonObject jsonObject = (JsonObject) value; for (final Map.Entry entry : jsonObject.entrySet()) { final String property = entry.getKey(); final JsonValue subValue = entry.getValue(); if (subValue instanceof JsonString) { - collection.addEvidence(PACKAGE_JSON, + dep.addEvidence(t, PACKAGE_JSON, String.format("%s.%s", key, property), ((JsonString) subValue).getString(), Confidence.HIGHEST); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java index 7178522bd..d5aaafa4a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java 
@@ -25,7 +25,6 @@ import org.owasp.dependencycheck.data.nsp.NspSearch; import org.owasp.dependencycheck.data.nsp.SanitizePackage; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.dependency.EvidenceCollection; import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.dependency.VulnerableSoftware; @@ -50,6 +49,7 @@ import javax.json.JsonObjectBuilder; import javax.json.JsonReader; import javax.json.JsonString; import javax.json.JsonValue; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.exception.InitializationException; import org.owasp.dependencycheck.utils.URLConnectionFailureException; @@ -204,14 +204,12 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer { /* * Adds evidence about the node package itself, not any of the modules. */ - final EvidenceCollection productEvidence = dependency.getProductEvidence(); - final EvidenceCollection vendorEvidence = dependency.getVendorEvidence(); if (packageJson.containsKey("name")) { final Object value = packageJson.get("name"); if (value instanceof JsonString) { final String valueString = ((JsonString) value).getString(); - productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); - vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW); + dependency.addEvidence(EvidenceType.PRODUCT, PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VENDOR, PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW); } else { LOGGER.warn("JSON value not string as expected: {}", value); } 
@@ -260,9 +258,9 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer { /* * Adds general evidence to about the package. */ - addToEvidence(packageJson, productEvidence, "description"); - addToEvidence(packageJson, vendorEvidence, "author"); - addToEvidence(packageJson, dependency.getVersionEvidence(), "version"); + addToEvidence(dependency, EvidenceType.PRODUCT, packageJson, "description"); + addToEvidence(dependency, EvidenceType.VENDOR, packageJson, "author"); + addToEvidence(dependency, EvidenceType.VERSION, packageJson, "version"); dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName())); } catch (URLConnectionFailureException e) { this.setEnabled(false); @@ -341,18 +339,18 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer { * @param collection a set of evidence about a dependency * @param key the key to obtain the data from the json information */ - private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) { + private void addToEvidence(Dependency dep, EvidenceType type, JsonObject json, String key) { if (json.containsKey(key)) { final JsonValue value = json.get(key); if (value instanceof JsonString) { - collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST); + dep.addEvidence(type, PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST); } else if (value instanceof JsonObject) { final JsonObject jsonObject = (JsonObject) value; for (final Map.Entry entry : jsonObject.entrySet()) { final String property = entry.getKey(); final JsonValue subValue = entry.getValue(); if (subValue instanceof JsonString) { - collection.addEvidence(PACKAGE_JSON, + dep.addEvidence(type, PACKAGE_JSON, String.format("%s.%s", key, property), ((JsonString) subValue).getString(), Confidence.HIGHEST); 
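Review bot: The Javadoc of NspAnalyzer.addToEvidence is now out of date: the surviving context line `* @param collection a set of evidence about a dependency` documents a parameter the new signature no longer has, and neither `dep` nor `type` is documented. Replace that tag with `@param dep the dependency to add the evidence to` and `@param type the type of evidence to add`, the wording this commit already uses for the NodePackageAnalyzer copy of the method. The Javadoc block starts, and the method body ends, outside this hunk.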
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java index 5cc0618e7..3d22a70ac 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java @@ -34,6 +34,7 @@ import java.io.FileFilter; import java.io.FileInputStream; import java.io.FileNotFoundException; import javax.annotation.concurrent.ThreadSafe; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.exception.InitializationException; /** @@ -140,13 +141,13 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer { } if (np.getOwners() != null) { - dependency.getVendorEvidence().addEvidence("nuspec", "owners", np.getOwners(), Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VENDOR,"nuspec", "owners", np.getOwners(), Confidence.HIGHEST); } - dependency.getVendorEvidence().addEvidence("nuspec", "authors", np.getAuthors(), Confidence.HIGH); - dependency.getVersionEvidence().addEvidence("nuspec", "version", np.getVersion(), Confidence.HIGHEST); - dependency.getProductEvidence().addEvidence("nuspec", "id", np.getId(), Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VENDOR,"nuspec", "authors", np.getAuthors(), Confidence.HIGH); + dependency.addEvidence(EvidenceType.VERSION,"nuspec", "version", np.getVersion(), Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.PRODUCT,"nuspec", "id", np.getId(), Confidence.HIGHEST); if (np.getTitle() != null) { - dependency.getProductEvidence().addEvidence("nuspec", "title", np.getTitle(), Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "title", np.getTitle(), Confidence.MEDIUM); } } catch (Throwable e) { throw new AnalysisException(e); 
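Review bot: Four of the five rewritten calls are spelled `EvidenceType.VENDOR,"nuspec"` with no space after the comma, while the `title` line in the same hunk uses `EvidenceType.PRODUCT, "nuspec"`; the rest of the file puts a space after every argument separator. Since these lines were just rewritten, normalize them now, e.g. `dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "owners", np.getOwners(), Confidence.HIGHEST);`. The enclosing try block starts before the hunk.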
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
index ffda14743..918b7b057 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
@@ -32,6 +32,7 @@ import java.nio.charset.Charset;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.annotation.concurrent.ThreadSafe;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
@@ -184,15 +185,15 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 if (!contents.isEmpty()) {
 final Matcher matcher = VERSION_PATTERN.matcher(contents);
 if (matcher.find()) {
- dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant",
+ dependency.addEvidence(EvidenceType.VERSION, OPENSSLV_H, "Version Constant",
 getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH);
 found = true;
 }
 }
 if (found) {
 dependency.setDisplayFileName(parentName + File.separatorChar + OPENSSLV_H);
- dependency.getVendorEvidence().addEvidence(OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST);
- dependency.getProductEvidence().addEvidence(OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VENDOR, OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.PRODUCT, OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST);
 } else {
 engine.removeDependency(dependency);
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
index 268e21a83..00797dc58 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
@@ -32,7 +32,6 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -47,6 +46,7 @@ import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.UrlStringUtils;
 import java.util.concurrent.atomic.AtomicInteger;
 import javax.annotation.concurrent.ThreadSafe;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 
 /**
 * Used to analyze a Wheel or egg distribution files, or their contents in
@@ -279,20 +279,15 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { */ private static void collectWheelMetadata(Dependency dependency, File file) { final InternetHeaders headers = getManifestProperties(file); - addPropertyToEvidence(headers, dependency.getVersionEvidence(), - "Version", Confidence.HIGHEST); - addPropertyToEvidence(headers, dependency.getProductEvidence(), "Name", - Confidence.HIGHEST); + addPropertyToEvidence(dependency, EvidenceType.VERSION, Confidence.HIGHEST, headers, "Version"); + addPropertyToEvidence(dependency, EvidenceType.PRODUCT, Confidence.HIGHEST, headers, "Name"); final String url = headers.getHeader("Home-page", null); - final EvidenceCollection vendorEvidence = dependency - .getVendorEvidence(); if (StringUtils.isNotBlank(url)) { if (UrlStringUtils.isUrl(url)) { - vendorEvidence.addEvidence(METADATA, "vendor", url, - Confidence.MEDIUM); + dependency.addEvidence(EvidenceType.VENDOR, METADATA, "vendor", url, Confidence.MEDIUM); } } - addPropertyToEvidence(headers, vendorEvidence, "Author", Confidence.LOW); + addPropertyToEvidence(dependency, EvidenceType.VENDOR, Confidence.LOW, headers, "Author"); final String summary = headers.getHeader("Summary", null); if (StringUtils.isNotBlank(summary)) { JarAnalyzer.addDescription(dependency, summary, METADATA, "summary"); 
@@ -302,17 +297,18 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { /** * Adds a value to the evidence collection. * + * @param dependency the dependency being analyzed + * @param type the type of evidence to add * @param headers the properties collection * @param evidence the evidence collection to add the value * @param property the property name - * @param confidence the confidence of the evidence */ - private static void addPropertyToEvidence(InternetHeaders headers, - EvidenceCollection evidence, String property, Confidence confidence) { + private static void addPropertyToEvidence(Dependency dependency, EvidenceType type, Confidence confidence, + InternetHeaders headers, String property) { final String value = headers.getHeader(property, null); LOGGER.debug("Property: {}, Value: {}", property, value); if (StringUtils.isNotBlank(value)) { - evidence.addEvidence(METADATA, property, value, confidence); + dependency.addEvidence(type, METADATA, property, value, confidence); } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java index 209ecf98e..5dd546be4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java @@ -24,7 +24,6 @@ import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.dependency.EvidenceCollection; import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.UrlStringUtils; 
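Review bot: The Javadoc of addPropertyToEvidence no longer matches its parameters: `@param evidence the evidence collection to add the value` survives although that parameter was removed, and `@param confidence the confidence of the evidence` was deleted although `confidence` is still the third parameter. Restore the confidence tag, drop the evidence tag, and list the tags in declaration order (dependency, type, confidence, headers, property). The summary `Adds a value to the evidence collection.` is likewise stale now that the target is the dependency; RubyGemspecAnalyzer.addStringEvidence (`Adds the specified evidence to the given evidence collection.`) and SwiftPackageManagerAnalyzer.addStringEvidence (`adds it to the given evidence collection`) later in this diff carry the same leftover wording. Note also that this helper now takes confidence before headers whereas gatherEvidence in PythonPackageAnalyzer keeps confidence last; one consistent order across the helpers rewritten in this commit would be less error-prone at the call sites.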
@@ -36,6 +35,7 @@ import java.nio.charset.Charset; import java.util.regex.Matcher; import java.util.regex.Pattern; import javax.annotation.concurrent.ThreadSafe; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.exception.InitializationException; /** @@ -191,8 +191,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { //"The __init__.py files are required to make Python treat the directories as containing packages" //see section "6.4 Packages" from https://docs.python.org/2/tutorial/modules.html; dependency.setDisplayFileName(parentName + "/__init__.py"); - dependency.getProductEvidence().addEvidence(file.getName(), - "PackageName", parentName, Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.PRODUCT, file.getName(), "PackageName", parentName, Confidence.HIGHEST); final File[] fileList = parent.listFiles(PY_FILTER); if (fileList != null) { 
@@ -226,26 +225,23 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { boolean found = false; if (!contents.isEmpty()) { final String source = file.getName(); - found = gatherEvidence(VERSION_PATTERN, contents, source, - dependency.getVersionEvidence(), "SourceVersion", - Confidence.MEDIUM); + found = gatherEvidence(dependency, EvidenceType.VERSION, VERSION_PATTERN, contents, + source, "SourceVersion", Confidence.MEDIUM); found |= addSummaryInfo(dependency, SUMMARY_PATTERN, 4, contents, source, "summary"); if (INIT_PY_FILTER.accept(file)) { found |= addSummaryInfo(dependency, MODULE_DOCSTRING, 2, contents, source, "docstring"); } - found |= gatherEvidence(TITLE_PATTERN, contents, source, - dependency.getProductEvidence(), "SourceTitle", - Confidence.LOW); - final EvidenceCollection vendorEvidence = dependency - .getVendorEvidence(); - found |= gatherEvidence(AUTHOR_PATTERN, contents, source, - vendorEvidence, "SourceAuthor", Confidence.MEDIUM); - found |= gatherHomePageEvidence(URI_PATTERN, vendorEvidence, + found |= gatherEvidence(dependency, EvidenceType.PRODUCT, TITLE_PATTERN, contents, + source, "SourceTitle", Confidence.LOW); + + found |= gatherEvidence(dependency, EvidenceType.VENDOR, AUTHOR_PATTERN, contents, + source, "SourceAuthor", Confidence.MEDIUM); + found |= gatherHomePageEvidence(dependency, EvidenceType.VENDOR, URI_PATTERN, source, "URL", contents); - found |= gatherHomePageEvidence(HOMEPAGE_PATTERN, - vendorEvidence, source, "HomePage", contents); + found |= gatherHomePageEvidence(dependency, EvidenceType.VENDOR, HOMEPAGE_PATTERN, + source, "HomePage", contents); } return found; } 
@@ -275,23 +271,23 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { /** * Collects evidence from the home page URL. * + * @param dependency the dependency that is being analyzed + * @param type the type of evidence * @param pattern the pattern to match - * @param evidence the evidence collection to add the evidence to * @param source the source of the evidence * @param name the name of the evidence * @param contents the home page URL * @return true if evidence was collected; otherwise false */ - private boolean gatherHomePageEvidence(Pattern pattern, - EvidenceCollection evidence, String source, String name, - String contents) { + private boolean gatherHomePageEvidence(Dependency dependency, EvidenceType type, Pattern pattern, + String source, String name, String contents) { final Matcher matcher = pattern.matcher(contents); boolean found = false; if (matcher.find()) { final String url = matcher.group(4); if (UrlStringUtils.isUrl(url)) { found = true; - evidence.addEvidence(source, name, url, Confidence.MEDIUM); + dependency.addEvidence(type, source, name, url, Confidence.MEDIUM); } } return found; 
@@ -301,21 +297,21 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { * Gather evidence from a Python source file using the given string * assignment regex pattern. * + * @param dependency the dependency that is being analyzed + * @param type the type of evidence * @param pattern to scan contents with * @param contents of Python source file * @param source for storing evidence - * @param evidence to store evidence in * @param name of evidence * @param confidence in evidence * @return whether evidence was found */ - private boolean gatherEvidence(Pattern pattern, String contents, - String source, EvidenceCollection evidence, String name, - Confidence confidence) { + private boolean gatherEvidence(Dependency dependency, EvidenceType type, Pattern pattern, String contents, + String source, String name, Confidence confidence) { final Matcher matcher = pattern.matcher(contents); final boolean found = matcher.find(); if (found) { - evidence.addEvidence(source, name, matcher.group(4), confidence); + dependency.addEvidence(type, source, name, matcher.group(4), confidence); } return found; } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java index d097f11ff..707392c74 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java 
@@ -37,6 +37,7 @@ import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.dependency.Reference; import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.exception.InitializationException; @@ -440,7 +441,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { Vulnerability vulnerability = null; if (null != dependency) { final String version = nextLine.substring(VERSION.length()); - dependency.getVersionEvidence().addEvidence( + dependency.addEvidence(EvidenceType.VERSION, "bundler-audit", "Version", version, @@ -480,7 +481,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { FileUtils.write(gemFile, displayFileName, Charset.defaultCharset()); // unique contents to avoid dependency bundling final Dependency dependency = new Dependency(gemFile); - dependency.getProductEvidence().addEvidence("bundler-audit", "Name", gem, Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.PRODUCT, "bundler-audit", "Name", gem, Confidence.HIGHEST); dependency.setDisplayFileName(displayFileName); dependency.setFileName(fileName); dependency.setFilePath(filePath); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index 4cdec0e08..2605b6106 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java 
@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
@@ -145,23 +145,21 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { contents = contents.substring(matcher.end()); final String blockVariable = matcher.group(1); - final EvidenceCollection vendor = dependency.getVendorEvidence(); - final EvidenceCollection product = dependency.getProductEvidence(); - final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST); + final String name = addStringEvidence(dependency, EvidenceType.PRODUCT, contents, blockVariable, "name", "name", Confidence.HIGHEST); if (!name.isEmpty()) { - vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW); + dependency.addEvidence(EvidenceType.VENDOR, GEMSPEC, "name_project", name + "_project", Confidence.LOW); } - addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.LOW); + addStringEvidence(dependency, EvidenceType.PRODUCT, contents, blockVariable, "summary", "summary", Confidence.LOW); - addStringEvidence(vendor, contents, blockVariable, "author", "authors?", Confidence.HIGHEST); - addStringEvidence(vendor, contents, blockVariable, "email", "emails?", Confidence.MEDIUM); - addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST); - addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST); + addStringEvidence(dependency, EvidenceType.VENDOR, contents, blockVariable, "author", "authors?", Confidence.HIGHEST); + addStringEvidence(dependency, EvidenceType.VENDOR, contents, blockVariable, "email", "emails?", Confidence.MEDIUM); + addStringEvidence(dependency, EvidenceType.VENDOR, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST); + addStringEvidence(dependency, EvidenceType.VENDOR, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST); - final String value = addStringEvidence(dependency.getVersionEvidence(), contents, + final String value = 
addStringEvidence(dependency, EvidenceType.VERSION, contents, blockVariable, "version", "version", Confidence.HIGHEST); if (value.length() < 1) { - addEvidenceFromVersionFile(dependency.getActualFile(), dependency.getVersionEvidence()); + addEvidenceFromVersionFile(dependency, EvidenceType.VERSION, dependency.getActualFile()); } } @@ -171,7 +169,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { /** * Adds the specified evidence to the given evidence collection. * - * @param evidences the collection to add the evidence to + * @param dependency the dependency being analyzed + * @param type the type of evidence to add * @param contents the evidence contents * @param blockVariable the variable * @param field the field @@ -179,7 +178,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { * @param confidence the confidence of the evidence * @return the evidence string value added */ - private String addStringEvidence(EvidenceCollection evidences, String contents, + private String addStringEvidence(Dependency dependency, EvidenceType type, String contents, String blockVariable, String field, String fieldPattern, Confidence confidence) { String value = ""; @@ -197,7 +196,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { } } if (value.length() > 0) { - evidences.addEvidence(GEMSPEC, field, value, confidence); + dependency.addEvidence(type, GEMSPEC, field, value, confidence); } return value; 
@@ -206,10 +205,11 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { /** * Adds evidence from the version file. * + * @param dependency the dependency being analyzed + * @param type the type of evidence to add * @param dependencyFile the dependency being analyzed - * @param versionEvidences the version evidence */ - private void addEvidenceFromVersionFile(File dependencyFile, EvidenceCollection versionEvidences) { + private void addEvidenceFromVersionFile(Dependency dependency, EvidenceType type, File dependencyFile) { final File parentDir = dependencyFile.getParentFile(); if (parentDir != null) { final File[] matchingFiles = parentDir.listFiles(new FilenameFilter() { @@ -226,7 +226,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { final List lines = FileUtils.readLines(f, Charset.defaultCharset()); if (lines.size() == 1) { //TODO other checking? final String value = lines.get(0).trim(); - versionEvidences.addEvidence(GEMSPEC, "version", value, Confidence.HIGH); + dependency.addEvidence(type, GEMSPEC, "version", value, Confidence.HIGH); } } catch (IOException e) { LOGGER.debug("Error reading gemspec", e); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java index 932b4ce2c..7a27377f9 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java 
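Review bot: The Javadoc of addEvidenceFromVersionFile now describes two different parameters with the same text, `@param dependency the dependency being analyzed` and `@param dependencyFile the dependency being analyzed`, so the file's role is not stated anywhere. In the visible part of the body `dependencyFile` is used only to obtain its parent directory, which is then listed for version files, so `@param dependencyFile the gemspec file whose parent directory is searched for a version file` would say what it is for. The `type` parameter is always passed as `EvidenceType.VERSION` by the one call visible in this diff while the evidence name is hard-coded to `"version"` in the body; a sentence in the Javadoc saying the method is specific to version evidence would keep a future caller from passing another type. The method body is split across the two hunks and its middle is not visible here.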
@@ -30,7 +30,7 @@ import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.dependency.EvidenceCollection; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.Settings; @@ -135,14 +135,11 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { return; } - final EvidenceCollection product = dependency.getProductEvidence(); - final EvidenceCollection vendor = dependency.getVendorEvidence(); - //SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies. //Future interesting metadata: version, license, homepage, author, summary, etc. - final String name = addStringEvidence(product, packageDescription, "name", "name", Confidence.HIGHEST); + final String name = addStringEvidence(dependency, EvidenceType.PRODUCT, packageDescription, "name", "name", Confidence.HIGHEST); if (name != null && !name.isEmpty()) { - vendor.addEvidence(SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VENDOR, SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST); } } setPackagePath(dependency); 
@@ -152,14 +149,15 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { * Extracts evidence from the package description and adds it to the given * evidence collection. * - * @param evidences the evidence collection to update + * @param dependency the dependency being analyzed + * @param type the type of evidence to add * @param packageDescription the text to extract evidence from * @param field the name of the field being searched for * @param fieldPattern the field pattern within the contents to search for * @param confidence the confidence level of the evidence if found * @return the string that was added as evidence */ - private String addStringEvidence(EvidenceCollection evidences, + private String addStringEvidence(Dependency dependency, EvidenceType type, String packageDescription, String field, String fieldPattern, Confidence confidence) { String value = ""; @@ -172,7 +170,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { if (value != null) { value = value.trim(); if (value.length() > 0) { - evidences.addEvidence(SPM_FILE_NAME, field, value, confidence); + dependency.addEvidence(type, SPM_FILE_NAME, field, value, confidence); } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java index 17c47429d..809732876 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java 
@@ -17,14 +17,16 @@ */ package org.owasp.dependencycheck.analyzer; +import java.util.HashSet; import java.util.Iterator; import java.util.Objects; +import java.util.Set; import javax.annotation.concurrent.ThreadSafe; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Evidence; -import org.owasp.dependencycheck.dependency.EvidenceCollection; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.utils.DependencyVersion; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; @@ -132,14 +134,14 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer { String fileVersion = null; String pomVersion = null; String manifestVersion = null; - for (Evidence e : dependency.getVersionEvidence()) { + for (Evidence e : dependency.getEvidence(EvidenceType.VERSION)) { if (FILE.equals(e.getSource()) && VERSION.equals(e.getName())) { - fileVersion = e.getValue(Boolean.FALSE); + fileVersion = e.getValue(); } else if ((NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource())) && VERSION.equals(e.getName())) { - pomVersion = e.getValue(Boolean.FALSE); + pomVersion = e.getValue(); } else if (MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName())) { - manifestVersion = e.getValue(Boolean.FALSE); + manifestVersion = e.getValue(); } } //ensure we have at least two not null 
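Review bot: The three `e.getValue(Boolean.FALSE)` reads in the second hunk become `e.getValue()`; the one-argument form presumably existed to read the value without flagging the evidence as used, and the no-arg form likely set that flag. This is only behavior-neutral because the same commit removes the `used` field from Evidence (the Evidence.java hunk at the end of this chunk), so it is worth confirming that no report or analysis step still keys on which evidence was used, since that information now has no source. The surrounding analyze method starts before and ends after this hunk.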
@@ -152,17 +154,18 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer { final boolean pomMatch = Objects.equals(dvPom, dvFile) || Objects.equals(dvPom, dvManifest); if (fileMatch || manifestMatch || pomMatch) { LOGGER.debug("filtering evidence from {}", dependency.getFileName()); - final EvidenceCollection versionEvidence = dependency.getVersionEvidence(); - final Iterator itr = versionEvidence.iterator(); - while (itr.hasNext()) { - final Evidence e = itr.next(); + Set remove = new HashSet<>(); + for(Evidence e : dependency.getEvidence(EvidenceType.VERSION)) { if (!(pomMatch && VERSION.equals(e.getName()) && (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource()))) && !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource())) && !(manifestMatch && MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName()))) { - itr.remove(); + remove.add(e); } } + for (Evidence e: remove) { + dependency.removeEvidence(EvidenceType.VERSION, e); + } } } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java index 9080a02ce..e38b9c458 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java @@ -45,7 +45,7 @@ import org.slf4j.LoggerFactory; * @author Jeremy Long */ @NotThreadSafe -public class Dependency implements Serializable, Comparable { +public class Dependency extends EvidenceCollection implements Serializable, Comparable { /** * The serial version UID for serialization. 
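Review bot: `Set remove = new HashSet<>();` is the only local in this method that is not declared `final` (compare `final boolean pomMatch` just above it), and the two new loops are spaced differently, `for(Evidence e : …)` versus `for (Evidence e: remove)`. Mark the set `final` and write both loops as `for (Evidence e : …)` so the new code matches the style of the lines around it. Collecting the matches first and removing them afterwards is the right shape here, since the previous iterator-based removal no longer has a live collection to work on; the method body continues past the hunk.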
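Review bot: `public class Dependency extends EvidenceCollection` turns what was a has-a relationship into an is-a one, so every public method of EvidenceCollection becomes part of Dependency's API, and Dependency stays `Serializable` while this hunk does not show whether EvidenceCollection is. If it is not, the evidence now lives in a non-serializable superclass and would be dropped on serialization, so EvidenceCollection would need to implement Serializable as well; worth confirming before this lands. Keeping a single private EvidenceCollection field and delegating addEvidence/getEvidence/removeEvidence to it would give the same call sites without the superclass coupling.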
@@ -55,14 +55,6 @@ public class Dependency implements Serializable, Comparable { * The logger. */ private static final Logger LOGGER = LoggerFactory.getLogger(Dependency.class); - /** - * Used as starting point for generating the value in {@link #hashCode()}. - */ - private static final int MAGIC_HASH_INIT_VALUE = 3; - /** - * Used as a multiplier for generating the value in {@link #hashCode()}. - */ - private static final int MAGIC_HASH_MULTIPLIER = 47; /** * The actual file path of the dependency on disk. */ @@ -90,19 +82,7 @@ public class Dependency implements Serializable, Comparable { /** * A list of Identifiers. */ - private Set identifiers; - /** - * A collection of vendor evidence. - */ - private final EvidenceCollection vendorEvidence; - /** - * A collection of product evidence. - */ - private final EvidenceCollection productEvidence; - /** - * A collection of version evidence. - */ - private final EvidenceCollection versionEvidence; + private Set identifiers = new TreeSet<>(); /** * The file name to display in reports. */ @@ -110,11 +90,11 @@ public class Dependency implements Serializable, Comparable { /** * A set of identifiers that have been suppressed. */ - private Set suppressedIdentifiers; + private Set suppressedIdentifiers = new TreeSet<>(); /** * A set of vulnerabilities that have been suppressed. */ - private SortedSet suppressedVulnerabilities; + private SortedSet suppressedVulnerabilities = new TreeSet<>(new VulnerabilityComparator()); /** * The description of the JAR file. */ @@ -126,7 +106,7 @@ public class Dependency implements Serializable, Comparable { /** * A list of vulnerabilities for this dependency. */ - private SortedSet vulnerabilities; + private SortedSet vulnerabilities = new TreeSet<>(new VulnerabilityComparator()); /** * A collection of related dependencies. */ 
@@ -167,13 +147,7 @@ public class Dependency implements Serializable, Comparable {
 * Constructs a new Dependency object.
 */
 public Dependency() {
- vendorEvidence = new EvidenceCollection();
- productEvidence = new EvidenceCollection();
- versionEvidence = new EvidenceCollection();
- identifiers = new TreeSet<>();
- vulnerabilities = new TreeSet<>(new VulnerabilityComparator());
- suppressedIdentifiers = new TreeSet<>();
- suppressedVulnerabilities = new TreeSet<>(new VulnerabilityComparator());
+ //empty contructor
 }
 
 /**
@@ -189,7 +163,8 @@ public class Dependency implements Serializable, Comparable {
 * Constructs a new Dependency object.
 *
 * @param file the File to create the dependency object from.
- * @param isVirtual specifies if the dependency is virtual indicating the file doesn't actually exist.
+ * @param isVirtual specifies if the dependency is virtual indicating the
+ * file doesn't actually exist.
 */
 public Dependency(File file, boolean isVirtual) {
 this();
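Review bot: The comment that replaces the constructor body has a typo, `//empty contructor`, and does not say why the body is now empty. Since the initialization moved to the field declarations earlier in this diff, `// fields are initialized at their declarations` both fixes the spelling and records the reason; alternatively the empty body can be left uncommented, as the Javadoc above already describes the constructor.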
@@ -401,13 +376,13 @@ public class Dependency implements Serializable, Comparable { */ public void addAsEvidence(String source, MavenArtifact mavenArtifact, Confidence confidence) { if (mavenArtifact.getGroupId() != null && !mavenArtifact.getGroupId().isEmpty()) { - this.getVendorEvidence().addEvidence(source, "groupid", mavenArtifact.getGroupId(), confidence); + this.addEvidence(EvidenceType.VENDOR, source, "groupid", mavenArtifact.getGroupId(), confidence); } if (mavenArtifact.getArtifactId() != null && !mavenArtifact.getArtifactId().isEmpty()) { - this.getProductEvidence().addEvidence(source, "artifactid", mavenArtifact.getArtifactId(), confidence); + this.addEvidence(EvidenceType.PRODUCT, source, "artifactid", mavenArtifact.getArtifactId(), confidence); } if (mavenArtifact.getVersion() != null && !mavenArtifact.getVersion().isEmpty()) { - this.getVersionEvidence().addEvidence(source, "version", mavenArtifact.getVersion(), confidence); + this.addEvidence(EvidenceType.VERSION, source, "version", mavenArtifact.getVersion(), confidence); } if (mavenArtifact.getArtifactUrl() != null && !mavenArtifact.getArtifactUrl().isEmpty()) { boolean found = false; 
@@ -493,60 +468,6 @@ public class Dependency implements Serializable, Comparable { this.suppressedVulnerabilities.add(vulnerability); } - /** - * Returns the evidence used to identify this dependency. - * - * @return an EvidenceCollection. - */ - public EvidenceCollection getEvidence() { - return EvidenceCollection.merge(this.productEvidence, this.vendorEvidence, this.versionEvidence); - } - - /** - * Returns the evidence used to identify this dependency. - * - * @return an EvidenceCollection. - */ - public Set getEvidenceForDisplay() { - return EvidenceCollection.mergeForDisplay(this.productEvidence, this.vendorEvidence, this.versionEvidence); - } - - /** - * Returns the evidence used to identify this dependency. - * - * @return an EvidenceCollection. - */ - public EvidenceCollection getEvidenceUsed() { - return EvidenceCollection.mergeUsed(this.productEvidence, this.vendorEvidence, this.versionEvidence); - } - - /** - * Gets the Vendor Evidence. - * - * @return an EvidenceCollection. - */ - public EvidenceCollection getVendorEvidence() { - return this.vendorEvidence; - } - - /** - * Gets the Product Evidence. - * - * @return an EvidenceCollection. - */ - public EvidenceCollection getProductEvidence() { - return this.productEvidence; - } - - /** - * Gets the Version Evidence. - * - * @return an EvidenceCollection. - */ - public EvidenceCollection getVersionEvidence() { - return this.versionEvidence; - } - /** * Get the value of description. * 
@@ -773,13 +694,9 @@ public class Dependency implements Serializable, Comparable { .append(this.md5sum, other.md5sum) .append(this.sha1sum, other.sha1sum) .append(this.identifiers, other.identifiers) - .append(this.vendorEvidence, other.vendorEvidence) - .append(this.productEvidence, other.productEvidence) - .append(this.versionEvidence, other.versionEvidence) .append(this.description, other.description) .append(this.license, other.license) .append(this.vulnerabilities, other.vulnerabilities) - //.append(this.relatedDependencies, other.relatedDependencies) .append(this.projectReferences, other.projectReferences) .append(this.availableVersions, other.availableVersions) .isEquals(); @@ -792,20 +709,17 @@ public class Dependency implements Serializable, Comparable { */ @Override public int hashCode() { - return new HashCodeBuilder(MAGIC_HASH_INIT_VALUE, MAGIC_HASH_MULTIPLIER) + return new HashCodeBuilder(3, 47) + .appendSuper(super.hashCode()) .append(actualFilePath) .append(filePath) .append(fileName) .append(md5sum) .append(sha1sum) .append(identifiers) - .append(vendorEvidence) - .append(productEvidence) - .append(versionEvidence) .append(description) .append(license) .append(vulnerabilities) - //.append(relatedDependencies) .append(projectReferences) .append(availableVersions) .toHashCode(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java index 1130a3c06..aacda1e6a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java @@ -61,11 +61,6 @@ public class Evidence implements Serializable, Comparable { */ private String value; - /** - * A value indicating if the Evidence has been "used" (aka read). - */ - private boolean used; - /** * The confidence level for the evidence. */ 
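Review bot: `hashCode()` now calls `.appendSuper(super.hashCode())` while `equals()` in the preceding hunk has no matching `appendSuper(super.equals(other))`; `Dependency` declares no superclass, so `super.hashCode()` is `Object`'s identity hash and two instances that `equals()` reports equal will hash differently, breaking any `HashSet`/`HashMap` use — drop the `.appendSuper(super.hashCode())` line. Replacing the named `MAGIC_HASH_INIT_VALUE`/`MAGIC_HASH_MULTIPLIER` constants with the literals `3, 47` is a readability regression; keep the constants or document why the seeds changed. Both hunks also drop the three evidence collections from `equals`/`hashCode`, so dependencies that differ only in gathered evidence now compare equal; if that is intended, a one-line comment on `equals` saying so would save the next reader the question. The `equals` method's signature lies outside its hunk.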
@@ -134,20 +129,6 @@ public class Evidence implements Serializable, Comparable { * @return the value of value */ public String getValue() { - used = true; - return value; - } - - /** - * Get the value of value. If setUsed is set to false this call to get will - * not mark the evidence as used. - * - * @param setUsed whether or not this call to getValue should cause the used - * flag to be updated - * @return the value of value - */ - public String getValue(Boolean setUsed) { - used = used || setUsed; return value; } @@ -160,24 +141,6 @@ public class Evidence implements Serializable, Comparable { this.value = value; } - /** - * Get the value of used. - * - * @return the value of used - */ - public boolean isUsed() { - return used; - } - - /** - * Set the value of used. - * - * @param used new value of used - */ - public void setUsed(boolean used) { - this.used = used; - } - /** * Get the value of confidence. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java index a7a2d6f7e..c4f7de2cd 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java 
@@ -18,18 +18,13 @@ package org.owasp.dependencycheck.dependency; import java.io.Serializable; -import java.net.MalformedURLException; +import java.util.Collections; import java.util.HashSet; -import java.util.Iterator; -import java.util.List; import java.util.Set; -import java.util.TreeSet; -import javax.annotation.concurrent.NotThreadSafe; -import org.apache.commons.lang3.StringUtils; -import org.owasp.dependencycheck.utils.DependencyVersion; -import org.owasp.dependencycheck.utils.DependencyVersionUtil; +import javax.annotation.concurrent.ThreadSafe; +import org.apache.commons.lang3.builder.EqualsBuilder; +import org.apache.commons.lang3.builder.HashCodeBuilder; import org.owasp.dependencycheck.utils.Filter; -import org.owasp.dependencycheck.utils.UrlStringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -38,8 +33,8 @@ import org.slf4j.LoggerFactory; * * @author Jeremy Long */ -@NotThreadSafe -public class EvidenceCollection implements Serializable, Iterable { +@ThreadSafe +class EvidenceCollection implements Serializable { /** * The serial version UID for serialization. 
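Review bot: The import hunk keeps `org.slf4j.Logger`/`org.slf4j.LoggerFactory`, and the `LOGGER` field survives as context in the next hunk, but the only visible use (`LOGGER.debug` inside `urlCorrection`) is deleted later in this diff; if no other use remains, the field and both imports are dead and should go with it. Dropping `public` from `class EvidenceCollection` narrows the type to package scope, which is fine as long as nothing outside `org.owasp.dependencycheck.dependency` still names it — the deleted `Dependency.getVendorEvidence()` family was the main exposure, so a quick grep of the other modules is worth doing.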
@@ -50,13 +45,25 @@ public class EvidenceCollection implements Serializable, Iterable { */ private static final Logger LOGGER = LoggerFactory.getLogger(EvidenceCollection.class); /** - * A collection of evidence. + * A collection of vendor evidence. */ - private final Set list; + private final Set vendors = new HashSet<>(); /** - * A collection of strings used to adjust Lucene's term weighting. + * A collection of strings used to adjust Lucene's vendor term weighting. */ - private final Set weightedStrings; + private final Set vendorWeightings = new HashSet<>(); + /** + * A collection of product evidence. + */ + private final Set products = new HashSet<>(); + /** + * A collection of strings used to adjust Lucene's product term weighting. + */ + private final Set productWeightings = new HashSet<>(); + /** + * A collection of version evidence. + */ + private final Set versions = new HashSet<>(); /** * Used to iterate over highest confidence evidence contained in the 
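Review bot: The three evidence sets are declared as `new HashSet<>()`, whereas the removed constructor (a later hunk in this file) created `list = new TreeSet<>()`; since `Evidence implements Comparable`, the old collection iterated in deterministic sorted order and the new one iterates in hash order, so `toString()` output and anything that renders evidence in iteration order becomes dependent on `Evidence.hashCode()`. If ordering was relied on, `new TreeSet<>()` keeps the old behaviour; if not, `LinkedHashSet` at least gives stable insertion order for reports. Because the serialised field layout of this `Serializable` class changed, the `serialVersionUID` (declared just above, value outside the hunk) should probably be bumped too.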
@@ -97,74 +104,113 @@ public class EvidenceCollection implements Serializable, Iterable { return evidence.getConfidence() == Confidence.LOW; } }; - /** - * Used to iterate over evidence that has was used (aka read) from the - * collection. - */ - private static final Filter EVIDENCE_USED = new Filter() { - @Override - public boolean passes(Evidence evidence) { - return evidence.isUsed(); - } - }; /** - * Used to iterate over evidence of the specified confidence. + * Used to iterate over evidence of the specified type and confidence. * + * @param type the evidence type to iterate over * @param confidence the confidence level for the evidence to be iterated * over. * @return Iterable<Evidence> an iterable collection of evidence */ - public final Iterable iterator(Confidence confidence) { - if (null != confidence) { + public synchronized Iterable getIterator(EvidenceType type, Confidence confidence) { + if (null != confidence && null != type) { + Set list; + + switch (type) { + case VENDOR: + list = Collections.unmodifiableSet(vendors); + break; + case PRODUCT: + list = Collections.unmodifiableSet(products); + break; + case VERSION: + list = Collections.unmodifiableSet(versions); + break; + default: + return null; + } + switch (confidence) { case HIGHEST: - return EvidenceCollection.HIGHEST_CONFIDENCE.filter(this.list); + return EvidenceCollection.HIGHEST_CONFIDENCE.filter(list); case HIGH: - return EvidenceCollection.HIGH_CONFIDENCE.filter(this.list); + return EvidenceCollection.HIGH_CONFIDENCE.filter(list); case MEDIUM: - return EvidenceCollection.MEDIUM_CONFIDENCE.filter(this.list); + return EvidenceCollection.MEDIUM_CONFIDENCE.filter(list); default: - return EvidenceCollection.LOW_CONFIDENCE.filter(this.list); + return EvidenceCollection.LOW_CONFIDENCE.filter(list); } } return null; } /** - * Creates a new EvidenceCollection. + * Adds evidence to the collection. 
+ * + * @param type the type of evidence (vendor, product, version) + * @param e Evidence */ - public EvidenceCollection() { - list = new TreeSet<>(); - weightedStrings = new HashSet<>(); + public synchronized void addEvidence(EvidenceType type, Evidence e) { + if (null != type) { + switch (type) { + case VENDOR: + vendors.add(e); + break; + case PRODUCT: + products.add(e); + break; + case VERSION: + versions.add(e); + break; + default: + break; + } + } } /** - * Adds evidence to the collection. + * Removes evidence from the collection. * + * @param type the type of evidence (vendor, product, version) * @param e Evidence. */ - public void addEvidence(Evidence e) { - list.add(e); + public synchronized void removeEvidence(EvidenceType type, Evidence e) { + if (null != type) { + switch (type) { + case VENDOR: + vendors.remove(e); + break; + case PRODUCT: + products.remove(e); + break; + case VERSION: + versions.remove(e); + break; + default: + break; + } + } } /** * Creates an Evidence object from the parameters and adds the resulting - * object to the collection. + * object to the evidence collection. * + * @param type the type of evidence (vendor, product, version) * @param source the source of the Evidence. * @param name the name of the Evidence. * @param value the value of the Evidence. * @param confidence the confidence of the Evidence. */ - public void addEvidence(String source, String name, String value, Confidence confidence) { + public void addEvidence(EvidenceType type, String source, String name, String value, Confidence confidence) { final Evidence e = new Evidence(source, name, value, confidence); - addEvidence(e); + addEvidence(type, e); } /** - * Adds term to the weighting collection. The terms added here are used - * later to boost the score of other terms. This is a way of combining + * Adds term to the vendor weighting collection. The terms added here are + * used later to boost the score of other terms. 
This is a way of combining * evidence from multiple sources to boost the confidence of the given * evidence. * 
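Review bot: `getIterator(EvidenceType, Confidence)` returns `null` when `type` or `confidence` is null and from the `default` branch of the type switch, so any `for (Evidence e : col.getIterator(...))` call NPEs; returning `Collections.emptySet()` (already imported in this diff) in those places avoids the null contract, and the `default` branch is unreachable anyway because `EvidenceType` has exactly the three handled constants. The filtered result is built over an unmodifiable view of the live `vendors`/`products`/`versions` sets, so if `Filter.filter` is lazy the actual iteration happens after the `synchronized` block exits and is not covered by the class's new `@ThreadSafe` claim — confirm, or filter a snapshot such as `new HashSet<>(vendors)`. The same three-way `switch` on `type` is repeated in `addEvidence`, `removeEvidence`, `getEvidence` and both `contains` overloads; a private `Set<Evidence> setFor(EvidenceType type)` helper would hold it once.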
@@ -177,136 +223,122 @@ public class EvidenceCollection implements Serializable, Iterable { * * @param str to add to the weighting collection. */ - public void addWeighting(String str) { - weightedStrings.add(str); + public synchronized void addVendorWeighting(String str) { + vendorWeightings.add(str); } /** - * Returns a set of Weightings - a list of terms that are believed to be of - * higher confidence when also found in another location. + * Adds term to the product weighting collection. The terms added here are + * used later to boost the score of other terms. This is a way of combining + * evidence from multiple sources to boost the confidence of the given + * evidence. * - * @return Set<String> + * Example: The term 'Apache' is found in the manifest of a JAR and is added + * to the Collection. When we parse the package names within the JAR file we + * may add these package names to the "weighted" strings collection to boost + * the score in the Lucene query. That way when we construct the Lucene + * query we find the term Apache in the collection AND in the weighted + * strings; as such, we will boost the confidence of the term Apache. + * + * @param str to add to the weighting collection. */ - public Set getWeighting() { - return weightedStrings; + public synchronized void addProductWeighting(String str) { + productWeightings.add(str); } /** - * Returns the set of evidence. + * Returns an unmodifiable set of vendor Weightings - a list of terms that + * are believed to be of higher confidence when also found in another + * location. * - * @return the set of evidence. + * @return an unmodifiable set of vendor weighting strings */ - public Set getEvidence() { - return list; + public synchronized Set getVendorWeightings() { + return Collections.unmodifiableSet(vendorWeightings); } /** - * Returns the set of evidence from a given source. 
+ * Returns an unmodifiable set of product Weightings - a list of terms that + * are believed to be of higher confidence when also found in another + * location. * - * @param source the source of the evidence - * @return the set of evidence. + * @return an unmodifiable set of vendor weighting strings */ - public Set getEvidence(String source) { - if (source == null) { - return null; - } - final Set ret = new HashSet<>(); - for (Evidence e : list) { - if (source.equals(e.getSource())) { - ret.add(e); + public synchronized Set getProductWeightings() { + return Collections.unmodifiableSet(productWeightings); + } + + /** + * Returns the unmodifiable set of evidence of the given type. + * + * @param type the type of evidence (vendor, product, version) + * @return the unmodifiable set of evidence + */ + public synchronized Set getEvidence(EvidenceType type) { + if (null != type) { + switch (type) { + case VENDOR: + return Collections.unmodifiableSet(vendors); + case PRODUCT: + return Collections.unmodifiableSet(products); + case VERSION: + return Collections.unmodifiableSet(versions); + default: + break; } } - return ret; + return null; } /** - * Returns the set of evidence from a given source and name. + * Tests if the evidence collection contains the given evidence. * - * @param source the source of the evidence - * @param name the name of the evidence to return - * @return the set of evidence. + * @param type the type of evidence (vendor, product, version) + * @param e the evidence to search + * @return true if the evidence is found; otherwise false */ - public Set getEvidence(String source, String name) { - if (source == null || name == null) { - return null; - } - final Set ret = new HashSet<>(); - for (Evidence e : list) { - if (source.equals(e.getSource()) && name.equals(e.getName())) { - ret.add(e); - } - } - return ret; - } - - /** - * Implements the iterator interface for the Evidence Collection. 
- * - * @return an Iterator<Evidence> - */ - @Override - public Iterator iterator() { - return list.iterator(); - } - - /** - * Used to determine if a given string was used (aka read). - * - * @param text the string to search for. - * @return whether or not the string was used. - */ - public boolean containsUsedString(String text) { - if (text == null) { - return false; - } - final String textToTest = text.toLowerCase(); - - for (Evidence e : EvidenceCollection.EVIDENCE_USED.filter(this)) { - //TODO consider changing the regex to only compare alpha-numeric (i.e. strip everything else) - final String item = e.getValue(); - if (item != null) { - final String uc = urlCorrection(item.toLowerCase()); - if (uc != null) { - final String value = uc.replaceAll("[\\s_-]", ""); - if (value.contains(textToTest)) { - return true; - } - } + public synchronized boolean contains(EvidenceType type, Evidence e) { + if (null != type) { + switch (type) { + case VENDOR: + return vendors.contains(e); + case PRODUCT: + return products.contains(e); + case VERSION: + return versions.contains(e); + default: + break; } } return false; } /** - * Used to determine if a given version was used (aka read) from the - * EvidenceCollection. - * - * @param version the version to search for within the collected evidence. - * @return whether or not the string was used. - */ - public boolean containsUsedVersion(DependencyVersion version) { - if (version == null) { - return false; - } - - for (Evidence e : EvidenceCollection.EVIDENCE_USED.filter(this)) { - final DependencyVersion value = DependencyVersionUtil.parseVersion(e.getValue()); - if (value != null && value.matchesAtLeastThreeLevels(version)) { - return true; - } - } - return false; - } - - /** - * Returns whether or not the collection contains evidence of a specified - * Confidence. - * + * Returns whether or not the collection contains evidence of a + * specified type and confidence. 
+ * @param type the type of evidence (vendor, product, version) * @param confidence A Confidence value. * @return boolean. */ - public boolean contains(Confidence confidence) { - for (Evidence e : list) { + public synchronized boolean contains(EvidenceType type, Confidence confidence) { + if (null == type) { + return false; + } + Set col; + switch (type) { + case VENDOR: + col = vendors; + break; + case PRODUCT: + col = products; + break; + case VERSION: + col = versions; + break; + default: + return false; + } + for (Evidence e : col) { if (e.getConfidence().equals(confidence)) { return true; } 
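Review bot: `getEvidence(EvidenceType)`, `getVendorWeightings()` and `getProductWeightings()` return `Collections.unmodifiableSet(...)` over the live backing sets, so a caller iterating the result (e.g. the `for (Evidence e : result.getEvidence(EvidenceType.PRODUCT))` loops in the test changes of this diff) runs outside the `synchronized` lock and can hit `ConcurrentModificationException` if another thread calls `addEvidence`; either return a copy (`Collections.unmodifiableSet(new HashSet<>(vendors))`) or state in the Javadoc that the views must not be iterated concurrently with mutation, since the class is now annotated `@ThreadSafe`. `getEvidence` still returns `null` for a null type; `Collections.emptySet()` would spare callers the null check. The Javadoc of `getProductWeightings` says `@return an unmodifiable set of vendor weighting strings` — a copy-paste slip; it should read `product weighting strings`.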
@@ -314,73 +346,27 @@ public class EvidenceCollection implements Serializable, Iterable { return false; } - /** - * Merges multiple EvidenceCollections together, only merging evidence that - * was used, into a new EvidenceCollection. - * - * @param ec One or more EvidenceCollections. - * @return a new EvidenceCollection containing the used evidence. - */ - public static EvidenceCollection mergeUsed(EvidenceCollection... ec) { - final EvidenceCollection ret = new EvidenceCollection(); - for (EvidenceCollection col : ec) { - for (Evidence e : col.list) { - if (e.isUsed()) { - ret.addEvidence(e); - } - } - } - return ret; - } - - /** - * Merges multiple EvidenceCollections together. - * - * @param ec One or more EvidenceCollections. - * @return a new EvidenceCollection. - */ - public static EvidenceCollection merge(EvidenceCollection... ec) { - final EvidenceCollection ret = new EvidenceCollection(); - for (EvidenceCollection col : ec) { - ret.list.addAll(col.list); - ret.weightedStrings.addAll(col.weightedStrings); - } - return ret; - } - - /** - * Merges multiple EvidenceCollections together; flattening all of the - * evidence items by removing the confidence. - * - * @param ec One or more EvidenceCollections - * @return new set of evidence resulting from merging the evidence in the - * collections - */ - public static Set mergeForDisplay(EvidenceCollection... ec) { - final Set ret = new TreeSet<>(); - for (EvidenceCollection col : ec) { - for (Evidence e : col) { - //if (e.isUsed()) { - final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null); - newEvidence.setUsed(true); - ret.add(newEvidence); - //} - } - } - return ret; - } - /** * Returns a string of evidence 'values'. * * @return a string containing the evidence. 
*/ @Override - public String toString() { + public synchronized String toString() { final StringBuilder sb = new StringBuilder(); - for (Evidence e : this.list) { - sb.append(e.getValue()).append(' '); + sb.append("{vendors: ["); + for (Evidence e : this.vendors) { + sb.append("'").append(e.getValue()).append("', "); } + sb.append("],/nproducts: ["); + for (Evidence e : this.products) { + sb.append("'").append(e.getValue()).append("', "); + } + sb.append("],/nversions: ["); + for (Evidence e : this.versions) { + sb.append("'").append(e.getValue()).append("', "); + } + sb.append("]"); return sb.toString(); } @@ -389,49 +375,34 @@ public class EvidenceCollection implements Serializable, Iterable { * * @return the number of elements in the collection. */ - public int size() { - return list.size(); + public synchronized int size() { + return vendors.size() + products.size() + versions.size(); } - /** - *
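Review bot: The separators in the rewritten `toString()` use `/n` (`"],/nproducts: ["` and `"],/nversions: ["`), which emits a literal slash-n rather than a newline; either `"],\nproducts: ["` / `"],\nversions: ["` or a plain `"], products: ["` was meant. Each element is also followed by `', ` so every non-empty list ends with a dangling `, ` before `]`; appending the separator before each element after the first would tidy that, but the `/n` is the defect to fix. The method is complete within the hunk.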

- * Takes a string that may contain a fully qualified domain and it will - * return the string having removed the query string, the protocol, the - * sub-domain of 'www', and the file extension of the path.

- *

- * This is useful for checking if the evidence contains a specific string. - * The presence of the protocol, file extension, etc. may produce false - * positives. - * - *

- * Example, given the following input:

- * 'Please visit https://www.owasp.com/path1/path2/file.php?id=439' - *

- * The function would return:

- * 'Please visit owasp path1 path2 file' - * - * @param value the value that may contain a url - * @return the modified string - */ - private String urlCorrection(String value) { - if (value == null || !UrlStringUtils.containsUrl(value)) { - return value; + @Override + public int hashCode() { + return new HashCodeBuilder(13, 43) + .append(vendors) + .append(vendorWeightings) + .append(products) + .append(productWeightings) + .append(versions) + .toHashCode(); + } + + @Override + public boolean equals(Object obj) { + if (obj == null || getClass() != obj.getClass()) { + return false; } - final StringBuilder sb = new StringBuilder(value.length()); - final String[] parts = value.split("\\s"); - for (String part : parts) { - if (UrlStringUtils.isUrl(part)) { - try { - final List data = UrlStringUtils.extractImportantUrlData(part); - sb.append(' ').append(StringUtils.join(data, ' ')); - } catch (MalformedURLException ex) { - LOGGER.debug("error parsing {}", part, ex); - sb.append(' ').append(part); - } - } else { - sb.append(' ').append(part); - } - } - return sb.toString().trim(); + final EvidenceCollection other = (EvidenceCollection) obj; + return new EqualsBuilder() + .appendSuper(super.equals(obj)) + .append(this.vendors, other.vendors) + .append(this.vendorWeightings, other.vendorWeightings) + .append(this.products, other.products) + .append(this.productWeightings, other.productWeightings) + .append(this.versions, other.versions) + .isEquals(); } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceType.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceType.java new file mode 100644 index 000000000..b84bcaa0e --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceType.java 
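Review bot: `equals(Object)` calls `.appendSuper(super.equals(obj))`; `EvidenceCollection` declares no superclass, so `super.equals` is reference equality and `equals` can only return true for the same instance — the five field comparisons that follow are dead code. Drop the `.appendSuper(super.equals(obj))` line and add the usual fast path `if (this == obj) { return true; }` ahead of the class check. `hashCode()` and `equals()` are also the only methods in this class that read `vendors`/`products`/`versions` without `synchronized`, which is inconsistent with the `@ThreadSafe` annotation added on the class; and because those sets are mutable, the hash of a collection changes as evidence is added, so instances must not live in hash-based containers while still being populated (worth a Javadoc note). The mirror-image problem, `appendSuper` in `hashCode` but not in `equals`, appears in the `Dependency` hunks earlier in this diff.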
@@ -0,0 +1,38 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.dependency; + +/** + * The types of evidence. + * @author jeremy long + */ +public enum EvidenceType { + /** + * Vendor evidence. + */ + VENDOR, + /** + * Product evidence. + */ + PRODUCT, + /** + * Version evidence. + */ + VERSION + +} diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineModeIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineModeIT.java index a749eaec7..1d08a9ee3 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineModeIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineModeIT.java @@ -14,7 +14,6 @@ import java.io.File; import java.io.IOException; import java.nio.file.Files; import java.nio.file.Path; -import java.util.List; import static org.hamcrest.CoreMatchers.notNullValue; import static org.hamcrest.CoreMatchers.nullValue; @@ -23,6 +22,7 @@ import static org.hamcrest.core.Is.is; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; import org.junit.Assume; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.utils.FileUtils; /** 
@@ -80,8 +80,8 @@ public class EngineModeIT extends BaseTest { dependencies = engine.getDependencies(); assertThat(dependencies.length, is(1)); Dependency dependency = dependencies[0]; - assertTrue(dependency.getVendorEvidence().toString().toLowerCase().contains("apache")); - assertTrue(dependency.getVendorEvidence().getWeighting().contains("apache")); + assertTrue(dependency.getEvidence(EvidenceType.VENDOR).toString().toLowerCase().contains("apache")); + assertTrue(dependency.getVendorWeightings().contains("apache")); assertTrue(dependency.getVulnerabilities().isEmpty()); } @@ -115,8 +115,8 @@ public class EngineModeIT extends BaseTest { Dependency[] dependencies = engine.getDependencies(); assertThat(dependencies.length, is(1)); Dependency dependency = dependencies[0]; - assertTrue(dependency.getVendorEvidence().toString().toLowerCase().contains("apache")); - assertTrue(dependency.getVendorEvidence().getWeighting().contains("apache")); + assertTrue(dependency.getEvidence(EvidenceType.VENDOR).toString().toLowerCase().contains("apache")); + assertTrue(dependency.getVendorWeightings().contains("apache")); assertFalse(dependency.getVulnerabilities().isEmpty()); } } @@ -127,10 +127,6 @@ public class EngineModeIT extends BaseTest { assertThat(Files.exists(directory), is(true)); assertThat(Files.isDirectory(directory), is(true)); Path database = directory.resolve(getSettings().getString(Settings.KEYS.DB_FILE_NAME)); - //System.err.println(database.toString()); - //for (String f : directory.toFile().list()) { - // System.err.println(f); - //} assertThat(Files.exists(database), is(exists)); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java index 2ee1c51dc..ffaeeea80 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java 
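Review bot: The rewritten assertions call `toString()` on the `Set` returned by `dependency.getEvidence(EvidenceType.VENDOR)`, so they now depend on `Evidence.toString()` (not shown) including the evidence value, whereas the old `EvidenceCollection.toString()` concatenated values explicitly; if `Evidence.toString()` omits the value, `contains("apache")` fails or passes for the wrong reason. Iterating the set and checking `e.getValue().toLowerCase().contains("apache")`, or asserting with `dependency.contains(EvidenceType.VENDOR, ...)` as the analyzer tests in this diff do, would make the intent explicit. The same pattern appears in both test methods changed here.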
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java @@ -40,6 +40,7 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Evidence; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.exception.InitializationException; import org.owasp.dependencycheck.utils.FileUtils; import org.owasp.dependencycheck.utils.Settings; @@ -130,21 +131,8 @@ public class AssemblyAnalyzerTest extends BaseTest { File f = BaseTest.getResourceAsFile(this, "GrokAssembly.exe"); Dependency d = new Dependency(f); analyzer.analyze(d, null); - boolean foundVendor = false; - for (Evidence e : d.getVendorEvidence().getEvidence("grokassembly", "vendor")) { - if ("OWASP".equals(e.getValue())) { - foundVendor = true; - } - } - assertTrue(foundVendor); - - boolean foundProduct = false; - for (Evidence e : d.getProductEvidence().getEvidence("grokassembly", "product")) { - if ("GrokAssembly".equals(e.getValue())) { - foundProduct = true; - } - } - assertTrue(foundProduct); + assertTrue(d.contains(EvidenceType.VENDOR, new Evidence("grokassembly", "vendor", "OWASP", Confidence.HIGH))); + assertTrue(d.contains(EvidenceType.PRODUCT, new Evidence("grokassembly", "product", "GrokAssembly", Confidence.HIGH))); } @Test 
@@ -154,9 +142,9 @@ public class AssemblyAnalyzerTest extends BaseTest { Dependency d = new Dependency(f); analyzer.analyze(d, null); - assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.2.13.0", Confidence.HIGHEST))); - assertTrue(d.getVendorEvidence().getEvidence().contains(new Evidence("grokassembly", "vendor", "The Apache Software Foundation", Confidence.HIGH))); - assertTrue(d.getProductEvidence().getEvidence().contains(new Evidence("grokassembly", "product", "log4net", Confidence.HIGH))); + assertTrue(d.contains(EvidenceType.VERSION, new Evidence("grokassembly", "version", "1.2.13.0", Confidence.HIGHEST))); + assertTrue(d.contains(EvidenceType.VENDOR, new Evidence("grokassembly", "vendor", "The Apache Software Foundation", Confidence.HIGH))); + assertTrue(d.contains(EvidenceType.PRODUCT, new Evidence("grokassembly", "product", "log4net", Confidence.HIGH))); } @Test diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java index 8a0ff2fd2..623494354 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java @@ -28,6 +28,9 @@ import java.io.File; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Evidence; +import org.owasp.dependencycheck.dependency.EvidenceType; /** * Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were 
@@ -47,21 +50,6 @@ public class AutoconfAnalyzerTest extends BaseTest { */ private AutoconfAnalyzer analyzer; - private void assertCommonEvidence(Dependency result, String product, - String version, String vendor) { - assertProductAndVersion(result, product, version); - assertTrue("Expected vendor evidence to contain \"" + vendor + "\".", - result.getVendorEvidence().toString().contains(vendor)); - } - - private void assertProductAndVersion(Dependency result, String product, - String version) { - assertTrue("Expected product evidence to contain \"" + product + "\".", - result.getProductEvidence().toString().contains(product)); - assertTrue("Expected version evidence to contain \"" + version + "\".", - result.getVersionEvidence().toString().contains(version)); - } - /** * Correctly setup the analyzer for testing. * @@ -91,8 +79,7 @@ public class AutoconfAnalyzerTest extends BaseTest { } /** - * Test whether expected evidence is gathered from Ghostscript's - * configure. + * Test whether expected evidence is gathered from Ghostscript's configure. * * @throws AnalysisException is thrown when an exception occurs. */ @@ -101,7 +88,10 @@ public class AutoconfAnalyzerTest extends BaseTest { final Dependency result = new Dependency(BaseTest.getResourceAsFile( this, "autoconf/ghostscript/configure.ac")); analyzer.analyze(result, null); - assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu"); + //TODO fix these + assertTrue(result.contains(EvidenceType.VENDOR, new Evidence("configure.ac", "Bug report address", "gnu-ghostscript-bug@gnu.org", Confidence.HIGH))); + assertTrue(result.contains(EvidenceType.PRODUCT, new Evidence("configure.ac", "Package", "gnu-ghostscript", Confidence.HIGHEST))); + assertTrue(result.contains(EvidenceType.VERSION, new Evidence("configure.ac", "Package Version", "8.62.0", Confidence.HIGHEST))); } /** 
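Review bot: The new assertions in the Ghostscript test are preceded by `//TODO fix these` without saying what is wrong with them; a TODO that names the problem or references a tracked issue is needed, otherwise it is noise that will outlive the change. The old helper only checked for the vendor substring `gnu`, while the new check pins the full bug-report address `gnu-ghostscript-bug@gnu.org` as `VENDOR` evidence at `Confidence.HIGH`; if the TODO means that evidence is considered wrong, the test is now asserting behaviour you intend to change, which should be stated next to it. The removed `assertCommonEvidence`/`assertProductAndVersion` helpers could have been retargeted at the new `contains(EvidenceType, Evidence)` API instead of repeating the assertion blocks in the later hunks of this file.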
@@ -114,14 +104,11 @@ public class AutoconfAnalyzerTest extends BaseTest { final Dependency result = new Dependency(BaseTest.getResourceAsFile( this, "autoconf/readable-code/configure.ac")); analyzer.analyze(result, null); - assertReadableCodeEvidence(result); - } - private void assertReadableCodeEvidence(final Dependency result) { - assertCommonEvidence(result, "readable", "1.0.7", "dwheeler"); - final String url = "http://readable.sourceforge.net/"; - assertTrue("Expected product evidence to contain \"" + url + "\".", - result.getVendorEvidence().toString().contains(url)); + assertTrue(result.contains(EvidenceType.VENDOR, new Evidence("configure.ac", "Bug report address", "dwheeler@dwheeler.com", Confidence.HIGH))); + assertTrue(result.contains(EvidenceType.PRODUCT, new Evidence("configure.ac", "Package", "readable", Confidence.HIGHEST))); + assertTrue(result.contains(EvidenceType.VERSION, new Evidence("configure.ac", "Package Version", "1.0.7", Confidence.HIGHEST))); + assertTrue(result.contains(EvidenceType.VENDOR, new Evidence("configure.ac", "URL", "http://readable.sourceforge.net/", Confidence.HIGH))); } /** @@ -134,7 +121,9 @@ public class AutoconfAnalyzerTest extends BaseTest { final Dependency result = new Dependency(BaseTest.getResourceAsFile( this, "autoconf/binutils/configure")); analyzer.analyze(result, null); - assertProductAndVersion(result, "binutils", "2.25.51"); + + assertTrue(result.contains(EvidenceType.PRODUCT, new Evidence("configure", "NAME", "binutils", Confidence.HIGHEST))); + assertTrue(result.contains(EvidenceType.VERSION, new Evidence("configure", "VERSION", "2.25.51", Confidence.HIGHEST))); } /** 
@@ -148,7 +137,11 @@ public class AutoconfAnalyzerTest extends BaseTest { final Dependency result = new Dependency(BaseTest.getResourceAsFile( this, "autoconf/readable-code/configure")); analyzer.analyze(result, null); - assertReadableCodeEvidence(result); + + assertTrue(result.contains(EvidenceType.VENDOR, new Evidence("configure", "BUGREPORT", "dwheeler@dwheeler.com", Confidence.HIGH))); + assertTrue(result.contains(EvidenceType.PRODUCT, new Evidence("configure", "NAME", "readable", Confidence.HIGHEST))); + assertTrue(result.contains(EvidenceType.VERSION, new Evidence("configure", "VERSION", "1.0.7", Confidence.HIGHEST))); + assertTrue(result.contains(EvidenceType.VENDOR, new Evidence("configure", "URL", "http://readable.sourceforge.net/", Confidence.HIGH))); } /** diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java index e7de753bf..96c7f6a0f 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java @@ -42,6 +42,8 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertThat; import static org.junit.Assert.assertTrue; +import org.owasp.dependencycheck.dependency.Evidence; +import org.owasp.dependencycheck.dependency.EvidenceType; /** * Unit tests for CmakeAnalyzer. 
@@ -132,10 +134,16 @@ public class CMakeAnalyzerTest extends BaseDBTestCase { final String product = "zlib"; assertProductEvidence(result, product); } - + private void assertProductEvidence(Dependency result, String product) { - assertTrue("Expected product evidence to contain \"" + product + "\".", - result.getProductEvidence().toString().contains(product)); + boolean found = false; + for (Evidence e : result.getEvidence(EvidenceType.PRODUCT)) { + if (product.equals(e.getValue())) { + found = true; + break; + } + } + assertTrue("Expected product evidence to contain \"" + product + "\".", found); } /** @@ -153,19 +161,25 @@ public class CMakeAnalyzerTest extends BaseDBTestCase { assertProductEvidence(result, "libavcodec"); assertVersionEvidence(result, "55.18.102"); assertFalse("ALIASOF_ prefix shouldn't be present.", - Pattern.compile("\\bALIASOF_\\w+").matcher(result.getProductEvidence().toString()).find()); + Pattern.compile("\\bALIASOF_\\w+").matcher(result.getEvidence(EvidenceType.PRODUCT).toString()).find()); final Dependency[] dependencies = engine.getDependencies(); assertEquals("Number of additional dependencies should be 4.", 4, dependencies.length); final Dependency last = dependencies[3]; assertProductEvidence(last, "libavresample"); assertVersionEvidence(last, "1.0.1"); } - + private void assertVersionEvidence(Dependency result, String version) { - assertTrue("Expected version evidence to contain \"" + version + "\".", - result.getVersionEvidence().toString().contains(version)); + boolean found = false; + for (Evidence e : result.getEvidence(EvidenceType.VERSION)) { + if (version.equals(e.getValue())) { + found = true; + break; + } + } + assertTrue("Expected version evidence to contain \"" + version + "\".", found); } - + @Test(expected = InitializationException.class) public void analyzerIsDisabledInCaseOfMissingMessageDigest() throws InitializationException { new MockUp() { 
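Review bot: The new assertVersionEvidence body is a line-for-line copy of assertProductEvidence with only the EvidenceType changed; fold the loop into one helper parameterised by type and have both existing names delegate to it so the matching logic lives in one place. The ALIASOF_ regex is still applied to the Set's `toString()`, which only works if that rendering includes evidence values — presumably true, but a loop over `e.getValue()` like the helpers use would not depend on it.
```java
private void assertProductEvidence(Dependency result, String product) {
    assertEvidence(result, EvidenceType.PRODUCT, product);
}

private void assertVersionEvidence(Dependency result, String version) {
    assertEvidence(result, EvidenceType.VERSION, version);
}

/** Asserts that {@code result} carries evidence of {@code type} whose value equals {@code expected}. */
private void assertEvidence(Dependency result, EvidenceType type, String expected) {
    boolean found = false;
    for (Evidence e : result.getEvidence(type)) {
        if (expected.equals(e.getValue())) {
            found = true;
            break;
        }
    }
    assertTrue("Expected " + type + " evidence to contain \"" + expected + "\".", found);
}
```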
@@ -174,13 +188,13 @@ public class CMakeAnalyzerTest extends BaseDBTestCase { throw new NoSuchAlgorithmException(); } }; - + analyzer = new CMakeAnalyzer(); analyzer.setFilesMatched(true); assertTrue(analyzer.isEnabled()); analyzer.initializeSettings(getSettings()); analyzer.initialize(null); - + assertFalse(analyzer.isEnabled()); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java index 3f46f30a8..07580fba5 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java @@ -34,6 +34,7 @@ import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Identifier; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; +import org.owasp.dependencycheck.dependency.EvidenceType; /** * @@ -137,8 +138,14 @@ public class CPEAnalyzerIT extends BaseDBTestCase { fp.analyze(dep, null); if (expResult != null) { - Identifier expIdentifier = new Identifier("cpe", expResult, expResult); - assertTrue("Incorrect match: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().contains(expIdentifier)); + boolean found = false; + for (Identifier i : dep.getIdentifiers()) { + if (expResult.equals(i.getValue())) { + found = true; + break; + } + } + assertTrue("Incorrect match: { dep:'" + dep.getFileName() + "' }", found); } else { for (Identifier i : dep.getIdentifiers()) { assertFalse(String.format("%s - found a CPE identifier when should have been none (found '%s')", dep.getFileName(), i.getValue()), "cpe".equals(i.getType())); 
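Review bot: The replacement loop in the `@@ -137` hunk accepts any identifier whose value equals expResult, whereas the removed `contains(new Identifier("cpe", expResult, expResult))` also required the identifier type to be `cpe`; tighten the condition to `if ("cpe".equals(i.getType()) && expResult.equals(i.getValue()))`. The same six-line loop is repeated for struts and openssl in the following hunks of this file, so a private helper such as `assertHasCpe(Dependency dep, String cpe)` would keep the type check in one place. The enclosing test method starts before the hunk.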
@@ -201,14 +208,20 @@ public class CPEAnalyzerIT extends BaseDBTestCase { instance.close(); String expResult = "cpe:/a:apache:struts:2.1.2"; - Identifier expIdentifier = new Identifier("cpe", expResult, expResult); for (Identifier i : commonValidator.getIdentifiers()) { assertFalse("Apache Common Validator - found a CPE identifier?", "cpe".equals(i.getType())); } assertTrue("Incorrect match size - struts", struts.getIdentifiers().size() >= 1); - assertTrue("Incorrect match - struts", struts.getIdentifiers().contains(expIdentifier)); + boolean found = false; + for (Identifier i : struts.getIdentifiers()) { + if (expResult.equals(i.getValue())) { + found = true; + break; + } + } + assertTrue("Incorrect match - struts", found); assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 1); jarAnalyzer.close(); @@ -223,9 +236,9 @@ public class CPEAnalyzerIT extends BaseDBTestCase { @Test public void testDetermineIdentifiers() throws Exception { Dependency openssl = new Dependency(); - openssl.getVendorEvidence().addEvidence("test", "vendor", "openssl", Confidence.HIGHEST); - openssl.getProductEvidence().addEvidence("test", "product", "openssl", Confidence.HIGHEST); - openssl.getVersionEvidence().addEvidence("test", "version", "1.0.1c", Confidence.HIGHEST); + openssl.addEvidence(EvidenceType.VENDOR, "test", "vendor", "openssl", Confidence.HIGHEST); + openssl.addEvidence(EvidenceType.PRODUCT, "test", "product", "openssl", Confidence.HIGHEST); + openssl.addEvidence(EvidenceType.VERSION, "test", "version", "1.0.1c", Confidence.HIGHEST); CPEAnalyzer instance = new CPEAnalyzer(); Engine engine = new Engine(getSettings()); 
@@ -234,12 +247,19 @@ public class CPEAnalyzerIT extends BaseDBTestCase { instance.initialize(engine); instance.determineIdentifiers(openssl, "openssl", "openssl", Confidence.HIGHEST); instance.close(); + engine.close(); String expResult = "cpe:/a:openssl:openssl:1.0.1c"; Identifier expIdentifier = new Identifier("cpe", expResult, expResult); + boolean found = false; + for (Identifier i : openssl.getIdentifiers()) { + if (expResult.equals(i.getValue())) { + found = true; + break; + } + } - assertTrue(openssl.getIdentifiers().contains(expIdentifier)); - engine.close(); + assertTrue("OpenSSL identifier not found", found); } /** diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzerTest.java index d1b068da8..cb3153c3f 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzerTest.java @@ -20,7 +20,10 @@ import static org.junit.Assert.assertTrue; import org.junit.Test; import org.owasp.dependencycheck.BaseTest; import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.EvidenceType; +import org.owasp.dependencycheck.utils.Settings; /** * 
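Review bot: `Identifier expIdentifier = new Identifier("cpe", expResult, expResult);` is now dead code — its only use was the removed `contains(expIdentifier)` assertion — so delete that line. Moving `engine.close()` ahead of the assertion is an improvement, but it still will not run if `determineIdentifiers` throws; a try/finally (or try-with-resources, if Engine is AutoCloseable, which is not visible here) would guarantee the close. As in the earlier hunks, the value-only loop no longer verifies that the matched identifier's type is `cpe`.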
@@ -51,10 +54,22 @@ public class FalsePositiveAnalyzerTest extends BaseTest { } /** - * Test of analyze method, of class FalsePositiveAnalyzer. + * Test of getAnalyzerEnabledSettingKey method, of class + * FalsePositiveAnalyzer. */ @Test - public void testAnalyze() throws Exception { + public void testGetAnalyzerEnabledSettingKey() { + FalsePositiveAnalyzer instance = new FalsePositiveAnalyzer(); + String expResult = Settings.KEYS.ANALYZER_FALSE_POSITIVE_ENABLED; + String result = instance.getAnalyzerEnabledSettingKey(); + assertEquals(expResult, result); + } + + /** + * Test of analyzeDependency method, of class FalsePositiveAnalyzer. + */ + @Test + public void testAnalyzeDependency() throws Exception { Dependency dependency = new Dependency(); dependency.setFileName("pom.xml"); dependency.setFilePath("pom.xml"); @@ -67,4 +82,27 @@ public class FalsePositiveAnalyzerTest extends BaseTest { assertTrue(before > after); } + /** + * Test of removeBadMatches method, of class FalsePositiveAnalyzer. + */ + @Test + public void testRemoveBadMatches() { + Dependency dependency = new Dependency(); + dependency.setFileName("some.jar"); + dependency.setFilePath("some.jar"); + dependency.addIdentifier("cpe", "cpe:/a:m-core:m-core", ""); + + assertEquals(1, dependency.getIdentifiers().size()); + + FalsePositiveAnalyzer instance = new FalsePositiveAnalyzer(); + instance.removeBadMatches(dependency); + + assertEquals(0, dependency.getIdentifiers().size()); + dependency.addIdentifier("cpe", "cpe:/a:m-core:m-core", ""); + dependency.addEvidence(EvidenceType.PRODUCT,"test", "name", "m-core", Confidence.HIGHEST); + + instance.removeBadMatches(dependency); + assertEquals(1, dependency.getIdentifiers().size()); + } + } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java index 90416ed3f..c56f0207d 100644 
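Review bot: testRemoveBadMatches asserts only identifier counts and gives no hint why the first `cpe:/a:m-core:m-core` must disappear while the second survives; add a one-line comment before the first `removeBadMatches` call, e.g. `// a CPE with no supporting PRODUCT evidence is a bad match and is removed`, and one before the second noting that matching PRODUCT evidence keeps it, as the test exercises it. The two `assertEquals` calls should carry messages for the same reason. The missing space in `addEvidence(EvidenceType.PRODUCT,"test", ...)` is a formatting nit.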
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java @@ -24,6 +24,7 @@ import static org.junit.Assert.fail; import org.junit.Test; import org.owasp.dependencycheck.BaseTest; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.exception.InitializationException; /** @@ -67,10 +68,10 @@ public class FileNameAnalyzerTest extends BaseTest { Dependency resultAxis = new Dependency(axis); FileNameAnalyzer instance = new FileNameAnalyzer(); instance.analyze(resultStruts, null); - assertTrue(resultStruts.getVendorEvidence().toString().toLowerCase().contains("struts")); + assertTrue(resultStruts.getEvidence(EvidenceType.VENDOR).toString().toLowerCase().contains("struts")); instance.analyze(resultAxis, null); - assertTrue(resultStruts.getVersionEvidence().toString().toLowerCase().contains("2.1.2")); + assertTrue(resultStruts.getEvidence(EvidenceType.VERSION).toString().toLowerCase().contains("2.1.2")); } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java index 23d582266..8e8d401cb 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java @@ -28,6 +28,7 @@ import org.owasp.dependencycheck.BaseDBTestCase; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Evidence; +import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.utils.Settings; /** 
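Review bot: The rewritten version assertion that follows `instance.analyze(resultAxis, null)` still inspects `resultStruts`, so the axis analysis result is never checked at all; the struts version assertion belongs directly after the struts vendor assertion, and a corresponding `assertTrue(resultAxis.getEvidence(EvidenceType.VERSION)...contains(...))` with the axis fixture's version (not visible here) should follow the axis analyze call. The mismatch predates this commit, but since the line is being rewritten anyway this is the moment to fix it. The enclosing test method starts before the hunk.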
@@ -73,10 +74,10 @@ public class HintAnalyzerTest extends BaseDBTestCase { getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false); getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false); Engine engine = new Engine(getSettings()); - + engine.scan(guice); engine.scan(spring); - engine.analyzeDependencies(); + engine.analyzeDependencies(); Dependency gdep = null; Dependency sdep = null; for (Dependency d : engine.getDependencies()) { @@ -91,18 +92,16 @@ public class HintAnalyzerTest extends BaseDBTestCase { final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH); final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH); final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH); - - Set evidence = gdep.getEvidence().getEvidence(); - assertFalse(evidence.contains(springTest1)); - assertFalse(evidence.contains(springTest2)); - assertFalse(evidence.contains(springTest3)); - assertFalse(evidence.contains(springTest4)); - assertFalse(evidence.contains(springTest5)); - - evidence = sdep.getEvidence().getEvidence(); - assertTrue(evidence.contains(springTest1)); - assertTrue(evidence.contains(springTest2)); - assertTrue(evidence.contains(springTest3)); + + assertFalse(gdep.contains(EvidenceType.PRODUCT, springTest1)); + assertFalse(gdep.contains(EvidenceType.VENDOR, springTest2)); + assertFalse(gdep.contains(EvidenceType.VENDOR, springTest3)); + assertFalse(gdep.contains(EvidenceType.PRODUCT, springTest4)); + assertFalse(gdep.contains(EvidenceType.VENDOR, springTest5)); + + assertTrue(sdep.contains(EvidenceType.PRODUCT, springTest1)); + assertTrue(sdep.contains(EvidenceType.VENDOR, springTest2)); + assertTrue(sdep.contains(EvidenceType.VENDOR, springTest3)); //assertTrue(evidence.contains(springTest4)); //assertTrue(evidence.contains(springTest5)); } 
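Review bot: The two trailing `//assertTrue(evidence.contains(springTest4));` lines reference the `evidence` local that this hunk removes, so the commented-out code is now doubly stale; either delete them or, if they are meant to be revived, rewrite them as `//assertTrue(sdep.contains(EvidenceType.PRODUCT, springTest4));` with a comment explaining why they are disabled. Note also that springTest3 and springTest5 are built from identical arguments, so the fifth assertion on each dependency merely repeats the third.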
@@ -118,21 +117,21 @@ public class HintAnalyzerTest extends BaseDBTestCase { instance.initializeSettings(getSettings()); instance.initialize(null); Dependency d = new Dependency(); - d.getVersionEvidence().addEvidence("version source", "given version name", "1.2.3", Confidence.HIGH); - d.getVersionEvidence().addEvidence("hint analyzer", "remove version name", "value", Confidence.HIGH); - d.getVendorEvidence().addEvidence("hint analyzer", "remove vendor name", "vendor", Confidence.HIGH); - d.getProductEvidence().addEvidence("hint analyzer", "remove product name", "product", Confidence.HIGH); - d.getVersionEvidence().addEvidence("hint analyzer", "other version name", "value", Confidence.HIGH); - d.getVendorEvidence().addEvidence("hint analyzer", "other vendor name", "vendor", Confidence.HIGH); - d.getProductEvidence().addEvidence("hint analyzer", "other product name", "product", Confidence.HIGH); - - assertEquals("vendor evidence mismatch", 2, d.getVendorEvidence().size()); - assertEquals("product evidence mismatch", 2, d.getProductEvidence().size()); - assertEquals("version evidence mismatch", 3, d.getVersionEvidence().size()); + d.addEvidence(EvidenceType.VERSION, "version source", "given version name", "1.2.3", Confidence.HIGH); + d.addEvidence(EvidenceType.VERSION, "hint analyzer", "remove version name", "value", Confidence.HIGH); + d.addEvidence(EvidenceType.VENDOR, "hint analyzer", "remove vendor name", "vendor", Confidence.HIGH); + d.addEvidence(EvidenceType.PRODUCT, "hint analyzer", "remove product name", "product", Confidence.HIGH); + d.addEvidence(EvidenceType.VERSION, "hint analyzer", "other version name", "value", Confidence.HIGH); + d.addEvidence(EvidenceType.VENDOR, "hint analyzer", "other vendor name", "vendor", Confidence.HIGH); + d.addEvidence(EvidenceType.PRODUCT, "hint analyzer", "other product name", "product", Confidence.HIGH); + + assertEquals("vendor evidence mismatch", 2, d.getEvidence(EvidenceType.VENDOR).size()); + assertEquals("product 
evidence mismatch", 2, d.getEvidence(EvidenceType.PRODUCT).size()); + assertEquals("version evidence mismatch", 3, d.getEvidence(EvidenceType.VERSION).size()); instance.analyze(d, null); - assertEquals("vendor evidence mismatch", 1, d.getVendorEvidence().size()); - assertEquals("product evidence mismatch", 1, d.getProductEvidence().size()); - assertEquals("version evidence mismatch", 2, d.getVersionEvidence().size()); - + assertEquals("vendor evidence mismatch", 1, d.getEvidence(EvidenceType.VENDOR).size()); + assertEquals("product evidence mismatch", 1, d.getEvidence(EvidenceType.PRODUCT).size()); + assertEquals("version evidence mismatch", 2, d.getEvidence(EvidenceType.VERSION).size()); + } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java index d66a30aff..4c4f5b4de 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java @@ -33,6 +33,7 @@ import org.owasp.dependencycheck.utils.Settings; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; +import org.owasp.dependencycheck.dependency.EvidenceType; /** * @author Jeremy Long 
@@ -53,14 +54,14 @@ public class JarAnalyzerTest extends BaseTest { instance.initializeSettings(getSettings()); instance.initializeFileTypeAnalyzer(null); instance.analyze(result, null); - assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache")); - assertTrue(result.getVendorEvidence().getWeighting().contains("apache")); + assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().toLowerCase().contains("apache")); + assertTrue(result.getVendorWeightings().contains("apache")); file = BaseTest.getResourceAsFile(this, "dwr.jar"); result = new Dependency(file); instance.analyze(result, null); boolean found = false; - for (Evidence e : result.getVendorEvidence()) { + for (Evidence e : result.getEvidence(EvidenceType.VENDOR)) { if (e.getName().equals("url")) { assertEquals("Project url was not as expected in dwr.jar", e.getValue(), "http://getahead.ltd.uk/dwr"); found = true; @@ -74,7 +75,7 @@ public class JarAnalyzerTest extends BaseTest { result = new Dependency(file); instance.analyze(result, null); found = false; - for (Evidence e : result.getProductEvidence()) { + for (Evidence e : result.getEvidence(EvidenceType.PRODUCT)) { if (e.getName().equalsIgnoreCase("package-title") && e.getValue().equalsIgnoreCase("org.mortbay.http")) { found = true; @@ -84,7 +85,7 @@ public class JarAnalyzerTest extends BaseTest { assertTrue("package-title of org.mortbay.http not found in org.mortbay.jetty.jar", found); found = false; - for (Evidence e : result.getVendorEvidence()) { + for (Evidence e : result.getEvidence(EvidenceType.VENDOR)) { if (e.getName().equalsIgnoreCase("implementation-url") && e.getValue().equalsIgnoreCase("http://jetty.mortbay.org")) { found = true; 
@@ -94,7 +95,7 @@ public class JarAnalyzerTest extends BaseTest { assertTrue("implementation-url of http://jetty.mortbay.org not found in org.mortbay.jetty.jar", found); found = false; - for (Evidence e : result.getVersionEvidence()) { + for (Evidence e : result.getEvidence(EvidenceType.VERSION)) { if (e.getName().equalsIgnoreCase("Implementation-Version") && e.getValue().equalsIgnoreCase("4.2.27")) { found = true; @@ -107,7 +108,7 @@ public class JarAnalyzerTest extends BaseTest { file = BaseTest.getResourceAsFile(this, "org.mortbay.jmx.jar"); result = new Dependency(file); instance.analyze(result, null); - assertEquals("org.mortbar.jmx.jar has version evidence?", result.getVersionEvidence().size(), 0); + assertEquals("org.mortbar.jmx.jar has version evidence?", result.getEvidence(EvidenceType.VERSION).size(), 0); } /** @@ -144,7 +145,7 @@ public class JarAnalyzerTest extends BaseTest { List cni = new ArrayList<>(); instance.parseManifest(result, cni); - assertTrue(result.getVersionEvidence().getEvidence("manifest: org/apache/xalan/").size() > 0); + assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("manifest: org/apache/xalan/")); } /** diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java index b43c1e5bf..f98402fcd 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java @@ -29,6 +29,7 @@ import java.io.File; import static org.hamcrest.CoreMatchers.containsString; import static org.hamcrest.CoreMatchers.is; import static org.junit.Assert.*; +import org.owasp.dependencycheck.dependency.EvidenceType; /** * Unit tests for NodePackageAnalyzer. 
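Review bot: `assertEquals("org.mortbar.jmx.jar has version evidence?", result.getEvidence(EvidenceType.VERSION).size(), 0)` passes the actual value before the expected one, so a failure prints the expected/actual values reversed; write `assertEquals("org.mortbay.jmx.jar has version evidence?", 0, result.getEvidence(EvidenceType.VERSION).size())`. The message also misspells the jar name (mortbar vs mortbay).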
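Review bot: The rewritten assertion in the `@@ -144` hunk looks at the VENDOR bucket, but the line it replaces checked version evidence from source `manifest: org/apache/xalan/`, so the evidence type silently changed and the check now depends on the Set's `toString()` happening to include the evidence source, which nothing in this diff establishes. Iterate the VERSION evidence and test the source directly — assuming Evidence exposes it alongside `getName()`/`getValue()`, something like `if ("manifest: org/apache/xalan/".equals(e.getSource())) found = true;` — in the same loop style used earlier in this file, and keep a failure message. The enclosing test method starts before the hunk.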
@@ -95,10 +96,10 @@ public class NodePackageAnalyzerTest extends BaseTest { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nodejs/node_modules/dns-sync/package.json")); analyzer.analyze(result, null); - final String vendorString = result.getVendorEvidence().toString(); + final String vendorString = result.getEvidence(EvidenceType.VENDOR).toString(); assertThat(vendorString, containsString("Sanjeev Koranga")); assertThat(vendorString, containsString("dns-sync_project")); - assertThat(result.getProductEvidence().toString(), containsString("dns-sync")); - assertThat(result.getVersionEvidence().toString(), containsString("0.1.0")); + assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("dns-sync")); + assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("0.1.0")); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java index 598972782..9fa5d2002 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java @@ -11,8 +11,10 @@ import java.io.File; import static org.hamcrest.CoreMatchers.is; import static org.junit.Assert.*; +import org.owasp.dependencycheck.dependency.EvidenceType; public class NspAnalyzerTest extends BaseTest { + private NspAnalyzer analyzer; @Before 
@@ -47,18 +49,19 @@ public class NspAnalyzerTest extends BaseTest { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nsp/package.json")); analyzer.analyze(result, null); - assertEquals(result.getVendorEvidence().toString(), "owasp-nodejs-goat_project "); - assertEquals(result.getProductEvidence().toString(), "A tool to learn OWASP Top 10 for node.js developers owasp-nodejs-goat "); - assertEquals(result.getVersionEvidence().toString(), "1.3.0 "); + assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("owasp-nodejs-goat_project")); + assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("A tool to learn OWASP Top 10 for node.js developers")); + assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("1.3.0")); } + @Test public void testAnalyzeEmpty() throws AnalysisException { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nsp/empty.json")); analyzer.analyze(result, null); - assertEquals(result.getVendorEvidence().size(), 0); - assertEquals(result.getProductEvidence().size(), 0); - assertEquals(result.getVersionEvidence().size(), 0); + assertEquals(result.getEvidence(EvidenceType.VENDOR).size(), 0); + assertEquals(result.getEvidence(EvidenceType.PRODUCT).size(), 0); + assertEquals(result.getEvidence(EvidenceType.VERSION).size(), 0); } @Test 
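Review bot: The product assertion now checks only the description text and no longer verifies that the package name `owasp-nodejs-goat` is collected as product evidence, which the removed `assertEquals` did; add `assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("owasp-nodejs-goat"));`. Relaxing equals to contains is reasonable given the new Set rendering, but each `assertTrue` should carry a message naming the evidence it expects so a failure is diagnosable.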
@@ -66,9 +69,9 @@ public class NspAnalyzerTest extends BaseTest { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nsp/bundled.deps.package.json")); analyzer.analyze(result, null); - assertEquals(result.getVendorEvidence().toString(), "Philipp Dunkel fsevents_project "); - assertEquals(result.getProductEvidence().toString(), "Native Access to Mac OS-X FSEvents fsevents "); - assertEquals(result.getVersionEvidence().toString(), "1.1.1 "); + assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("Philipp Dunkel ")); + assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("Native Access to Mac OS-X FSEvents")); + assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("1.1.1")); } @Test 
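Review bot: `contains("Philipp Dunkel ")` with a trailing space ties the test to the exact `toString()` rendering of the evidence set (whatever follows a value), which is brittle; drop the trailing space. As in the previous hunk, the product name `fsevents` is no longer asserted at all, so add `assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("fsevents"));`.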
@@ -76,20 +79,16 @@ public class NspAnalyzerTest extends BaseTest { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nsp/license.obj.package.json")); analyzer.analyze(result, null); - assertEquals(result.getVendorEvidence().toString(), "Twitter, Inc. bootstrap_project "); - assertEquals(result.getProductEvidence().toString(), "The most popular front-end framework for developing responsive, mobile first projects on the web. bootstrap "); - assertEquals(result.getVersionEvidence().toString(), "3.2.0 "); + assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("Twitter, Inc.")); + assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("The most popular front-end framework for developing responsive, mobile first projects on the web")); + assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("3.2.0")); } @Test public void testAnalyzePackageJsonInNodeModulesDirectory() throws AnalysisException { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nodejs/node_modules/dns-sync/package.json")); analyzer.analyze(result, null); - final String vendorString = result.getVendorEvidence().toString(); - - // node modules are not scanned - assertTrue(vendorString.isEmpty()); - assertEquals(result.getProductEvidence().size(), 0); - assertEquals(result.getVersionEvidence().size(), 0); + // node modules are not scanned - no evidence is collected + assertTrue(result.size() == 0); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java index 06205bbeb..b81e136b8 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java 
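Review bot: `assertTrue(result.size() == 0)` reports nothing useful when it fails; use `assertEquals("package.json under node_modules should yield no evidence", 0, result.size())`. In the bootstrap test in the same hunk the product name `bootstrap` is no longer asserted (only the description is), so the check that the analyzer extracts the package name is gone — add a contains check for `bootstrap` alongside the description.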
@@ -28,6 +28,7 @@ import java.io.File; import static org.hamcrest.CoreMatchers.containsString; import static org.junit.Assert.*; +import org.owasp.dependencycheck.dependency.EvidenceType; /** * Unit tests for OpenSSLAnalyzerAnalyzer. @@ -108,8 +109,8 @@ public class OpenSSLAnalyzerTest extends BaseTest { this, "openssl/opensslv.h")); analyzer.analyze(result, null); - assertThat(result.getProductEvidence().toString(), containsString("OpenSSL")); - assertThat(result.getVendorEvidence().toString(), containsString("OpenSSL")); - assertThat(result.getVersionEvidence().toString(), containsString("1.0.2c")); + assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("OpenSSL")); + assertThat(result.getEvidence(EvidenceType.VENDOR).toString(), containsString("OpenSSL")); + assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("1.0.2c")); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java index 599ca7051..88b5ba44c 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java @@ -30,6 +30,7 @@ import java.io.File; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; +import org.owasp.dependencycheck.dependency.EvidenceType; /** * Unit tests for PythonDistributionAnalyzer. 
@@ -127,8 +128,8 @@ public class PythonDistributionAnalyzerTest extends BaseTest { boolean found = false; analyzer.analyze(result, null); assertTrue("Expected vendor evidence to contain \"djangoproject\".", - result.getVendorEvidence().toString().contains("djangoproject")); - for (final Evidence e : result.getVersionEvidence()) { + result.getEvidence(EvidenceType.VENDOR).toString().contains("djangoproject")); + for (final Evidence e : result.getEvidence(EvidenceType.VERSION)) { if ("Version".equals(e.getName()) && "1.7.2".equals(e.getValue())) { found = true; break; @@ -179,8 +180,8 @@ public class PythonDistributionAnalyzerTest extends BaseTest { context, resource)); analyzer.analyze(result, null); assertTrue("Expected vendor evidence to contain \"example\".", result - .getVendorEvidence().toString().contains("example")); - for (final Evidence e : result.getVersionEvidence()) { + .getEvidence(EvidenceType.VENDOR).toString().contains("example")); + for (final Evidence e : result.getEvidence(EvidenceType.VERSION)) { if ("0.0.1".equals(e.getValue())) { found = true; break; diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java index 39354a515..ab29d6986 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java @@ -29,6 +29,7 @@ import java.io.File; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; +import org.owasp.dependencycheck.dependency.EvidenceType; /** * Unit tests for PythonPackageAnalyzer. 
@@ -93,9 +94,9 @@ public class PythonPackageAnalyzerTest extends BaseTest { final Dependency result = new Dependency(BaseTest.getResourceAsFile( this, "python/eggtest/__init__.py")); analyzer.analyze(result, null); - assertTrue("Expected vendor evidence to contain \"example\".", result - .getVendorEvidence().toString().contains("example")); - for (final Evidence e : result.getVersionEvidence()) { + assertTrue("Expected vendor evidence to contain \"example\".", + result.getEvidence(EvidenceType.VENDOR).toString().contains("example")); + for (final Evidence e : result.getEvidence(EvidenceType.VERSION)) { if ("0.0.1".equals(e.getValue())) { found = true; break; @@ -103,5 +104,4 @@ public class PythonPackageAnalyzerTest extends BaseTest { } assertTrue("Version 0.0.1 not found in EggTest dependency.", found); } - } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerIT.java index ceb8003df..b9ea39f87 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerIT.java @@ -45,6 +45,7 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertThat; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; +import org.owasp.dependencycheck.dependency.EvidenceType; /** * Unit tests for {@link RubyBundleAuditAnalyzer}. 
@@ -127,8 +128,8 @@ public class RubyBundleAuditAnalyzerIT extends BaseDBTestCase { assertTrue(size >= 1); boolean found = false; for (Dependency dependency : dependencies) { - found = dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet"); - found &= dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"); + found = dependency.getEvidence(EvidenceType.PRODUCT).toString().toLowerCase().contains("redcarpet"); + found &= dependency.getEvidence(EvidenceType.VERSION).toString().toLowerCase().contains("2.2.2"); found &= dependency.getFilePath().endsWith(resource); found &= dependency.getFileName().equals("Gemfile.lock"); if (found) { diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java index fc5662d19..27ff42afd 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java @@ -29,6 +29,7 @@ import java.io.File; import static org.hamcrest.CoreMatchers.containsString; import static org.hamcrest.CoreMatchers.is; import static org.junit.Assert.*; +import org.owasp.dependencycheck.dependency.EvidenceType; /** * Unit tests for {@link RubyBundlerAnalyzer}. 
@@ -97,14 +98,14 @@ public class RubyBundlerAnalyzerTest extends BaseTest {
 "ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/specifications/dalli-2.7.5.gemspec"));
 analyzer.analyze(result, null);
- final String vendorString = result.getVendorEvidence().toString();
+ final String vendorString = result.getEvidence(EvidenceType.VENDOR).toString();
 assertThat(vendorString, containsString("Peter M. Goldstein"));
 assertThat(vendorString, containsString("Mike Perham"));
 assertThat(vendorString, containsString("peter.m.goldstein@gmail.com"));
 assertThat(vendorString, containsString("https://github.com/petergoldstein/dalli"));
 assertThat(vendorString, containsString("MIT"));
- assertThat(result.getProductEvidence().toString(), containsString("dalli"));
- assertThat(result.getProductEvidence().toString(), containsString("High performance memcached client for Ruby"));
- assertThat(result.getVersionEvidence().toString(), containsString("2.7.5"));
+ assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("dalli"));
+ assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("High performance memcached client for Ruby"));
+ assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("2.7.5"));
 }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
index 96ceb9e80..3a49cfb65 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
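Review bot: The new `result.getEvidence(EvidenceType.VENDOR).toString()` and the three rewritten `assertThat(... .toString(), containsString(...))` lines match substrings of a collection's `toString()`, so whether "Peter M. Goldstein" or "2.7.5" is found depends on `Evidence.toString()` happening to print the value and on the collection's formatting rather than on the evidence itself. The pattern predates this commit, but the commit swaps the type behind it (the DependencyTest hunk assigns `getEvidence(...)` to a plain `Set`), which is the moment to stop relying on string rendering. A small helper that iterates the evidence and compares `e.getValue()` keeps the substring semantics of `containsString` without the `toString()` dependency; the rewritten assertions and the helper are sketched below (an `Evidence` import is needed if the file lacks one). The enclosing test method starts before the hunk.
```java
// … unchanged: fixture loading and analyzer.analyze(result, null) …
assertTrue(hasEvidenceContaining(result, EvidenceType.VENDOR, "Peter M. Goldstein"));
// … same call for "Mike Perham", the e-mail address, the GitHub URL and "MIT" …
assertTrue(hasEvidenceContaining(result, EvidenceType.PRODUCT, "dalli"));
assertTrue(hasEvidenceContaining(result, EvidenceType.PRODUCT, "High performance memcached client for Ruby"));
assertTrue(hasEvidenceContaining(result, EvidenceType.VERSION, "2.7.5"));

/** True when any evidence of {@code type} on {@code dep} has a value containing {@code expected}. */
private static boolean hasEvidenceContaining(Dependency dep, EvidenceType type, String expected) {
    for (Evidence e : dep.getEvidence(type)) {
        if (e.getValue() != null && e.getValue().contains(expected)) {
            return true;
        }
    }
    return false;
}
```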
@@ -29,6 +29,7 @@ import java.io.File;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.*;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 /**
 * Unit tests for {@link RubyGemspecAnalyzer}.
@@ -96,13 +97,13 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
 final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "ruby/vulnerable/gems/specifications/rest-client-1.7.2.gemspec"));
 analyzer.analyze(result, null);
- final String vendorString = result.getVendorEvidence().toString();
+ final String vendorString = result.getEvidence(EvidenceType.VENDOR).toString();
 assertThat(vendorString, containsString("REST Client Team"));
 assertThat(vendorString, containsString("rest-client_project"));
 assertThat(vendorString, containsString("rest.client@librelist.com"));
 assertThat(vendorString, containsString("https://github.com/rest-client/rest-client"));
- assertThat(result.getProductEvidence().toString(), containsString("rest-client"));
- assertThat(result.getVersionEvidence().toString(), containsString("1.7.2"));
+ assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("rest-client"));
+ assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("1.7.2"));
 }
 /**
@@ -115,6 +116,6 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
 final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/gems/pg-0.18.4/Rakefile"));
 analyzer.analyze(result, null);
- assertTrue(result.getEvidence().size()>0);
+ assertTrue(result.size()>0);
 }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
index 7ca4a6852..9ac9c11c4 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
@@ -12,6 +12,7 @@ import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertThat;
 import java.io.File;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 /**
 * Unit tests for CocoaPodsAnalyzer.
@@ -105,13 +106,13 @@ public class SwiftAnalyzersTest extends BaseTest {
 final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
 "swift/cocoapods/EasyPeasy.podspec"));
 podsAnalyzer.analyze(result, null);
- final String vendorString = result.getVendorEvidence().toString();
+ final String vendorString = result.getEvidence(EvidenceType.VENDOR).toString();
 assertThat(vendorString, containsString("Carlos Vidal"));
 assertThat(vendorString, containsString("https://github.com/nakiostudio/EasyPeasy"));
 assertThat(vendorString, containsString("MIT"));
- assertThat(result.getProductEvidence().toString(), containsString("EasyPeasy"));
- assertThat(result.getVersionEvidence().toString(), containsString("0.2.3"));
+ assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("EasyPeasy"));
+ assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("0.2.3"));
 }
 /**
@@ -125,6 +126,6 @@ public class SwiftAnalyzersTest extends BaseTest {
 "swift/Gloss/Package.swift"));
 spmAnalyzer.analyze(result, null);
- assertThat(result.getProductEvidence().toString(), containsString("Gloss"));
+ assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("Gloss"));
 }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java
index d8c957f1c..b268578ee 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java
@@ -22,7 +22,7 @@ import static org.junit.Assert.*;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.utils.Settings;
 /**
@@ -73,40 +73,39 @@ public class VersionFilterAnalyzerTest extends BaseTest {
 @Test
 public void testAnalyzeDependency() throws Exception {
 Dependency dependency = new Dependency();
- EvidenceCollection versions = dependency.getVersionEvidence();
- versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
- versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
- versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "util", "version", "33.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
 VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
 instance.initializeSettings(getSettings());
 instance.analyzeDependency(dependency, null);
- assertEquals(3, versions.size());
+ assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("pom", "version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "pom", "version", "1.2.3", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(4, versions.size());
+ assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("file", "version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "file", "version", "1.2.3", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(2, versions.size());
+ assertEquals(2, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(3, versions.size());
+ assertEquals(3, 
dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("nexus", "version", "1.2.3", Confidence.HIGHEST);
- versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "nexus", "version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(4, versions.size());
+ assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("central", "version", "1.2.3", Confidence.HIGHEST);
- versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "central", "version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(5, versions.size());
+ assertEquals(5, dependency.getEvidence(EvidenceType.VERSION).size());
 }
 /**
@@ -115,36 +114,35 @@ public class VersionFilterAnalyzerTest extends BaseTest {
 @Test
 public void testAnalyzeDependencyFilePom() throws Exception {
 Dependency dependency = new Dependency();
- EvidenceCollection versions = dependency.getVersionEvidence();
- versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
- versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
- versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "util", "version", "33.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
 VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
 instance.initializeSettings(getSettings());
 instance.analyzeDependency(dependency, null);
- assertEquals(3, versions.size());
+ assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("pom", "version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "pom", "version", "1.2.3", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(4, versions.size());
+ assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("file", "version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "file", "version", "1.2.3", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(2, versions.size());
+ assertEquals(2, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("nexus", "version", "1.2.3", Confidence.HIGHEST);
- versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "nexus", "version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "other", 
"version", "alpha", Confidence.HIGHEST); instance.analyzeDependency(dependency, null); - assertEquals(3, versions.size()); + assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size()); - versions.addEvidence("central", "version", "1.2.3", Confidence.HIGHEST); - versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VERSION, "central", "version", "1.2.3", Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST); instance.analyzeDependency(dependency, null); - assertEquals(4, versions.size()); + assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size()); } /** 
@@ -153,26 +151,25 @@ public class VersionFilterAnalyzerTest extends BaseTest {
 @Test
 public void testAnalyzeDependencyFileManifest() throws Exception {
 Dependency dependency = new Dependency();
- EvidenceCollection versions = dependency.getVersionEvidence();
- versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
- versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
- versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "util", "version", "33.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
 VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
 instance.initializeSettings(getSettings());
 instance.analyzeDependency(dependency, null);
- assertEquals(3, versions.size());
+ assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(4, versions.size());
+ assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("file", "version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "file", "version", "1.2.3", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(2, versions.size());
+ assertEquals(2, dependency.getEvidence(EvidenceType.VERSION).size());
 }
 /**
@@ -181,35 +178,34 @@ public class VersionFilterAnalyzerTest extends BaseTest {
 @Test
 public void testAnalyzeDependencyPomManifest() throws Exception {
 Dependency dependency = new Dependency();
- EvidenceCollection versions = dependency.getVersionEvidence();
- versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
- versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
- versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "util", "version", "33.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
 VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
 instance.initializeSettings(getSettings());
 instance.analyzeDependency(dependency, null);
- assertEquals(3, versions.size());
+ assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("pom", "version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "pom", "version", "1.2.3", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(4, versions.size());
+ assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(2, versions.size());
+ assertEquals(2, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("nexus", "version", "1.2.3", Confidence.HIGHEST);
- versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "nexus", "version", "1.2.3", Confidence.HIGHEST);
+ 
dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(3, versions.size());
+ assertEquals(3, dependency.getEvidence(EvidenceType.VERSION).size());
- versions.addEvidence("central", "version", "1.2.3", Confidence.HIGHEST);
- versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "central", "version", "1.2.3", Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VERSION, "other", "version", "alpha", Confidence.HIGHEST);
 instance.analyzeDependency(dependency, null);
- assertEquals(4, versions.size());
+ assertEquals(4, dependency.getEvidence(EvidenceType.VERSION).size());
 }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
index 762d7bed4..4b303e7a3 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
@@ -203,57 +203,11 @@ public class DependencyTest extends BaseTest {
 @Test
 public void testGetEvidence() {
 Dependency instance = new Dependency();
- EvidenceCollection result = instance.getEvidence();
+ Set result = instance.getEvidence(EvidenceType.VENDOR);
 assertNotNull(result);
- }
-
- /**
- * Test of getEvidenceUsed method, of class Dependency.
- */
- @Test
- public void testGetEvidenceUsed() {
- Dependency instance = new Dependency();
- String expResult = "used";
-
- instance.getProductEvidence().addEvidence("used", "used", "used", Confidence.HIGH);
- instance.getProductEvidence().addEvidence("not", "not", "not", Confidence.MEDIUM);
- for (Evidence e : instance.getProductEvidence().iterator(Confidence.HIGH)) {
- e.getValue();
- }
-
- EvidenceCollection result = instance.getEvidenceUsed();
-
- assertEquals(1, result.size());
- assertTrue(result.containsUsedString(expResult));
- }
-
- /**
- * Test of getVendorEvidence method, of class Dependency.
- */
- @Test
- public void testGetVendorEvidence() {
- Dependency instance = new Dependency();
- EvidenceCollection result = instance.getVendorEvidence();
+ result = instance.getEvidence(EvidenceType.PRODUCT);
 assertNotNull(result);
- }
-
- /**
- * Test of getProductEvidence method, of class Dependency.
- */
- @Test
- public void testGetProductEvidence() {
- Dependency instance = new Dependency();
- EvidenceCollection result = instance.getProductEvidence();
- assertNotNull(result);
- }
-
- /**
- * Test of getVersionEvidence method, of class Dependency.
- */
- @Test
- public void testGetVersionEvidence() {
- Dependency instance = new Dependency();
- EvidenceCollection result = instance.getVersionEvidence();
+ result = instance.getEvidence(EvidenceType.VERSION);
 assertNotNull(result);
 }
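Review bot: `Set result = instance.getEvidence(EvidenceType.VENDOR);` declares the variable with the raw `Set` type, which drops the element type for readers and compiles only with an unchecked warning; declare it as `Set<Evidence> result = instance.getEvidence(EvidenceType.VENDOR);` (assuming that is the method's declared return type — its signature is not in this diff). The merged test also only asserts non-null for the three types; on a freshly constructed `Dependency` it could additionally pin the starting state with `assertTrue(instance.getEvidence(EvidenceType.VENDOR).isEmpty());`, which is consistent with the `size()==0` expectation the next hunk places on a dependency with no evidence. Separately, `testGetEvidenceUsed` is removed here with no replacement, so if used-evidence tracking still exists on `Dependency` after this refactor it is no longer covered.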
@@ -265,10 +219,8 @@ public class DependencyTest extends BaseTest {
 Dependency instance = new Dependency();
 MavenArtifact mavenArtifact = new MavenArtifact("group", "artifact", "version", "url");
 instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH);
- assertTrue(instance.getEvidence().contains(Confidence.HIGH));
- assertFalse(instance.getEvidence().getEvidence("pom", "groupid").isEmpty());
- assertFalse(instance.getEvidence().getEvidence("pom", "artifactid").isEmpty());
- assertFalse(instance.getEvidence().getEvidence("pom", "version").isEmpty());
+ assertTrue(instance.contains(EvidenceType.VENDOR, Confidence.HIGH));
+ assertTrue(instance.size()>1);
 assertFalse(instance.getIdentifiers().isEmpty());
 }
@@ -280,10 +232,8 @@ public class DependencyTest extends BaseTest {
 Dependency instance = new Dependency();
 MavenArtifact mavenArtifact = new MavenArtifact(null, null, null, null);
 instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH);
- assertFalse(instance.getEvidence().contains(Confidence.HIGH));
- assertTrue(instance.getEvidence().getEvidence("pom", "groupid").isEmpty());
- assertTrue(instance.getEvidence().getEvidence("pom", "artifactid").isEmpty());
- assertTrue(instance.getEvidence().getEvidence("pom", "version").isEmpty());
+ assertFalse(instance.getEvidence(EvidenceType.VENDOR).contains(Confidence.HIGH));
+ assertTrue(instance.size()==0);
 assertTrue(instance.getIdentifiers().isEmpty());
 }
 }
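Review bot: `assertTrue(instance.size()>1);` is weaker than the three per-key checks it replaces — it no longer verifies that the artifact id and the version were recorded as evidence, only that more than one evidence item exists. The new `Dependency.contains(EvidenceType, Confidence)` is already used for the vendor side, so the same call covers the other two: `assertTrue(instance.contains(EvidenceType.PRODUCT, Confidence.HIGH));` and `assertTrue(instance.contains(EvidenceType.VERSION, Confidence.HIGH));`, and `assertTrue(instance.size() >= 3);` would keep the count honest if `size()` counts evidence across all types (as replacing `getEvidence().size()>0` with `size()>0` in the RubyGemspec hunk suggests). That groupid, artifactid and version map to VENDOR, PRODUCT and VERSION is inferred from the names; `addAsEvidence` is not in this diff. The enclosing test method starts before the hunk.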
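Review bot: `assertFalse(instance.getEvidence(EvidenceType.VENDOR).contains(Confidence.HIGH));` looks vacuous: the hunk above assigns `getEvidence(...)` to a plain `Set`, and `Set.contains(Object)` called with a `Confidence` value on a set of `Evidence` objects returns false whatever the set holds, so this assertion cannot fail (unless the returned collection overrides `contains`, which this diff does not show). The previous hunk answers the same question through the dependency-level check; mirror it here with `assertFalse(instance.contains(EvidenceType.VENDOR, Confidence.HIGH));`. Also prefer `assertEquals(0, instance.size());` over `assertTrue(instance.size()==0);` so a failure reports the actual count. The enclosing test method starts before the hunk.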