mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-04-23 00:38:51 +02:00
bug fixes/checkstyle fixes
This commit is contained in:
Jeremy Long
@@ -258,9 +258,9 @@ public class CPEQuery {
|
||||
StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size()));
|
||||
for (Evidence e : ec.iterator(confidenceFilter)) {
|
||||
String value = e.getValue();
|
||||
if (sb.indexOf(value)<0) {
|
||||
if (value.length()>200) {
|
||||
sb.append(value.substring(0,200));
|
||||
if (sb.indexOf(value) < 0) {
|
||||
if (value.length() > 200) {
|
||||
sb.append(value.substring(0, 200));
|
||||
} else {
|
||||
sb.append(value).append(' ');
|
||||
}
|
||||
|
||||
@@ -26,6 +26,7 @@ import java.util.ServiceLoader;
|
||||
* @author Jeremy Long (jeremy.long@gmail.com)
|
||||
*/
|
||||
public class AnalyzerService {
|
||||
|
||||
private static AnalyzerService service;
|
||||
private ServiceLoader<Analyzer> loader;
|
||||
|
||||
|
||||
@@ -22,11 +22,7 @@ import java.io.File;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map.Entry;
|
||||
import java.util.Set;
|
||||
import java.util.jar.Attributes;
|
||||
@@ -52,12 +48,11 @@ import org.codesecure.dependencycheck.utils.Checksum;
|
||||
*/
|
||||
public class JarAnalyzer extends AbstractAnalyzer {
|
||||
|
||||
private final static String ANALYZER_NAME = "Jar Analyzer";
|
||||
|
||||
private static final String ANALYZER_NAME = "Jar Analyzer";
|
||||
/**
|
||||
* A list of elements in the manifest to ignore.
|
||||
*/
|
||||
private final static Set<String> IGNORE_LIST = newHashSet(
|
||||
private static final Set<String> IGNORE_LIST = newHashSet(
|
||||
"built-by",
|
||||
"created-by",
|
||||
"license",
|
||||
@@ -70,9 +65,10 @@ public class JarAnalyzer extends AbstractAnalyzer {
|
||||
"archiver-version",
|
||||
"classpath",
|
||||
"bundle-manifestversion");
|
||||
|
||||
private final static Set<String> extensions = newHashSet("jar");
|
||||
|
||||
/**
|
||||
* The set of file extensions supported by this analyzer.
|
||||
*/
|
||||
private static final Set<String> EXTENSIONS = newHashSet("jar");
|
||||
/**
|
||||
* item in some manifest, should be considered medium confidence.
|
||||
*/
|
||||
@@ -91,11 +87,11 @@ public class JarAnalyzer extends AbstractAnalyzer {
|
||||
private static final String BUNDLE_VENDOR = "Bundle-Vendor"; //: Apache Software Foundation
|
||||
|
||||
/**
|
||||
* Returns a list of file extensions supported by this analyzer.
|
||||
* @return a list of file extensions supported by this analyzer.
|
||||
* Returns a list of file EXTENSIONS supported by this analyzer.
|
||||
* @return a list of file EXTENSIONS supported by this analyzer.
|
||||
*/
|
||||
public Set<String> getSupportedExtensions() {
|
||||
return extensions;
|
||||
return EXTENSIONS;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -112,7 +108,7 @@ public class JarAnalyzer extends AbstractAnalyzer {
|
||||
* @return whether or not the specified file extension is supported by tihs analyzer.
|
||||
*/
|
||||
public boolean supportsExtension(String extension) {
|
||||
return extensions.contains(extension);
|
||||
return EXTENSIONS.contains(extension);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -187,9 +183,10 @@ public class JarAnalyzer extends AbstractAnalyzer {
|
||||
fileNameEvidence, Evidence.Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("jar", "file name",
|
||||
fileNameEvidence, Evidence.Confidence.HIGH);
|
||||
dependency.getVersionEvidence().addEvidence("jar", "file name",
|
||||
fileNameEvidence, Evidence.Confidence.HIGH);
|
||||
|
||||
if (fileNameEvidence.matches(".*\\d.*")) {
|
||||
dependency.getVersionEvidence().addEvidence("jar", "file name",
|
||||
fileNameEvidence, Evidence.Confidence.HIGH);
|
||||
}
|
||||
String md5 = null;
|
||||
String sha1 = null;
|
||||
try {
|
||||
@@ -206,11 +203,6 @@ public class JarAnalyzer extends AbstractAnalyzer {
|
||||
parseManifest(dependency);
|
||||
analyzePackageNames(dependency);
|
||||
|
||||
//TODO - can we get "version" information from the filename? add it as medium confidence?
|
||||
// strip extension. find first numeric, chop off the first part. consider replacing [_-] with .
|
||||
//dependency.getVersionEvidence().addEvidence("jar", "file name",
|
||||
// version from file, Evidence.Confidence.MEDIUM);
|
||||
|
||||
return dependency;
|
||||
}
|
||||
|
||||
@@ -389,7 +381,7 @@ public class JarAnalyzer extends AbstractAnalyzer {
|
||||
|
||||
EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
|
||||
EvidenceCollection titleEvidence = dependency.getTitleEvidence();
|
||||
EvidenceCollection versionEvidence = dependency.getVendorEvidence();
|
||||
EvidenceCollection versionEvidence = dependency.getVersionEvidence();
|
||||
|
||||
String source = "Manifest";
|
||||
|
||||
|
||||
@@ -21,14 +21,10 @@ package org.codesecure.dependencycheck.scanner;
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import org.codesecure.dependencycheck.utils.Settings;
|
||||
import org.codesecure.dependencycheck.utils.Settings.KEYS;
|
||||
|
||||
/**
|
||||
* Scans files, directories, etc. for Dependencies. Analyzers are loaded and
|
||||
@@ -62,7 +58,7 @@ public class Scanner {
|
||||
private void loadAnalyzers() {
|
||||
AnalyzerService service = AnalyzerService.getInstance();
|
||||
Iterator<Analyzer> iterator = service.getAnalyzers();
|
||||
while(iterator.hasNext()) {
|
||||
while (iterator.hasNext()) {
|
||||
Analyzer a = iterator.next();
|
||||
analyzers.add(a);
|
||||
}
|
||||
|
||||
@@ -135,6 +135,7 @@ public final class CliParser {
|
||||
throw new FileNotFoundException("Invalid file argument: " + path);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates an Options collection that is used to parse the command line
|
||||
* and to display the help message.
|
||||
@@ -156,7 +157,8 @@ public final class CliParser {
|
||||
.withDescription("the name of the application being scanned").create(ArgumentName.APPNAME_SHORT);
|
||||
|
||||
Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
|
||||
.withDescription("the path to scan - this option can be specified multiple times.").create(ArgumentName.SCAN_SHORT);
|
||||
.withDescription("the path to scan - this option can be specified multiple times.")
|
||||
.create(ArgumentName.SCAN_SHORT);
|
||||
|
||||
Option load = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.CPE)
|
||||
.withDescription("load the CPE xml file").create(ArgumentName.CPE_SHORT);
|
||||
@@ -225,11 +227,11 @@ public final class CliParser {
|
||||
formatter.printHelp(Settings.getString("application.name", "DependencyCheck"),
|
||||
"\n" + Settings.getString("application.name", "DependencyCheck")
|
||||
+ " can be used to identify if there are any known CVE vulnerabilities in libraries utillized by an application. "
|
||||
+ Settings.getString("application.name", "DependencyCheck") + " will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov.\n",
|
||||
+ Settings.getString("application.name", "DependencyCheck")
|
||||
+ " will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov.\n",
|
||||
options, "", true);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Retrieves the file command line parameter(s) specified for the 'cpe' argument.
|
||||
*
|
||||
@@ -264,6 +266,7 @@ public final class CliParser {
|
||||
public String getApplicationName() {
|
||||
return line.getOptionValue(ArgumentName.APPNAME);
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>Prints the manifest information to standard output:</p>
|
||||
* <ul><li>Implementation-Title: ${pom.name}</li>
|
||||
@@ -291,6 +294,7 @@ public final class CliParser {
|
||||
* line arguments.
|
||||
*/
|
||||
public static class ArgumentName {
|
||||
|
||||
/**
|
||||
* The long CLI argument name specifing the directory/file to scan
|
||||
*/
|
||||
@@ -347,6 +351,5 @@ public final class CliParser {
|
||||
* The short CLI argument name asking for the version.
|
||||
*/
|
||||
public static final String VERSION = "version";
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,12 +1,27 @@
|
||||
/*
|
||||
* To change this template, choose Tools | Templates
|
||||
* and open the template in the editor.
|
||||
*/
|
||||
package org.codesecure.dependencycheck.utils;
|
||||
/*
|
||||
* This file is part of DependencyCheck.
|
||||
*
|
||||
* DependencyCheck is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* DependencyCheck is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
|
||||
*
|
||||
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* An exception used when a download fails.
|
||||
*
|
||||
* @author Jeremy Long (jeremy.long@gmail.com)
|
||||
*/
|
||||
@@ -14,17 +29,35 @@ public class DownloadFailedException extends IOException {
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
/**
|
||||
* Creates a new DownloadFailedException.
|
||||
*/
|
||||
public DownloadFailedException() {
|
||||
super();
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a new DownloadFailedException.
|
||||
* @param msg a message for the exception.
|
||||
*/
|
||||
public DownloadFailedException(String msg) {
|
||||
super(msg);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a new DownloadFailedException.
|
||||
* @param ex the cause of te download failure.
|
||||
*/
|
||||
public DownloadFailedException(Throwable ex) {
|
||||
super(ex);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a new DownloadFailedException.
|
||||
* @param msg a message for the exception.
|
||||
* @param ex the cause of te download failure.
|
||||
*/
|
||||
public DownloadFailedException(String msg, Throwable ex) {
|
||||
super(msg,ex);
|
||||
super(msg, ex);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -42,7 +42,6 @@ public class Downloader {
|
||||
* Private constructor for utility class.
|
||||
*/
|
||||
private Downloader() {
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -84,7 +83,7 @@ public class Downloader {
|
||||
conn.connect();
|
||||
} catch (IOException ex) {
|
||||
try {
|
||||
if (conn!=null) {
|
||||
if (conn != null) {
|
||||
conn.disconnect();
|
||||
}
|
||||
} finally {
|
||||
|
||||
@@ -20,9 +20,6 @@ package org.codesecure.dependencycheck.utils;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.util.Enumeration;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import java.util.Properties;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
@@ -34,7 +31,6 @@ import java.util.logging.Logger;
|
||||
*/
|
||||
public class Settings {
|
||||
|
||||
|
||||
/**
|
||||
* The collection of keys used within the properties file.
|
||||
*/
|
||||
@@ -60,10 +56,6 @@ public class Settings {
|
||||
* The properties key for the path where the OSVDB Lucene Index will be stored.
|
||||
*/
|
||||
public static final String OSVDB_INDEX = "osvdb";
|
||||
/**
|
||||
* The properties key prefix for the analyzer assocations.
|
||||
*/
|
||||
public static final String FILE_EXTENSION_ANALYZER_ASSOCIATION_PREFIX = "file.extension.analyzer.association.";
|
||||
/**
|
||||
* The properties key for the proxy url.
|
||||
*/
|
||||
@@ -146,6 +138,7 @@ public class Settings {
|
||||
public static int getInt(String key) {
|
||||
return Integer.parseInt(Settings.getString(key));
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a boolean value from the properties file. If the value was specified as a
|
||||
* system property or passed in via the -Dprop=value argument - this method
|
||||
|
||||
@@ -53,6 +53,41 @@ public class JarAnalyzerTest {
|
||||
assertEquals("89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B", result.getSha1sum());
|
||||
assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache"));
|
||||
assertTrue(result.getVendorEvidence().getWeighting().contains("apache"));
|
||||
|
||||
|
||||
file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
|
||||
|
||||
result = instance.insepct(file);
|
||||
boolean found = false;
|
||||
for (Evidence e : result.getTitleEvidence()) {
|
||||
if (e.getName().equals("package-title") && e.getValue().equals("org.mortbay.http")) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
assertTrue("package-title of org.mortbay.http not found in org.mortbay.jetty.jar", found);
|
||||
|
||||
found = false;
|
||||
for (Evidence e : result.getVendorEvidence()) {
|
||||
if (e.getName().equals("implementation-url") && e.getValue().equals("http://jetty.mortbay.org")) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
assertTrue("implementation-url of http://jetty.mortbay.org not found in org.mortbay.jetty.jar", found);
|
||||
|
||||
found = false;
|
||||
for (Evidence e : result.getVersionEvidence()) {
|
||||
if (e.getName().equals("Implementation-Version") && e.getValue().equals("4.2.27")) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
assertTrue("implementation-version of 4.2.27 not found in org.mortbay.jetty.jar", found);
|
||||
|
||||
file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jmx.jar").getPath());
|
||||
result = instance.insepct(file);
|
||||
assertEquals("org.mortbar,jmx.jar has version evidence?",result.getVersionEvidence().size(),0);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
Reference in New Issue
Block a user