mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-01-13 23:33:37 +01:00
capture licenses and homepage in Ruby bundler analyzer
This commit is contained in:
bjiang
@@ -17,6 +17,14 @@
|
||||
*/
|
||||
package org.owasp.dependencycheck.analyzer;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FileFilter;
|
||||
import java.io.FilenameFilter;
|
||||
import java.io.IOException;
|
||||
import java.util.List;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import org.apache.commons.io.FileUtils;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
@@ -26,17 +34,6 @@ import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
import java.io.BufferedReader;
|
||||
import java.io.File;
|
||||
import java.io.FileFilter;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.FileReader;
|
||||
import java.io.FilenameFilter;
|
||||
import java.io.IOException;
|
||||
import java.util.List;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
/**
|
||||
* Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE. Regular
|
||||
* expressions are used to parse the well-defined Ruby syntax that forms the specification.
|
||||
@@ -60,8 +57,6 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
private static final FileFilter FILTER
|
||||
= FileFilterBuilder.newInstance().addExtensions(GEMSPEC).build();
|
||||
|
||||
private static final String EMAIL = "email";
|
||||
|
||||
private static final String VERSION_FILE_NAME = "VERSION";
|
||||
|
||||
/**
|
||||
@@ -128,46 +123,59 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
contents = contents.substring(matcher.end());
|
||||
final String blockVariable = matcher.group(1);
|
||||
final EvidenceCollection vendor = dependency.getVendorEvidence();
|
||||
addStringEvidence(vendor, contents, blockVariable, "author", Confidence.HIGHEST);
|
||||
addListEvidence(vendor, contents, blockVariable, "authors", Confidence.HIGHEST);
|
||||
final String email = addStringEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM);
|
||||
if (email.isEmpty()) {
|
||||
addListEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM);
|
||||
}
|
||||
addStringEvidence(vendor, contents, blockVariable, "homepage", Confidence.HIGHEST);
|
||||
addStringEvidence(vendor, contents, blockVariable, "licenses", Confidence.HIGHEST);
|
||||
addStringEvidence(vendor, contents, blockVariable, "author", "authors?", Confidence.HIGHEST);
|
||||
// addListEvidence(vendor, contents, blockVariable, "authors", Confidence.HIGHEST);
|
||||
addStringEvidence(vendor, contents, blockVariable, "email", "emails?", Confidence.MEDIUM);
|
||||
// if (email.isEmpty()) {
|
||||
// addListEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM);
|
||||
// }
|
||||
addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST);
|
||||
addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es", Confidence.HIGHEST);
|
||||
|
||||
final EvidenceCollection product = dependency.getProductEvidence();
|
||||
final String name = addStringEvidence(product, contents, blockVariable, "name", Confidence.HIGHEST);
|
||||
final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST);
|
||||
if (!name.isEmpty()) {
|
||||
vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW);
|
||||
}
|
||||
addStringEvidence(product, contents, blockVariable, "summary", Confidence.LOW);
|
||||
String value = addStringEvidence(dependency.getVersionEvidence(), contents, blockVariable, "version", Confidence.HIGHEST);
|
||||
addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.LOW);
|
||||
String value = addStringEvidence(dependency.getVersionEvidence(), contents, blockVariable, "version", "version", Confidence.HIGHEST);
|
||||
if(value.length() < 1)
|
||||
addEvidenceFromVersionFile(dependency.getActualFile(), dependency.getVersionEvidence());
|
||||
}
|
||||
}
|
||||
|
||||
private void addListEvidence(EvidenceCollection evidences, String contents,
|
||||
String blockVariable, String field, Confidence confidence) {
|
||||
final Matcher matcher = Pattern.compile(
|
||||
String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents);
|
||||
if (matcher.find()) {
|
||||
final String value = matcher.group(1).replaceAll("['\"]", " ").trim();
|
||||
evidences.addEvidence(GEMSPEC, field, value, confidence);
|
||||
}
|
||||
}
|
||||
// private void addListEvidence(EvidenceCollection evidences, String contents,
|
||||
// String blockVariable, String field, Confidence confidence) {
|
||||
// final Matcher matcher = Pattern.compile(
|
||||
// String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents);
|
||||
// if (matcher.find()) {
|
||||
// final String value = matcher.group(1).replaceAll("['\"]", " ").trim();
|
||||
// evidences.addEvidence(GEMSPEC, field, value, confidence);
|
||||
// }
|
||||
// }
|
||||
|
||||
private String addStringEvidence(EvidenceCollection evidences, String contents,
|
||||
String blockVariable, String field, Confidence confidence) {
|
||||
final Matcher matcher = Pattern.compile(
|
||||
String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field)).matcher(contents);
|
||||
String blockVariable, String field, String fieldPattern, Confidence confidence) {
|
||||
String value = "";
|
||||
if (matcher.find()) {
|
||||
value = matcher.group(2);
|
||||
evidences.addEvidence(GEMSPEC, field, value, confidence);
|
||||
}
|
||||
|
||||
//capture array value between [ ]
|
||||
final Matcher arrayMatcher = Pattern.compile(
|
||||
String.format("\\s*?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents);
|
||||
if(arrayMatcher.find()) {
|
||||
String arrayValue = arrayMatcher.group(1);
|
||||
value = arrayValue.replaceAll("\\s*?['\"]", "").trim(); //strip quotes
|
||||
}
|
||||
//capture single value between quotes
|
||||
else {
|
||||
final Matcher matcher = Pattern.compile(
|
||||
String.format("\\s*?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents);
|
||||
if (matcher.find()) {
|
||||
value = matcher.group(2);
|
||||
}
|
||||
}
|
||||
if(value.length() > 0)
|
||||
evidences.addEvidence(GEMSPEC, field, value, confidence);
|
||||
|
||||
return value;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user