From 6c0b65acd4e043bf2bb7f780862c8c795d34ada4 Mon Sep 17 00:00:00 2001
From: bjiang <bjiang@us.ibm.com>
Date: Fri, 1 Apr 2016 13:30:36 -0400
Subject: [PATCH] capture licenses and homepage in Ruby bundler analyzer

---
 .../analyzer/RubyGemspecAnalyzer.java         | 88 ++++++++++---------
 1 file changed, 48 insertions(+), 40 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
index ac29838d4..00c9c6065 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
@@ -17,6 +17,14 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.io.File;
+import java.io.FileFilter;
+import java.io.FilenameFilter;
+import java.io.IOException;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -26,17 +34,6 @@ import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileFilter;
-import java.io.FileNotFoundException;
-import java.io.FileReader;
-import java.io.FilenameFilter;
-import java.io.IOException;
-import java.util.List;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
 /**
  * Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE. Regular
  * expressions are used to parse the well-defined Ruby syntax that forms the specification.
@@ -60,8 +57,6 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     private static final FileFilter FILTER
             = FileFilterBuilder.newInstance().addExtensions(GEMSPEC).build();
 
-    private static final String EMAIL = "email";
-
     private static final String VERSION_FILE_NAME = "VERSION";
 
     /**
@@ -128,46 +123,59 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
             contents = contents.substring(matcher.end());
             final String blockVariable = matcher.group(1);
             final EvidenceCollection vendor = dependency.getVendorEvidence();
-            addStringEvidence(vendor, contents, blockVariable, "author", Confidence.HIGHEST);
-            addListEvidence(vendor, contents, blockVariable, "authors", Confidence.HIGHEST);
-            final String email = addStringEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM);
-            if (email.isEmpty()) {
-                addListEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM);
-            }
-            addStringEvidence(vendor, contents, blockVariable, "homepage", Confidence.HIGHEST);
-            addStringEvidence(vendor, contents, blockVariable, "licenses", Confidence.HIGHEST);
+            addStringEvidence(vendor, contents, blockVariable, "author", "authors?", Confidence.HIGHEST);
+//            addListEvidence(vendor, contents, blockVariable, "authors", Confidence.HIGHEST);
+            addStringEvidence(vendor, contents, blockVariable, "email", "emails?", Confidence.MEDIUM);
+//            if (email.isEmpty()) {
+//                addListEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM);
+//            }
+            addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST);
+            addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es", Confidence.HIGHEST);
             
             final EvidenceCollection product = dependency.getProductEvidence();
-            final String name = addStringEvidence(product, contents, blockVariable, "name", Confidence.HIGHEST);
+            final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST);
             if (!name.isEmpty()) {
                 vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW);
             }
-            addStringEvidence(product, contents, blockVariable, "summary", Confidence.LOW);
-            String value = addStringEvidence(dependency.getVersionEvidence(), contents, blockVariable, "version", Confidence.HIGHEST);
+            addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.LOW);
+            String value = addStringEvidence(dependency.getVersionEvidence(), contents, blockVariable, "version", "version", Confidence.HIGHEST);
             if(value.length() < 1) 
             	addEvidenceFromVersionFile(dependency.getActualFile(), dependency.getVersionEvidence());
         }
     }
 
-    private void addListEvidence(EvidenceCollection evidences, String contents,
-            String blockVariable, String field, Confidence confidence) {
-        final Matcher matcher = Pattern.compile(
-                String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents);
-        if (matcher.find()) {
-            final String value = matcher.group(1).replaceAll("['\"]", " ").trim();
-            evidences.addEvidence(GEMSPEC, field, value, confidence);
-        }
-    }
+//    private void addListEvidence(EvidenceCollection evidences, String contents,
+//            String blockVariable, String field, Confidence confidence) {
+//        final Matcher matcher = Pattern.compile(
+//                String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents);
+//        if (matcher.find()) {
+//            final String value = matcher.group(1).replaceAll("['\"]", " ").trim();
+//            evidences.addEvidence(GEMSPEC, field, value, confidence);
+//        }
+//    }
 
     private String addStringEvidence(EvidenceCollection evidences, String contents,
-            String blockVariable, String field, Confidence confidence) {
-        final Matcher matcher = Pattern.compile(
-                String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field)).matcher(contents);
+            String blockVariable, String field, String fieldPattern, Confidence confidence) {
         String value = "";
-        if (matcher.find()) {
-            value = matcher.group(2);
-            evidences.addEvidence(GEMSPEC, field, value, confidence);
-        }
+        
+    	//capture array value between [ ]
+    	final Matcher arrayMatcher = Pattern.compile(
+                String.format("\\s*?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents);
+    	if(arrayMatcher.find()) {
+    		String arrayValue = arrayMatcher.group(1);
+    		value = arrayValue.replaceAll("\\s*?['\"]", "").trim(); //strip quotes
+    	}
+    	//capture single value between quotes
+    	else {
+	        final Matcher matcher = Pattern.compile(
+	                String.format("\\s*?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents);
+	        if (matcher.find()) {
+	            value = matcher.group(2);
+	        }
+    	}
+    	if(value.length() > 0)
+    		evidences.addEvidence(GEMSPEC, field, value, confidence);
+    	
         return value;
     }