github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 07:43:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

checkstyle updates

Browse Source 
Former-commit-id: e18a6c9a01cf3fdbbdd87446bb25b77e3e455c0f
This commit is contained in:
Jeremy Long
2013-03-30 22:11:04 -04:00
parent 13eb2b75d5
commit 772b0ca2b0
45 changed files with 743 additions and 503 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/main/config/checkstyle-checks.xml
View File

@@ -83,7 +83,7 @@
</module>
<module name="LeftCurly">
<property name="option" value="nlow"/>
<property name="option" value="eol"/>
<property name="tokens" value="CLASS_DEF"/>
<property name="tokens" value="CTOR_DEF"/>
<property name="tokens" value="INTERFACE_DEF"/>
@@ -107,7 +107,7 @@
</module>
<module name="MethodCount">
<property name="maxTotal" value="30"/>
<property name="maxTotal" value="35"/>
</module>
<module name="LocalFinalVariableName"/>
@@ -115,7 +115,10 @@
<module name="MemberName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="MethodLength"/>
<module name="MethodLength">
<property name="max" value="160"/>
<property name="countEmpty" value="false"/>
</module>
<module name="MethodName"/>
<module name="MethodParamPad"/>
<module name="ModifierOrder"/>
@@ -182,11 +185,11 @@
<module name="FinalClass"/>
<module name="MissingSwitchDefault"/>
<!--module name="MagicNumber"/-->
<module name="Indentation">
<!--module name="Indentation">
<property name="basicOffset" value="4"/>
<property name="braceAdjustment" value="0"/>
<property name="caseIndent" value="0"/>
</module>
</module-->
<module name="ArrayTrailingComma"/>
<module name="FinalLocalVariable"/>
<module name="EqualsAvoidNull"/>
@@ -201,10 +204,12 @@
<property name="max" value="2"/>
</module>
<module name="NestedIfDepth">
<property name="max" value="3"/>
<property name="max" value="4"/>
</module>
<module name="NestedTryDepth"/>
<module name="ExplicitInitialization"/>
<module name="NestedTryDepth">
<property name="max" value="2"/>
</module>
<!--module name="ExplicitInitialization"/-->
<module name="AnnotationUseStyle"/>
<module name="MissingDeprecated"/>
<module name="MissingOverride">

2
src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -225,7 +225,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
if (pom == null) {
final NonClosingStream stream = new NonClosingStream(zin);
final JAXBElement obj = (JAXBElement) pomUnmarshaller.unmarshal(stream);
pom = (org.owasp.dependencycheck.analyzer.pom.generated.Model) obj.getValue();
pom = (Model) obj.getValue();
zin.closeEntry();
} else {
throw new AnalysisException("JAR file contains multiple pom.xml files - unable to process POM");

12
src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java
View File

@@ -97,10 +97,16 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
* file.
*/
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)");
final Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)");
}
/**
* Adds license information to the given dependency.
*
* @param d the dependency
* @param license the license
*/
private void addLicense(Dependency d, String license) {
if (d.getLicense() == null) {
d.setLicense(license);
@@ -110,14 +116,14 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
}
/**
* The initialize method does nothing for this Analyzer
* The initialize method does nothing for this Analyzer.
*/
public void initialize() {
//do nothing
}
/**
* The close method does nothing for this Analyzer
* The close method does nothing for this Analyzer.
*/
public void close() {
//do nothing

30
src/main/java/org/owasp/dependencycheck/analyzer/SpringCleaningAnalyzer.java
View File

@@ -87,7 +87,8 @@ public class SpringCleaningAnalyzer extends AbstractAnalyzer {
}
/**
* The initialize method does nothing for this Analyzer
* The initialize method does nothing for this Analyzer.
*
* @throws Exception never thrown by this analyzer
*/
public void initialize() throws Exception {
@@ -95,13 +96,17 @@ public class SpringCleaningAnalyzer extends AbstractAnalyzer {
}
/**
* The close method does nothing for this Analyzer
* The close method does nothing for this Analyzer.
*
* @throws Exception never thrown by this analyzer
*/
public void close() throws Exception {
//do nothing
}
private List<Identifier> springVersions = null;
/**
* a list of spring versions.
*/
private List<Identifier> springVersions;
/**
* Determines if several "spring" libraries were scanned and trims the
@@ -117,7 +122,7 @@ public class SpringCleaningAnalyzer extends AbstractAnalyzer {
collectSpringFrameworkIdentifiers(engine);
List<Identifier> identifiersToRemove = new ArrayList<Identifier>();
final List<Identifier> identifiersToRemove = new ArrayList<Identifier>();
for (Identifier identifier : dependency.getIdentifiers()) {
if (springVersions.contains(identifier) && !isCoreFramework(dependency.getFileName())) {
identifiersToRemove.add(identifier);
@@ -129,6 +134,11 @@ public class SpringCleaningAnalyzer extends AbstractAnalyzer {
}
}
/**
* Cycles through the dependencies and creates a collection of the spring identifiers.
*
* @param engine the core engine.
*/
private void collectSpringFrameworkIdentifiers(Engine engine) {
//check to see if any of the libs are the core framework
if (springVersions == null) {
@@ -147,12 +157,24 @@ public class SpringCleaningAnalyzer extends AbstractAnalyzer {
}
}
/**
* Attempts to determine if the identifier is for the spring framework.
*
* @param identifier an identifier
* @return whether or not it is believed to be a spring identifier
*/
private boolean isSpringFrameworkCpe(Identifier identifier) {
return "cpe".equals(identifier.getType())
&& (identifier.getValue().startsWith("cpe:/a:springsource:spring_framework:")
|| identifier.getValue().startsWith("cpe:/a:vmware:springsource_spring_framework"));
}
/**
* Attempts to determine if the file name passed in is for the core spring-framework.
*
* @param filename a file name
* @return whether or not it is believed the file name is for the core spring framework
*/
private boolean isCoreFramework(String filename) {
return filename.toLowerCase().matches("^spring([ _-]?core)?[ _-]?\\d.*");
}

3
src/main/java/org/owasp/dependencycheck/data/UpdateException.java
View File

@@ -27,6 +27,9 @@ import java.io.IOException;
*/
public class UpdateException extends IOException {
/**
* The serial version uid.
*/
private static final long serialVersionUID = 1L;
/**

8
src/main/java/org/owasp/dependencycheck/data/UpdateService.java
View File

@@ -25,9 +25,15 @@ import java.util.ServiceLoader;
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class UpdateService {
public final class UpdateService {
/**
* the singleton reference to the service.
*/
private static UpdateService service;
/**
* the service loader for CachedWebDataSource.
*/
private final ServiceLoader<CachedWebDataSource> loader;
/**

51
src/main/java/org/owasp/dependencycheck/data/cpe/CPEAnalyzer.java
View File

@@ -60,7 +60,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
* utilized within the CPE Names.
*/
static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
/*
/**
* A string representation of a regular expression used to remove all but
* alpha characters.
*/
@@ -73,7 +73,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
/**
* The CPE Index.
*/
protected Index cpe = null;
private Index cpe;
/**
* Opens the data source.
@@ -137,7 +137,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
boolean found = false;
int ctr = 0;
do {
List<Entry> entries = searchCPE(vendors, products, versions, dependency.getProductEvidence().getWeighting(),
final List<Entry> entries = searchCPE(vendors, products, versions, dependency.getProductEvidence().getWeighting(),
dependency.getVendorEvidence().getWeighting());
@@ -197,8 +197,8 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
* @return the new evidence text
*/
private String addEvidenceWithoutDuplicateTerms(final String text, final EvidenceCollection ec, Confidence confidenceFilter) {
String txt = (text == null) ? "" : text;
StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size()));
final String txt = (text == null) ? "" : text;
final StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size()));
sb.append(txt);
for (Evidence e : ec.iterator(confidenceFilter)) {
String value = e.getValue();
@@ -255,17 +255,17 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
protected List<Entry> searchCPE(String vendor, String product, String version,
Set<String> vendorWeightings, Set<String> productWeightings)
throws CorruptIndexException, IOException, ParseException {
ArrayList<Entry> ret = new ArrayList<Entry>(MAX_QUERY_RESULTS);
final ArrayList<Entry> ret = new ArrayList<Entry>(MAX_QUERY_RESULTS);
String searchString = buildSearch(vendor, product, version, vendorWeightings, productWeightings);
final String searchString = buildSearch(vendor, product, version, vendorWeightings, productWeightings);
if (searchString == null) {
return ret;
}
TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
for (ScoreDoc d : docs.scoreDocs) {
Document doc = cpe.getDocument(d.doc);
Entry entry = Entry.parse(doc);
final Document doc = cpe.getDocument(d.doc);
final Entry entry = Entry.parse(doc);
entry.setSearchScore(d.score);
if (!ret.contains(entry)) {
ret.add(entry);
@@ -294,7 +294,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
protected String buildSearch(String vendor, String product, String version,
Set<String> vendorWeighting, Set<String> productWeightings) {
StringBuilder sb = new StringBuilder(vendor.length() + product.length()
final StringBuilder sb = new StringBuilder(vendor.length() + product.length()
+ version.length() + Fields.PRODUCT.length() + Fields.VERSION.length()
+ Fields.VENDOR.length() + STRING_BUILDER_BUFFER);
@@ -349,7 +349,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
//TODO add a mutator or special analyzer that combines words next to each other and adds them as a key.
sb.append(" ").append(field).append(":( ");
String cleanText = cleanseText(searchText);
final String cleanText = cleanseText(searchText);
if ("".equals(cleanText)) {
return false;
@@ -358,12 +358,12 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
if (weightedText == null || weightedText.isEmpty()) {
LuceneUtils.appendEscapedLuceneQuery(sb, cleanText);
} else {
StringTokenizer tokens = new StringTokenizer(cleanText);
final StringTokenizer tokens = new StringTokenizer(cleanText);
while (tokens.hasMoreElements()) {
String word = tokens.nextToken();
final String word = tokens.nextToken();
String temp = null;
for (String weighted : weightedText) {
String weightedStr = cleanseText(weighted);
final String weightedStr = cleanseText(weighted);
if (equalsIgnoreCaseAndNonAlpha(word, weightedStr)) {
temp = LuceneUtils.escapeLuceneQuery(word) + WEIGHTING_BOOST;
if (!word.equalsIgnoreCase(weightedStr)) {
@@ -405,8 +405,8 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
return false;
}
String left = l.replaceAll(CLEANSE_NONALPHA_RX, "");
String right = r.replaceAll(CLEANSE_NONALPHA_RX, "");
final String left = l.replaceAll(CLEANSE_NONALPHA_RX, "");
final String right = r.replaceAll(CLEANSE_NONALPHA_RX, "");
return left.equalsIgnoreCase(right);
}
@@ -422,16 +422,23 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
private boolean verifyEntry(final Entry entry, final Dependency dependency) {
boolean isValid = false;
if (collectionContainsStrings(dependency.getProductEvidence(), entry.getProduct())
&& collectionContainsStrings(dependency.getVendorEvidence(), entry.getVendor())
&& collectionContainsStrings(dependency.getVersionEvidence(), entry.getVersion())) {
if (collectionContainsString(dependency.getProductEvidence(), entry.getProduct())
&& collectionContainsString(dependency.getVendorEvidence(), entry.getVendor())
&& collectionContainsString(dependency.getVersionEvidence(), entry.getVersion())) {
isValid = true;
}
return isValid;
}
private boolean collectionContainsStrings(EvidenceCollection ec, String text) {
String[] words = text.split("[\\s_-]");
/**
* Used to determine if the EvidenceCollection contains a specific string.
*
* @param ec an EvidenceCollection
* @param text the text to search for
* @return whether or not the EvidenceCollection contains the string
*/
private boolean collectionContainsString(EvidenceCollection ec, String text) {
final String[] words = text.split("[\\s_-]");
boolean contains = true;
for (String word : words) {
contains &= ec.containsUsedString(word);

43
src/main/java/org/owasp/dependencycheck/data/cpe/Entry.java
View File

@@ -32,6 +32,9 @@ import org.apache.lucene.document.Document;
*/
public class Entry implements Serializable {
/**
* the serial version uid.
*/
static final long serialVersionUID = 8011924485946326934L;
/**
@@ -42,7 +45,7 @@ public class Entry implements Serializable {
* @return a CPE Entry.
*/
public static Entry parse(Document doc) {
Entry entry = new Entry();
final Entry entry = new Entry();
try {
entry.parseName(doc.get(Fields.NAME));
} catch (UnsupportedEncodingException ex) {
@@ -54,10 +57,10 @@ public class Entry implements Serializable {
/**
* The name of the CPE entry.
*/
protected String name;
private String name;
/**
* Get the value of name
* Get the value of name.
*
* @return the value of name
*/
@@ -66,7 +69,7 @@ public class Entry implements Serializable {
}
/**
* Set the value of name
* Set the value of name.
*
* @param name new value of name
*/
@@ -76,10 +79,10 @@ public class Entry implements Serializable {
/**
* The vendor name.
*/
protected String vendor;
private String vendor;
/**
* Get the value of vendor
* Get the value of vendor.
*
* @return the value of vendor
*/
@@ -88,7 +91,7 @@ public class Entry implements Serializable {
}
/**
* Set the value of vendor
* Set the value of vendor.
*
* @param vendor new value of vendor
*/
@@ -98,10 +101,10 @@ public class Entry implements Serializable {
/**
* The product name.
*/
protected String product;
private String product;
/**
* Get the value of product
* Get the value of product.
*
* @return the value of product
*/
@@ -110,7 +113,7 @@ public class Entry implements Serializable {
}
/**
* Set the value of product
* Set the value of product.
*
* @param product new value of product
*/
@@ -120,10 +123,10 @@ public class Entry implements Serializable {
/**
* The product version.
*/
protected String version;
private String version;
/**
* Get the value of version
* Get the value of version.
*
* @return the value of version
*/
@@ -132,7 +135,7 @@ public class Entry implements Serializable {
}
/**
* Set the value of version
* Set the value of version.
*
* @param version new value of version
*/
@@ -142,10 +145,10 @@ public class Entry implements Serializable {
/**
* The product revision.
*/
protected String revision;
private String revision;
/**
* Get the value of revision
* Get the value of revision.
*
* @return the value of revision
*/
@@ -154,7 +157,7 @@ public class Entry implements Serializable {
}
/**
* Set the value of revision
* Set the value of revision.
*
* @param revision new value of revision
*/
@@ -164,10 +167,10 @@ public class Entry implements Serializable {
/**
* The search score.
*/
protected float searchScore;
private float searchScore;
/**
* Get the value of searchScore
* Get the value of searchScore.
*
* @return the value of searchScore
*/
@@ -176,7 +179,7 @@ public class Entry implements Serializable {
}
/**
* Set the value of searchScore
* Set the value of searchScore.
*
* @param searchScore new value of searchScore
*/
@@ -199,7 +202,7 @@ public class Entry implements Serializable {
public void parseName(String cpeName) throws UnsupportedEncodingException {
this.name = cpeName;
if (cpeName != null && cpeName.length() > 7) {
String[] data = cpeName.substring(7).split(":");
final String[] data = cpeName.substring(7).split(":");
if (data.length >= 1) {
vendor = URLDecoder.decode(data[0], "UTF-8").replaceAll("[_-]", " ");
if (data.length >= 2) {

46
src/main/java/org/owasp/dependencycheck/data/cpe/Index.java
View File

@@ -57,9 +57,8 @@ public class Index extends AbstractIndex {
* @throws IOException is thrown if an IOException occurs.
*/
public Directory getDirectory() throws IOException {
File path = getDataDirectory();
Directory dir = FSDirectory.open(path);
final File path = getDataDirectory();
final Directory dir = FSDirectory.open(path);
return dir;
}
@@ -71,9 +70,9 @@ public class Index extends AbstractIndex {
* @throws IOException is thrown if an IOException occurs of course...
*/
public File getDataDirectory() throws IOException {
String fileName = Settings.getString(Settings.KEYS.CPE_INDEX);
String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
String decodedPath = URLDecoder.decode(filePath, "UTF-8");
final String fileName = Settings.getString(Settings.KEYS.CPE_INDEX);
final String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) {
exePath = exePath.getParentFile();
@@ -97,19 +96,25 @@ public class Index extends AbstractIndex {
*/
@SuppressWarnings("unchecked")
public Analyzer createIndexingAnalyzer() {
Map fieldAnalyzers = new HashMap();
final Map fieldAnalyzers = new HashMap();
//fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
fieldAnalyzers.put(Fields.VERSION, new VersionAnalyzer(Version.LUCENE_40));
fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
final PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
return wrapper;
}
private SearchFieldAnalyzer productSearchFieldAnalyzer = null;
private SearchFieldAnalyzer vendorSearchFieldAnalyzer = null;
/**
* The search field analyzer for the product field.
*/
private SearchFieldAnalyzer productSearchFieldAnalyzer;
/**
* The search field analyzer for the vendor field.
*/
private SearchFieldAnalyzer vendorSearchFieldAnalyzer;
/**
* Creates an Analyzer for searching the CPE Index.
@@ -118,7 +123,7 @@ public class Index extends AbstractIndex {
*/
@SuppressWarnings("unchecked")
public Analyzer createSearchingAnalyzer() {
Map fieldAnalyzers = new HashMap();
final Map fieldAnalyzers = new HashMap();
fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
//fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
@@ -128,14 +133,15 @@ public class Index extends AbstractIndex {
fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer);
fieldAnalyzers.put(Fields.VENDOR, vendorSearchFieldAnalyzer);
PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
final PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
return wrapper;
}
/**
* Creates the Lucene QueryParser used when querying the index
* Creates the Lucene QueryParser used when querying the index.
*
* @return a QueryParser.
*/
public QueryParser createQueryParser() {
@@ -162,10 +168,10 @@ public class Index extends AbstractIndex {
* @throws IOException is thrown if an IOException occurs.
*/
public void saveEntry(Entry entry) throws CorruptIndexException, IOException {
Document doc = convertEntryToDoc(entry);
final Document doc = convertEntryToDoc(entry);
//Term term = new Term(Fields.NVDID, LuceneUtils.escapeLuceneQuery(entry.getNvdId()));
Term term = new Term(Fields.NAME, entry.getName());
indexWriter.updateDocument(term, doc);
final Term term = new Term(Fields.NAME, entry.getName());
getIndexWriter().updateDocument(term, doc);
}
/**
@@ -175,16 +181,16 @@ public class Index extends AbstractIndex {
* @return a Lucene Document containing a CPE Entry.
*/
protected Document convertEntryToDoc(Entry entry) {
Document doc = new Document();
final Document doc = new Document();
Field name = new StoredField(Fields.NAME, entry.getName());
final Field name = new StoredField(Fields.NAME, entry.getName());
doc.add(name);
Field vendor = new TextField(Fields.VENDOR, entry.getVendor(), Field.Store.NO);
final Field vendor = new TextField(Fields.VENDOR, entry.getVendor(), Field.Store.NO);
vendor.setBoost(5.0F);
doc.add(vendor);
Field product = new TextField(Fields.PRODUCT, entry.getProduct(), Field.Store.NO);
final Field product = new TextField(Fields.PRODUCT, entry.getProduct(), Field.Store.NO);
product.setBoost(5.0F);
doc.add(product);

23
src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java
View File

@@ -29,21 +29,32 @@ import java.util.logging.Logger;
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class CweDB {
public final class CweDB {
/**
* Empty private constructor as this is a utility class.
*/
private CweDB() {
//empty constructor for utility class
//empty
}
/**
* A hashmap of the CWE data.
*/
private static final HashMap<String, String> CWE = loadData();
/**
* Loads a hashmap containing the CWE data from a resource found in the jar.
*
* @return a hashmap of CWE data
*/
private static HashMap<String, String> loadData() {
ObjectInputStream oin = null;
try {
String filePath = "data/cwe.hashmap.serialized";
InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
final String filePath = "data/cwe.hashmap.serialized";
final InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
oin = new ObjectInputStream(input);
@SuppressWarnings("unchecked")
HashMap<String, String> data = (HashMap<String, String>) oin.readObject();
final HashMap<String, String> data = (HashMap<String, String>) oin.readObject();
return data;
} catch (ClassNotFoundException ex) {
Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
@@ -63,7 +74,7 @@ public class CweDB {
/**
* <p>Returns the full CWE name from the CWE ID.</p>
* @param cweId te CWE ID
* @param cweId the CWE ID
* @return the full name of the CWE
*/
public static String getCweName(String cweId) {

7
src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java
View File

@@ -30,6 +30,9 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class CweHandler extends DefaultHandler {
/**
* a hashmap containing the CWE data.
*/
private HashMap<String, String> cwe = new HashMap<String, String>();
/**
@@ -44,8 +47,8 @@ public class CweHandler extends DefaultHandler {
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
if ("Weakness".equals(qName) || "Category".equals(qName)) {
String id = "CWE-" + attributes.getValue("ID");
String name = attributes.getValue("Name");
final String id = "CWE-" + attributes.getValue("ID");
final String name = attributes.getValue("Name");
cwe.put(id, name);
}
}

53
src/main/java/org/owasp/dependencycheck/data/lucene/AbstractIndex.java
View File

@@ -48,31 +48,31 @@ public abstract class AbstractIndex {
/**
* The Lucene directory containing the index.
*/
protected Directory directory = null;
private Directory directory;
/**
* The IndexWriter for the Lucene index.
*/
protected IndexWriter indexWriter = null;
private IndexWriter indexWriter;
/**
* The Lucene IndexReader.
*/
private IndexReader indexReader = null;
private IndexReader indexReader;
/**
* The Lucene IndexSearcher.
*/
private IndexSearcher indexSearcher = null;
private IndexSearcher indexSearcher;
/**
* The Lucene Analyzer used for Indexing.
*/
private Analyzer indexingAnalyzer = null;
private Analyzer indexingAnalyzer;
/**
* The Lucene Analyzer used for Searching
* The Lucene Analyzer used for Searching.
*/
private Analyzer searchingAnalyzer = null;
private Analyzer searchingAnalyzer;
/**
* The Lucene QueryParser used for Searching
* The Lucene QueryParser used for Searching.
*/
private QueryParser queryParser = null;
private QueryParser queryParser;
/**
* Indicates whether or not the Lucene Index is open.
*/
@@ -155,7 +155,7 @@ public abstract class AbstractIndex {
if (!isOpen()) {
open();
}
IndexWriterConfig conf = new IndexWriterConfig(Version.LUCENE_40, indexingAnalyzer);
final IndexWriterConfig conf = new IndexWriterConfig(Version.LUCENE_40, indexingAnalyzer);
indexWriter = new IndexWriter(directory, conf);
}
@@ -241,7 +241,8 @@ public abstract class AbstractIndex {
}
/**
* Searches the index using the given search string
* Searches the index using the given search string.
*
* @param searchString the query text
* @param maxQueryResults the maximum number of documents to return
* @return the TopDocs found by the search
@@ -250,21 +251,18 @@ public abstract class AbstractIndex {
*/
public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
QueryParser parser = getQueryParser();
Query query = parser.parse(searchString);
final QueryParser parser = getQueryParser();
final Query query = parser.parse(searchString);
resetSearchingAnalyzer();
IndexSearcher is = getIndexSearcher();
TopDocs docs = is.search(query, maxQueryResults);
final IndexSearcher is = getIndexSearcher();
final TopDocs docs = is.search(query, maxQueryResults);
return docs;
}
/**
* Searches the index using the given query
* Searches the index using the given query.
*
* @param query the query used to search the index
* @param maxQueryResults the max number of results to return
* @return the TopDocs found be the query
@@ -272,23 +270,24 @@ public abstract class AbstractIndex {
* @throws IOException thrown if there is an IOException
*/
public TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException {
IndexSearcher is = getIndexSearcher();
final IndexSearcher is = getIndexSearcher();
return is.search(query, maxQueryResults);
}
/**
* Retrieves a document from the Index
* Retrieves a document from the Index.
*
* @param documentId the id of the document to retrieve
* @return the Document
* @throws IOException thrown if there is an IOException
*/
public Document getDocument(int documentId) throws IOException {
IndexSearcher is = getIndexSearcher();
final IndexSearcher is = getIndexSearcher();
return is.doc(documentId);
}
/**
* Gets the directory that contains the Lucene Index
* Gets the directory that contains the Lucene Index.
*
* @return a Lucene Directory
* @throws IOException is thrown when an IOException occurs
@@ -296,21 +295,21 @@ public abstract class AbstractIndex {
public abstract Directory getDirectory() throws IOException;
/**
* Creates the Lucene Analyzer used when indexing
* Creates the Lucene Analyzer used when indexing.
*
* @return a Lucene Analyzer
*/
public abstract Analyzer createIndexingAnalyzer();
/**
* Creates the Lucene Analyzer used when querying the index
* Creates the Lucene Analyzer used when querying the index.
*
* @return a Lucene Analyzer
*/
public abstract Analyzer createSearchingAnalyzer();
/**
* Creates the Lucene QueryParser used when querying the index
* Creates the Lucene QueryParser used when querying the index.
* @return a QueryParser
*/
public abstract QueryParser createQueryParser();

3
src/main/java/org/owasp/dependencycheck/data/lucene/DependencySimilarity.java
View File

@@ -26,6 +26,9 @@ import org.apache.lucene.search.similarities.DefaultSimilarity;
*/
public class DependencySimilarity extends DefaultSimilarity {
/**
* the serial version uid.
*/
private static final long serialVersionUID = 1L;
/**

9
src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java
View File

@@ -39,12 +39,13 @@ import org.apache.lucene.util.Version;
public class FieldAnalyzer extends Analyzer {
/**
* The Lucene Version used
* The Lucene Version used.
*/
private Version version = null;
private Version version;
/**
* Creates a new FieldAnalyzer
* Creates a new FieldAnalyzer.
*
* @param version the Lucene version
*/
public FieldAnalyzer(Version version) {
@@ -60,7 +61,7 @@ public class FieldAnalyzer extends Analyzer {
*/
@Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
Tokenizer source = new WhitespaceTokenizer(version, reader);
final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source;

4
src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java
View File

@@ -48,7 +48,7 @@ public final class LuceneUtils {
}
for (int i = 0; i < text.length(); i++) {
char c = text.charAt(i);
final char c = text.charAt(i);
switch (c) {
case '+':
case '-':
@@ -91,7 +91,7 @@ public final class LuceneUtils {
int size = text.length();
size = size >> 1;
StringBuilder buf = new StringBuilder(size);
final StringBuilder buf = new StringBuilder(size);
appendEscapedLuceneQuery(buf, text);

11
src/main/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzer.java
View File

@@ -37,17 +37,18 @@ import org.apache.lucene.util.Version;
public class SearchFieldAnalyzer extends Analyzer {
/**
* The Lucene Version used
* The Lucene Version used.
*/
private Version version = null;
private Version version;
/**
* A local reference to the TokenPairConcatenatingFilter so that we
* can clear any left over state if this analyzer is re-used.
*/
private TokenPairConcatenatingFilter concatenatingFilter = null;
private TokenPairConcatenatingFilter concatenatingFilter;
/**
* Constructs a new SearchFieldAnalyzer
* Constructs a new SearchFieldAnalyzer.
*
* @param version the Lucene version
*/
public SearchFieldAnalyzer(Version version) {
@@ -62,7 +63,7 @@ public class SearchFieldAnalyzer extends Analyzer {
*/
@Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
Tokenizer source = new WhitespaceTokenizer(version, reader);
final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source;

9
src/main/java/org/owasp/dependencycheck/data/lucene/SearchVersionAnalyzer.java
View File

@@ -40,12 +40,13 @@ public class SearchVersionAnalyzer extends Analyzer {
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
/**
* The Lucene Version used
* The Lucene Version used.
*/
private Version version = null;
private Version version;
/**
* Creates a new SearchVersionAnalyzer
* Creates a new SearchVersionAnalyzer.
*
* @param version the Lucene version
*/
public SearchVersionAnalyzer(Version version) {
@@ -61,7 +62,7 @@ public class SearchVersionAnalyzer extends Analyzer {
*/
@Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
Tokenizer source = new WhitespaceTokenizer(version, reader);
final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source;
stream = new LowerCaseFilter(version, stream);
stream = new VersionTokenizingFilter(stream);

38
src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java
View File

@@ -26,20 +26,35 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
import org.apache.lucene.analysis.tokenattributes.PositionIncrementAttribute;
/**
* <p>Takes a TokenStream and adds additional tokens by concatenating pairs of words.</p>
* <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
* <p>Takes a TokenStream and adds additional tokens by concatenating pairs of
* words.</p>
* <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework
* Framework FrameworkCore Core".</p>
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public final class TokenPairConcatenatingFilter extends TokenFilter {
/**
* The char term attribute.
*/
private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
/**
* The position increment attribute.
*/
private final PositionIncrementAttribute posIncAtt = addAttribute(PositionIncrementAttribute.class);
private String previousWord = null;
private LinkedList<String> words = null;
/**
* The previous word parsed.
*/
private String previousWord;
/**
* A list of words parsed.
*/
private LinkedList<String> words;
/**
* Constructs a new TokenPairConcatenatingFilter
* Constructs a new TokenPairConcatenatingFilter.
*
* @param stream the TokenStream that this filter will process
*/
public TokenPairConcatenatingFilter(TokenStream stream) {
@@ -60,14 +75,14 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
//collect all the terms into the words collection
while (input.incrementToken()) {
String word = new String(termAtt.buffer(), 0, termAtt.length());
final String word = new String(termAtt.buffer(), 0, termAtt.length());
words.add(word);
}
//if we have a previousTerm - write it out as its own token concatenated
// with the current word (if one is available).
if (previousWord != null && words.size() > 0) {
String word = words.getFirst();
final String word = words.getFirst();
clearAttributes();
termAtt.append(previousWord).append(word);
posIncAtt.setPositionIncrement(0);
@@ -76,7 +91,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
}
//if we have words, write it out as a single token
if (words.size() > 0) {
String word = words.removeFirst();
final String word = words.removeFirst();
clearAttributes();
termAtt.append(word);
previousWord = word;
@@ -86,9 +101,10 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
}
/**
* <p>Resets the Filter and clears any internal state data that may
* have been left-over from previous uses of the Filter.</p>
* <p><b>If this Filter is re-used this method must be called between uses.</b></p>
* <p>Resets the Filter and clears any internal state data that may have
* been left-over from previous uses of the Filter.</p>
* <p><b>If this Filter is re-used this method must be called between
* uses.</b></p>
*/
public void clear() {
previousWord = null;

9
src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java
View File

@@ -40,12 +40,13 @@ public class VersionAnalyzer extends Analyzer {
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
/**
* The Lucene Version used
* The Lucene Version used.
*/
private Version version = null;
private Version version;
/**
* Creates a new VersionAnalyzer
* Creates a new VersionAnalyzer.
*
* @param version the Lucene version
*/
public VersionAnalyzer(Version version) {
@@ -61,7 +62,7 @@ public class VersionAnalyzer extends Analyzer {
*/
@Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
Tokenizer source = new WhitespaceTokenizer(version, reader);
final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source;
stream = new LowerCaseFilter(version, stream);
return new TokenStreamComponents(source, stream);

37
src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java
View File

@@ -25,21 +25,27 @@ import org.apache.lucene.analysis.TokenStream;
import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
/**
* <p>Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
* <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
* <p>Takes a TokenStream and splits or adds tokens to correctly index version
* numbers.</p>
* <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
* 3.0.0.RELEASE".</p>
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public final class VersionTokenizingFilter extends TokenFilter {
/**
* The char term attribute.
*/
private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
/**
* A collection of tokens to add to the stream.
*/
protected LinkedList<String> tokens = null;
private LinkedList<String> tokens;
/**
* Constructs a new VersionTokenizingFilter
* Constructs a new VersionTokenizingFilter.
*
* @param stream the TokenStream that this filter will process
*/
public VersionTokenizingFilter(TokenStream stream) {
@@ -58,8 +64,8 @@ public final class VersionTokenizingFilter extends TokenFilter {
@Override
public boolean incrementToken() throws IOException {
if (tokens.size() == 0 && input.incrementToken()) {
String version = new String(termAtt.buffer(), 0, termAtt.length());
String[] toAnalyze = version.split("[_-]");
final String version = new String(termAtt.buffer(), 0, termAtt.length());
final String[] toAnalyze = version.split("[_-]");
if (toAnalyze.length > 1) { //ensure we analyze the whole string as one too
analyzeVersion(version);
}
@@ -72,23 +78,34 @@ public final class VersionTokenizingFilter extends TokenFilter {
/**
* Adds a term, if one exists, from the tokens collection.
*
* @return whether or not a new term was added
*/
private boolean addTerm() {
boolean termAdded = tokens.size() > 0;
final boolean termAdded = tokens.size() > 0;
if (termAdded) {
String version = tokens.pop();
final String version = tokens.pop();
clearAttributes();
termAtt.append(version);
}
return termAdded;
}
//major.minor[.maintenance[.build]]
/**
* <p>Analyzes the version and adds several copies of the version as
* different tokens. For example, the version 1.2.7 would create the tokens
* 1 1.2 1.2.7. This is useful in discovering the correct version -
* sometimes a maintenance or build number will throw off the version
* identification.</p>
*
* <p>expected&nbsp;format:&nbps;major.minor[.maintenance[.build]]</p>
*
* @param version the version to analyze
*/
private void analyzeVersion(String version) {
//todo should we also be splitting on dash or underscore? we would need
// to incorporate the dash or underscore back in...
String[] versionParts = version.split("\\.");
final String[] versionParts = version.split("\\.");
String dottedVersion = null;
for (String current : versionParts) {
if (!current.matches("^/d+$")) {

4
src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java
View File

@@ -25,6 +25,10 @@ package org.owasp.dependencycheck.data.nvdcve;
* @author Jeremy Long (jeremy.long@gmail.com)
*/
class CorruptDatabaseException extends DatabaseException {
/**
* the serial version uid.
*/
private static final long serialVersionUID = 1L;
/**

109
src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
View File

@@ -48,131 +48,131 @@ public class CveDB {
//<editor-fold defaultstate="collapsed" desc="Constants to create, maintain, and retrieve data from the CVE Database">
/**
* SQL Statement to create an index on the reference table
* SQL Statement to create an index on the reference table.
*/
public static final String CREATE_INDEX_IDXREFERENCE = "CREATE INDEX IF NOT EXISTS idxReference ON reference(cveid)";
/**
* SQL Statement to create an index on the software for finding CVE entries based on CPE data
* SQL Statement to create an index on the software for finding CVE entries based on CPE data.
*/
public static final String CREATE_INDEX_IDXSOFTWARE = "CREATE INDEX IF NOT EXISTS idxSoftware ON software(product, vendor, version)";
/**
* SQL Statement to create an index for retrieving software by CVEID
* SQL Statement to create an index for retrieving software by CVEID.
*/
public static final String CREATE_INDEX_IDXSOFTWARECVE = "CREATE INDEX IF NOT EXISTS idxSoftwareCve ON software(cveid)";
/**
* SQL Statement to create an index on the vulnerability table
* SQL Statement to create an index on the vulnerability table.
*/
public static final String CREATE_INDEX_IDXVULNERABILITY = "CREATE INDEX IF NOT EXISTS idxVulnerability ON vulnerability(cveid)";
/**
* SQL Statement to create the reference table
* SQL Statement to create the reference table.
*/
public static final String CREATE_TABLE_REFERENCE = "CREATE TABLE IF NOT EXISTS reference (cveid CHAR(13), "
+ "name varchar(1000), url varchar(1000), source varchar(255))";
/**
* SQL Statement to create the software table
* SQL Statement to create the software table.
*/
public static final String CREATE_TABLE_SOFTWARE = "CREATE TABLE IF NOT EXISTS software (cveid CHAR(13), cpe varchar(500), "
+ "vendor varchar(255), product varchar(255), version varchar(50), previousVersion varchar(50))";
/**
* SQL Statement to create the vulnerability table
* SQL Statement to create the vulnerability table.
*/
public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability (cveid CHAR(13) PRIMARY KEY, "
+ "description varchar(8000), cwe varchar(10), cvssScore DECIMAL(3,1), cvssAccessVector varchar(20), "
+ "cvssAccessComplexity varchar(20), cvssAuthentication varchar(20), cvssConfidentialityImpact varchar(20), "
+ "cvssIntegrityImpact varchar(20), cvssAvailabilityImpact varchar(20))";
/**
* SQL Statement to delete references by CVEID
* SQL Statement to delete references by CVEID.
*/
public static final String DELETE_REFERENCE = "DELETE FROM reference WHERE cveid = ?";
/**
* SQL Statement to delete software by CVEID
* SQL Statement to delete software by CVEID.
*/
public static final String DELETE_SOFTWARE = "DELETE FROM software WHERE cveid = ?";
/**
* SQL Statement to delete a vulnerability by CVEID
* SQL Statement to delete a vulnerability by CVEID.
*/
public static final String DELETE_VULNERABILITY = "DELETE FROM vulnerability WHERE cveid = ?";
/**
* SQL Statement to insert a new reference
* SQL Statement to insert a new reference.
*/
public static final String INSERT_REFERENCE = "INSERT INTO reference (cveid, name, url, source) VALUES (?, ?, ?, ?)";
/**
* SQL Statement to insert a new software
* SQL Statement to insert a new software.
*/
public static final String INSERT_SOFTWARE = "INSERT INTO software (cveid, cpe, vendor, product, version, previousVersion) "
+ "VALUES (?, ?, ?, ?, ?, ?)";
/**
* SQL Statement to insert a new vulnerability
* SQL Statement to insert a new vulnerability.
*/
public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description, cwe, cvssScore, cvssAccessVector, "
+ "cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) "
+ "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
/**
* SQL Statement to find CVE entries based on CPE data
* SQL Statement to find CVE entries based on CPE data.
*/
public static final String SELECT_CVE_FROM_SOFTWARE = "SELECT cveid FROM software WHERE Vendor = ? AND Product = ? AND "
+ "(version = '-' OR previousVersion IS NOT NULL OR version=?)";
/**
* SQL Statement to select references by CVEID
* SQL Statement to select references by CVEID.
*/
public static final String SELECT_REFERENCE = "SELECT source, name, url FROM reference WHERE cveid = ?";
/**
* SQL Statement to select software by CVEID
* SQL Statement to select software by CVEID.
*/
public static final String SELECT_SOFTWARE = "SELECT cpe, previousVersion FROM software WHERE cveid = ?";
/**
* SQL Statement to select a vulnerability by CVEID
* SQL Statement to select a vulnerability by CVEID.
*/
public static final String SELECT_VULNERABILITY = "SELECT cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, "
+ "cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cveid = ?";
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Collection of CallableStatements to work with the DB">
/**
* delete reference - parameters (cveid)
* delete reference - parameters (cveid).
*/
private CallableStatement deleteReferences = null;
private CallableStatement deleteReferences;
/**
* delete software - parameters (cveid)
* delete software - parameters (cveid).
*/
private CallableStatement deleteSoftware = null;
private CallableStatement deleteSoftware;
/**
* delete vulnerability - parameters (cveid)
* delete vulnerability - parameters (cveid).
*/
private CallableStatement deleteVulnerabilities = null;
private CallableStatement deleteVulnerabilities;
/**
* insert reference - parameters (cveid, name, url, source)
* insert reference - parameters (cveid, name, url, source).
*/
private CallableStatement insertReference = null;
private CallableStatement insertReference;
/**
* insert software - parameters (cveid, cpe, vendor, product, version, previousVersion)
* insert software - parameters (cveid, cpe, vendor, product, version, previousVersion).
*/
private CallableStatement insertSoftware = null;
private CallableStatement insertSoftware;
/**
* insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector,
* cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact)
* cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact).
*/
private CallableStatement insertVulnerability = null;
private CallableStatement insertVulnerability;
/**
* select cve from software - parameters (vendor, product, version)
* select cve from software - parameters (vendor, product, version).
*/
private CallableStatement selectCveFromSoftware = null;
private CallableStatement selectCveFromSoftware;
/**
* select vulnerability - parameters (cveid)
* select vulnerability - parameters (cveid).
*/
private CallableStatement selectVulnerability = null;
private CallableStatement selectVulnerability;
/**
* select reference - parameters (cveid)
* select reference - parameters (cveid).
*/
private CallableStatement selectReferences = null;
private CallableStatement selectReferences;
/**
* select software - parameters (cveid)
* select software - parameters (cveid).
*/
private CallableStatement selectSoftware = null;
private CallableStatement selectSoftware;
//</editor-fold>
/**
* Database connection
*/
protected Connection conn = null;
private Connection conn;
/**
* Opens the database connection. If the database does not exist, it will
@@ -183,12 +183,12 @@ public class CveDB {
* @throws DatabaseException thrown if there is an error initializing a new database
*/
public void open() throws IOException, SQLException, DatabaseException {
String fileName = CveDB.getDataDirectory().getCanonicalPath()
final String fileName = CveDB.getDataDirectory().getCanonicalPath()
+ File.separator
+ "cve";
File f = new File(fileName);
boolean createTables = !f.exists();
String connStr = "jdbc:h2:file:" + fileName;
final File f = new File(fileName);
final boolean createTables = !f.exists();
final String connStr = "jdbc:h2:file:" + fileName;
conn = DriverManager.getConnection(connStr, "sa", "");
if (createTables) {
createTables();
@@ -236,7 +236,7 @@ public class CveDB {
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
}
List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
try {
selectCveFromSoftware.setString(1, cpe.getVendor());
@@ -244,7 +244,7 @@ public class CveDB {
selectCveFromSoftware.setString(3, cpe.getVersion());
rs = selectCveFromSoftware.executeQuery();
while (rs.next()) {
Vulnerability v = getVulnerability(rs.getString("cveid"));
final Vulnerability v = getVulnerability(rs.getString("cveid"));
vulnerabilities.add(v);
}
} catch (SQLException ex) {
@@ -261,6 +261,13 @@ public class CveDB {
return vulnerabilities;
}
/**
* Gets a vulnerability for the provided CVE.
*
* @param cve the CVE to lookup
* @return a vulnerability object
* @throws DatabaseException if an exception occurs
*/
private Vulnerability getVulnerability(String cve) throws DatabaseException {
ResultSet rsV = null;
ResultSet rsR = null;
@@ -275,7 +282,7 @@ public class CveDB {
vuln.setDescription(rsV.getString(2));
String cwe = rsV.getString(3);
if (cwe != null) {
String name = CweDB.getCweName(cwe);
final String name = CweDB.getCweName(cwe);
if (name != null) {
cwe += " " + name;
}
@@ -297,8 +304,8 @@ public class CveDB {
selectSoftware.setString(1, cve);
rsS = selectSoftware.executeQuery();
while (rsS.next()) {
String cpe = rsS.getString(1);
String prevVers = rsS.getString(2);
final String cpe = rsS.getString(1);
final String prevVers = rsS.getString(2);
if (prevVers == null) {
vuln.addVulnerableSoftware(cpe);
} else {
@@ -399,9 +406,9 @@ public class CveDB {
* @throws IOException is thrown if an IOException occurs of course...
*/
public static File getDataDirectory() throws IOException {
String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
String filePath = CveDB.class.getProtectionDomain().getCodeSource().getLocation().getPath();
String decodedPath = URLDecoder.decode(filePath, "UTF-8");
final String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
final String filePath = CveDB.class.getProtectionDomain().getCodeSource().getLocation().getPath();
final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) {
@@ -450,7 +457,7 @@ public class CveDB {
/**
* Builds the CallableStatements used by the application.
* @throws DatabaseException
* @throws DatabaseException thrown if there is a database exception
*/
private void buildStatements() throws DatabaseException {
try {

8
src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseException.java
View File

@@ -24,9 +24,13 @@ package org.owasp.dependencycheck.data.nvdcve;
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class DatabaseException extends Exception {
/**
* the serial version uid.
*/
private static final long serialVersionUID = 1L;
/**
* Creates an DatabaseException
* Creates an DatabaseException.
*
* @param msg the exception message
*/
@@ -35,7 +39,7 @@ public class DatabaseException extends Exception {
}
/**
* Creates an DatabaseException
* Creates an DatabaseException.
*
* @param msg the exception message
* @param ex the cause of the exception

6
src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
View File

@@ -45,7 +45,7 @@ public class NvdCveAnalyzer implements org.owasp.dependencycheck.analyzer.Analyz
/**
* The CVE Index.
*/
protected CveDB cveDB = null;
private CveDB cveDB;
/**
* Opens the data source.
@@ -102,8 +102,8 @@ public class NvdCveAnalyzer implements org.owasp.dependencycheck.analyzer.Analyz
for (Identifier id : dependency.getIdentifiers()) {
if ("cpe".equals(id.getType())) {
try {
String value = id.getValue();
List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
final String value = id.getValue();
final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
for (Vulnerability v : vulns) {
dependency.addVulnerability(v);
}

75
src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java
View File

@@ -75,7 +75,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
*/
private static final String LAST_UPDATED_BASE = "lastupdated.";
/**
* The current version of the database
* The current version of the database.
*/
public static final String DATABASE_VERSION = "2.2";
@@ -87,7 +87,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
*/
public void update() throws UpdateException {
try {
Map<String, NvdCveUrl> update = updateNeeded();
final Map<String, NvdCveUrl> update = updateNeeded();
int maxUpdates = 0;
for (NvdCveUrl cve : update.values()) {
if (cve.getNeedsUpdate()) {
@@ -164,6 +164,11 @@ public class DatabaseUpdater implements CachedWebDataSource {
*
* @param file the file containing the NVD CVE XML
* @param oldVersion contains the file containing the NVD CVE XML 1.2
* @throws ParserConfigurationException is thrown if there is a parserconfigurationexception
* @throws SAXException is thrown if there is a saxexception
* @throws IOException is thrown if there is a ioexception
* @throws SQLException is thrown if there is a sql exception
* @throws DatabaseException is thrown if there is a database exception
*/
private void importXML(File file, File oldVersion)
throws ParserConfigurationException, SAXException, IOException, SQLException, DatabaseException {
@@ -177,12 +182,12 @@ public class DatabaseUpdater implements CachedWebDataSource {
cpeIndex = new Index();
cpeIndex.openIndexWriter();
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
final SAXParserFactory factory = SAXParserFactory.newInstance();
final SAXParser saxParser = factory.newSAXParser();
NvdCve12Handler cve12Handler = new NvdCve12Handler();
saxParser.parse(oldVersion, cve12Handler);
Map<String, List<VulnerableSoftware>> prevVersionVulnMap = cve12Handler.getVulnerabilities();
final Map<String, List<VulnerableSoftware>> prevVersionVulnMap = cve12Handler.getVulnerabilities();
cve12Handler = null;
NvdCve20Handler cve20Handler = new NvdCve20Handler();
@@ -209,19 +214,19 @@ public class DatabaseUpdater implements CachedWebDataSource {
* Writes a properties file containing the last updated date to the
* VULNERABLE_CPE directory.
*
* @param updated a map of the updated nvdcve.
* @param updated a map of the updated nvdcve
* @throws UpdateException is thrown if there is an update exception
*/
private void writeLastUpdatedPropertyFile(Map<String, NvdCveUrl> updated) throws UpdateException {
String dir;
try {
dir = CveDB.getDataDirectory().getCanonicalPath();
} catch (IOException ex) {
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
throw new UpdateException("Unable to locate last updated properties file.", ex);
}
File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
Properties prop = new Properties();
final File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
final Properties prop = new Properties();
prop.put("version", DATABASE_VERSION);
for (NvdCveUrl cve : updated.values()) {
prop.put(LAST_UPDATED_BASE + cve.id, String.valueOf(cve.getTimestamp()));
@@ -288,11 +293,11 @@ public class DatabaseUpdater implements CachedWebDataSource {
throw new UpdateException("Unable to locate last updated properties file.", ex);
}
File f = new File(dir);
final File f = new File(dir);
if (f.exists()) {
File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
final File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
if (cveProp.exists()) {
Properties prop = new Properties();
final Properties prop = new Properties();
InputStream is = null;
try {
is = new FileInputStream(cveProp);
@@ -306,7 +311,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} else {
try {
version = Float.parseFloat(prop.getProperty("version"));
float currentVersion = Float.parseFloat(DATABASE_VERSION);
final float currentVersion = Float.parseFloat(DATABASE_VERSION);
if (currentVersion > version) {
deleteAndRecreate = true;
}
@@ -321,16 +326,16 @@ public class DatabaseUpdater implements CachedWebDataSource {
FileUtils.delete(f);
//this importer also updates the CPE index and it is also using an old version
org.owasp.dependencycheck.data.cpe.Index cpeid = new org.owasp.dependencycheck.data.cpe.Index();
File cpeDir = cpeid.getDataDirectory();
final org.owasp.dependencycheck.data.cpe.Index cpeid = new org.owasp.dependencycheck.data.cpe.Index();
final File cpeDir = cpeid.getDataDirectory();
FileUtils.delete(cpeDir);
return currentlyPublished;
}
long lastUpdated = Long.parseLong(prop.getProperty(LAST_UPDATED_MODIFIED));
Date now = new Date();
int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS);
int maxEntries = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
final long lastUpdated = Long.parseLong(prop.getProperty(LAST_UPDATED_MODIFIED));
final Date now = new Date();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS);
final int maxEntries = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
if (lastUpdated == currentlyPublished.get("modified").timestamp) {
currentlyPublished.clear(); //we don't need to update anything.
} else if (withinRange(lastUpdated, now.getTime(), days)) {
@@ -341,7 +346,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} else { //we figure out which of the several XML files need to be downloaded.
currentlyPublished.get("modified").setNeedsUpdate(false);
for (int i = 1; i <= maxEntries; i++) {
NvdCveUrl cve = currentlyPublished.get(String.valueOf(i));
final NvdCveUrl cve = currentlyPublished.get(String.valueOf(i));
long currentTimestamp = 0;
try {
currentTimestamp = Long.parseLong(prop.getProperty(LAST_UPDATED_BASE + String.valueOf(i), "0"));
@@ -386,7 +391,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
* @return whether or not the date is within the range.
*/
private boolean withinRange(long date, long compareTo, int range) {
double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
return differenceInDays < range;
}
@@ -405,7 +410,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
protected Map<String, NvdCveUrl> retrieveCurrentTimestampsFromWeb()
throws MalformedURLException, DownloadFailedException, InvalidDataException, InvalidSettingException {
Map<String, NvdCveUrl> map = new HashMap<String, NvdCveUrl>();
final Map<String, NvdCveUrl> map = new HashMap<String, NvdCveUrl>();
String retrieveUrl = Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL);
NvdCveUrl item = new NvdCveUrl();
@@ -417,7 +422,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
item.timestamp = Downloader.getLastModified(new URL(retrieveUrl));
map.put("modified", item);
int max = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
final int max = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
for (int i = 1; i <= max; i++) {
retrieveUrl = Settings.getString(Settings.KEYS.CVE_BASE_URL + Settings.KEYS.CVE_SCHEMA_2_0 + i);
item = new NvdCveUrl();
@@ -442,7 +447,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private String id;
/**
* Get the value of id
* Get the value of id.
*
* @return the value of id
*/
@@ -451,7 +456,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
* Set the value of id
* Set the value of id.
*
* @param id new value of id
*/
@@ -464,7 +469,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private String url;
/**
* Get the value of url
* Get the value of url.
*
* @return the value of url
*/
@@ -473,7 +478,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
* Set the value of url
* Set the value of url.
*
* @param url new value of url
*/
@@ -481,12 +486,12 @@ public class DatabaseUpdater implements CachedWebDataSource {
this.url = url;
}
/**
* The 1.2 schema URL
* The 1.2 schema URL.
*/
protected String oldSchemaVersionUrl;
private String oldSchemaVersionUrl;
/**
* Get the value of oldSchemaVersionUrl
* Get the value of oldSchemaVersionUrl.
*
* @return the value of oldSchemaVersionUrl
*/
@@ -495,7 +500,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
* Set the value of oldSchemaVersionUrl
* Set the value of oldSchemaVersionUrl.
*
* @param oldSchemaVersionUrl new value of oldSchemaVersionUrl
*/
@@ -510,7 +515,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private long timestamp;
/**
* Get the value of timestamp - epoch time
* Get the value of timestamp - epoch time.
*
* @return the value of timestamp - epoch time
*/
@@ -519,7 +524,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
* Set the value of timestamp - epoch time
* Set the value of timestamp - epoch time.
*
* @param timestamp new value of timestamp - epoch time
*/
@@ -532,7 +537,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private boolean needsUpdate = true;
/**
* Get the value of needsUpdate
* Get the value of needsUpdate.
*
* @return the value of needsUpdate
*/
@@ -541,7 +546,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
* Set the value of needsUpdate
* Set the value of needsUpdate.
*
* @param needsUpdate new value of needsUpdate
*/

7
src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/InvalidDataException.java
View File

@@ -25,10 +25,13 @@ package org.owasp.dependencycheck.data.nvdcve.xml;
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class InvalidDataException extends Exception {
/**
* the serial version uid.
*/
private static final long serialVersionUID = 1L;
/**
* Creates an InvalidDataException
* Creates an InvalidDataException.
*
* @param msg the exception message
*/
@@ -37,7 +40,7 @@ public class InvalidDataException extends Exception {
}
/**
* Creates an InvalidDataException
* Creates an InvalidDataException.
*
* @param msg the exception message
* @param ex the cause of the exception

82
src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve12Handler.java
View File

@@ -38,18 +38,45 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class NvdCve12Handler extends DefaultHandler {
/**
* the supported schema version.
*/
private static final String CURRENT_SCHEMA_VERSION = "1.2";
private String vulnerability = null;
private List<VulnerableSoftware> software = null;
private String vendor = null;
private String product = null;
/**
* the current vulnerability.
*/
private String vulnerability;
/**
* a list of vulnerable software.
*/
private List<VulnerableSoftware> software;
/**
* the vendor name.
*/
private String vendor;
/**
* the product name.
*/
private String product;
/**
* if the nvd cve should be skipped because it was rejected.
*/
private boolean skip = false;
/**
* flag indicating if there is a previous version.
*/
private boolean hasPreviousVersion = false;
/**
* The current element.
*/
private Element current = new Element();
private Map<String, List<VulnerableSoftware>> vulnerabilities = null;
/**
* a map of vulnerabilities.
*/
private Map<String, List<VulnerableSoftware>> vulnerabilities;
/**
* Get the value of vulnerabilities
* Get the value of vulnerabilities.
*
* @return the value of vulnerabilities
*/
@@ -64,8 +91,8 @@ public class NvdCve12Handler extends DefaultHandler {
vendor = null;
product = null;
hasPreviousVersion = false;
String reject = attributes.getValue("reject");
skip = (reject != null && reject.equals("1"));
final String reject = attributes.getValue("reject");
skip = "1".equals(reject);
if (!skip) {
vulnerability = attributes.getValue("name");
software = new ArrayList<VulnerableSoftware>();
@@ -78,11 +105,11 @@ public class NvdCve12Handler extends DefaultHandler {
vendor = attributes.getValue("vendor");
product = attributes.getValue("name");
} else if (!skip && current.isVersNode()) {
String prev = attributes.getValue("prev");
final String prev = attributes.getValue("prev");
if (prev != null && "1".equals(prev)) {
hasPreviousVersion = true;
String edition = attributes.getValue("edition");
String num = attributes.getValue("num");
final String edition = attributes.getValue("edition");
final String num = attributes.getValue("num");
/*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our
purposes this is good enough as we won't use this if we don't find a corresponding "a"
@@ -94,13 +121,13 @@ public class NvdCve12Handler extends DefaultHandler {
if (edition != null) {
cpe += ":" + edition;
}
VulnerableSoftware vs = new VulnerableSoftware();
final VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe(cpe);
vs.setPreviousVersion(prev);
software.add(vs);
}
} else if (current.isNVDNode()) {
String nvdVer = attributes.getValue("nvd_xml_version");
final String nvdVer = attributes.getValue("nvd_xml_version");
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
}
@@ -128,29 +155,32 @@ public class NvdCve12Handler extends DefaultHandler {
protected static class Element {
/**
* A node type in the NVD CVE Schema 1.2
* A node type in the NVD CVE Schema 1.2.
*/
public static final String NVD = "nvd";
/**
* A node type in the NVD CVE Schema 1.2
* A node type in the NVD CVE Schema 1.2.
*/
public static final String ENTRY = "entry";
/**
* A node type in the NVD CVE Schema 1.2
* A node type in the NVD CVE Schema 1.2.
*/
public static final String VULN_SOFTWARE = "vuln_soft";
/**
* A node type in the NVD CVE Schema 1.2
* A node type in the NVD CVE Schema 1.2.
*/
public static final String PROD = "prod";
/**
* A node type in the NVD CVE Schema 1.2
* A node type in the NVD CVE Schema 1.2.
*/
public static final String VERS = "vers";
private String node = null;
/**
* The name of the current node.
*/
private String node;
/**
* Gets the value of node
* Gets the value of node.
*
* @return the value of node
*/
@@ -159,7 +189,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
* Sets the value of node
* Sets the value of node.
*
* @param node new value of node
*/
@@ -168,7 +198,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the NVD node
* Checks if the handler is at the NVD node.
*
* @return true or false
*/
@@ -177,7 +207,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the ENTRY node
* Checks if the handler is at the ENTRY node.
*
* @return true or false
*/
@@ -186,7 +216,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the VULN_SOFTWARE node
* Checks if the handler is at the VULN_SOFTWARE node.
*
* @return true or false
*/
@@ -195,7 +225,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the PROD node
* Checks if the handler is at the PROD node.
*
* @return true or false
*/
@@ -204,7 +234,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the VERS node
* Checks if the handler is at the VERS node.
*
* @return true or false
*/

96
src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java
View File

@@ -42,12 +42,30 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class NvdCve20Handler extends DefaultHandler {
/**
* the current supported schema version.
*/
private static final String CURRENT_SCHEMA_VERSION = "2.0";
/**
* the current element.
*/
private Element current = new Element();
StringBuilder nodeText = null;
Vulnerability vulnerability = null;
Reference reference = null;
boolean hasApplicationCpe = false;
/**
* the text of the node.
*/
private StringBuilder nodeText;
/**
* the vulnerability.
*/
private Vulnerability vulnerability;
/**
* a reference for the cve.
*/
private Reference reference;
/**
* flag indicating whether the application has a cpe.
*/
private boolean hasApplicationCpe = false;
@Override
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
@@ -59,7 +77,7 @@ public class NvdCve20Handler extends DefaultHandler {
} else if (current.isVulnProductNode()) {
nodeText = new StringBuilder(100);
} else if (current.isVulnReferencesNode()) {
String lang = attributes.getValue("xml:lang");
final String lang = attributes.getValue("xml:lang");
if ("en".equals(lang)) {
reference = new Reference();
} else {
@@ -73,7 +91,7 @@ public class NvdCve20Handler extends DefaultHandler {
} else if (current.isVulnSummaryNode()) {
nodeText = new StringBuilder(500);
} else if (current.isNVDNode()) {
String nvdVer = attributes.getValue("nvd_xml_version");
final String nvdVer = attributes.getValue("nvd_xml_version");
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
}
@@ -121,7 +139,7 @@ public class NvdCve20Handler extends DefaultHandler {
vulnerability = null;
} else if (current.isCVSSScoreNode()) {
try {
float score = Float.parseFloat(nodeText.toString());
final float score = Float.parseFloat(nodeText.toString());
vulnerability.setCvssScore(score);
} catch (NumberFormatException ex) {
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex);
@@ -146,7 +164,7 @@ public class NvdCve20Handler extends DefaultHandler {
vulnerability.setCvssIntegrityImpact(nodeText.toString());
nodeText = null;
} else if (current.isVulnProductNode()) {
String cpe = nodeText.toString();
final String cpe = nodeText.toString();
if (cpe.startsWith("cpe:/a:")) {
hasApplicationCpe = true;
vulnerability.addVulnerableSoftware(cpe);
@@ -166,10 +184,14 @@ public class NvdCve20Handler extends DefaultHandler {
nodeText = null;
}
}
private CveDB cveDB = null;
/**
* the cve database.
*/
private CveDB cveDB;
/**
* Sets the cveDB
* Sets the cveDB.
*
* @param db a reference to the CveDB
*/
public void setCveDB(CveDB db) {
@@ -179,7 +201,7 @@ public class NvdCve20Handler extends DefaultHandler {
* A list of CVE entries and associated VulnerableSoftware entries that contain
* previous entries.
*/
private Map<String, List<VulnerableSoftware>> prevVersionVulnMap = null;
private Map<String, List<VulnerableSoftware>> prevVersionVulnMap;
/**
* Sets the prevVersionVulnMap.
@@ -202,9 +224,9 @@ public class NvdCve20Handler extends DefaultHandler {
if (cveDB == null) {
return;
}
String cveName = vuln.getName();
final String cveName = vuln.getName();
if (prevVersionVulnMap.containsKey(cveName)) {
List<VulnerableSoftware> vulnSoftware = prevVersionVulnMap.get(cveName);
final List<VulnerableSoftware> vulnSoftware = prevVersionVulnMap.get(cveName);
for (VulnerableSoftware vs : vulnSoftware) {
vuln.updateVulnerableSoftware(vs);
}
@@ -216,10 +238,14 @@ public class NvdCve20Handler extends DefaultHandler {
}
cveDB.updateVulnerability(vuln);
}
private Index cpeIndex = null;
/**
* the cpe index.
*/
private Index cpeIndex;
/**
* Sets the cpe index
* Sets the cpe index.
*
* @param index the CPE Lucene Index
*/
void setCpeIndex(Index index) {
@@ -261,7 +287,6 @@ public class NvdCve20Handler extends DefaultHandler {
* A node type in the NVD CVE Schema 2.0
*/
public static final String VULN_SUMMARY = "vuln:summary";
/**
* A node type in the NVD CVE Schema 2.0
*/
@@ -295,10 +320,13 @@ public class NvdCve20Handler extends DefaultHandler {
*/
public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact";
private String node = null;
/**
* The current node.
*/
private String node;
/**
* Gets the value of node
* Gets the value of node.
*
* @return the value of node
*/
@@ -307,7 +335,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Sets the value of node
* Sets the value of node.
*
* @param node new value of node
*/
@@ -316,7 +344,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the NVD node
* Checks if the handler is at the NVD node.
*
* @return true or false
*/
@@ -325,7 +353,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the ENTRY node
* Checks if the handler is at the ENTRY node.
*
* @return true or false
*/
@@ -334,7 +362,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the VULN_PRODUCT node
* Checks if the handler is at the VULN_PRODUCT node.
*
* @return true or false
*/
@@ -343,7 +371,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the REFERENCES node
* Checks if the handler is at the REFERENCES node.
*
* @return true or false
*/
@@ -352,7 +380,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the REFERENCE node
* Checks if the handler is at the REFERENCE node.
*
* @return true or false
*/
@@ -361,7 +389,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the VULN_SOURCE node
* Checks if the handler is at the VULN_SOURCE node.
*
* @return true or false
*/
@@ -370,7 +398,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the VULN_SUMMARY node
* Checks if the handler is at the VULN_SUMMARY node.
*
* @return true or false
*/
@@ -379,7 +407,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
* Checks if the handler is at the VULN_CWE node
* Checks if the handler is at the VULN_CWE node.
*
* @return true or false
*/
@@ -387,7 +415,7 @@ public class NvdCve20Handler extends DefaultHandler {
return VULN_CWE.equals(node);
}
/**
* Checks if the handler is at the CVSS_SCORE node
* Checks if the handler is at the CVSS_SCORE node.
*
* @return true or false
*/
@@ -395,7 +423,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_SCORE.equals(node);
}
/**
* Checks if the handler is at the CVSS_ACCESS_VECTOR node
* Checks if the handler is at the CVSS_ACCESS_VECTOR node.
*
* @return true or false
*/
@@ -403,7 +431,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_ACCESS_VECTOR.equals(node);
}
/**
* Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node
* Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node.
*
* @return true or false
*/
@@ -411,7 +439,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_ACCESS_COMPLEXITY.equals(node);
}
/**
* Checks if the handler is at the CVSS_AUTHENTICATION node
* Checks if the handler is at the CVSS_AUTHENTICATION node.
*
* @return true or false
*/
@@ -419,7 +447,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_AUTHENTICATION.equals(node);
}
/**
* Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node
* Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node.
*
* @return true or false
*/
@@ -427,7 +455,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_CONFIDENTIALITY_IMPACT.equals(node);
}
/**
* Checks if the handler is at the CVSS_INTEGRITY_IMPACT node
* Checks if the handler is at the CVSS_INTEGRITY_IMPACT node.
*
* @return true or false
*/
@@ -435,7 +463,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_INTEGRITY_IMPACT.equals(node);
}
/**
* Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node
* Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node.
*
* @return true or false
*/

49
src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
View File

@@ -44,43 +44,43 @@ public class Dependency {
/**
* The actual file path of the dependency on disk.
*/
private String actualFilePath = null;
private String actualFilePath;
/**
* The file path to display.
*/
private String filePath = null;
private String filePath;
/**
* The file name of the dependency.
*/
private String fileName = null;
private String fileName;
/**
* The file extension of the dependency.
*/
private String fileExtension = null;
private String fileExtension;
/**
* The md5 hash of the dependency.
*/
private String md5sum = null;
private String md5sum;
/**
* The SHA1 hash of the dependency.
*/
private String sha1sum = null;
private String sha1sum;
/**
* A list of Identifiers.
*/
private List<Identifier> identifiers = null;
private List<Identifier> identifiers;
/**
* A collection of vendor evidence.
*/
protected EvidenceCollection vendorEvidence = null;
private EvidenceCollection vendorEvidence;
/**
* A collection of product evidence.
*/
protected EvidenceCollection productEvidence = null;
private EvidenceCollection productEvidence;
/**
* A collection of version evidence.
*/
protected EvidenceCollection versionEvidence = null;
private EvidenceCollection versionEvidence;
/**
* Constructs a new Dependency object.
@@ -244,7 +244,7 @@ public class Dependency {
* @param url the URL of the identifier.
*/
public void addIdentifier(String type, String value, String url) {
Identifier i = new Identifier(type, value, url);
final Identifier i = new Identifier(type, value, url);
this.identifiers.add(i);
}
@@ -295,10 +295,10 @@ public class Dependency {
/**
* A list of exceptions that occurred during analysis of this dependency.
*/
protected List<Exception> analysisExceptions = new ArrayList<Exception>();
private List<Exception> analysisExceptions = new ArrayList<Exception>();
/**
* Get the value of analysisExceptions
* Get the value of analysisExceptions.
*
* @return the value of analysisExceptions
*/
@@ -307,7 +307,7 @@ public class Dependency {
}
/**
* Set the value of analysisExceptions
* Set the value of analysisExceptions.
*
* @param analysisExceptions new value of analysisExceptions
*/
@@ -326,10 +326,10 @@ public class Dependency {
/**
* The description of the JAR file.
*/
protected String description;
private String description;
/**
* Get the value of description
* Get the value of description.
*
* @return the value of description
*/
@@ -338,7 +338,7 @@ public class Dependency {
}
/**
* Set the value of description
* Set the value of description.
*
* @param description new value of description
*/
@@ -351,7 +351,7 @@ public class Dependency {
private String license;
/**
* Get the value of license
* Get the value of license.
*
* @return the value of license
*/
@@ -360,7 +360,7 @@ public class Dependency {
}
/**
* Set the value of license
* Set the value of license.
*
* @param license new value of license
*/
@@ -392,12 +392,12 @@ public class Dependency {
return false;
}
/**
* A list of vulnerabilities for this dependency
* A list of vulnerabilities for this dependency.
*/
private SortedSet<Vulnerability> vulnerabilities;
/**
* Get the list of vulnerabilities
* Get the list of vulnerabilities.
*
* @return the list of vulnerabilities
*/
@@ -406,7 +406,7 @@ public class Dependency {
}
/**
* Set the value of vulnerabilities
* Set the value of vulnerabilities.
*
* @param vulnerabilities new value of vulnerabilities
*/
@@ -414,6 +414,11 @@ public class Dependency {
this.vulnerabilities = vulnerabilities;
}
/**
* Determines the sha1 and md5 sum for the given file.
*
* @param file the file to create checksums for
*/
private void determineHashes(File file) {
String md5 = null;
String sha1 = null;

32
src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
View File

@@ -67,10 +67,10 @@ public class Evidence {
/**
* The name of the evidence.
*/
protected String name;
private String name;
/**
* Get the value of name
* Get the value of name.
*
* @return the value of name
*/
@@ -79,7 +79,7 @@ public class Evidence {
}
/**
* Set the value of name
* Set the value of name.
*
* @param name new value of name
*/
@@ -89,10 +89,10 @@ public class Evidence {
/**
* The source of the evidence.
*/
protected String source;
private String source;
/**
* Get the value of source
* Get the value of source.
*
* @return the value of source
*/
@@ -101,7 +101,7 @@ public class Evidence {
}
/**
* Set the value of source
* Set the value of source.
*
* @param source new value of source
*/
@@ -111,10 +111,10 @@ public class Evidence {
/**
* The value of the evidence.
*/
protected String value;
private String value;
/**
* Get the value of value
* Get the value of value.
*
* @return the value of value
*/
@@ -124,7 +124,7 @@ public class Evidence {
}
/**
* Set the value of value
* Set the value of value.
*
* @param value new value of value
*/
@@ -134,10 +134,10 @@ public class Evidence {
/**
* A value indicating if the Evidence has been "used" (aka read).
*/
protected boolean used;
private boolean used;
/**
* Get the value of used
* Get the value of used.
*
* @return the value of used
*/
@@ -146,7 +146,7 @@ public class Evidence {
}
/**
* Set the value of used
* Set the value of used.
*
* @param used new value of used
*/
@@ -156,10 +156,10 @@ public class Evidence {
/**
* The confidence level for the evidence.
*/
protected Confidence confidence;
private Confidence confidence;
/**
* Get the value of confidence
* Get the value of confidence.
*
* @return the value of confidence
*/
@@ -168,7 +168,7 @@ public class Evidence {
}
/**
* Set the value of confidence
* Set the value of confidence.
*
* @param confidence new value of confidence
*/
@@ -205,7 +205,7 @@ public class Evidence {
if (!(that instanceof Evidence)) {
return false;
}
Evidence e = (Evidence) that;
final Evidence e = (Evidence) that;
return testEquality(name, e.name) && testEquality(source, e.source) && testEquality(value, e.value)
&& (confidence == null ? e.confidence == null : confidence == e.confidence);

26
src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
View File

@@ -52,7 +52,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
return evidence.getConfidence() == Evidence.Confidence.MEDIUM;
}
};
/*
/**
* Used to iterate over low confidence evidence contained in the collection.
*/
private static final Filter<Evidence> LOW_CONFIDENCE =
@@ -90,8 +90,14 @@ public class EvidenceCollection implements Iterable<Evidence> {
return EvidenceCollection.LOW_CONFIDENCE.filter(this.list);
}
}
private Set<Evidence> list = null;
private Set<String> weightedStrings = null;
/**
* A collection of evidence.
*/
private Set<Evidence> list;
/**
* A collection of strings used to adjust lucene's term weighting.
*/
private Set<String> weightedStrings;
/**
* Creates a new EvidenceCollection.
@@ -120,7 +126,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
* @param confidence the confidence of the Evidence.
*/
public void addEvidence(String source, String name, String value, Evidence.Confidence confidence) {
Evidence e = new Evidence(source, name, value, confidence);
final Evidence e = new Evidence(source, name, value, confidence);
addEvidence(e);
}
@@ -181,10 +187,10 @@ public class EvidenceCollection implements Iterable<Evidence> {
if (text == null) {
return false;
}
text = text.toLowerCase();
final String textToTest = text.toLowerCase();
for (Evidence e : this.list) {
if (e.used && e.value.toLowerCase().contains(text)) {
if (e.isUsed() && e.getValue().toLowerCase().contains(textToTest)) {
return true;
}
}
@@ -200,7 +206,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
*/
public boolean contains(Evidence.Confidence confidence) {
for (Evidence e : list) {
if (e.confidence == confidence) {
if (e.getConfidence().equals(confidence)) {
return true;
}
}
@@ -215,7 +221,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
* @return a new EvidenceCollection containing the used evidence.
*/
public static EvidenceCollection mergeUsed(EvidenceCollection... ec) {
EvidenceCollection ret = new EvidenceCollection();
final EvidenceCollection ret = new EvidenceCollection();
for (EvidenceCollection col : ec) {
for (Evidence e : col.list) {
if (e.isUsed()) {
@@ -233,7 +239,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
* @return a new EvidenceCollection.
*/
public static EvidenceCollection merge(EvidenceCollection... ec) {
EvidenceCollection ret = new EvidenceCollection();
final EvidenceCollection ret = new EvidenceCollection();
for (EvidenceCollection col : ec) {
ret.list.addAll(col.list);
ret.weightedStrings.addAll(col.weightedStrings);
@@ -248,7 +254,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
*/
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
final StringBuilder sb = new StringBuilder();
for (Evidence e : this.list) {
sb.append(e.getValue()).append(' ');
}

26
src/main/java/org/owasp/dependencycheck/dependency/Identifier.java
View File

@@ -52,10 +52,10 @@ public class Identifier {
/**
* The value of the identifier
*/
protected String value;
private String value;
/**
* Get the value of value
* Get the value of value.
*
* @return the value of value
*/
@@ -64,7 +64,7 @@ public class Identifier {
}
/**
* Set the value of value
* Set the value of value.
*
* @param value new value of value
*/
@@ -73,12 +73,12 @@ public class Identifier {
}
/**
* The url for the identifier
* The url for the identifier.
*/
protected String url;
private String url;
/**
* Get the value of url
* Get the value of url.
*
* @return the value of url
*/
@@ -87,7 +87,7 @@ public class Identifier {
}
/**
* Set the value of url
* Set the value of url.
*
* @param url new value of url
*/
@@ -95,12 +95,12 @@ public class Identifier {
this.url = url;
}
/**
* The type of the identifier
* The type of the identifier.
*/
protected String type;
private String type;
/**
* Get the value of type
* Get the value of type.
*
* @return the value of type
*/
@@ -119,10 +119,10 @@ public class Identifier {
/**
* A description of the identifier.
*/
protected String description;
private String description;
/**
* Get the value of description
* Get the value of description.
*
* @return the value of description
*/
@@ -131,7 +131,7 @@ public class Identifier {
}
/**
* Set the value of description
* Set the value of description.
*
* @param description new value of description
*/

17
src/main/java/org/owasp/dependencycheck/dependency/Reference.java
View File

@@ -28,6 +28,9 @@ import java.io.Serializable;
*/
public class Reference implements Serializable {
/**
* the serial version uid.
*/
private static final long serialVersionUID = -3444464824563008021L;
/**
* The name of the reference.
@@ -35,7 +38,7 @@ public class Reference implements Serializable {
private String name;
/**
* Get the value of name
* Get the value of name.
*
* @return the value of name
*/
@@ -44,7 +47,7 @@ public class Reference implements Serializable {
}
/**
* Set the value of name
* Set the value of name.
*
* @param name new value of name
*/
@@ -52,12 +55,12 @@ public class Reference implements Serializable {
this.name = name;
}
/**
* the url for the reference
* the url for the reference.
*/
private String url;
/**
* Get the value of url
* Get the value of url.
*
* @return the value of url
*/
@@ -66,7 +69,7 @@ public class Reference implements Serializable {
}
/**
* Set the value of url
* Set the value of url.
*
* @param url new value of url
*/
@@ -79,7 +82,7 @@ public class Reference implements Serializable {
private String source;
/**
* Get the value of source
* Get the value of source.
*
* @return the value of source
*/
@@ -88,7 +91,7 @@ public class Reference implements Serializable {
}
/**
* Set the value of source
* Set the value of source.
*
* @param source new value of source
*/

120
src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
View File

@@ -29,14 +29,17 @@ import java.util.Set;
*/
public class Vulnerability implements Serializable, Comparable<Vulnerability> {
/**
* The serial version uid.
*/
private static final long serialVersionUID = 307319490326651052L;
/**
* The name of the vulnerability
* The name of the vulnerability.
*/
private String name;
/**
* Get the value of name
* Get the value of name.
*
* @return the value of name
*/
@@ -45,7 +48,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Set the value of name
* Set the value of name.
*
* @param name new value of name
*/
@@ -53,12 +56,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.name = name;
}
/**
* the description of the vulnerability
* the description of the vulnerability.
*/
private String description;
/**
* Get the value of description
* Get the value of description.
*
* @return the value of description
*/
@@ -67,7 +70,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Set the value of description
* Set the value of description.
*
* @param description new value of description
*/
@@ -75,12 +78,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.description = description;
}
/**
* References for this vulnerability
* References for this vulnerability.
*/
private Set<Reference> references = new HashSet<Reference>();
/**
* Get the value of references
* Get the value of references.
*
* @return the value of references
*/
@@ -89,7 +92,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Set the value of references
* Set the value of references.
*
* @param references new value of references
*/
@@ -98,7 +101,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Adds a reference to the references collection
* Adds a reference to the references collection.
*
* @param ref a reference for the vulnerability
*/
@@ -107,25 +110,26 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Adds a reference
* Adds a reference.
*
* @param referenceSource the source of the reference
* @param referenceName the referenceName of the reference
* @param referenceUrl the url of the reference
*/
public void addReference(String referenceSource, String referenceName, String referenceUrl) {
Reference ref = new Reference();
final Reference ref = new Reference();
ref.setSource(referenceSource);
ref.setName(referenceName);
ref.setUrl(referenceUrl);
this.references.add(ref);
}
/**
* a set of vulnerable software
* A set of vulnerable software.
*/
protected Set<VulnerableSoftware> vulnerableSoftware = new HashSet<VulnerableSoftware>();
private Set<VulnerableSoftware> vulnerableSoftware = new HashSet<VulnerableSoftware>();
/**
* Get the value of vulnerableSoftware
* Get the value of vulnerableSoftware.
*
* @return the value of vulnerableSoftware
*/
@@ -134,7 +138,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Set the value of vulnerableSoftware
* Set the value of vulnerableSoftware.
*
* @param vulnerableSoftware new value of vulnerableSoftware
*/
@@ -143,7 +147,8 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Adds an entry for vulnerable software
* Adds an entry for vulnerable software.
*
* @param cpe string representation of a CPE entry
* @return if the add succeeded
*/
@@ -152,13 +157,15 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Adds an entry for vulnerable software
* Adds an entry for vulnerable software.
*
* @param cpe string representation of a cpe
* @param previousVersion the previous version (previousVersion - cpe would be considered vulnerable)
* @param previousVersion the previous version (previousVersion - cpe would
* be considered vulnerable)
* @return if the add succeeded
*/
public boolean addVulnerableSoftware(String cpe, String previousVersion) {
VulnerableSoftware vs = new VulnerableSoftware();
final VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe(cpe);
if (previousVersion != null) {
vs.setPreviousVersion(previousVersion);
@@ -167,7 +174,8 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Adds or updates a vulnerable software entry
* Adds or updates a vulnerable software entry.
*
* @param vulnSoftware the vulnerable software
* @return if the update succeeded
*/
@@ -178,12 +186,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
return vulnerableSoftware.add(vulnSoftware);
}
/**
* The CWE for the vulnerability
* The CWE for the vulnerability.
*/
protected String cwe;
private String cwe;
/**
* Get the value of cwe
* Get the value of cwe.
*
* @return the value of cwe
*/
@@ -192,7 +200,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Set the value of cwe
* Set the value of cwe.
*
* @param cwe new value of cwe
*/
@@ -200,12 +208,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cwe = cwe;
}
/**
* CVSS Score
* CVSS Score.
*/
protected float cvssScore;
private float cvssScore;
/**
* Get the value of cvssScore
* Get the value of cvssScore.
*
* @return the value of cvssScore
*/
@@ -214,7 +222,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Set the value of cvssScore
* Set the value of cvssScore.
*
* @param cvssScore new value of cvssScore
*/
@@ -222,12 +230,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssScore = cvssScore;
}
/**
* CVSS Access Vector
* CVSS Access Vector.
*/
protected String cvssAccessVector;
private String cvssAccessVector;
/**
* Get the value of cvssAccessVector
* Get the value of cvssAccessVector.
*
* @return the value of cvssAccessVector
*/
@@ -236,7 +244,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Set the value of cvssAccessVector
* Set the value of cvssAccessVector.
*
* @param cvssAccessVector new value of cvssAccessVector
*/
@@ -244,12 +252,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssAccessVector = cvssAccessVector;
}
/**
* CVSS Access Complexity
* CVSS Access Complexity.
*/
protected String cvssAccessComplexity;
private String cvssAccessComplexity;
/**
* Get the value of cvssAccessComplexity
* Get the value of cvssAccessComplexity.
*
* @return the value of cvssAccessComplexity
*/
@@ -258,7 +266,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Set the value of cvssAccessComplexity
* Set the value of cvssAccessComplexity.
*
* @param cvssAccessComplexity new value of cvssAccessComplexity
*/
@@ -266,12 +274,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssAccessComplexity = cvssAccessComplexity;
}
/**
* CVSS Authentication
* CVSS Authentication.
*/
protected String cvssAuthentication;
private String cvssAuthentication;
/**
* Get the value of cvssAuthentication
* Get the value of cvssAuthentication.
*
* @return the value of cvssAuthentication
*/
@@ -280,7 +288,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Set the value of cvssAuthentication
* Set the value of cvssAuthentication.
*
* @param cvssAuthentication new value of cvssAuthentication
*/
@@ -288,12 +296,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssAuthentication = cvssAuthentication;
}
/**
* CVSS Confidentiality Impact
* CVSS Confidentiality Impact.
*/
protected String cvssConfidentialityImpact;
private String cvssConfidentialityImpact;
/**
* Get the value of cvssConfidentialityImpact
* Get the value of cvssConfidentialityImpact.
*
* @return the value of cvssConfidentialityImpact
*/
@@ -302,7 +310,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Set the value of cvssConfidentialityImpact
* Set the value of cvssConfidentialityImpact.
*
* @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
*/
@@ -310,12 +318,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssConfidentialityImpact = cvssConfidentialityImpact;
}
/**
* CVSS Integrity Impact
* CVSS Integrity Impact.
*/
protected String cvssIntegrityImpact;
private String cvssIntegrityImpact;
/**
* Get the value of cvssIntegrityImpact
* Get the value of cvssIntegrityImpact.
*
* @return the value of cvssIntegrityImpact
*/
@@ -324,7 +332,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Set the value of cvssIntegrityImpact
* Set the value of cvssIntegrityImpact.
*
* @param cvssIntegrityImpact new value of cvssIntegrityImpact
*/
@@ -332,12 +340,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssIntegrityImpact = cvssIntegrityImpact;
}
/**
* CVSS Availability Impact
* CVSS Availability Impact.
*/
protected String cvssAvailabilityImpact;
private String cvssAvailabilityImpact;
/**
* Get the value of cvssAvailabilityImpact
* Get the value of cvssAvailabilityImpact.
*
* @return the value of cvssAvailabilityImpact
*/
@@ -346,7 +354,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
/**
* Set the value of cvssAvailabilityImpact
* Set the value of cvssAvailabilityImpact.
*
* @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
*/
@@ -375,11 +383,13 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
hash = 41 * hash + (this.name != null ? this.name.hashCode() : 0);
return hash;
}
/**
* Compares two vulnerabilities
* Compares two vulnerabilities.
*
* @param v a vulnerability to be compared
* @return a negative integer, zero, or a positive integer as this object is less than, equal to, or greater than the specified vulnerability
* @return a negative integer, zero, or a positive integer as this object is
* less than, equal to, or greater than the specified vulnerability
*/
public int compareTo(Vulnerability v) {
return v.getName().compareTo(this.getName());

3
src/main/java/org/owasp/dependencycheck/dependency/VulnerabilityComparator.java
View File

@@ -26,6 +26,9 @@ import java.util.Comparator;
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class VulnerabilityComparator implements Comparator<Vulnerability>, Serializable {
/**
* The serial version UID.
*/
private static final long serialVersionUID = 1L;
/**

19
src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
View File

@@ -32,10 +32,13 @@ import org.owasp.dependencycheck.data.cpe.Entry;
*/
public class VulnerableSoftware extends Entry implements Serializable {
/**
* The serial version UID.
*/
private static final long serialVersionUID = 307319490326651052L;
/**
* Parse a CPE entry from the cpe string representation
* Parse a CPE entry from the cpe string representation.
*
* @param cpe a cpe entry (e.g. cpe:/a:vendor:software:version)
*/
@@ -49,12 +52,12 @@ public class VulnerableSoftware extends Entry implements Serializable {
}
/**
* If present, indicates that previous version are vulnerable
* If present, indicates that previous version are vulnerable.
*/
protected String previousVersion = null;
private String previousVersion;
/**
* Indicates if previous versions of this software are vulnerable
* Indicates if previous versions of this software are vulnerable.
*
* @return if previous versions of this software are vulnerable
*/
@@ -63,7 +66,7 @@ public class VulnerableSoftware extends Entry implements Serializable {
}
/**
* Get the value of previousVersion
* Get the value of previousVersion.
*
* @return the value of previousVersion
*/
@@ -72,7 +75,7 @@ public class VulnerableSoftware extends Entry implements Serializable {
}
/**
* Set the value of previousVersion
* Set the value of previousVersion.
*
* @param previousVersion new value of previousVersion
*/
@@ -89,7 +92,7 @@ public class VulnerableSoftware extends Entry implements Serializable {
return false;
}
final VulnerableSoftware other = (VulnerableSoftware) obj;
if ((this.name == null) ? (other.name != null) : !this.name.equals(other.name)) {
if ((this.getName() == null) ? (other.getName() != null) : !this.getName().equals(other.getName())) {
return false;
}
return true;
@@ -98,7 +101,7 @@ public class VulnerableSoftware extends Entry implements Serializable {
@Override
public int hashCode() {
int hash = 7;
hash = 83 * hash + (this.name != null ? this.name.hashCode() : 0);
hash = 83 * hash + (this.getName() != null ? this.getName().hashCode() : 0);
return hash;
}
}

20
src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
View File

@@ -51,11 +51,11 @@ public class ReportGenerator {
/**
* The Velocity Engine.
*/
private VelocityEngine engine = null;
private VelocityEngine engine;
/**
* The Velocity Engine Context.
*/
private Context context = null;
private Context context;
/**
* Constructs a new ReportGenerator.
@@ -77,10 +77,11 @@ public class ReportGenerator {
/**
* Creates a new Velocity Engine.
*
* @return a velocity engine.
*/
private VelocityEngine createVelocityEngine() {
VelocityEngine ve = new VelocityEngine();
final VelocityEngine ve = new VelocityEngine();
ve.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
ve.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName());
return ve;
@@ -88,12 +89,13 @@ public class ReportGenerator {
/**
* Creates a new Velocity Context initialized with escape and date tools.
*
* @return a Velocity Context.
*/
private Context createContext() {
ToolManager manager = new ToolManager();
Context c = manager.createContext();
EasyFactoryConfiguration config = new EasyFactoryConfiguration();
final ToolManager manager = new ToolManager();
final Context c = manager.createContext();
final EasyFactoryConfiguration config = new EasyFactoryConfiguration();
config.addDefaultTools();
config.toolbox("application").tool("esc", "org.apache.velocity.tools.generic.EscapeTool").tool("org.apache.velocity.tools.generic.DateTool");
manager.configure(config);
@@ -110,7 +112,7 @@ public class ReportGenerator {
* reports.
*/
public void generateReports(String outputDir, String outputFormat) throws IOException, Exception {
if (outputFormat.equalsIgnoreCase("XML")) {
if ("XML".equalsIgnoreCase(outputFormat)) {
generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
} else {
generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
@@ -130,7 +132,7 @@ public class ReportGenerator {
public void generateReport(String templateName, String outFileName) throws IOException, Exception {
InputStream input = null;
String templatePath = null;
File f = new File(templateName);
final File f = new File(templateName);
if (f.exists() && f.isFile()) {
try {
templatePath = templateName;
@@ -146,7 +148,7 @@ public class ReportGenerator {
throw new IOException("Template file doesn't exist");
}
InputStreamReader reader = new InputStreamReader(input, "UTF-8");
final InputStreamReader reader = new InputStreamReader(input, "UTF-8");
OutputStreamWriter writer = null;
OutputStream outputStream = null;

61
src/main/java/org/owasp/dependencycheck/utils/CliParser.java
View File

@@ -40,15 +40,15 @@ public final class CliParser {
/**
* The command line.
*/
private CommandLine line = null;
private CommandLine line;
/**
* The options for the command line parser.
*/
private Options options = createCommandLineOptions();
/**
* indicates whether the arguments are valid.
* Indicates whether the arguments are valid.
*/
boolean isValid = true;
private boolean isValid = true;
/**
* Parses the arguments passed in and captures the results for later use.
@@ -74,8 +74,8 @@ public final class CliParser {
* @throws ParseException if the arguments are invalid
*/
private CommandLine parseArgs(String[] args) throws ParseException {
CommandLineParser parser = new PosixParser();
CommandLine ln = parser.parse(options, args);
final CommandLineParser parser = new PosixParser();
final CommandLine ln = parser.parse(options, args);
return ln;
}
@@ -84,6 +84,7 @@ public final class CliParser {
*
* @throws FileNotFoundException if there is a file specified by either the
* SCAN or CPE command line arguments that does not exist.
* @throws ParseException is thrown if there is an exception parsing the command line.
*/
private void validateArgs() throws FileNotFoundException, ParseException {
if (isRunScan()) {
@@ -93,8 +94,8 @@ public final class CliParser {
throw new ParseException("Scan cannot be run without specifying a directory "
+ "to write the reports to via the 'out' argument.");
} else {
String p = line.getOptionValue(ArgumentName.OUT, "");
File f = new File(p);
final String p = line.getOptionValue(ArgumentName.OUT, "");
final File f = new File(p);
if ("".equals(p) || !(f.exists() && f.isDirectory())) {
//TODO - need a new exception type here, this isn't really a ParseException.
throw new ParseException("A valid directory name must be specified for "
@@ -106,8 +107,8 @@ public final class CliParser {
+ "name via the 'app' argument.");
}
if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) {
String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
if (!(format.equalsIgnoreCase("XML") || format.equalsIgnoreCase("HTML"))) {
final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
if (!("XML".equalsIgnoreCase(format) || "HTML".equalsIgnoreCase(format))) {
throw new ParseException("Supported output formats are XML and HTML");
}
}
@@ -139,7 +140,7 @@ public final class CliParser {
* not exist.
*/
private void validatePathExists(String path) throws FileNotFoundException {
File f = new File(path);
final File f = new File(path);
if (!f.exists()) {
isValid = false;
throw new FileNotFoundException("Invalid file argument: " + path);
@@ -154,47 +155,47 @@ public final class CliParser {
*/
@SuppressWarnings("static-access")
private Options createCommandLineOptions() {
Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
"print this message.");
Option advancedHelp = new Option(ArgumentName.ADVANCED_HELP_SHORT, ArgumentName.ADVANCED_HELP, false,
final Option advancedHelp = new Option(ArgumentName.ADVANCED_HELP_SHORT, ArgumentName.ADVANCED_HELP, false,
"shows additional help regarding properties file.");
Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false,
final Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false,
"extracts extra information from dependencies that may increase false positives, but also decrease false negatives.");
Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
false, "print the version information.");
Option noupdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
final Option noupdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
false, "disables the automatic updating of the CPE data.");
Option appname = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APPNAME)
final Option appname = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APPNAME)
.withDescription("the name of the application being scanned.")
.create(ArgumentName.APPNAME_SHORT);
Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
.withDescription("the path to scan - this option can be specified multiple times.")
.create(ArgumentName.SCAN_SHORT);
Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
.withDescription("a property file to load.")
.create(ArgumentName.PROP_SHORT);
Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
.withDescription("the folder to write reports to.")
.create(ArgumentName.OUT_SHORT);
Option outputformat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
final Option outputformat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
.withDescription("the output format to write to.")
.create(ArgumentName.OUTPUT_FORMAT_SHORT);
//TODO add the ability to load a properties file to override the defaults...
OptionGroup og = new OptionGroup();
final OptionGroup og = new OptionGroup();
og.addOption(path);
Options opts = new Options();
final Options opts = new Options();
opts.addOptionGroup(og);
opts.addOption(out);
opts.addOption(outputformat);
@@ -205,6 +206,7 @@ public final class CliParser {
opts.addOption(deepScan);
opts.addOption(props);
opts.addOption(advancedHelp);
return opts;
}
@@ -239,8 +241,8 @@ public final class CliParser {
* Displays the command line help message to the standard output.
*/
public void printHelp() {
HelpFormatter formatter = new HelpFormatter();
String nl = System.getProperty("line.separator");
final HelpFormatter formatter = new HelpFormatter();
final String nl = System.getProperty("line.separator");
String advancedHelp = null;
if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
advancedHelp = nl + nl
@@ -273,11 +275,10 @@ public final class CliParser {
*/
public String[] getScanFiles() {
return line.getOptionValues(ArgumentName.SCAN);
}
/**
* returns the directory to write the reports to specified on the command
* Returns the directory to write the reports to specified on the command
* line.
*
* @return the path to the reports directory.
@@ -306,12 +307,12 @@ public final class CliParser {
}
/**
* <p>Prints the manifest information to standard output:</p>
* <p>Prints the manifest information to standard output.</p>
* <ul><li>Implementation-Title: ${pom.name}</li>
* <li>Implementation-Version: ${pom.version}</li></ul>
*/
public void printVersionInfo() {
String version = String.format("%s version %s",
final String version = String.format("%s version %s",
Settings.getString("application.name", "DependencyCheck"),
Settings.getString("application.version", "Unknown"));
System.out.println(version);
@@ -341,11 +342,11 @@ public final class CliParser {
public static class ArgumentName {
/**
* The long CLI argument name specifying the directory/file to scan
* The long CLI argument name specifying the directory/file to scan.
*/
public static final String SCAN = "scan";
/**
* The short CLI argument name specifying the directory/file to scan
* The short CLI argument name specifying the directory/file to scan.
*/
public static final String SCAN_SHORT = "s";
/**

3
src/main/java/org/owasp/dependencycheck/utils/DownloadFailedException.java
View File

@@ -27,6 +27,9 @@ import java.io.IOException;
*/
public class DownloadFailedException extends IOException {
/**
* The serial version UID.
*/
private static final long serialVersionUID = 1L;
/**

16
src/main/java/org/owasp/dependencycheck/utils/Downloader.java
View File

@@ -38,7 +38,7 @@ import java.util.zip.InflaterInputStream;
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class Downloader {
public final class Downloader {
/**
* Private constructor for utility class.
@@ -69,7 +69,7 @@ public class Downloader {
* downloading the file.
*/
public static void fetchFile(URL url, String outputPath, boolean unzip) throws DownloadFailedException {
File f = new File(outputPath);
final File f = new File(outputPath);
fetchFile(url, f, unzip);
}
@@ -111,7 +111,7 @@ public class Downloader {
}
throw new DownloadFailedException("Error downloading file.", ex);
}
String encoding = conn.getContentEncoding();
final String encoding = conn.getContentEncoding();
BufferedOutputStream writer = null;
InputStream reader = null;
@@ -125,7 +125,7 @@ public class Downloader {
}
writer = new BufferedOutputStream(new FileOutputStream(outputPath));
byte[] buffer = new byte[4096];
final byte[] buffer = new byte[4096];
int bytesRead = 0;
while ((bytesRead = reader.read(buffer)) > 0) {
writer.write(buffer, 0, bytesRead);
@@ -201,18 +201,18 @@ public class Downloader {
private static HttpURLConnection getConnection(URL url) throws DownloadFailedException {
HttpURLConnection conn = null;
Proxy proxy = null;
String proxyUrl = Settings.getString(Settings.KEYS.PROXY_URL);
final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_URL);
try {
if (proxyUrl != null) {
int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
SocketAddress addr = new InetSocketAddress(proxyUrl, proxyPort);
final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
final SocketAddress addr = new InetSocketAddress(proxyUrl, proxyPort);
proxy = new Proxy(Proxy.Type.HTTP, addr);
conn = (HttpURLConnection) url.openConnection(proxy);
} else {
conn = (HttpURLConnection) url.openConnection();
}
if (Settings.getString(Settings.KEYS.CONNECTION_TIMEOUT) != null) {
int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT);
final int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT);
conn.setConnectTimeout(timeout);
}
} catch (IOException ex) {

4
src/main/java/org/owasp/dependencycheck/utils/FileUtils.java
View File

@@ -27,7 +27,7 @@ import java.io.IOException;
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class FileUtils {
public final class FileUtils {
/**
* Private constructor for a utility class.
@@ -43,7 +43,7 @@ public class FileUtils {
*/
public static String getFileExtension(String fileName) {
String ret = null;
int pos = fileName.lastIndexOf(".");
final int pos = fileName.lastIndexOf(".");
if (pos >= 0) {
ret = fileName.substring(pos + 1, fileName.length()).toLowerCase();
}

3
src/main/java/org/owasp/dependencycheck/utils/InvalidSettingException.java
View File

@@ -27,6 +27,9 @@ import java.io.IOException;
*/
public class InvalidSettingException extends IOException {
/**
* The serial version UID.
*/
private static final long serialVersionUID = 1L;
/**

10
src/main/java/org/owasp/dependencycheck/utils/NonClosingStream.java
View File

@@ -22,17 +22,17 @@ import java.io.FilterInputStream;
import java.io.InputStream;
/**
* NonClosingStream is a stream filter which prevents
* another class that processes the stream from closing
* it. This is necessary when dealing with things like
* JAXB and zipInputStreams.
* NonClosingStream is a stream filter which prevents another class that
* processes the stream from closing it. This is necessary when dealing with
* things like JAXB and zipInputStreams.
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class NonClosingStream extends FilterInputStream {
/**
* Constructs a new NonClosingStream
* Constructs a new NonClosingStream.
*
* @param in an input stream.
*/
public NonClosingStream(InputStream in) {

23
src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -31,12 +31,12 @@ import java.util.logging.Logger;
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class Settings {
public final class Settings {
/**
* The collection of keys used within the properties file.
*/
public static class KEYS {
public static final class KEYS {
/**
* private constructor because this is a "utility" class containing constants
@@ -95,11 +95,11 @@ public class Settings {
*/
public static final String CVE_BASE_URL = "cve.url-";
/**
* The properties key for the CVE schema version 1.2
* The properties key for the CVE schema version 1.2.
*/
public static final String CVE_SCHEMA_1_2 = "1.2.";
/**
* The properties key for the CVE schema version 2.0
* The properties key for the CVE schema version 2.0.
*/
public static final String CVE_SCHEMA_2_0 = "2.0.";
@@ -122,8 +122,17 @@ public class Settings {
*/
public static final String PERFORM_DEEP_SCAN = "perform.deepscan";
}
/**
* The properties file location.
*/
private static final String PROPERTIES_FILE = "configuration/dependencycheck.properties";
/**
* The singleton instance variable.
*/
private static final Settings INSTANCE = new Settings();
/**
* The properties.
*/
private Properties props = null;
/**
@@ -131,7 +140,7 @@ public class Settings {
* properties files.
*/
private Settings() {
InputStream in = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
final InputStream in = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
props = new Properties();
try {
props.load(in);
@@ -176,7 +185,7 @@ public class Settings {
* the properties.
*/
public static void mergeProperties(String filePath) throws FileNotFoundException, IOException {
FileInputStream fis = new FileInputStream(filePath);
final FileInputStream fis = new FileInputStream(filePath);
mergeProperties(fis);
}
@@ -287,4 +296,4 @@ public class Settings {
}
return value;
}
}
}

8
src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
View File

@@ -46,16 +46,16 @@ public class DependencyTest {
String str = "apache";
String str2 = "owasp";
Dependency instance = new Dependency();
instance.vendorEvidence.addEvidence("manifest", "something", "apache", Evidence.Confidence.HIGH);
instance.vendorEvidence.addEvidence("manifest", "something", "owasp", Evidence.Confidence.MEDIUM);
instance.getVendorEvidence().addEvidence("manifest", "something", "apache", Evidence.Confidence.HIGH);
instance.getVendorEvidence().addEvidence("manifest", "something", "owasp", Evidence.Confidence.MEDIUM);
assertFalse(instance.containsUsedString(str));
assertFalse(instance.containsUsedString(str2));
for (Evidence i : instance.vendorEvidence.iterator(Evidence.Confidence.HIGH)) {
for (Evidence i : instance.getVendorEvidence().iterator(Evidence.Confidence.HIGH)) {
String readValue = i.getValue();
}
assertTrue(instance.containsUsedString(str));
assertFalse(instance.containsUsedString(str2));
for (Evidence i : instance.vendorEvidence.iterator(Evidence.Confidence.MEDIUM)) {
for (Evidence i : instance.getVendorEvidence().iterator(Evidence.Confidence.MEDIUM)) {
String readValue = i.getValue();
}
assertTrue(instance.containsUsedString(str));