checkstyle updates

Former-commit-id: e18a6c9a01cf3fdbbdd87446bb25b77e3e455c0f
This commit is contained in:
Jeremy Long
2013-03-30 22:11:04 -04:00
parent 13eb2b75d5
commit 772b0ca2b0
45 changed files with 743 additions and 503 deletions


@@ -83,7 +83,7 @@
</module> </module>
<module name="LeftCurly"> <module name="LeftCurly">
<property name="option" value="nlow"/> <property name="option" value="eol"/>
<property name="tokens" value="CLASS_DEF"/> <property name="tokens" value="CLASS_DEF"/>
<property name="tokens" value="CTOR_DEF"/> <property name="tokens" value="CTOR_DEF"/>
<property name="tokens" value="INTERFACE_DEF"/> <property name="tokens" value="INTERFACE_DEF"/>
@@ -107,7 +107,7 @@
</module> </module>
<module name="MethodCount"> <module name="MethodCount">
<property name="maxTotal" value="30"/> <property name="maxTotal" value="35"/>
</module> </module>
<module name="LocalFinalVariableName"/> <module name="LocalFinalVariableName"/>
@@ -115,7 +115,10 @@
<module name="MemberName"> <module name="MemberName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/> <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module> </module>
<module name="MethodLength"/> <module name="MethodLength">
<property name="max" value="160"/>
<property name="countEmpty" value="false"/>
</module>
<module name="MethodName"/> <module name="MethodName"/>
<module name="MethodParamPad"/> <module name="MethodParamPad"/>
<module name="ModifierOrder"/> <module name="ModifierOrder"/>
@@ -182,11 +185,11 @@
<module name="FinalClass"/> <module name="FinalClass"/>
<module name="MissingSwitchDefault"/> <module name="MissingSwitchDefault"/>
<!--module name="MagicNumber"/--> <!--module name="MagicNumber"/-->
<module name="Indentation"> <!--module name="Indentation">
<property name="basicOffset" value="4"/> <property name="basicOffset" value="4"/>
<property name="braceAdjustment" value="0"/> <property name="braceAdjustment" value="0"/>
<property name="caseIndent" value="0"/> <property name="caseIndent" value="0"/>
</module> </module-->
<module name="ArrayTrailingComma"/> <module name="ArrayTrailingComma"/>
<module name="FinalLocalVariable"/> <module name="FinalLocalVariable"/>
<module name="EqualsAvoidNull"/> <module name="EqualsAvoidNull"/>
@@ -201,10 +204,12 @@
<property name="max" value="2"/> <property name="max" value="2"/>
</module> </module>
<module name="NestedIfDepth"> <module name="NestedIfDepth">
<property name="max" value="3"/> <property name="max" value="4"/>
</module> </module>
<module name="NestedTryDepth"/> <module name="NestedTryDepth">
<module name="ExplicitInitialization"/> <property name="max" value="2"/>
</module>
<!--module name="ExplicitInitialization"/-->
<module name="AnnotationUseStyle"/> <module name="AnnotationUseStyle"/>
<module name="MissingDeprecated"/> <module name="MissingDeprecated"/>
<module name="MissingOverride"> <module name="MissingOverride">
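Review bot: The Indentation module (fourth hunk, the block now ending in `</module-->`) is switched off by commenting it out with no record of why, so a later reader cannot tell whether it was a false-positive problem or a deliberate policy change; the same applies to ExplicitInitialization in the last hunk. A one-line XML comment next to each, e.g. `<!-- Indentation disabled: TODO state reason -->`, keeps that decision reviewable. The raised thresholds (MethodCount 35, NestedIfDepth 4, MethodLength 160, NestedTryDepth 2) are likewise easier to defend later if a comment or the commit message says which classes drove them.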


@@ -225,7 +225,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
if (pom == null) { if (pom == null) {
final NonClosingStream stream = new NonClosingStream(zin); final NonClosingStream stream = new NonClosingStream(zin);
final JAXBElement obj = (JAXBElement) pomUnmarshaller.unmarshal(stream); final JAXBElement obj = (JAXBElement) pomUnmarshaller.unmarshal(stream);
pom = (org.owasp.dependencycheck.analyzer.pom.generated.Model) obj.getValue(); pom = (Model) obj.getValue();
zin.closeEntry(); zin.closeEntry();
} else { } else {
throw new AnalysisException("JAR file contains multiple pom.xml files - unable to process POM"); throw new AnalysisException("JAR file contains multiple pom.xml files - unable to process POM");


@@ -97,10 +97,16 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
* file. * file.
*/ */
public void analyze(Dependency dependency, Engine engine) throws AnalysisException { public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)"); final Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)");
} }
/**
* Adds license information to the given dependency.
*
* @param d the dependency
* @param license the license
*/
private void addLicense(Dependency d, String license) { private void addLicense(Dependency d, String license) {
if (d.getLicense() == null) { if (d.getLicense() == null) {
d.setLicense(license); d.setLicense(license);
@@ -110,14 +116,14 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
} }
/** /**
* The initialize method does nothing for this Analyzer * The initialize method does nothing for this Analyzer.
*/ */
public void initialize() { public void initialize() {
//do nothing //do nothing
} }
/** /**
* The close method does nothing for this Analyzer * The close method does nothing for this Analyzer.
*/ */
public void close() { public void close() {
//do nothing //do nothing
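Review bot: In the first hunk `extractComments` is still compiled inside `analyze`, so the pattern is rebuilt for every dependency scanned; adding `final` does not change that. Hoist it to a class constant, `private static final Pattern EXTRACT_COMMENTS = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)");`, and reference it from the method. This pattern shape (an alternation under `*` wrapping a nested `\\*+`) can also make Java's regex engine recurse in proportion to the length of a block comment, so it is worth testing against a large minified file before relying on it during a scan. The body of `analyze` between the compile and the closing brace appears elided in this rendering, so where the pattern is applied is not visible here.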


@@ -87,7 +87,8 @@ public class SpringCleaningAnalyzer extends AbstractAnalyzer {
} }
/** /**
* The initialize method does nothing for this Analyzer * The initialize method does nothing for this Analyzer.
*
* @throws Exception never thrown by this analyzer * @throws Exception never thrown by this analyzer
*/ */
public void initialize() throws Exception { public void initialize() throws Exception {
@@ -95,13 +96,17 @@ public class SpringCleaningAnalyzer extends AbstractAnalyzer {
} }
/** /**
* The close method does nothing for this Analyzer * The close method does nothing for this Analyzer.
*
* @throws Exception never thrown by this analyzer * @throws Exception never thrown by this analyzer
*/ */
public void close() throws Exception { public void close() throws Exception {
//do nothing //do nothing
} }
private List<Identifier> springVersions = null; /**
* a list of spring versions.
*/
private List<Identifier> springVersions;
/** /**
* Determines if several "spring" libraries were scanned and trims the * Determines if several "spring" libraries were scanned and trims the
@@ -117,7 +122,7 @@ public class SpringCleaningAnalyzer extends AbstractAnalyzer {
collectSpringFrameworkIdentifiers(engine); collectSpringFrameworkIdentifiers(engine);
List<Identifier> identifiersToRemove = new ArrayList<Identifier>(); final List<Identifier> identifiersToRemove = new ArrayList<Identifier>();
for (Identifier identifier : dependency.getIdentifiers()) { for (Identifier identifier : dependency.getIdentifiers()) {
if (springVersions.contains(identifier) && !isCoreFramework(dependency.getFileName())) { if (springVersions.contains(identifier) && !isCoreFramework(dependency.getFileName())) {
identifiersToRemove.add(identifier); identifiersToRemove.add(identifier);
@@ -129,6 +134,11 @@ public class SpringCleaningAnalyzer extends AbstractAnalyzer {
} }
} }
/**
* Cycles through the dependencies and creates a collection of the spring identifiers.
*
* @param engine the core engine.
*/
private void collectSpringFrameworkIdentifiers(Engine engine) { private void collectSpringFrameworkIdentifiers(Engine engine) {
//check to see if any of the libs are the core framework //check to see if any of the libs are the core framework
if (springVersions == null) { if (springVersions == null) {
@@ -147,12 +157,24 @@ public class SpringCleaningAnalyzer extends AbstractAnalyzer {
} }
} }
/**
* Attempts to determine if the identifier is for the spring framework.
*
* @param identifier an identifier
* @return whether or not it is believed to be a spring identifier
*/
private boolean isSpringFrameworkCpe(Identifier identifier) { private boolean isSpringFrameworkCpe(Identifier identifier) {
return "cpe".equals(identifier.getType()) return "cpe".equals(identifier.getType())
&& (identifier.getValue().startsWith("cpe:/a:springsource:spring_framework:") && (identifier.getValue().startsWith("cpe:/a:springsource:spring_framework:")
|| identifier.getValue().startsWith("cpe:/a:vmware:springsource_spring_framework")); || identifier.getValue().startsWith("cpe:/a:vmware:springsource_spring_framework"));
} }
/**
* Attempts to determine if the file name passed in is for the core spring-framework.
*
* @param filename a file name
* @return whether or not it is believed the file name is for the core spring framework
*/
private boolean isCoreFramework(String filename) { private boolean isCoreFramework(String filename) {
return filename.toLowerCase().matches("^spring([ _-]?core)?[ _-]?\\d.*"); return filename.toLowerCase().matches("^spring([ _-]?core)?[ _-]?\\d.*");
} }
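Review bot: `isCoreFramework` in the last hunk lower-cases the file name with the default locale and recompiles the regex through `String.matches` on every call; under a Turkish-locale JVM `I` does not fold to `i`, so a file named `SPRING-CORE-3.jar` would not match `^spring`. Prefer `return filename.toLowerCase(Locale.ROOT).matches("^spring([ _-]?core)?[ _-]?\\d.*");` or, better, a `private static final Pattern` used via `.matcher(filename).matches()`; `Locale` would need an import, and the enclosing class continues outside the hunk. `isSpringFrameworkCpe` dereferences `identifier.getValue()` without a null check; whether an identifier can carry a null value is not visible here.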


@@ -27,6 +27,9 @@ import java.io.IOException;
*/ */
public class UpdateException extends IOException { public class UpdateException extends IOException {
/**
* The serial version uid.
*/
private static final long serialVersionUID = 1L; private static final long serialVersionUID = 1L;
/** /**


@@ -25,9 +25,15 @@ import java.util.ServiceLoader;
* *
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
public class UpdateService { public final class UpdateService {
/**
* the singleton reference to the service.
*/
private static UpdateService service; private static UpdateService service;
/**
* the service loader for CachedWebDataSource.
*/
private final ServiceLoader<CachedWebDataSource> loader; private final ServiceLoader<CachedWebDataSource> loader;
/** /**


@@ -60,7 +60,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
* utilized within the CPE Names. * utilized within the CPE Names.
*/ */
static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]"; static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
/* /**
* A string representation of a regular expression used to remove all but * A string representation of a regular expression used to remove all but
* alpha characters. * alpha characters.
*/ */
@@ -73,7 +73,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
/** /**
* The CPE Index. * The CPE Index.
*/ */
protected Index cpe = null; private Index cpe;
/** /**
* Opens the data source. * Opens the data source.
@@ -137,7 +137,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
boolean found = false; boolean found = false;
int ctr = 0; int ctr = 0;
do { do {
List<Entry> entries = searchCPE(vendors, products, versions, dependency.getProductEvidence().getWeighting(), final List<Entry> entries = searchCPE(vendors, products, versions, dependency.getProductEvidence().getWeighting(),
dependency.getVendorEvidence().getWeighting()); dependency.getVendorEvidence().getWeighting());
@@ -197,8 +197,8 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
* @return the new evidence text * @return the new evidence text
*/ */
private String addEvidenceWithoutDuplicateTerms(final String text, final EvidenceCollection ec, Confidence confidenceFilter) { private String addEvidenceWithoutDuplicateTerms(final String text, final EvidenceCollection ec, Confidence confidenceFilter) {
String txt = (text == null) ? "" : text; final String txt = (text == null) ? "" : text;
StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size())); final StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size()));
sb.append(txt); sb.append(txt);
for (Evidence e : ec.iterator(confidenceFilter)) { for (Evidence e : ec.iterator(confidenceFilter)) {
String value = e.getValue(); String value = e.getValue();
@@ -255,17 +255,17 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
protected List<Entry> searchCPE(String vendor, String product, String version, protected List<Entry> searchCPE(String vendor, String product, String version,
Set<String> vendorWeightings, Set<String> productWeightings) Set<String> vendorWeightings, Set<String> productWeightings)
throws CorruptIndexException, IOException, ParseException { throws CorruptIndexException, IOException, ParseException {
ArrayList<Entry> ret = new ArrayList<Entry>(MAX_QUERY_RESULTS); final ArrayList<Entry> ret = new ArrayList<Entry>(MAX_QUERY_RESULTS);
String searchString = buildSearch(vendor, product, version, vendorWeightings, productWeightings); final String searchString = buildSearch(vendor, product, version, vendorWeightings, productWeightings);
if (searchString == null) { if (searchString == null) {
return ret; return ret;
} }
TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS); final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
for (ScoreDoc d : docs.scoreDocs) { for (ScoreDoc d : docs.scoreDocs) {
Document doc = cpe.getDocument(d.doc); final Document doc = cpe.getDocument(d.doc);
Entry entry = Entry.parse(doc); final Entry entry = Entry.parse(doc);
entry.setSearchScore(d.score); entry.setSearchScore(d.score);
if (!ret.contains(entry)) { if (!ret.contains(entry)) {
ret.add(entry); ret.add(entry);
@@ -294,7 +294,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
protected String buildSearch(String vendor, String product, String version, protected String buildSearch(String vendor, String product, String version,
Set<String> vendorWeighting, Set<String> productWeightings) { Set<String> vendorWeighting, Set<String> productWeightings) {
StringBuilder sb = new StringBuilder(vendor.length() + product.length() final StringBuilder sb = new StringBuilder(vendor.length() + product.length()
+ version.length() + Fields.PRODUCT.length() + Fields.VERSION.length() + version.length() + Fields.PRODUCT.length() + Fields.VERSION.length()
+ Fields.VENDOR.length() + STRING_BUILDER_BUFFER); + Fields.VENDOR.length() + STRING_BUILDER_BUFFER);
@@ -349,7 +349,7 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
//TODO add a mutator or special analyzer that combines words next to each other and adds them as a key. //TODO add a mutator or special analyzer that combines words next to each other and adds them as a key.
sb.append(" ").append(field).append(":( "); sb.append(" ").append(field).append(":( ");
String cleanText = cleanseText(searchText); final String cleanText = cleanseText(searchText);
if ("".equals(cleanText)) { if ("".equals(cleanText)) {
return false; return false;
@@ -358,12 +358,12 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
if (weightedText == null || weightedText.isEmpty()) { if (weightedText == null || weightedText.isEmpty()) {
LuceneUtils.appendEscapedLuceneQuery(sb, cleanText); LuceneUtils.appendEscapedLuceneQuery(sb, cleanText);
} else { } else {
StringTokenizer tokens = new StringTokenizer(cleanText); final StringTokenizer tokens = new StringTokenizer(cleanText);
while (tokens.hasMoreElements()) { while (tokens.hasMoreElements()) {
String word = tokens.nextToken(); final String word = tokens.nextToken();
String temp = null; String temp = null;
for (String weighted : weightedText) { for (String weighted : weightedText) {
String weightedStr = cleanseText(weighted); final String weightedStr = cleanseText(weighted);
if (equalsIgnoreCaseAndNonAlpha(word, weightedStr)) { if (equalsIgnoreCaseAndNonAlpha(word, weightedStr)) {
temp = LuceneUtils.escapeLuceneQuery(word) + WEIGHTING_BOOST; temp = LuceneUtils.escapeLuceneQuery(word) + WEIGHTING_BOOST;
if (!word.equalsIgnoreCase(weightedStr)) { if (!word.equalsIgnoreCase(weightedStr)) {
@@ -405,8 +405,8 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
return false; return false;
} }
String left = l.replaceAll(CLEANSE_NONALPHA_RX, ""); final String left = l.replaceAll(CLEANSE_NONALPHA_RX, "");
String right = r.replaceAll(CLEANSE_NONALPHA_RX, ""); final String right = r.replaceAll(CLEANSE_NONALPHA_RX, "");
return left.equalsIgnoreCase(right); return left.equalsIgnoreCase(right);
} }
@@ -422,16 +422,23 @@ public class CPEAnalyzer implements org.owasp.dependencycheck.analyzer.Analyzer
private boolean verifyEntry(final Entry entry, final Dependency dependency) { private boolean verifyEntry(final Entry entry, final Dependency dependency) {
boolean isValid = false; boolean isValid = false;
if (collectionContainsStrings(dependency.getProductEvidence(), entry.getProduct()) if (collectionContainsString(dependency.getProductEvidence(), entry.getProduct())
&& collectionContainsStrings(dependency.getVendorEvidence(), entry.getVendor()) && collectionContainsString(dependency.getVendorEvidence(), entry.getVendor())
&& collectionContainsStrings(dependency.getVersionEvidence(), entry.getVersion())) { && collectionContainsString(dependency.getVersionEvidence(), entry.getVersion())) {
isValid = true; isValid = true;
} }
return isValid; return isValid;
} }
private boolean collectionContainsStrings(EvidenceCollection ec, String text) { /**
String[] words = text.split("[\\s_-]"); * Used to determine if the EvidenceCollection contains a specific string.
*
* @param ec an EvidenceCollection
* @param text the text to search for
* @return whether or not the EvidenceCollection contains the string
*/
private boolean collectionContainsString(EvidenceCollection ec, String text) {
final String[] words = text.split("[\\s_-]");
boolean contains = true; boolean contains = true;
for (String word : words) { for (String word : words) {
contains &= ec.containsUsedString(word); contains &= ec.containsUsedString(word);
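Review bot: `collectionContainsString` in the last hunk still calls `text.split(...)` without a null guard, and `verifyEntry` passes it `entry.getVersion()`, which judging by `Entry.parseName` elsewhere in this commit is only assigned when the CPE name has enough fields; an entry without a version could therefore throw a NullPointerException here instead of failing verification. A guard such as `if (text == null) { return false; }` at the top of the method (or whatever the intended semantics for a missing field are) would make that explicit. The loop that follows runs past the hunk; since `contains` is only ever and-ed, it could also return as soon as a word is not found. The rename from `collectionContainsStrings` is applied consistently at all three call sites in `verifyEntry`.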


@@ -32,6 +32,9 @@ import org.apache.lucene.document.Document;
*/ */
public class Entry implements Serializable { public class Entry implements Serializable {
/**
* the serial version uid.
*/
static final long serialVersionUID = 8011924485946326934L; static final long serialVersionUID = 8011924485946326934L;
/** /**
@@ -42,7 +45,7 @@ public class Entry implements Serializable {
* @return a CPE Entry. * @return a CPE Entry.
*/ */
public static Entry parse(Document doc) { public static Entry parse(Document doc) {
Entry entry = new Entry(); final Entry entry = new Entry();
try { try {
entry.parseName(doc.get(Fields.NAME)); entry.parseName(doc.get(Fields.NAME));
} catch (UnsupportedEncodingException ex) { } catch (UnsupportedEncodingException ex) {
@@ -54,10 +57,10 @@ public class Entry implements Serializable {
/** /**
* The name of the CPE entry. * The name of the CPE entry.
*/ */
protected String name; private String name;
/** /**
* Get the value of name * Get the value of name.
* *
* @return the value of name * @return the value of name
*/ */
@@ -66,7 +69,7 @@ public class Entry implements Serializable {
} }
/** /**
* Set the value of name * Set the value of name.
* *
* @param name new value of name * @param name new value of name
*/ */
@@ -76,10 +79,10 @@ public class Entry implements Serializable {
/** /**
* The vendor name. * The vendor name.
*/ */
protected String vendor; private String vendor;
/** /**
* Get the value of vendor * Get the value of vendor.
* *
* @return the value of vendor * @return the value of vendor
*/ */
@@ -88,7 +91,7 @@ public class Entry implements Serializable {
} }
/** /**
* Set the value of vendor * Set the value of vendor.
* *
* @param vendor new value of vendor * @param vendor new value of vendor
*/ */
@@ -98,10 +101,10 @@ public class Entry implements Serializable {
/** /**
* The product name. * The product name.
*/ */
protected String product; private String product;
/** /**
* Get the value of product * Get the value of product.
* *
* @return the value of product * @return the value of product
*/ */
@@ -110,7 +113,7 @@ public class Entry implements Serializable {
} }
/** /**
* Set the value of product * Set the value of product.
* *
* @param product new value of product * @param product new value of product
*/ */
@@ -120,10 +123,10 @@ public class Entry implements Serializable {
/** /**
* The product version. * The product version.
*/ */
protected String version; private String version;
/** /**
* Get the value of version * Get the value of version.
* *
* @return the value of version * @return the value of version
*/ */
@@ -132,7 +135,7 @@ public class Entry implements Serializable {
} }
/** /**
* Set the value of version * Set the value of version.
* *
* @param version new value of version * @param version new value of version
*/ */
@@ -142,10 +145,10 @@ public class Entry implements Serializable {
/** /**
* The product revision. * The product revision.
*/ */
protected String revision; private String revision;
/** /**
* Get the value of revision * Get the value of revision.
* *
* @return the value of revision * @return the value of revision
*/ */
@@ -154,7 +157,7 @@ public class Entry implements Serializable {
} }
/** /**
* Set the value of revision * Set the value of revision.
* *
* @param revision new value of revision * @param revision new value of revision
*/ */
@@ -164,10 +167,10 @@ public class Entry implements Serializable {
/** /**
* The search score. * The search score.
*/ */
protected float searchScore; private float searchScore;
/** /**
* Get the value of searchScore * Get the value of searchScore.
* *
* @return the value of searchScore * @return the value of searchScore
*/ */
@@ -176,7 +179,7 @@ public class Entry implements Serializable {
} }
/** /**
* Set the value of searchScore * Set the value of searchScore.
* *
* @param searchScore new value of searchScore * @param searchScore new value of searchScore
*/ */
@@ -199,7 +202,7 @@ public class Entry implements Serializable {
public void parseName(String cpeName) throws UnsupportedEncodingException { public void parseName(String cpeName) throws UnsupportedEncodingException {
this.name = cpeName; this.name = cpeName;
if (cpeName != null && cpeName.length() > 7) { if (cpeName != null && cpeName.length() > 7) {
String[] data = cpeName.substring(7).split(":"); final String[] data = cpeName.substring(7).split(":");
if (data.length >= 1) { if (data.length >= 1) {
vendor = URLDecoder.decode(data[0], "UTF-8").replaceAll("[_-]", " "); vendor = URLDecoder.decode(data[0], "UTF-8").replaceAll("[_-]", " ");
if (data.length >= 2) { if (data.length >= 2) {
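Review bot: `parseName` in the last hunk skips seven characters (`cpeName.substring(7)`) without checking that the name actually starts with the `cpe:/a:` prefix that length implies, so any other string longer than seven characters is silently split from the wrong offset; a check like `if (cpeName != null && cpeName.startsWith("cpe:/") && cpeName.length() > 7) {` would make the assumption explicit (the method continues past the hunk). Separately, `serialVersionUID` in the first hunk is package-private; the Serializable convention is `private static final long serialVersionUID = 8011924485946326934L;`. Narrowing the fields from `protected` to `private` is fine provided no subclass outside this file relied on them, which is not visible here.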


@@ -57,9 +57,8 @@ public class Index extends AbstractIndex {
* @throws IOException is thrown if an IOException occurs. * @throws IOException is thrown if an IOException occurs.
*/ */
public Directory getDirectory() throws IOException { public Directory getDirectory() throws IOException {
File path = getDataDirectory(); final File path = getDataDirectory();
Directory dir = FSDirectory.open(path); final Directory dir = FSDirectory.open(path);
return dir; return dir;
} }
@@ -71,9 +70,9 @@ public class Index extends AbstractIndex {
* @throws IOException is thrown if an IOException occurs of course... * @throws IOException is thrown if an IOException occurs of course...
*/ */
public File getDataDirectory() throws IOException { public File getDataDirectory() throws IOException {
String fileName = Settings.getString(Settings.KEYS.CPE_INDEX); final String fileName = Settings.getString(Settings.KEYS.CPE_INDEX);
String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath(); final String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
String decodedPath = URLDecoder.decode(filePath, "UTF-8"); final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath); File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) { if (exePath.getName().toLowerCase().endsWith(".jar")) {
exePath = exePath.getParentFile(); exePath = exePath.getParentFile();
@@ -97,19 +96,25 @@ public class Index extends AbstractIndex {
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public Analyzer createIndexingAnalyzer() { public Analyzer createIndexingAnalyzer() {
Map fieldAnalyzers = new HashMap(); final Map fieldAnalyzers = new HashMap();
//fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer()); //fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
fieldAnalyzers.put(Fields.VERSION, new VersionAnalyzer(Version.LUCENE_40)); fieldAnalyzers.put(Fields.VERSION, new VersionAnalyzer(Version.LUCENE_40));
fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer()); fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper( final PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers); new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
return wrapper; return wrapper;
} }
private SearchFieldAnalyzer productSearchFieldAnalyzer = null; /**
private SearchFieldAnalyzer vendorSearchFieldAnalyzer = null; * The search field analyzer for the product field.
*/
private SearchFieldAnalyzer productSearchFieldAnalyzer;
/**
* The search field analyzer for the vendor field.
*/
private SearchFieldAnalyzer vendorSearchFieldAnalyzer;
/** /**
* Creates an Analyzer for searching the CPE Index. * Creates an Analyzer for searching the CPE Index.
@@ -118,7 +123,7 @@ public class Index extends AbstractIndex {
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public Analyzer createSearchingAnalyzer() { public Analyzer createSearchingAnalyzer() {
Map fieldAnalyzers = new HashMap(); final Map fieldAnalyzers = new HashMap();
fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer()); fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
//fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer()); //fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
@@ -128,14 +133,15 @@ public class Index extends AbstractIndex {
fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer); fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer);
fieldAnalyzers.put(Fields.VENDOR, vendorSearchFieldAnalyzer); fieldAnalyzers.put(Fields.VENDOR, vendorSearchFieldAnalyzer);
PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper( final PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers); new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
return wrapper; return wrapper;
} }
/** /**
* Creates the Lucene QueryParser used when querying the index * Creates the Lucene QueryParser used when querying the index.
*
* @return a QueryParser. * @return a QueryParser.
*/ */
public QueryParser createQueryParser() { public QueryParser createQueryParser() {
@@ -162,10 +168,10 @@ public class Index extends AbstractIndex {
* @throws IOException is thrown if an IOException occurs. * @throws IOException is thrown if an IOException occurs.
*/ */
public void saveEntry(Entry entry) throws CorruptIndexException, IOException { public void saveEntry(Entry entry) throws CorruptIndexException, IOException {
Document doc = convertEntryToDoc(entry); final Document doc = convertEntryToDoc(entry);
//Term term = new Term(Fields.NVDID, LuceneUtils.escapeLuceneQuery(entry.getNvdId())); //Term term = new Term(Fields.NVDID, LuceneUtils.escapeLuceneQuery(entry.getNvdId()));
Term term = new Term(Fields.NAME, entry.getName()); final Term term = new Term(Fields.NAME, entry.getName());
indexWriter.updateDocument(term, doc); getIndexWriter().updateDocument(term, doc);
} }
/** /**
@@ -175,16 +181,16 @@ public class Index extends AbstractIndex {
* @return a Lucene Document containing a CPE Entry. * @return a Lucene Document containing a CPE Entry.
*/ */
protected Document convertEntryToDoc(Entry entry) { protected Document convertEntryToDoc(Entry entry) {
Document doc = new Document(); final Document doc = new Document();
Field name = new StoredField(Fields.NAME, entry.getName()); final Field name = new StoredField(Fields.NAME, entry.getName());
doc.add(name); doc.add(name);
Field vendor = new TextField(Fields.VENDOR, entry.getVendor(), Field.Store.NO); final Field vendor = new TextField(Fields.VENDOR, entry.getVendor(), Field.Store.NO);
vendor.setBoost(5.0F); vendor.setBoost(5.0F);
doc.add(vendor); doc.add(vendor);
Field product = new TextField(Fields.PRODUCT, entry.getProduct(), Field.Store.NO); final Field product = new TextField(Fields.PRODUCT, entry.getProduct(), Field.Store.NO);
product.setBoost(5.0F); product.setBoost(5.0F);
doc.add(product); doc.add(product);
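Review bot: `getDataDirectory` (second hunk) derives the install directory from `getLocation().getPath()` and then runs it through `URLDecoder.decode`, which is form decoding rather than URL-to-path decoding: a `+` in the installation path becomes a space and the index is looked up in a directory that does not exist. The established form is `new File(Index.class.getProtectionDomain().getCodeSource().getLocation().toURI())`, which needs a `URISyntaxException` handled or wrapped; `getCodeSource()` can also return null for some class loaders and would NPE here. `createIndexingAnalyzer` and `createSearchingAnalyzer` keep the raw `Map`/`HashMap`, so `@SuppressWarnings("unchecked")` stays necessary; `new HashMap<String, Analyzer>()` would remove both, assuming the wrapper constructor accepts that parameterization in this Lucene version.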


@@ -29,21 +29,32 @@ import java.util.logging.Logger;
* *
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
public class CweDB { public final class CweDB {
/**
* Empty private constructor as this is a utility class.
*/
private CweDB() { private CweDB() {
//empty constructor for utility class //empty
} }
/**
* A hashmap of the CWE data.
*/
private static final HashMap<String, String> CWE = loadData(); private static final HashMap<String, String> CWE = loadData();
/**
* Loads a hashmap containing the CWE data from a resource found in the jar.
*
* @return a hashmap of CWE data
*/
private static HashMap<String, String> loadData() { private static HashMap<String, String> loadData() {
ObjectInputStream oin = null; ObjectInputStream oin = null;
try { try {
String filePath = "data/cwe.hashmap.serialized"; final String filePath = "data/cwe.hashmap.serialized";
InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath); final InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
oin = new ObjectInputStream(input); oin = new ObjectInputStream(input);
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
HashMap<String, String> data = (HashMap<String, String>) oin.readObject(); final HashMap<String, String> data = (HashMap<String, String>) oin.readObject();
return data; return data;
} catch (ClassNotFoundException ex) { } catch (ClassNotFoundException ex) {
Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex); Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
@@ -63,7 +74,7 @@ public class CweDB {
/** /**
* <p>Returns the full CWE name from the CWE ID.</p> * <p>Returns the full CWE name from the CWE ID.</p>
* @param cweId te CWE ID * @param cweId the CWE ID
* @return the full name of the CWE * @return the full name of the CWE
*/ */
public static String getCweName(String cweId) { public static String getCweName(String cweId) {
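Review bot: In `loadData` (first hunk), `getResourceAsStream` returns null when `data/cwe.hashmap.serialized` is missing from the jar, and `new ObjectInputStream(null)` then throws a NullPointerException that the visible `ClassNotFoundException` catch does not cover; because this runs from the static initializer of `CWE`, the class itself fails to load. An explicit check, `if (input == null) { throw new IllegalStateException("missing resource " + filePath); }` — or logging and returning an empty map, matching whatever the remaining catch branches do — would surface the real cause. The data is read with native Java deserialization; that is acceptable for a resource bundled in the jar, but a comment stating that the file is trusted build output would help the next reader, and a plain text format (properties or CSV) would avoid the `readObject` path altogether. The method's remaining catch and finally blocks are outside the hunk.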


@@ -30,6 +30,9 @@ import org.xml.sax.helpers.DefaultHandler;
*/ */
public class CweHandler extends DefaultHandler { public class CweHandler extends DefaultHandler {
/**
* a hashmap containing the CWE data.
*/
private HashMap<String, String> cwe = new HashMap<String, String>(); private HashMap<String, String> cwe = new HashMap<String, String>();
/** /**
@@ -44,8 +47,8 @@ public class CweHandler extends DefaultHandler {
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException { public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
if ("Weakness".equals(qName) || "Category".equals(qName)) { if ("Weakness".equals(qName) || "Category".equals(qName)) {
String id = "CWE-" + attributes.getValue("ID"); final String id = "CWE-" + attributes.getValue("ID");
String name = attributes.getValue("Name"); final String name = attributes.getValue("Name");
cwe.put(id, name); cwe.put(id, name);
} }
} }
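Review bot: `startElement` builds the key as `"CWE-" + attributes.getValue("ID")`, so an element with no `ID` attribute is stored under the literal key `CWE-null` and an absent `Name` stores a null value; neither case is caught. Reading the raw attribute first and guarding before the put, `if (rawId == null || name == null) { return; }`, keeps the map clean. The `cwe` field would also read better as `private final Map<String, String> cwe`, since it is initialised once at declaration and nothing in the hunk reassigns it (a setter outside the hunk could, which is not visible here).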


@@ -48,31 +48,31 @@ public abstract class AbstractIndex {
/** /**
* The Lucene directory containing the index. * The Lucene directory containing the index.
*/ */
protected Directory directory = null; private Directory directory;
/** /**
* The IndexWriter for the Lucene index. * The IndexWriter for the Lucene index.
*/ */
protected IndexWriter indexWriter = null; private IndexWriter indexWriter;
/** /**
* The Lucene IndexReader. * The Lucene IndexReader.
*/ */
private IndexReader indexReader = null; private IndexReader indexReader;
/** /**
* The Lucene IndexSearcher. * The Lucene IndexSearcher.
*/ */
private IndexSearcher indexSearcher = null; private IndexSearcher indexSearcher;
/** /**
* The Lucene Analyzer used for Indexing. * The Lucene Analyzer used for Indexing.
*/ */
private Analyzer indexingAnalyzer = null; private Analyzer indexingAnalyzer;
/** /**
* The Lucene Analyzer used for Searching * The Lucene Analyzer used for Searching.
*/ */
private Analyzer searchingAnalyzer = null; private Analyzer searchingAnalyzer;
/** /**
* The Lucene QueryParser used for Searching * The Lucene QueryParser used for Searching.
*/ */
private QueryParser queryParser = null; private QueryParser queryParser;
/** /**
* Indicates whether or not the Lucene Index is open. * Indicates whether or not the Lucene Index is open.
*/ */
@@ -155,7 +155,7 @@ public abstract class AbstractIndex {
if (!isOpen()) { if (!isOpen()) {
open(); open();
} }
IndexWriterConfig conf = new IndexWriterConfig(Version.LUCENE_40, indexingAnalyzer); final IndexWriterConfig conf = new IndexWriterConfig(Version.LUCENE_40, indexingAnalyzer);
indexWriter = new IndexWriter(directory, conf); indexWriter = new IndexWriter(directory, conf);
} }
@@ -241,7 +241,8 @@ public abstract class AbstractIndex {
} }
/** /**
* Searches the index using the given search string * Searches the index using the given search string.
*
* @param searchString the query text * @param searchString the query text
* @param maxQueryResults the maximum number of documents to return * @param maxQueryResults the maximum number of documents to return
* @return the TopDocs found by the search * @return the TopDocs found by the search
@@ -250,21 +251,18 @@ public abstract class AbstractIndex {
*/ */
public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException { public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
QueryParser parser = getQueryParser(); final QueryParser parser = getQueryParser();
final Query query = parser.parse(searchString);
Query query = parser.parse(searchString);
resetSearchingAnalyzer(); resetSearchingAnalyzer();
final IndexSearcher is = getIndexSearcher();
IndexSearcher is = getIndexSearcher(); final TopDocs docs = is.search(query, maxQueryResults);
TopDocs docs = is.search(query, maxQueryResults);
return docs; return docs;
} }
/** /**
* Searches the index using the given query * Searches the index using the given query.
*
* @param query the query used to search the index * @param query the query used to search the index
* @param maxQueryResults the max number of results to return * @param maxQueryResults the max number of results to return
* @return the TopDocs found be the query * @return the TopDocs found be the query
@@ -272,23 +270,24 @@ public abstract class AbstractIndex {
* @throws IOException thrown if there is an IOException * @throws IOException thrown if there is an IOException
*/ */
public TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException { public TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException {
IndexSearcher is = getIndexSearcher(); final IndexSearcher is = getIndexSearcher();
return is.search(query, maxQueryResults); return is.search(query, maxQueryResults);
} }
/** /**
* Retrieves a document from the Index * Retrieves a document from the Index.
*
* @param documentId the id of the document to retrieve * @param documentId the id of the document to retrieve
* @return the Document * @return the Document
* @throws IOException thrown if there is an IOException * @throws IOException thrown if there is an IOException
*/ */
public Document getDocument(int documentId) throws IOException { public Document getDocument(int documentId) throws IOException {
IndexSearcher is = getIndexSearcher(); final IndexSearcher is = getIndexSearcher();
return is.doc(documentId); return is.doc(documentId);
} }
/** /**
* Gets the directory that contains the Lucene Index * Gets the directory that contains the Lucene Index.
* *
* @return a Lucene Directory * @return a Lucene Directory
* @throws IOException is thrown when an IOException occurs * @throws IOException is thrown when an IOException occurs
@@ -296,21 +295,21 @@ public abstract class AbstractIndex {
public abstract Directory getDirectory() throws IOException; public abstract Directory getDirectory() throws IOException;
/** /**
* Creates the Lucene Analyzer used when indexing * Creates the Lucene Analyzer used when indexing.
* *
* @return a Lucene Analyzer * @return a Lucene Analyzer
*/ */
public abstract Analyzer createIndexingAnalyzer(); public abstract Analyzer createIndexingAnalyzer();
/** /**
* Creates the Lucene Analyzer used when querying the index * Creates the Lucene Analyzer used when querying the index.
* *
* @return a Lucene Analyzer * @return a Lucene Analyzer
*/ */
public abstract Analyzer createSearchingAnalyzer(); public abstract Analyzer createSearchingAnalyzer();
/** /**
* Creates the Lucene QueryParser used when querying the index * Creates the Lucene QueryParser used when querying the index.
* @return a QueryParser * @return a QueryParser
*/ */
public abstract QueryParser createQueryParser(); public abstract QueryParser createQueryParser();
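Review bot: Narrowing `directory` and `indexWriter` from `protected` to `private` in the first hunk changes the contract of this abstract class: any subclass that read or assigned those fields directly will no longer compile, and the hunk adds no protected accessor in their place. I cannot see the subclasses, so this may be a no-op, but if the checkstyle VisibilityModifier rule drove the change a `protected IndexWriter getIndexWriter()` would satisfy it without breaking them. In `search(String, int)` the `docs` local exists only to be returned; `return is.search(query, maxQueryResults);` would match the sibling `search(Query, int)` two hunks later. That sibling's Javadoc still reads `@return the TopDocs found be the query`; `by the query` was meant.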


@@ -26,6 +26,9 @@ import org.apache.lucene.search.similarities.DefaultSimilarity;
*/ */
public class DependencySimilarity extends DefaultSimilarity { public class DependencySimilarity extends DefaultSimilarity {
/**
* the serial version uid.
*/
private static final long serialVersionUID = 1L; private static final long serialVersionUID = 1L;
/** /**


@@ -39,12 +39,13 @@ import org.apache.lucene.util.Version;
public class FieldAnalyzer extends Analyzer { public class FieldAnalyzer extends Analyzer {
/** /**
* The Lucene Version used * The Lucene Version used.
*/ */
private Version version = null; private Version version;
/** /**
* Creates a new FieldAnalyzer * Creates a new FieldAnalyzer.
*
* @param version the Lucene version * @param version the Lucene version
*/ */
public FieldAnalyzer(Version version) { public FieldAnalyzer(Version version) {
@@ -60,7 +61,7 @@ public class FieldAnalyzer extends Analyzer {
*/ */
@Override @Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) { protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
Tokenizer source = new WhitespaceTokenizer(version, reader); final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source; TokenStream stream = source;
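Review bot: Dropping the `= null` initialiser in the first hunk leaves `private Version version;` mutable, although the only visible write is from the constructor parameter of the same name; `private final Version version;` would let the compiler enforce that and is presumably what the checkstyle-driven cleanup is reaching for. The constructor body is outside the hunk, so this assumes no later reassignment. The same applies to the `version` fields in the SearchFieldAnalyzer, SearchVersionAnalyzer and VersionAnalyzer sections of this commit. createComponents continues past the second hunk.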


@@ -48,7 +48,7 @@ public final class LuceneUtils {
} }
for (int i = 0; i < text.length(); i++) { for (int i = 0; i < text.length(); i++) {
char c = text.charAt(i); final char c = text.charAt(i);
switch (c) { switch (c) {
case '+': case '+':
case '-': case '-':
@@ -91,7 +91,7 @@ public final class LuceneUtils {
int size = text.length(); int size = text.length();
size = size >> 1; size = size >> 1;
StringBuilder buf = new StringBuilder(size); final StringBuilder buf = new StringBuilder(size);
appendEscapedLuceneQuery(buf, text); appendEscapedLuceneQuery(buf, text);
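Review bot: The capacity handed to `new StringBuilder(size)` in the second hunk is half of `text.length()`, yet `appendEscapedLuceneQuery` can only emit at least as many characters as it reads (each escaped character gains a backslash), so the builder is guaranteed to reallocate at least once; `final StringBuilder buf = new StringBuilder(text.length() + (text.length() >> 1));` would give the headroom the halving presumably intended. Since AbstractIndex in this commit builds its `IndexWriterConfig` with `Version.LUCENE_40`, the escape table started by the `switch (c)` in the first hunk should also cover `/`, which is a reserved query-parser character from Lucene 4.0 on; only the first two `case` labels are visible, so I cannot confirm whether it is already there. The enclosing method starts and ends outside both hunks.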


@@ -37,17 +37,18 @@ import org.apache.lucene.util.Version;
public class SearchFieldAnalyzer extends Analyzer { public class SearchFieldAnalyzer extends Analyzer {
/** /**
* The Lucene Version used * The Lucene Version used.
*/ */
private Version version = null; private Version version;
/** /**
* A local reference to the TokenPairConcatenatingFilter so that we * A local reference to the TokenPairConcatenatingFilter so that we
* can clear any left over state if this analyzer is re-used. * can clear any left over state if this analyzer is re-used.
*/ */
private TokenPairConcatenatingFilter concatenatingFilter = null; private TokenPairConcatenatingFilter concatenatingFilter;
/** /**
* Constructs a new SearchFieldAnalyzer * Constructs a new SearchFieldAnalyzer.
*
* @param version the Lucene version * @param version the Lucene version
*/ */
public SearchFieldAnalyzer(Version version) { public SearchFieldAnalyzer(Version version) {
@@ -62,7 +63,7 @@ public class SearchFieldAnalyzer extends Analyzer {
*/ */
@Override @Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) { protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
Tokenizer source = new WhitespaceTokenizer(version, reader); final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source; TokenStream stream = source;


@@ -40,12 +40,13 @@ public class SearchVersionAnalyzer extends Analyzer {
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/ // http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
/** /**
* The Lucene Version used * The Lucene Version used.
*/ */
private Version version = null; private Version version;
/** /**
* Creates a new SearchVersionAnalyzer * Creates a new SearchVersionAnalyzer.
*
* @param version the Lucene version * @param version the Lucene version
*/ */
public SearchVersionAnalyzer(Version version) { public SearchVersionAnalyzer(Version version) {
@@ -61,7 +62,7 @@ public class SearchVersionAnalyzer extends Analyzer {
*/ */
@Override @Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) { protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
Tokenizer source = new WhitespaceTokenizer(version, reader); final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source; TokenStream stream = source;
stream = new LowerCaseFilter(version, stream); stream = new LowerCaseFilter(version, stream);
stream = new VersionTokenizingFilter(stream); stream = new VersionTokenizingFilter(stream);


@@ -26,20 +26,35 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
import org.apache.lucene.analysis.tokenattributes.PositionIncrementAttribute; import org.apache.lucene.analysis.tokenattributes.PositionIncrementAttribute;
/** /**
* <p>Takes a TokenStream and adds additional tokens by concatenating pairs of words.</p> * <p>Takes a TokenStream and adds additional tokens by concatenating pairs of
* <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p> * words.</p>
* <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework
* Framework FrameworkCore Core".</p>
* *
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
public final class TokenPairConcatenatingFilter extends TokenFilter { public final class TokenPairConcatenatingFilter extends TokenFilter {
/**
* The char term attribute.
*/
private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class); private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
/**
* The position increment attribute.
*/
private final PositionIncrementAttribute posIncAtt = addAttribute(PositionIncrementAttribute.class); private final PositionIncrementAttribute posIncAtt = addAttribute(PositionIncrementAttribute.class);
private String previousWord = null; /**
private LinkedList<String> words = null; * The previous word parsed.
*/
private String previousWord;
/**
* A list of words parsed.
*/
private LinkedList<String> words;
/** /**
* Constructs a new TokenPairConcatenatingFilter * Constructs a new TokenPairConcatenatingFilter.
*
* @param stream the TokenStream that this filter will process * @param stream the TokenStream that this filter will process
*/ */
public TokenPairConcatenatingFilter(TokenStream stream) { public TokenPairConcatenatingFilter(TokenStream stream) {
@@ -60,14 +75,14 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
//collect all the terms into the words collection //collect all the terms into the words collection
while (input.incrementToken()) { while (input.incrementToken()) {
String word = new String(termAtt.buffer(), 0, termAtt.length()); final String word = new String(termAtt.buffer(), 0, termAtt.length());
words.add(word); words.add(word);
} }
//if we have a previousTerm - write it out as its own token concatenated //if we have a previousTerm - write it out as its own token concatenated
// with the current word (if one is available). // with the current word (if one is available).
if (previousWord != null && words.size() > 0) { if (previousWord != null && words.size() > 0) {
String word = words.getFirst(); final String word = words.getFirst();
clearAttributes(); clearAttributes();
termAtt.append(previousWord).append(word); termAtt.append(previousWord).append(word);
posIncAtt.setPositionIncrement(0); posIncAtt.setPositionIncrement(0);
@@ -76,7 +91,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
} }
//if we have words, write it out as a single token //if we have words, write it out as a single token
if (words.size() > 0) { if (words.size() > 0) {
String word = words.removeFirst(); final String word = words.removeFirst();
clearAttributes(); clearAttributes();
termAtt.append(word); termAtt.append(word);
previousWord = word; previousWord = word;
@@ -86,9 +101,10 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
} }
/** /**
* <p>Resets the Filter and clears any internal state data that may * <p>Resets the Filter and clears any internal state data that may have
* have been left-over from previous uses of the Filter.</p> * been left-over from previous uses of the Filter.</p>
* <p><b>If this Filter is re-used this method must be called between uses.</b></p> * <p><b>If this Filter is re-used this method must be called between
* uses.</b></p>
*/ */
public void clear() { public void clear() {
previousWord = null; previousWord = null;
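Review bot: The second hunk adds `final` but keeps `words.size() > 0` in both conditions and `new String(termAtt.buffer(), 0, termAtt.length())` for the term text; `!words.isEmpty()` states the intent directly and `termAtt.toString()` yields the same string from a CharTermAttribute. The `words` field declared in the first hunk is typed as `LinkedList<String>` although only deque operations (`add`, `getFirst`, `removeFirst`) are used on it; `private Deque<String> words;` programs to the interface, at the cost of importing `java.util.Deque` and adjusting the constructor, which allocates it outside the hunk. incrementToken spans the second and third hunks and is cut at both ends.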


@@ -40,12 +40,13 @@ public class VersionAnalyzer extends Analyzer {
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/ // http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
/** /**
* The Lucene Version used * The Lucene Version used.
*/ */
private Version version = null; private Version version;
/** /**
* Creates a new VersionAnalyzer * Creates a new VersionAnalyzer.
*
* @param version the Lucene version * @param version the Lucene version
*/ */
public VersionAnalyzer(Version version) { public VersionAnalyzer(Version version) {
@@ -61,7 +62,7 @@ public class VersionAnalyzer extends Analyzer {
*/ */
@Override @Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) { protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
Tokenizer source = new WhitespaceTokenizer(version, reader); final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source; TokenStream stream = source;
stream = new LowerCaseFilter(version, stream); stream = new LowerCaseFilter(version, stream);
return new TokenStreamComponents(source, stream); return new TokenStreamComponents(source, stream);


@@ -25,21 +25,27 @@ import org.apache.lucene.analysis.TokenStream;
import org.apache.lucene.analysis.tokenattributes.CharTermAttribute; import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
/** /**
* <p>Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p> * <p>Takes a TokenStream and splits or adds tokens to correctly index version
* <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p> * numbers.</p>
* <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
* 3.0.0.RELEASE".</p>
* *
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
public final class VersionTokenizingFilter extends TokenFilter { public final class VersionTokenizingFilter extends TokenFilter {
/**
* The char term attribute.
*/
private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class); private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
/** /**
* A collection of tokens to add to the stream. * A collection of tokens to add to the stream.
*/ */
protected LinkedList<String> tokens = null; private LinkedList<String> tokens;
/** /**
* Constructs a new VersionTokenizingFilter * Constructs a new VersionTokenizingFilter.
*
* @param stream the TokenStream that this filter will process * @param stream the TokenStream that this filter will process
*/ */
public VersionTokenizingFilter(TokenStream stream) { public VersionTokenizingFilter(TokenStream stream) {
@@ -58,8 +64,8 @@ public final class VersionTokenizingFilter extends TokenFilter {
@Override @Override
public boolean incrementToken() throws IOException { public boolean incrementToken() throws IOException {
if (tokens.size() == 0 && input.incrementToken()) { if (tokens.size() == 0 && input.incrementToken()) {
String version = new String(termAtt.buffer(), 0, termAtt.length()); final String version = new String(termAtt.buffer(), 0, termAtt.length());
String[] toAnalyze = version.split("[_-]"); final String[] toAnalyze = version.split("[_-]");
if (toAnalyze.length > 1) { //ensure we analyze the whole string as one too if (toAnalyze.length > 1) { //ensure we analyze the whole string as one too
analyzeVersion(version); analyzeVersion(version);
} }
@@ -72,23 +78,34 @@ public final class VersionTokenizingFilter extends TokenFilter {
/** /**
* Adds a term, if one exists, from the tokens collection. * Adds a term, if one exists, from the tokens collection.
*
* @return whether or not a new term was added * @return whether or not a new term was added
*/ */
private boolean addTerm() { private boolean addTerm() {
boolean termAdded = tokens.size() > 0; final boolean termAdded = tokens.size() > 0;
if (termAdded) { if (termAdded) {
String version = tokens.pop(); final String version = tokens.pop();
clearAttributes(); clearAttributes();
termAtt.append(version); termAtt.append(version);
} }
return termAdded; return termAdded;
} }
//major.minor[.maintenance[.build]] /**
* <p>Analyzes the version and adds several copies of the version as
* different tokens. For example, the version 1.2.7 would create the tokens
* 1 1.2 1.2.7. This is useful in discovering the correct version -
* sometimes a maintenance or build number will throw off the version
* identification.</p>
*
* <p>expected&nbsp;format:&nbps;major.minor[.maintenance[.build]]</p>
*
* @param version the version to analyze
*/
private void analyzeVersion(String version) { private void analyzeVersion(String version) {
//todo should we also be splitting on dash or underscore? we would need //todo should we also be splitting on dash or underscore? we would need
// to incorporate the dash or underscore back in... // to incorporate the dash or underscore back in...
String[] versionParts = version.split("\\."); final String[] versionParts = version.split("\\.");
String dottedVersion = null; String dottedVersion = null;
for (String current : versionParts) { for (String current : versionParts) {
if (!current.matches("^/d+$")) { if (!current.matches("^/d+$")) {
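Review bot: `if (!current.matches("^/d+$"))` on the last line of the final hunk tests for a literal slash followed by one or more letters `d`, not for a run of digits, so the non-numeric branch is taken for every version part, including purely numeric ones such as `1`, `2` or `7`; `"^\\d+$"` is almost certainly what was meant (the `version.split("\\.")` two lines above gets the escaping right). The commit touches this method without addressing it, and since the branch body lies outside the hunk I cannot say how far the mis-classification propagates into the emitted tokens. In the Javadoc added by the same hunk, `&nbps;` is not an HTML entity and will render literally; `&nbsp;` was intended. analyzeVersion continues past the hunk.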


@@ -25,6 +25,10 @@ package org.owasp.dependencycheck.data.nvdcve;
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
class CorruptDatabaseException extends DatabaseException { class CorruptDatabaseException extends DatabaseException {
/**
* the serial version uid.
*/
private static final long serialVersionUID = 1L; private static final long serialVersionUID = 1L;
/** /**


@@ -48,131 +48,131 @@ public class CveDB {
//<editor-fold defaultstate="collapsed" desc="Constants to create, maintain, and retrieve data from the CVE Database"> //<editor-fold defaultstate="collapsed" desc="Constants to create, maintain, and retrieve data from the CVE Database">
/** /**
* SQL Statement to create an index on the reference table * SQL Statement to create an index on the reference table.
*/ */
public static final String CREATE_INDEX_IDXREFERENCE = "CREATE INDEX IF NOT EXISTS idxReference ON reference(cveid)"; public static final String CREATE_INDEX_IDXREFERENCE = "CREATE INDEX IF NOT EXISTS idxReference ON reference(cveid)";
/** /**
* SQL Statement to create an index on the software for finding CVE entries based on CPE data * SQL Statement to create an index on the software for finding CVE entries based on CPE data.
*/ */
public static final String CREATE_INDEX_IDXSOFTWARE = "CREATE INDEX IF NOT EXISTS idxSoftware ON software(product, vendor, version)"; public static final String CREATE_INDEX_IDXSOFTWARE = "CREATE INDEX IF NOT EXISTS idxSoftware ON software(product, vendor, version)";
/** /**
* SQL Statement to create an index for retrieving software by CVEID * SQL Statement to create an index for retrieving software by CVEID.
*/ */
public static final String CREATE_INDEX_IDXSOFTWARECVE = "CREATE INDEX IF NOT EXISTS idxSoftwareCve ON software(cveid)"; public static final String CREATE_INDEX_IDXSOFTWARECVE = "CREATE INDEX IF NOT EXISTS idxSoftwareCve ON software(cveid)";
/** /**
* SQL Statement to create an index on the vulnerability table * SQL Statement to create an index on the vulnerability table.
*/ */
public static final String CREATE_INDEX_IDXVULNERABILITY = "CREATE INDEX IF NOT EXISTS idxVulnerability ON vulnerability(cveid)"; public static final String CREATE_INDEX_IDXVULNERABILITY = "CREATE INDEX IF NOT EXISTS idxVulnerability ON vulnerability(cveid)";
/** /**
* SQL Statement to create the reference table * SQL Statement to create the reference table.
*/ */
public static final String CREATE_TABLE_REFERENCE = "CREATE TABLE IF NOT EXISTS reference (cveid CHAR(13), " public static final String CREATE_TABLE_REFERENCE = "CREATE TABLE IF NOT EXISTS reference (cveid CHAR(13), "
+ "name varchar(1000), url varchar(1000), source varchar(255))"; + "name varchar(1000), url varchar(1000), source varchar(255))";
/** /**
* SQL Statement to create the software table * SQL Statement to create the software table.
*/ */
public static final String CREATE_TABLE_SOFTWARE = "CREATE TABLE IF NOT EXISTS software (cveid CHAR(13), cpe varchar(500), " public static final String CREATE_TABLE_SOFTWARE = "CREATE TABLE IF NOT EXISTS software (cveid CHAR(13), cpe varchar(500), "
+ "vendor varchar(255), product varchar(255), version varchar(50), previousVersion varchar(50))"; + "vendor varchar(255), product varchar(255), version varchar(50), previousVersion varchar(50))";
/** /**
* SQL Statement to create the vulnerability table * SQL Statement to create the vulnerability table.
*/ */
public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability (cveid CHAR(13) PRIMARY KEY, " public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability (cveid CHAR(13) PRIMARY KEY, "
+ "description varchar(8000), cwe varchar(10), cvssScore DECIMAL(3,1), cvssAccessVector varchar(20), " + "description varchar(8000), cwe varchar(10), cvssScore DECIMAL(3,1), cvssAccessVector varchar(20), "
+ "cvssAccessComplexity varchar(20), cvssAuthentication varchar(20), cvssConfidentialityImpact varchar(20), " + "cvssAccessComplexity varchar(20), cvssAuthentication varchar(20), cvssConfidentialityImpact varchar(20), "
+ "cvssIntegrityImpact varchar(20), cvssAvailabilityImpact varchar(20))"; + "cvssIntegrityImpact varchar(20), cvssAvailabilityImpact varchar(20))";
/** /**
* SQL Statement to delete references by CVEID * SQL Statement to delete references by CVEID.
*/ */
public static final String DELETE_REFERENCE = "DELETE FROM reference WHERE cveid = ?"; public static final String DELETE_REFERENCE = "DELETE FROM reference WHERE cveid = ?";
/** /**
* SQL Statement to delete software by CVEID * SQL Statement to delete software by CVEID.
*/ */
public static final String DELETE_SOFTWARE = "DELETE FROM software WHERE cveid = ?"; public static final String DELETE_SOFTWARE = "DELETE FROM software WHERE cveid = ?";
/** /**
* SQL Statement to delete a vulnerability by CVEID * SQL Statement to delete a vulnerability by CVEID.
*/ */
public static final String DELETE_VULNERABILITY = "DELETE FROM vulnerability WHERE cveid = ?"; public static final String DELETE_VULNERABILITY = "DELETE FROM vulnerability WHERE cveid = ?";
/** /**
* SQL Statement to insert a new reference * SQL Statement to insert a new reference.
*/ */
public static final String INSERT_REFERENCE = "INSERT INTO reference (cveid, name, url, source) VALUES (?, ?, ?, ?)"; public static final String INSERT_REFERENCE = "INSERT INTO reference (cveid, name, url, source) VALUES (?, ?, ?, ?)";
/** /**
* SQL Statement to insert a new software * SQL Statement to insert a new software.
*/ */
public static final String INSERT_SOFTWARE = "INSERT INTO software (cveid, cpe, vendor, product, version, previousVersion) " public static final String INSERT_SOFTWARE = "INSERT INTO software (cveid, cpe, vendor, product, version, previousVersion) "
+ "VALUES (?, ?, ?, ?, ?, ?)"; + "VALUES (?, ?, ?, ?, ?, ?)";
/** /**
* SQL Statement to insert a new vulnerability * SQL Statement to insert a new vulnerability.
*/ */
public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description, cwe, cvssScore, cvssAccessVector, " public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description, cwe, cvssScore, cvssAccessVector, "
+ "cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) " + "cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) "
+ "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"; + "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
/** /**
* SQL Statement to find CVE entries based on CPE data * SQL Statement to find CVE entries based on CPE data.
*/ */
public static final String SELECT_CVE_FROM_SOFTWARE = "SELECT cveid FROM software WHERE Vendor = ? AND Product = ? AND " public static final String SELECT_CVE_FROM_SOFTWARE = "SELECT cveid FROM software WHERE Vendor = ? AND Product = ? AND "
+ "(version = '-' OR previousVersion IS NOT NULL OR version=?)"; + "(version = '-' OR previousVersion IS NOT NULL OR version=?)";
/** /**
* SQL Statement to select references by CVEID * SQL Statement to select references by CVEID.
*/ */
public static final String SELECT_REFERENCE = "SELECT source, name, url FROM reference WHERE cveid = ?"; public static final String SELECT_REFERENCE = "SELECT source, name, url FROM reference WHERE cveid = ?";
/** /**
* SQL Statement to select software by CVEID * SQL Statement to select software by CVEID.
*/ */
public static final String SELECT_SOFTWARE = "SELECT cpe, previousVersion FROM software WHERE cveid = ?"; public static final String SELECT_SOFTWARE = "SELECT cpe, previousVersion FROM software WHERE cveid = ?";
/** /**
* SQL Statement to select a vulnerability by CVEID * SQL Statement to select a vulnerability by CVEID.
*/ */
public static final String SELECT_VULNERABILITY = "SELECT cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, " public static final String SELECT_VULNERABILITY = "SELECT cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, "
+ "cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cveid = ?"; + "cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cveid = ?";
//</editor-fold> //</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Collection of CallableStatements to work with the DB"> //<editor-fold defaultstate="collapsed" desc="Collection of CallableStatements to work with the DB">
/** /**
* delete reference - parameters (cveid) * delete reference - parameters (cveid).
*/ */
private CallableStatement deleteReferences = null; private CallableStatement deleteReferences;
/** /**
* delete software - parameters (cveid) * delete software - parameters (cveid).
*/ */
private CallableStatement deleteSoftware = null; private CallableStatement deleteSoftware;
/** /**
* delete vulnerability - parameters (cveid) * delete vulnerability - parameters (cveid).
*/ */
private CallableStatement deleteVulnerabilities = null; private CallableStatement deleteVulnerabilities;
/** /**
* insert reference - parameters (cveid, name, url, source) * insert reference - parameters (cveid, name, url, source).
*/ */
private CallableStatement insertReference = null; private CallableStatement insertReference;
/** /**
* insert software - parameters (cveid, cpe, vendor, product, version, previousVersion) * insert software - parameters (cveid, cpe, vendor, product, version, previousVersion).
*/ */
private CallableStatement insertSoftware = null; private CallableStatement insertSoftware;
/** /**
* insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector, * insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector,
* cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) * cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact).
*/ */
private CallableStatement insertVulnerability = null; private CallableStatement insertVulnerability;
/** /**
* select cve from software - parameters (vendor, product, version) * select cve from software - parameters (vendor, product, version).
*/ */
private CallableStatement selectCveFromSoftware = null; private CallableStatement selectCveFromSoftware;
/** /**
* select vulnerability - parameters (cveid) * select vulnerability - parameters (cveid).
*/ */
private CallableStatement selectVulnerability = null; private CallableStatement selectVulnerability;
/** /**
* select reference - parameters (cveid) * select reference - parameters (cveid).
*/ */
private CallableStatement selectReferences = null; private CallableStatement selectReferences;
/** /**
* select software - parameters (cveid) * select software - parameters (cveid).
*/ */
private CallableStatement selectSoftware = null; private CallableStatement selectSoftware;
//</editor-fold> //</editor-fold>
/** /**
* Database connection * Database connection
*/ */
protected Connection conn = null; private Connection conn;
/** /**
* Opens the database connection. If the database does not exist, it will * Opens the database connection. If the database does not exist, it will
@@ -183,12 +183,12 @@ public class CveDB {
* @throws DatabaseException thrown if there is an error initializing a new database * @throws DatabaseException thrown if there is an error initializing a new database
*/ */
public void open() throws IOException, SQLException, DatabaseException { public void open() throws IOException, SQLException, DatabaseException {
String fileName = CveDB.getDataDirectory().getCanonicalPath() final String fileName = CveDB.getDataDirectory().getCanonicalPath()
+ File.separator + File.separator
+ "cve"; + "cve";
File f = new File(fileName); final File f = new File(fileName);
boolean createTables = !f.exists(); final boolean createTables = !f.exists();
String connStr = "jdbc:h2:file:" + fileName; final String connStr = "jdbc:h2:file:" + fileName;
conn = DriverManager.getConnection(connStr, "sa", ""); conn = DriverManager.getConnection(connStr, "sa", "");
if (createTables) { if (createTables) {
createTables(); createTables();
@@ -236,7 +236,7 @@ public class CveDB {
} catch (UnsupportedEncodingException ex) { } catch (UnsupportedEncodingException ex) {
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex); Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
} }
List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>(); final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
try { try {
selectCveFromSoftware.setString(1, cpe.getVendor()); selectCveFromSoftware.setString(1, cpe.getVendor());
@@ -244,7 +244,7 @@ public class CveDB {
selectCveFromSoftware.setString(3, cpe.getVersion()); selectCveFromSoftware.setString(3, cpe.getVersion());
rs = selectCveFromSoftware.executeQuery(); rs = selectCveFromSoftware.executeQuery();
while (rs.next()) { while (rs.next()) {
Vulnerability v = getVulnerability(rs.getString("cveid")); final Vulnerability v = getVulnerability(rs.getString("cveid"));
vulnerabilities.add(v); vulnerabilities.add(v);
} }
} catch (SQLException ex) { } catch (SQLException ex) {
@@ -261,6 +261,13 @@ public class CveDB {
return vulnerabilities; return vulnerabilities;
} }
/**
* Gets a vulnerability for the provided CVE.
*
* @param cve the CVE to lookup
* @return a vulnerability object
* @throws DatabaseException if an exception occurs
*/
private Vulnerability getVulnerability(String cve) throws DatabaseException { private Vulnerability getVulnerability(String cve) throws DatabaseException {
ResultSet rsV = null; ResultSet rsV = null;
ResultSet rsR = null; ResultSet rsR = null;
@@ -275,7 +282,7 @@ public class CveDB {
vuln.setDescription(rsV.getString(2)); vuln.setDescription(rsV.getString(2));
String cwe = rsV.getString(3); String cwe = rsV.getString(3);
if (cwe != null) { if (cwe != null) {
String name = CweDB.getCweName(cwe); final String name = CweDB.getCweName(cwe);
if (name != null) { if (name != null) {
cwe += " " + name; cwe += " " + name;
} }
@@ -297,8 +304,8 @@ public class CveDB {
selectSoftware.setString(1, cve); selectSoftware.setString(1, cve);
rsS = selectSoftware.executeQuery(); rsS = selectSoftware.executeQuery();
while (rsS.next()) { while (rsS.next()) {
String cpe = rsS.getString(1); final String cpe = rsS.getString(1);
String prevVers = rsS.getString(2); final String prevVers = rsS.getString(2);
if (prevVers == null) { if (prevVers == null) {
vuln.addVulnerableSoftware(cpe); vuln.addVulnerableSoftware(cpe);
} else { } else {
@@ -399,9 +406,9 @@ public class CveDB {
* @throws IOException is thrown if an IOException occurs of course... * @throws IOException is thrown if an IOException occurs of course...
*/ */
public static File getDataDirectory() throws IOException { public static File getDataDirectory() throws IOException {
String fileName = Settings.getString(Settings.KEYS.CVE_INDEX); final String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
String filePath = CveDB.class.getProtectionDomain().getCodeSource().getLocation().getPath(); final String filePath = CveDB.class.getProtectionDomain().getCodeSource().getLocation().getPath();
String decodedPath = URLDecoder.decode(filePath, "UTF-8"); final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath); File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) { if (exePath.getName().toLowerCase().endsWith(".jar")) {
@@ -450,7 +457,7 @@ public class CveDB {
/** /**
* Builds the CallableStatements used by the application. * Builds the CallableStatements used by the application.
* @throws DatabaseException * @throws DatabaseException thrown if there is a database exception
*/ */
private void buildStatements() throws DatabaseException { private void buildStatements() throws DatabaseException {
try { try {


@@ -24,9 +24,13 @@ package org.owasp.dependencycheck.data.nvdcve;
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
public class DatabaseException extends Exception { public class DatabaseException extends Exception {
/**
* the serial version uid.
*/
private static final long serialVersionUID = 1L;
/** /**
* Creates an DatabaseException * Creates an DatabaseException.
* *
* @param msg the exception message * @param msg the exception message
*/ */
@@ -35,7 +39,7 @@ public class DatabaseException extends Exception {
} }
/** /**
* Creates an DatabaseException * Creates an DatabaseException.
* *
* @param msg the exception message * @param msg the exception message
* @param ex the cause of the exception * @param ex the cause of the exception


@@ -45,7 +45,7 @@ public class NvdCveAnalyzer implements org.owasp.dependencycheck.analyzer.Analyz
/** /**
* The CVE Index. * The CVE Index.
*/ */
protected CveDB cveDB = null; private CveDB cveDB;
/** /**
* Opens the data source. * Opens the data source.
@@ -102,8 +102,8 @@ public class NvdCveAnalyzer implements org.owasp.dependencycheck.analyzer.Analyz
for (Identifier id : dependency.getIdentifiers()) { for (Identifier id : dependency.getIdentifiers()) {
if ("cpe".equals(id.getType())) { if ("cpe".equals(id.getType())) {
try { try {
String value = id.getValue(); final String value = id.getValue();
List<Vulnerability> vulns = cveDB.getVulnerabilities(value); final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
for (Vulnerability v : vulns) { for (Vulnerability v : vulns) {
dependency.addVulnerability(v); dependency.addVulnerability(v);
} }
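Review bot: Narrowing the field from `protected CveDB cveDB = null;` to `private CveDB cveDB;` is a source-incompatible change for any subclass of NvdCveAnalyzer that read the field directly, and the hunk adds no accessor in its place. If the class is meant to be extended, a `protected CveDB getCveDB()` would keep that possible; if not, declaring the class `final` would make the intent explicit. I cannot see any subclasses from here, so this may well be a non-issue. The `for (Identifier id : dependency.getIdentifiers())` loop at the end of the section continues outside the hunk.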


@@ -75,7 +75,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
*/ */
private static final String LAST_UPDATED_BASE = "lastupdated."; private static final String LAST_UPDATED_BASE = "lastupdated.";
/** /**
* The current version of the database * The current version of the database.
*/ */
public static final String DATABASE_VERSION = "2.2"; public static final String DATABASE_VERSION = "2.2";
@@ -87,7 +87,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
*/ */
public void update() throws UpdateException { public void update() throws UpdateException {
try { try {
Map<String, NvdCveUrl> update = updateNeeded(); final Map<String, NvdCveUrl> update = updateNeeded();
int maxUpdates = 0; int maxUpdates = 0;
for (NvdCveUrl cve : update.values()) { for (NvdCveUrl cve : update.values()) {
if (cve.getNeedsUpdate()) { if (cve.getNeedsUpdate()) {
@@ -164,6 +164,11 @@ public class DatabaseUpdater implements CachedWebDataSource {
* *
* @param file the file containing the NVD CVE XML * @param file the file containing the NVD CVE XML
* @param oldVersion contains the file containing the NVD CVE XML 1.2 * @param oldVersion contains the file containing the NVD CVE XML 1.2
* @throws ParserConfigurationException is thrown if there is a parserconfigurationexception
* @throws SAXException is thrown if there is a saxexception
* @throws IOException is thrown if there is a ioexception
* @throws SQLException is thrown if there is a sql exception
* @throws DatabaseException is thrown if there is a database exception
*/ */
private void importXML(File file, File oldVersion) private void importXML(File file, File oldVersion)
throws ParserConfigurationException, SAXException, IOException, SQLException, DatabaseException { throws ParserConfigurationException, SAXException, IOException, SQLException, DatabaseException {
@@ -177,12 +182,12 @@ public class DatabaseUpdater implements CachedWebDataSource {
cpeIndex = new Index(); cpeIndex = new Index();
cpeIndex.openIndexWriter(); cpeIndex.openIndexWriter();
SAXParserFactory factory = SAXParserFactory.newInstance(); final SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser(); final SAXParser saxParser = factory.newSAXParser();
NvdCve12Handler cve12Handler = new NvdCve12Handler(); NvdCve12Handler cve12Handler = new NvdCve12Handler();
saxParser.parse(oldVersion, cve12Handler); saxParser.parse(oldVersion, cve12Handler);
Map<String, List<VulnerableSoftware>> prevVersionVulnMap = cve12Handler.getVulnerabilities(); final Map<String, List<VulnerableSoftware>> prevVersionVulnMap = cve12Handler.getVulnerabilities();
cve12Handler = null; cve12Handler = null;
NvdCve20Handler cve20Handler = new NvdCve20Handler(); NvdCve20Handler cve20Handler = new NvdCve20Handler();
@@ -209,19 +214,19 @@ public class DatabaseUpdater implements CachedWebDataSource {
* Writes a properties file containing the last updated date to the * Writes a properties file containing the last updated date to the
* VULNERABLE_CPE directory. * VULNERABLE_CPE directory.
* *
* @param updated a map of the updated nvdcve. * @param updated a map of the updated nvdcve
* @throws UpdateException is thrown if there is an update exception
*/ */
private void writeLastUpdatedPropertyFile(Map<String, NvdCveUrl> updated) throws UpdateException { private void writeLastUpdatedPropertyFile(Map<String, NvdCveUrl> updated) throws UpdateException {
String dir; String dir;
try { try {
dir = CveDB.getDataDirectory().getCanonicalPath(); dir = CveDB.getDataDirectory().getCanonicalPath();
} catch (IOException ex) { } catch (IOException ex) {
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex); Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
throw new UpdateException("Unable to locate last updated properties file.", ex); throw new UpdateException("Unable to locate last updated properties file.", ex);
} }
File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE); final File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
Properties prop = new Properties(); final Properties prop = new Properties();
prop.put("version", DATABASE_VERSION); prop.put("version", DATABASE_VERSION);
for (NvdCveUrl cve : updated.values()) { for (NvdCveUrl cve : updated.values()) {
prop.put(LAST_UPDATED_BASE + cve.id, String.valueOf(cve.getTimestamp())); prop.put(LAST_UPDATED_BASE + cve.id, String.valueOf(cve.getTimestamp()));
@@ -288,11 +293,11 @@ public class DatabaseUpdater implements CachedWebDataSource {
throw new UpdateException("Unable to locate last updated properties file.", ex); throw new UpdateException("Unable to locate last updated properties file.", ex);
} }
File f = new File(dir); final File f = new File(dir);
if (f.exists()) { if (f.exists()) {
File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE); final File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
if (cveProp.exists()) { if (cveProp.exists()) {
Properties prop = new Properties(); final Properties prop = new Properties();
InputStream is = null; InputStream is = null;
try { try {
is = new FileInputStream(cveProp); is = new FileInputStream(cveProp);
@@ -306,7 +311,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} else { } else {
try { try {
version = Float.parseFloat(prop.getProperty("version")); version = Float.parseFloat(prop.getProperty("version"));
float currentVersion = Float.parseFloat(DATABASE_VERSION); final float currentVersion = Float.parseFloat(DATABASE_VERSION);
if (currentVersion > version) { if (currentVersion > version) {
deleteAndRecreate = true; deleteAndRecreate = true;
} }
@@ -321,16 +326,16 @@ public class DatabaseUpdater implements CachedWebDataSource {
FileUtils.delete(f); FileUtils.delete(f);
//this importer also updates the CPE index and it is also using an old version //this importer also updates the CPE index and it is also using an old version
org.owasp.dependencycheck.data.cpe.Index cpeid = new org.owasp.dependencycheck.data.cpe.Index(); final org.owasp.dependencycheck.data.cpe.Index cpeid = new org.owasp.dependencycheck.data.cpe.Index();
File cpeDir = cpeid.getDataDirectory(); final File cpeDir = cpeid.getDataDirectory();
FileUtils.delete(cpeDir); FileUtils.delete(cpeDir);
return currentlyPublished; return currentlyPublished;
} }
long lastUpdated = Long.parseLong(prop.getProperty(LAST_UPDATED_MODIFIED)); final long lastUpdated = Long.parseLong(prop.getProperty(LAST_UPDATED_MODIFIED));
Date now = new Date(); final Date now = new Date();
int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS); final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS);
int maxEntries = Settings.getInt(Settings.KEYS.CVE_URL_COUNT); final int maxEntries = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
if (lastUpdated == currentlyPublished.get("modified").timestamp) { if (lastUpdated == currentlyPublished.get("modified").timestamp) {
currentlyPublished.clear(); //we don't need to update anything. currentlyPublished.clear(); //we don't need to update anything.
} else if (withinRange(lastUpdated, now.getTime(), days)) { } else if (withinRange(lastUpdated, now.getTime(), days)) {
@@ -341,7 +346,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} else { //we figure out which of the several XML files need to be downloaded. } else { //we figure out which of the several XML files need to be downloaded.
currentlyPublished.get("modified").setNeedsUpdate(false); currentlyPublished.get("modified").setNeedsUpdate(false);
for (int i = 1; i <= maxEntries; i++) { for (int i = 1; i <= maxEntries; i++) {
NvdCveUrl cve = currentlyPublished.get(String.valueOf(i)); final NvdCveUrl cve = currentlyPublished.get(String.valueOf(i));
long currentTimestamp = 0; long currentTimestamp = 0;
try { try {
currentTimestamp = Long.parseLong(prop.getProperty(LAST_UPDATED_BASE + String.valueOf(i), "0")); currentTimestamp = Long.parseLong(prop.getProperty(LAST_UPDATED_BASE + String.valueOf(i), "0"));
@@ -386,7 +391,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
* @return whether or not the date is within the range. * @return whether or not the date is within the range.
*/ */
private boolean withinRange(long date, long compareTo, int range) { private boolean withinRange(long date, long compareTo, int range) {
double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0; final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
return differenceInDays < range; return differenceInDays < range;
} }
@@ -405,7 +410,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
protected Map<String, NvdCveUrl> retrieveCurrentTimestampsFromWeb() protected Map<String, NvdCveUrl> retrieveCurrentTimestampsFromWeb()
throws MalformedURLException, DownloadFailedException, InvalidDataException, InvalidSettingException { throws MalformedURLException, DownloadFailedException, InvalidDataException, InvalidSettingException {
Map<String, NvdCveUrl> map = new HashMap<String, NvdCveUrl>(); final Map<String, NvdCveUrl> map = new HashMap<String, NvdCveUrl>();
String retrieveUrl = Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL); String retrieveUrl = Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL);
NvdCveUrl item = new NvdCveUrl(); NvdCveUrl item = new NvdCveUrl();
@@ -417,7 +422,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
item.timestamp = Downloader.getLastModified(new URL(retrieveUrl)); item.timestamp = Downloader.getLastModified(new URL(retrieveUrl));
map.put("modified", item); map.put("modified", item);
int max = Settings.getInt(Settings.KEYS.CVE_URL_COUNT); final int max = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
for (int i = 1; i <= max; i++) { for (int i = 1; i <= max; i++) {
retrieveUrl = Settings.getString(Settings.KEYS.CVE_BASE_URL + Settings.KEYS.CVE_SCHEMA_2_0 + i); retrieveUrl = Settings.getString(Settings.KEYS.CVE_BASE_URL + Settings.KEYS.CVE_SCHEMA_2_0 + i);
item = new NvdCveUrl(); item = new NvdCveUrl();
@@ -442,7 +447,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private String id; private String id;
/** /**
* Get the value of id * Get the value of id.
* *
* @return the value of id * @return the value of id
*/ */
@@ -451,7 +456,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} }
/** /**
* Set the value of id * Set the value of id.
* *
* @param id new value of id * @param id new value of id
*/ */
@@ -464,7 +469,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private String url; private String url;
/** /**
* Get the value of url * Get the value of url.
* *
* @return the value of url * @return the value of url
*/ */
@@ -473,7 +478,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} }
/** /**
* Set the value of url * Set the value of url.
* *
* @param url new value of url * @param url new value of url
*/ */
@@ -481,12 +486,12 @@ public class DatabaseUpdater implements CachedWebDataSource {
this.url = url; this.url = url;
} }
/** /**
* The 1.2 schema URL * The 1.2 schema URL.
*/ */
protected String oldSchemaVersionUrl; private String oldSchemaVersionUrl;
/** /**
* Get the value of oldSchemaVersionUrl * Get the value of oldSchemaVersionUrl.
* *
* @return the value of oldSchemaVersionUrl * @return the value of oldSchemaVersionUrl
*/ */
@@ -495,7 +500,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} }
/** /**
* Set the value of oldSchemaVersionUrl * Set the value of oldSchemaVersionUrl.
* *
* @param oldSchemaVersionUrl new value of oldSchemaVersionUrl * @param oldSchemaVersionUrl new value of oldSchemaVersionUrl
*/ */
@@ -510,7 +515,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private long timestamp; private long timestamp;
/** /**
* Get the value of timestamp - epoch time * Get the value of timestamp - epoch time.
* *
* @return the value of timestamp - epoch time * @return the value of timestamp - epoch time
*/ */
@@ -519,7 +524,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} }
/** /**
* Set the value of timestamp - epoch time * Set the value of timestamp - epoch time.
* *
* @param timestamp new value of timestamp - epoch time * @param timestamp new value of timestamp - epoch time
*/ */
@@ -532,7 +537,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private boolean needsUpdate = true; private boolean needsUpdate = true;
/** /**
* Get the value of needsUpdate * Get the value of needsUpdate.
* *
* @return the value of needsUpdate * @return the value of needsUpdate
*/ */
@@ -541,7 +546,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} }
/** /**
* Set the value of needsUpdate * Set the value of needsUpdate.
* *
* @param needsUpdate new value of needsUpdate * @param needsUpdate new value of needsUpdate
*/ */
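Review bot: The parser built in importXML at `final SAXParserFactory factory = SAXParserFactory.newInstance();` and `final SAXParser saxParser = factory.newSAXParser();` is left in its default configuration, so DTD processing and external entity resolution remain enabled when it parses the NVD feed files (`saxParser.parse(oldVersion, cve12Handler)`); the commit only makes the locals final. Those files appear to be fetched from the URLs read from Settings in retrieveCurrentTimestampsFromWeb, so a substituted or tampered feed could trigger external entity resolution (XXE) or entity-expansion memory exhaustion. Before the `newSAXParser()` call I would add `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` — the exceptions these can throw are SAXException subtypes, which importXML already declares. The body of importXML continues outside the hunk, so I cannot tell whether the 2.0 parse reuses the same factory.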


@@ -25,10 +25,13 @@ package org.owasp.dependencycheck.data.nvdcve.xml;
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
public class InvalidDataException extends Exception { public class InvalidDataException extends Exception {
/**
* the serial version uid.
*/
private static final long serialVersionUID = 1L; private static final long serialVersionUID = 1L;
/** /**
* Creates an InvalidDataException * Creates an InvalidDataException.
* *
* @param msg the exception message * @param msg the exception message
*/ */
@@ -37,7 +40,7 @@ public class InvalidDataException extends Exception {
} }
/** /**
* Creates an InvalidDataException * Creates an InvalidDataException.
* *
* @param msg the exception message * @param msg the exception message
* @param ex the cause of the exception * @param ex the cause of the exception


@@ -38,18 +38,45 @@ import org.xml.sax.helpers.DefaultHandler;
*/ */
public class NvdCve12Handler extends DefaultHandler { public class NvdCve12Handler extends DefaultHandler {
/**
* the supported schema version.
*/
private static final String CURRENT_SCHEMA_VERSION = "1.2"; private static final String CURRENT_SCHEMA_VERSION = "1.2";
private String vulnerability = null; /**
private List<VulnerableSoftware> software = null; * the current vulnerability.
private String vendor = null; */
private String product = null; private String vulnerability;
/**
* a list of vulnerable software.
*/
private List<VulnerableSoftware> software;
/**
* the vendor name.
*/
private String vendor;
/**
* the product name.
*/
private String product;
/**
* if the nvd cve should be skipped because it was rejected.
*/
private boolean skip = false; private boolean skip = false;
/**
* flag indicating if there is a previous version.
*/
private boolean hasPreviousVersion = false; private boolean hasPreviousVersion = false;
/**
* The current element.
*/
private Element current = new Element(); private Element current = new Element();
private Map<String, List<VulnerableSoftware>> vulnerabilities = null; /**
* a map of vulnerabilities.
*/
private Map<String, List<VulnerableSoftware>> vulnerabilities;
/** /**
* Get the value of vulnerabilities * Get the value of vulnerabilities.
* *
* @return the value of vulnerabilities * @return the value of vulnerabilities
*/ */
@@ -64,8 +91,8 @@ public class NvdCve12Handler extends DefaultHandler {
vendor = null; vendor = null;
product = null; product = null;
hasPreviousVersion = false; hasPreviousVersion = false;
String reject = attributes.getValue("reject"); final String reject = attributes.getValue("reject");
skip = (reject != null && reject.equals("1")); skip = "1".equals(reject);
if (!skip) { if (!skip) {
vulnerability = attributes.getValue("name"); vulnerability = attributes.getValue("name");
software = new ArrayList<VulnerableSoftware>(); software = new ArrayList<VulnerableSoftware>();
@@ -78,11 +105,11 @@ public class NvdCve12Handler extends DefaultHandler {
vendor = attributes.getValue("vendor"); vendor = attributes.getValue("vendor");
product = attributes.getValue("name"); product = attributes.getValue("name");
} else if (!skip && current.isVersNode()) { } else if (!skip && current.isVersNode()) {
String prev = attributes.getValue("prev"); final String prev = attributes.getValue("prev");
if (prev != null && "1".equals(prev)) { if (prev != null && "1".equals(prev)) {
hasPreviousVersion = true; hasPreviousVersion = true;
String edition = attributes.getValue("edition"); final String edition = attributes.getValue("edition");
String num = attributes.getValue("num"); final String num = attributes.getValue("num");
/*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our /*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our
purposes this is good enough as we won't use this if we don't find a corresponding "a" purposes this is good enough as we won't use this if we don't find a corresponding "a"
@@ -94,13 +121,13 @@ public class NvdCve12Handler extends DefaultHandler {
if (edition != null) { if (edition != null) {
cpe += ":" + edition; cpe += ":" + edition;
} }
VulnerableSoftware vs = new VulnerableSoftware(); final VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe(cpe); vs.setCpe(cpe);
vs.setPreviousVersion(prev); vs.setPreviousVersion(prev);
software.add(vs); software.add(vs);
} }
} else if (current.isNVDNode()) { } else if (current.isNVDNode()) {
String nvdVer = attributes.getValue("nvd_xml_version"); final String nvdVer = attributes.getValue("nvd_xml_version");
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) { if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported"); throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
} }
@@ -128,29 +155,32 @@ public class NvdCve12Handler extends DefaultHandler {
protected static class Element { protected static class Element {
/** /**
* A node type in the NVD CVE Schema 1.2 * A node type in the NVD CVE Schema 1.2.
*/ */
public static final String NVD = "nvd"; public static final String NVD = "nvd";
/** /**
* A node type in the NVD CVE Schema 1.2 * A node type in the NVD CVE Schema 1.2.
*/ */
public static final String ENTRY = "entry"; public static final String ENTRY = "entry";
/** /**
* A node type in the NVD CVE Schema 1.2 * A node type in the NVD CVE Schema 1.2.
*/ */
public static final String VULN_SOFTWARE = "vuln_soft"; public static final String VULN_SOFTWARE = "vuln_soft";
/** /**
* A node type in the NVD CVE Schema 1.2 * A node type in the NVD CVE Schema 1.2.
*/ */
public static final String PROD = "prod"; public static final String PROD = "prod";
/** /**
* A node type in the NVD CVE Schema 1.2 * A node type in the NVD CVE Schema 1.2.
*/ */
public static final String VERS = "vers"; public static final String VERS = "vers";
private String node = null; /**
* The name of the current node.
*/
private String node;
/** /**
* Gets the value of node * Gets the value of node.
* *
* @return the value of node * @return the value of node
*/ */
@@ -159,7 +189,7 @@ public class NvdCve12Handler extends DefaultHandler {
} }
/** /**
* Sets the value of node * Sets the value of node.
* *
* @param node new value of node * @param node new value of node
*/ */
@@ -168,7 +198,7 @@ public class NvdCve12Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the NVD node * Checks if the handler is at the NVD node.
* *
* @return true or false * @return true or false
*/ */
@@ -177,7 +207,7 @@ public class NvdCve12Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the ENTRY node * Checks if the handler is at the ENTRY node.
* *
* @return true or false * @return true or false
*/ */
@@ -186,7 +216,7 @@ public class NvdCve12Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the VULN_SOFTWARE node * Checks if the handler is at the VULN_SOFTWARE node.
* *
* @return true or false * @return true or false
*/ */
@@ -195,7 +225,7 @@ public class NvdCve12Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the PROD node * Checks if the handler is at the PROD node.
* *
* @return true or false * @return true or false
*/ */
@@ -204,7 +234,7 @@ public class NvdCve12Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the VERS node * Checks if the handler is at the VERS node.
* *
* @return true or false * @return true or false
*/ */
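Review bot: The check `if (prev != null && "1".equals(prev)) {` in startElement keeps a redundant null guard, while the same commit simplified the parallel `reject` test a few lines earlier to `skip = "1".equals(reject);`; since `"1".equals(null)` is already false, `if ("1".equals(prev)) {` is equivalent and consistent with that change. The new field Javadoc reads "if the nvd cve should be skipped because it was rejected", which matches the `reject` attribute handling, so no further doc change is needed there. startElement begins before the hunk's first line.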


@@ -42,12 +42,30 @@ import org.xml.sax.helpers.DefaultHandler;
*/ */
public class NvdCve20Handler extends DefaultHandler { public class NvdCve20Handler extends DefaultHandler {
/**
* the current supported schema version.
*/
private static final String CURRENT_SCHEMA_VERSION = "2.0"; private static final String CURRENT_SCHEMA_VERSION = "2.0";
/**
* the current element.
*/
private Element current = new Element(); private Element current = new Element();
StringBuilder nodeText = null; /**
Vulnerability vulnerability = null; * the text of the node.
Reference reference = null; */
boolean hasApplicationCpe = false; private StringBuilder nodeText;
/**
* the vulnerability.
*/
private Vulnerability vulnerability;
/**
* a reference for the cve.
*/
private Reference reference;
/**
* flag indicating whether the application has a cpe.
*/
private boolean hasApplicationCpe = false;
@Override @Override
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException { public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
@@ -59,7 +77,7 @@ public class NvdCve20Handler extends DefaultHandler {
} else if (current.isVulnProductNode()) { } else if (current.isVulnProductNode()) {
nodeText = new StringBuilder(100); nodeText = new StringBuilder(100);
} else if (current.isVulnReferencesNode()) { } else if (current.isVulnReferencesNode()) {
String lang = attributes.getValue("xml:lang"); final String lang = attributes.getValue("xml:lang");
if ("en".equals(lang)) { if ("en".equals(lang)) {
reference = new Reference(); reference = new Reference();
} else { } else {
@@ -73,7 +91,7 @@ public class NvdCve20Handler extends DefaultHandler {
} else if (current.isVulnSummaryNode()) { } else if (current.isVulnSummaryNode()) {
nodeText = new StringBuilder(500); nodeText = new StringBuilder(500);
} else if (current.isNVDNode()) { } else if (current.isNVDNode()) {
String nvdVer = attributes.getValue("nvd_xml_version"); final String nvdVer = attributes.getValue("nvd_xml_version");
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) { if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported"); throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
} }
@@ -121,7 +139,7 @@ public class NvdCve20Handler extends DefaultHandler {
vulnerability = null; vulnerability = null;
} else if (current.isCVSSScoreNode()) { } else if (current.isCVSSScoreNode()) {
try { try {
float score = Float.parseFloat(nodeText.toString()); final float score = Float.parseFloat(nodeText.toString());
vulnerability.setCvssScore(score); vulnerability.setCvssScore(score);
} catch (NumberFormatException ex) { } catch (NumberFormatException ex) {
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex); Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex);
@@ -146,7 +164,7 @@ public class NvdCve20Handler extends DefaultHandler {
vulnerability.setCvssIntegrityImpact(nodeText.toString()); vulnerability.setCvssIntegrityImpact(nodeText.toString());
nodeText = null; nodeText = null;
} else if (current.isVulnProductNode()) { } else if (current.isVulnProductNode()) {
String cpe = nodeText.toString(); final String cpe = nodeText.toString();
if (cpe.startsWith("cpe:/a:")) { if (cpe.startsWith("cpe:/a:")) {
hasApplicationCpe = true; hasApplicationCpe = true;
vulnerability.addVulnerableSoftware(cpe); vulnerability.addVulnerableSoftware(cpe);
@@ -166,10 +184,14 @@ public class NvdCve20Handler extends DefaultHandler {
nodeText = null; nodeText = null;
} }
} }
private CveDB cveDB = null; /**
* the cve database.
*/
private CveDB cveDB;
/** /**
* Sets the cveDB * Sets the cveDB.
*
* @param db a reference to the CveDB * @param db a reference to the CveDB
*/ */
public void setCveDB(CveDB db) { public void setCveDB(CveDB db) {
@@ -179,7 +201,7 @@ public class NvdCve20Handler extends DefaultHandler {
* A list of CVE entries and associated VulnerableSoftware entries that contain * A list of CVE entries and associated VulnerableSoftware entries that contain
* previous entries. * previous entries.
*/ */
private Map<String, List<VulnerableSoftware>> prevVersionVulnMap = null; private Map<String, List<VulnerableSoftware>> prevVersionVulnMap;
/** /**
* Sets the prevVersionVulnMap. * Sets the prevVersionVulnMap.
@@ -202,9 +224,9 @@ public class NvdCve20Handler extends DefaultHandler {
if (cveDB == null) { if (cveDB == null) {
return; return;
} }
String cveName = vuln.getName(); final String cveName = vuln.getName();
if (prevVersionVulnMap.containsKey(cveName)) { if (prevVersionVulnMap.containsKey(cveName)) {
List<VulnerableSoftware> vulnSoftware = prevVersionVulnMap.get(cveName); final List<VulnerableSoftware> vulnSoftware = prevVersionVulnMap.get(cveName);
for (VulnerableSoftware vs : vulnSoftware) { for (VulnerableSoftware vs : vulnSoftware) {
vuln.updateVulnerableSoftware(vs); vuln.updateVulnerableSoftware(vs);
} }
@@ -216,10 +238,14 @@ public class NvdCve20Handler extends DefaultHandler {
} }
cveDB.updateVulnerability(vuln); cveDB.updateVulnerability(vuln);
} }
private Index cpeIndex = null; /**
* the cpe index.
*/
private Index cpeIndex;
/** /**
* Sets the cpe index * Sets the cpe index.
*
* @param index the CPE Lucene Index * @param index the CPE Lucene Index
*/ */
void setCpeIndex(Index index) { void setCpeIndex(Index index) {
@@ -261,7 +287,6 @@ public class NvdCve20Handler extends DefaultHandler {
* A node type in the NVD CVE Schema 2.0 * A node type in the NVD CVE Schema 2.0
*/ */
public static final String VULN_SUMMARY = "vuln:summary"; public static final String VULN_SUMMARY = "vuln:summary";
/** /**
* A node type in the NVD CVE Schema 2.0 * A node type in the NVD CVE Schema 2.0
*/ */
@@ -295,10 +320,13 @@ public class NvdCve20Handler extends DefaultHandler {
*/ */
public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact"; public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact";
private String node = null; /**
* The current node.
*/
private String node;
/** /**
* Gets the value of node * Gets the value of node.
* *
* @return the value of node * @return the value of node
*/ */
@@ -307,7 +335,7 @@ public class NvdCve20Handler extends DefaultHandler {
} }
/** /**
* Sets the value of node * Sets the value of node.
* *
* @param node new value of node * @param node new value of node
*/ */
@@ -316,7 +344,7 @@ public class NvdCve20Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the NVD node * Checks if the handler is at the NVD node.
* *
* @return true or false * @return true or false
*/ */
@@ -325,7 +353,7 @@ public class NvdCve20Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the ENTRY node * Checks if the handler is at the ENTRY node.
* *
* @return true or false * @return true or false
*/ */
@@ -334,7 +362,7 @@ public class NvdCve20Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the VULN_PRODUCT node * Checks if the handler is at the VULN_PRODUCT node.
* *
* @return true or false * @return true or false
*/ */
@@ -343,7 +371,7 @@ public class NvdCve20Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the REFERENCES node * Checks if the handler is at the REFERENCES node.
* *
* @return true or false * @return true or false
*/ */
@@ -352,7 +380,7 @@ public class NvdCve20Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the REFERENCE node * Checks if the handler is at the REFERENCE node.
* *
* @return true or false * @return true or false
*/ */
@@ -361,7 +389,7 @@ public class NvdCve20Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the VULN_SOURCE node * Checks if the handler is at the VULN_SOURCE node.
* *
* @return true or false * @return true or false
*/ */
@@ -370,7 +398,7 @@ public class NvdCve20Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the VULN_SUMMARY node * Checks if the handler is at the VULN_SUMMARY node.
* *
* @return true or false * @return true or false
*/ */
@@ -379,7 +407,7 @@ public class NvdCve20Handler extends DefaultHandler {
} }
/** /**
* Checks if the handler is at the VULN_CWE node * Checks if the handler is at the VULN_CWE node.
* *
* @return true or false * @return true or false
*/ */
@@ -387,7 +415,7 @@ public class NvdCve20Handler extends DefaultHandler {
return VULN_CWE.equals(node); return VULN_CWE.equals(node);
} }
/** /**
* Checks if the handler is at the CVSS_SCORE node * Checks if the handler is at the CVSS_SCORE node.
* *
* @return true or false * @return true or false
*/ */
@@ -395,7 +423,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_SCORE.equals(node); return CVSS_SCORE.equals(node);
} }
/** /**
* Checks if the handler is at the CVSS_ACCESS_VECTOR node * Checks if the handler is at the CVSS_ACCESS_VECTOR node.
* *
* @return true or false * @return true or false
*/ */
@@ -403,7 +431,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_ACCESS_VECTOR.equals(node); return CVSS_ACCESS_VECTOR.equals(node);
} }
/** /**
* Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node * Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node.
* *
* @return true or false * @return true or false
*/ */
@@ -411,7 +439,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_ACCESS_COMPLEXITY.equals(node); return CVSS_ACCESS_COMPLEXITY.equals(node);
} }
/** /**
* Checks if the handler is at the CVSS_AUTHENTICATION node * Checks if the handler is at the CVSS_AUTHENTICATION node.
* *
* @return true or false * @return true or false
*/ */
@@ -419,7 +447,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_AUTHENTICATION.equals(node); return CVSS_AUTHENTICATION.equals(node);
} }
/** /**
* Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node * Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node.
* *
* @return true or false * @return true or false
*/ */
@@ -427,7 +455,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_CONFIDENTIALITY_IMPACT.equals(node); return CVSS_CONFIDENTIALITY_IMPACT.equals(node);
} }
/** /**
* Checks if the handler is at the CVSS_INTEGRITY_IMPACT node * Checks if the handler is at the CVSS_INTEGRITY_IMPACT node.
* *
* @return true or false * @return true or false
*/ */
@@ -435,7 +463,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_INTEGRITY_IMPACT.equals(node); return CVSS_INTEGRITY_IMPACT.equals(node);
} }
/** /**
* Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node * Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node.
* *
* @return true or false * @return true or false
*/ */


@@ -44,43 +44,43 @@ public class Dependency {
/** /**
* The actual file path of the dependency on disk. * The actual file path of the dependency on disk.
*/ */
private String actualFilePath = null; private String actualFilePath;
/** /**
* The file path to display. * The file path to display.
*/ */
private String filePath = null; private String filePath;
/** /**
* The file name of the dependency. * The file name of the dependency.
*/ */
private String fileName = null; private String fileName;
/** /**
* The file extension of the dependency. * The file extension of the dependency.
*/ */
private String fileExtension = null; private String fileExtension;
/** /**
* The md5 hash of the dependency. * The md5 hash of the dependency.
*/ */
private String md5sum = null; private String md5sum;
/** /**
* The SHA1 hash of the dependency. * The SHA1 hash of the dependency.
*/ */
private String sha1sum = null; private String sha1sum;
/** /**
* A list of Identifiers. * A list of Identifiers.
*/ */
private List<Identifier> identifiers = null; private List<Identifier> identifiers;
/** /**
* A collection of vendor evidence. * A collection of vendor evidence.
*/ */
protected EvidenceCollection vendorEvidence = null; private EvidenceCollection vendorEvidence;
/** /**
* A collection of product evidence. * A collection of product evidence.
*/ */
protected EvidenceCollection productEvidence = null; private EvidenceCollection productEvidence;
/** /**
* A collection of version evidence. * A collection of version evidence.
*/ */
protected EvidenceCollection versionEvidence = null; private EvidenceCollection versionEvidence;
/** /**
* Constructs a new Dependency object. * Constructs a new Dependency object.
@@ -244,7 +244,7 @@ public class Dependency {
* @param url the URL of the identifier. * @param url the URL of the identifier.
*/ */
public void addIdentifier(String type, String value, String url) { public void addIdentifier(String type, String value, String url) {
Identifier i = new Identifier(type, value, url); final Identifier i = new Identifier(type, value, url);
this.identifiers.add(i); this.identifiers.add(i);
} }
@@ -295,10 +295,10 @@ public class Dependency {
/** /**
* A list of exceptions that occurred during analysis of this dependency. * A list of exceptions that occurred during analysis of this dependency.
*/ */
protected List<Exception> analysisExceptions = new ArrayList<Exception>(); private List<Exception> analysisExceptions = new ArrayList<Exception>();
/** /**
* Get the value of analysisExceptions * Get the value of analysisExceptions.
* *
* @return the value of analysisExceptions * @return the value of analysisExceptions
*/ */
@@ -307,7 +307,7 @@ public class Dependency {
} }
/** /**
* Set the value of analysisExceptions * Set the value of analysisExceptions.
* *
* @param analysisExceptions new value of analysisExceptions * @param analysisExceptions new value of analysisExceptions
*/ */
@@ -326,10 +326,10 @@ public class Dependency {
/** /**
* The description of the JAR file. * The description of the JAR file.
*/ */
protected String description; private String description;
/** /**
* Get the value of description * Get the value of description.
* *
* @return the value of description * @return the value of description
*/ */
@@ -338,7 +338,7 @@ public class Dependency {
} }
/** /**
* Set the value of description * Set the value of description.
* *
* @param description new value of description * @param description new value of description
*/ */
@@ -351,7 +351,7 @@ public class Dependency {
private String license; private String license;
/** /**
* Get the value of license * Get the value of license.
* *
* @return the value of license * @return the value of license
*/ */
@@ -360,7 +360,7 @@ public class Dependency {
} }
/** /**
* Set the value of license * Set the value of license.
* *
* @param license new value of license * @param license new value of license
*/ */
@@ -392,12 +392,12 @@ public class Dependency {
return false; return false;
} }
/** /**
* A list of vulnerabilities for this dependency * A list of vulnerabilities for this dependency.
*/ */
private SortedSet<Vulnerability> vulnerabilities; private SortedSet<Vulnerability> vulnerabilities;
/** /**
* Get the list of vulnerabilities * Get the list of vulnerabilities.
* *
* @return the list of vulnerabilities * @return the list of vulnerabilities
*/ */
@@ -406,7 +406,7 @@ public class Dependency {
} }
/** /**
* Set the value of vulnerabilities * Set the value of vulnerabilities.
* *
* @param vulnerabilities new value of vulnerabilities * @param vulnerabilities new value of vulnerabilities
*/ */
@@ -414,6 +414,11 @@ public class Dependency {
this.vulnerabilities = vulnerabilities; this.vulnerabilities = vulnerabilities;
} }
/**
* Determines the sha1 and md5 sum for the given file.
*
* @param file the file to create checksums for
*/
private void determineHashes(File file) { private void determineHashes(File file) {
String md5 = null; String md5 = null;
String sha1 = null; String sha1 = null;
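Review bot: `addIdentifier` (hunk at line 244) calls `this.identifiers.add(i)` on a field that, after the change in the first hunk, is declared with no initializer; unless the constructor, which lies outside these hunks, always assigns it, the first call throws NullPointerException. A guard such as `if (this.identifiers == null) { this.identifiers = new ArrayList<Identifier>(); }` before the add would make the method safe regardless of construction order. The new Javadoc on `determineHashes` could also state that it populates `md5sum` and `sha1sum` and what those fields hold when the file cannot be read; the method body continues past the hunk, so I could not confirm the failure behaviour.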


@@ -67,10 +67,10 @@ public class Evidence {
/** /**
* The name of the evidence. * The name of the evidence.
*/ */
protected String name; private String name;
/** /**
* Get the value of name * Get the value of name.
* *
* @return the value of name * @return the value of name
*/ */
@@ -79,7 +79,7 @@ public class Evidence {
} }
/** /**
* Set the value of name * Set the value of name.
* *
* @param name new value of name * @param name new value of name
*/ */
@@ -89,10 +89,10 @@ public class Evidence {
/** /**
* The source of the evidence. * The source of the evidence.
*/ */
protected String source; private String source;
/** /**
* Get the value of source * Get the value of source.
* *
* @return the value of source * @return the value of source
*/ */
@@ -101,7 +101,7 @@ public class Evidence {
} }
/** /**
* Set the value of source * Set the value of source.
* *
* @param source new value of source * @param source new value of source
*/ */
@@ -111,10 +111,10 @@ public class Evidence {
/** /**
* The value of the evidence. * The value of the evidence.
*/ */
protected String value; private String value;
/** /**
* Get the value of value * Get the value of value.
* *
* @return the value of value * @return the value of value
*/ */
@@ -124,7 +124,7 @@ public class Evidence {
} }
/** /**
* Set the value of value * Set the value of value.
* *
* @param value new value of value * @param value new value of value
*/ */
@@ -134,10 +134,10 @@ public class Evidence {
/** /**
* A value indicating if the Evidence has been "used" (aka read). * A value indicating if the Evidence has been "used" (aka read).
*/ */
protected boolean used; private boolean used;
/** /**
* Get the value of used * Get the value of used.
* *
* @return the value of used * @return the value of used
*/ */
@@ -146,7 +146,7 @@ public class Evidence {
} }
/** /**
* Set the value of used * Set the value of used.
* *
* @param used new value of used * @param used new value of used
*/ */
@@ -156,10 +156,10 @@ public class Evidence {
/** /**
* The confidence level for the evidence. * The confidence level for the evidence.
*/ */
protected Confidence confidence; private Confidence confidence;
/** /**
* Get the value of confidence * Get the value of confidence.
* *
* @return the value of confidence * @return the value of confidence
*/ */
@@ -168,7 +168,7 @@ public class Evidence {
} }
/** /**
* Set the value of confidence * Set the value of confidence.
* *
* @param confidence new value of confidence * @param confidence new value of confidence
*/ */
@@ -205,7 +205,7 @@ public class Evidence {
if (!(that instanceof Evidence)) { if (!(that instanceof Evidence)) {
return false; return false;
} }
Evidence e = (Evidence) that; final Evidence e = (Evidence) that;
return testEquality(name, e.name) && testEquality(source, e.source) && testEquality(value, e.value) return testEquality(name, e.name) && testEquality(source, e.source) && testEquality(value, e.value)
&& (confidence == null ? e.confidence == null : confidence == e.confidence); && (confidence == null ? e.confidence == null : confidence == e.confidence);
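Review bot: The `equals` body in the last hunk compares name, source, value and confidence but deliberately or not leaves `used` out of identity; if that is the intent, a one-line comment above the return would save the next reader a trip to `hashCode`, e.g. `// "used" is read-state, not identity; hashCode must stay consistent with this`. The enclosing method starts before the hunk and `hashCode` is outside it, so I could not confirm the two agree. Note also that with the fields now private, any remaining same-package access such as `e.used` or `e.value` elsewhere must go through the accessors, as `EvidenceCollection` was changed to do.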


@@ -52,7 +52,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
return evidence.getConfidence() == Evidence.Confidence.MEDIUM; return evidence.getConfidence() == Evidence.Confidence.MEDIUM;
} }
}; };
/* /**
* Used to iterate over low confidence evidence contained in the collection. * Used to iterate over low confidence evidence contained in the collection.
*/ */
private static final Filter<Evidence> LOW_CONFIDENCE = private static final Filter<Evidence> LOW_CONFIDENCE =
@@ -90,8 +90,14 @@ public class EvidenceCollection implements Iterable<Evidence> {
return EvidenceCollection.LOW_CONFIDENCE.filter(this.list); return EvidenceCollection.LOW_CONFIDENCE.filter(this.list);
} }
} }
private Set<Evidence> list = null; /**
private Set<String> weightedStrings = null; * A collection of evidence.
*/
private Set<Evidence> list;
/**
* A collection of strings used to adjust lucene's term weighting.
*/
private Set<String> weightedStrings;
/** /**
* Creates a new EvidenceCollection. * Creates a new EvidenceCollection.
@@ -120,7 +126,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
* @param confidence the confidence of the Evidence. * @param confidence the confidence of the Evidence.
*/ */
public void addEvidence(String source, String name, String value, Evidence.Confidence confidence) { public void addEvidence(String source, String name, String value, Evidence.Confidence confidence) {
Evidence e = new Evidence(source, name, value, confidence); final Evidence e = new Evidence(source, name, value, confidence);
addEvidence(e); addEvidence(e);
} }
@@ -181,10 +187,10 @@ public class EvidenceCollection implements Iterable<Evidence> {
if (text == null) { if (text == null) {
return false; return false;
} }
text = text.toLowerCase(); final String textToTest = text.toLowerCase();
for (Evidence e : this.list) { for (Evidence e : this.list) {
if (e.used && e.value.toLowerCase().contains(text)) { if (e.isUsed() && e.getValue().toLowerCase().contains(textToTest)) {
return true; return true;
} }
} }
@@ -200,7 +206,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
*/ */
public boolean contains(Evidence.Confidence confidence) { public boolean contains(Evidence.Confidence confidence) {
for (Evidence e : list) { for (Evidence e : list) {
if (e.confidence == confidence) { if (e.getConfidence().equals(confidence)) {
return true; return true;
} }
} }
@@ -215,7 +221,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
* @return a new EvidenceCollection containing the used evidence. * @return a new EvidenceCollection containing the used evidence.
*/ */
public static EvidenceCollection mergeUsed(EvidenceCollection... ec) { public static EvidenceCollection mergeUsed(EvidenceCollection... ec) {
EvidenceCollection ret = new EvidenceCollection(); final EvidenceCollection ret = new EvidenceCollection();
for (EvidenceCollection col : ec) { for (EvidenceCollection col : ec) {
for (Evidence e : col.list) { for (Evidence e : col.list) {
if (e.isUsed()) { if (e.isUsed()) {
@@ -233,7 +239,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
* @return a new EvidenceCollection. * @return a new EvidenceCollection.
*/ */
public static EvidenceCollection merge(EvidenceCollection... ec) { public static EvidenceCollection merge(EvidenceCollection... ec) {
EvidenceCollection ret = new EvidenceCollection(); final EvidenceCollection ret = new EvidenceCollection();
for (EvidenceCollection col : ec) { for (EvidenceCollection col : ec) {
ret.list.addAll(col.list); ret.list.addAll(col.list);
ret.weightedStrings.addAll(col.weightedStrings); ret.weightedStrings.addAll(col.weightedStrings);
@@ -248,7 +254,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
*/ */
@Override @Override
public String toString() { public String toString() {
StringBuilder sb = new StringBuilder(); final StringBuilder sb = new StringBuilder();
for (Evidence e : this.list) { for (Evidence e : this.list) {
sb.append(e.getValue()).append(' '); sb.append(e.getValue()).append(' ');
} }
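Review bot: In `contains(Evidence.Confidence)` (hunk at line 200) the rewrite `e.getConfidence().equals(confidence)` throws NullPointerException when an Evidence carries no confidence; the previous `==` was null-safe, and `Evidence.equals` in this same commit explicitly allows a null confidence. For an enum, reference comparison is both null-safe and idiomatic: `if (e.getConfidence() == confidence) {`. Secondly, in `containsUsedString` (hunk at line 181) both `toLowerCase()` calls use the default locale, so matching changes under locales such as Turkish; `toLowerCase(Locale.ROOT)` on both sides, with `java.util.Locale` imported, keeps the comparison locale-independent. `e.getValue()` may also be null — the constructor is outside this view — so a null check before its `.toLowerCase()` would be prudent.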


@@ -52,10 +52,10 @@ public class Identifier {
/** /**
* The value of the identifier * The value of the identifier
*/ */
protected String value; private String value;
/** /**
* Get the value of value * Get the value of value.
* *
* @return the value of value * @return the value of value
*/ */
@@ -64,7 +64,7 @@ public class Identifier {
} }
/** /**
* Set the value of value * Set the value of value.
* *
* @param value new value of value * @param value new value of value
*/ */
@@ -73,12 +73,12 @@ public class Identifier {
} }
/** /**
* The url for the identifier * The url for the identifier.
*/ */
protected String url; private String url;
/** /**
* Get the value of url * Get the value of url.
* *
* @return the value of url * @return the value of url
*/ */
@@ -87,7 +87,7 @@ public class Identifier {
} }
/** /**
* Set the value of url * Set the value of url.
* *
* @param url new value of url * @param url new value of url
*/ */
@@ -95,12 +95,12 @@ public class Identifier {
this.url = url; this.url = url;
} }
/** /**
* The type of the identifier * The type of the identifier.
*/ */
protected String type; private String type;
/** /**
* Get the value of type * Get the value of type.
* *
* @return the value of type * @return the value of type
*/ */
@@ -119,10 +119,10 @@ public class Identifier {
/** /**
* A description of the identifier. * A description of the identifier.
*/ */
protected String description; private String description;
/** /**
* Get the value of description * Get the value of description.
* *
* @return the value of description * @return the value of description
*/ */
@@ -131,7 +131,7 @@ public class Identifier {
} }
/** /**
* Set the value of description * Set the value of description.
* *
* @param description new value of description * @param description new value of description
*/ */
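Review bot: The field Javadoc at the top of the first hunk, `* The value of the identifier`, did not receive the terminating period that every other summary sentence in this section gained (`* The url for the identifier.`, `* The type of the identifier.`), presumably to satisfy a Javadoc style check. Change it to `* The value of the identifier.` for consistency.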


@@ -28,6 +28,9 @@ import java.io.Serializable;
*/ */
public class Reference implements Serializable { public class Reference implements Serializable {
/**
* the serial version uid.
*/
private static final long serialVersionUID = -3444464824563008021L; private static final long serialVersionUID = -3444464824563008021L;
/** /**
* The name of the reference. * The name of the reference.
@@ -35,7 +38,7 @@ public class Reference implements Serializable {
private String name; private String name;
/** /**
* Get the value of name * Get the value of name.
* *
* @return the value of name * @return the value of name
*/ */
@@ -44,7 +47,7 @@ public class Reference implements Serializable {
} }
/** /**
* Set the value of name * Set the value of name.
* *
* @param name new value of name * @param name new value of name
*/ */
@@ -52,12 +55,12 @@ public class Reference implements Serializable {
this.name = name; this.name = name;
} }
/** /**
* the url for the reference * the url for the reference.
*/ */
private String url; private String url;
/** /**
* Get the value of url * Get the value of url.
* *
* @return the value of url * @return the value of url
*/ */
@@ -66,7 +69,7 @@ public class Reference implements Serializable {
} }
/** /**
* Set the value of url * Set the value of url.
* *
* @param url new value of url * @param url new value of url
*/ */
@@ -79,7 +82,7 @@ public class Reference implements Serializable {
private String source; private String source;
/** /**
* Get the value of source * Get the value of source.
* *
* @return the value of source * @return the value of source
*/ */
@@ -88,7 +91,7 @@ public class Reference implements Serializable {
} }
/** /**
* Set the value of source * Set the value of source.
* *
* @param source new value of source * @param source new value of source
*/ */


@@ -29,14 +29,17 @@ import java.util.Set;
*/ */
public class Vulnerability implements Serializable, Comparable<Vulnerability> { public class Vulnerability implements Serializable, Comparable<Vulnerability> {
/**
* The serial version uid.
*/
private static final long serialVersionUID = 307319490326651052L; private static final long serialVersionUID = 307319490326651052L;
/** /**
* The name of the vulnerability * The name of the vulnerability.
*/ */
private String name; private String name;
/** /**
* Get the value of name * Get the value of name.
* *
* @return the value of name * @return the value of name
*/ */
@@ -45,7 +48,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Set the value of name * Set the value of name.
* *
* @param name new value of name * @param name new value of name
*/ */
@@ -53,12 +56,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.name = name; this.name = name;
} }
/** /**
* the description of the vulnerability * the description of the vulnerability.
*/ */
private String description; private String description;
/** /**
* Get the value of description * Get the value of description.
* *
* @return the value of description * @return the value of description
*/ */
@@ -67,7 +70,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Set the value of description * Set the value of description.
* *
* @param description new value of description * @param description new value of description
*/ */
@@ -75,12 +78,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.description = description; this.description = description;
} }
/** /**
* References for this vulnerability * References for this vulnerability.
*/ */
private Set<Reference> references = new HashSet<Reference>(); private Set<Reference> references = new HashSet<Reference>();
/** /**
* Get the value of references * Get the value of references.
* *
* @return the value of references * @return the value of references
*/ */
@@ -89,7 +92,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Set the value of references * Set the value of references.
* *
* @param references new value of references * @param references new value of references
*/ */
@@ -98,7 +101,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Adds a reference to the references collection * Adds a reference to the references collection.
* *
* @param ref a reference for the vulnerability * @param ref a reference for the vulnerability
*/ */
@@ -107,25 +110,26 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Adds a reference * Adds a reference.
*
* @param referenceSource the source of the reference * @param referenceSource the source of the reference
* @param referenceName the referenceName of the reference * @param referenceName the referenceName of the reference
* @param referenceUrl the url of the reference * @param referenceUrl the url of the reference
*/ */
public void addReference(String referenceSource, String referenceName, String referenceUrl) { public void addReference(String referenceSource, String referenceName, String referenceUrl) {
Reference ref = new Reference(); final Reference ref = new Reference();
ref.setSource(referenceSource); ref.setSource(referenceSource);
ref.setName(referenceName); ref.setName(referenceName);
ref.setUrl(referenceUrl); ref.setUrl(referenceUrl);
this.references.add(ref); this.references.add(ref);
} }
/** /**
* a set of vulnerable software * A set of vulnerable software.
*/ */
protected Set<VulnerableSoftware> vulnerableSoftware = new HashSet<VulnerableSoftware>(); private Set<VulnerableSoftware> vulnerableSoftware = new HashSet<VulnerableSoftware>();
/** /**
* Get the value of vulnerableSoftware * Get the value of vulnerableSoftware.
* *
* @return the value of vulnerableSoftware * @return the value of vulnerableSoftware
*/ */
@@ -134,7 +138,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Set the value of vulnerableSoftware * Set the value of vulnerableSoftware.
* *
* @param vulnerableSoftware new value of vulnerableSoftware * @param vulnerableSoftware new value of vulnerableSoftware
*/ */
@@ -143,7 +147,8 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Adds an entry for vulnerable software * Adds an entry for vulnerable software.
*
* @param cpe string representation of a CPE entry * @param cpe string representation of a CPE entry
* @return if the add succeeded * @return if the add succeeded
*/ */
@@ -152,13 +157,15 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Adds an entry for vulnerable software * Adds an entry for vulnerable software.
*
* @param cpe string representation of a cpe * @param cpe string representation of a cpe
* @param previousVersion the previous version (previousVersion - cpe would be considered vulnerable) * @param previousVersion the previous version (previousVersion - cpe would
* be considered vulnerable)
* @return if the add succeeded * @return if the add succeeded
*/ */
public boolean addVulnerableSoftware(String cpe, String previousVersion) { public boolean addVulnerableSoftware(String cpe, String previousVersion) {
VulnerableSoftware vs = new VulnerableSoftware(); final VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe(cpe); vs.setCpe(cpe);
if (previousVersion != null) { if (previousVersion != null) {
vs.setPreviousVersion(previousVersion); vs.setPreviousVersion(previousVersion);
@@ -167,7 +174,8 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Adds or updates a vulnerable software entry * Adds or updates a vulnerable software entry.
*
* @param vulnSoftware the vulnerable software * @param vulnSoftware the vulnerable software
* @return if the update succeeded * @return if the update succeeded
*/ */
@@ -178,12 +186,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
return vulnerableSoftware.add(vulnSoftware); return vulnerableSoftware.add(vulnSoftware);
} }
/** /**
* The CWE for the vulnerability * The CWE for the vulnerability.
*/ */
protected String cwe; private String cwe;
/** /**
* Get the value of cwe * Get the value of cwe.
* *
* @return the value of cwe * @return the value of cwe
*/ */
@@ -192,7 +200,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Set the value of cwe * Set the value of cwe.
* *
* @param cwe new value of cwe * @param cwe new value of cwe
*/ */
@@ -200,12 +208,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cwe = cwe; this.cwe = cwe;
} }
/** /**
* CVSS Score * CVSS Score.
*/ */
protected float cvssScore; private float cvssScore;
/** /**
* Get the value of cvssScore * Get the value of cvssScore.
* *
* @return the value of cvssScore * @return the value of cvssScore
*/ */
@@ -214,7 +222,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Set the value of cvssScore * Set the value of cvssScore.
* *
* @param cvssScore new value of cvssScore * @param cvssScore new value of cvssScore
*/ */
@@ -222,12 +230,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssScore = cvssScore; this.cvssScore = cvssScore;
} }
/** /**
* CVSS Access Vector * CVSS Access Vector.
*/ */
protected String cvssAccessVector; private String cvssAccessVector;
/** /**
* Get the value of cvssAccessVector * Get the value of cvssAccessVector.
* *
* @return the value of cvssAccessVector * @return the value of cvssAccessVector
*/ */
@@ -236,7 +244,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Set the value of cvssAccessVector * Set the value of cvssAccessVector.
* *
* @param cvssAccessVector new value of cvssAccessVector * @param cvssAccessVector new value of cvssAccessVector
*/ */
@@ -244,12 +252,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssAccessVector = cvssAccessVector; this.cvssAccessVector = cvssAccessVector;
} }
/** /**
* CVSS Access Complexity * CVSS Access Complexity.
*/ */
protected String cvssAccessComplexity; private String cvssAccessComplexity;
/** /**
* Get the value of cvssAccessComplexity * Get the value of cvssAccessComplexity.
* *
* @return the value of cvssAccessComplexity * @return the value of cvssAccessComplexity
*/ */
@@ -258,7 +266,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Set the value of cvssAccessComplexity * Set the value of cvssAccessComplexity.
* *
* @param cvssAccessComplexity new value of cvssAccessComplexity * @param cvssAccessComplexity new value of cvssAccessComplexity
*/ */
@@ -266,12 +274,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssAccessComplexity = cvssAccessComplexity; this.cvssAccessComplexity = cvssAccessComplexity;
} }
/** /**
* CVSS Authentication * CVSS Authentication.
*/ */
protected String cvssAuthentication; private String cvssAuthentication;
/** /**
* Get the value of cvssAuthentication * Get the value of cvssAuthentication.
* *
* @return the value of cvssAuthentication * @return the value of cvssAuthentication
*/ */
@@ -280,7 +288,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Set the value of cvssAuthentication * Set the value of cvssAuthentication.
* *
* @param cvssAuthentication new value of cvssAuthentication * @param cvssAuthentication new value of cvssAuthentication
*/ */
@@ -288,12 +296,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssAuthentication = cvssAuthentication; this.cvssAuthentication = cvssAuthentication;
} }
/** /**
* CVSS Confidentiality Impact * CVSS Confidentiality Impact.
*/ */
protected String cvssConfidentialityImpact; private String cvssConfidentialityImpact;
/** /**
* Get the value of cvssConfidentialityImpact * Get the value of cvssConfidentialityImpact.
* *
* @return the value of cvssConfidentialityImpact * @return the value of cvssConfidentialityImpact
*/ */
@@ -302,7 +310,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Set the value of cvssConfidentialityImpact * Set the value of cvssConfidentialityImpact.
* *
* @param cvssConfidentialityImpact new value of cvssConfidentialityImpact * @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
*/ */
@@ -310,12 +318,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssConfidentialityImpact = cvssConfidentialityImpact; this.cvssConfidentialityImpact = cvssConfidentialityImpact;
} }
/** /**
* CVSS Integrity Impact * CVSS Integrity Impact.
*/ */
protected String cvssIntegrityImpact; private String cvssIntegrityImpact;
/** /**
* Get the value of cvssIntegrityImpact * Get the value of cvssIntegrityImpact.
* *
* @return the value of cvssIntegrityImpact * @return the value of cvssIntegrityImpact
*/ */
@@ -324,7 +332,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Set the value of cvssIntegrityImpact * Set the value of cvssIntegrityImpact.
* *
* @param cvssIntegrityImpact new value of cvssIntegrityImpact * @param cvssIntegrityImpact new value of cvssIntegrityImpact
*/ */
@@ -332,12 +340,12 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssIntegrityImpact = cvssIntegrityImpact; this.cvssIntegrityImpact = cvssIntegrityImpact;
} }
/** /**
* CVSS Availability Impact * CVSS Availability Impact.
*/ */
protected String cvssAvailabilityImpact; private String cvssAvailabilityImpact;
/** /**
* Get the value of cvssAvailabilityImpact * Get the value of cvssAvailabilityImpact.
* *
* @return the value of cvssAvailabilityImpact * @return the value of cvssAvailabilityImpact
*/ */
@@ -346,7 +354,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
} }
/** /**
* Set the value of cvssAvailabilityImpact * Set the value of cvssAvailabilityImpact.
* *
* @param cvssAvailabilityImpact new value of cvssAvailabilityImpact * @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
*/ */
@@ -375,11 +383,13 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
hash = 41 * hash + (this.name != null ? this.name.hashCode() : 0); hash = 41 * hash + (this.name != null ? this.name.hashCode() : 0);
return hash; return hash;
} }
/** /**
* Compares two vulnerabilities * Compares two vulnerabilities.
* *
* @param v a vulnerability to be compared * @param v a vulnerability to be compared
* @return a negative integer, zero, or a positive integer as this object is less than, equal to, or greater than the specified vulnerability * @return a negative integer, zero, or a positive integer as this object is
* less than, equal to, or greater than the specified vulnerability
*/ */
public int compareTo(Vulnerability v) { public int compareTo(Vulnerability v) {
return v.getName().compareTo(this.getName()); return v.getName().compareTo(this.getName());


@@ -26,6 +26,9 @@ import java.util.Comparator;
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
public class VulnerabilityComparator implements Comparator<Vulnerability>, Serializable { public class VulnerabilityComparator implements Comparator<Vulnerability>, Serializable {
/**
* The serial version UID.
*/
private static final long serialVersionUID = 1L; private static final long serialVersionUID = 1L;
/** /**


@@ -32,10 +32,13 @@ import org.owasp.dependencycheck.data.cpe.Entry;
*/ */
public class VulnerableSoftware extends Entry implements Serializable { public class VulnerableSoftware extends Entry implements Serializable {
/**
* The serial version UID.
*/
private static final long serialVersionUID = 307319490326651052L; private static final long serialVersionUID = 307319490326651052L;
/** /**
* Parse a CPE entry from the cpe string representation * Parse a CPE entry from the cpe string representation.
* *
* @param cpe a cpe entry (e.g. cpe:/a:vendor:software:version) * @param cpe a cpe entry (e.g. cpe:/a:vendor:software:version)
*/ */
@@ -49,12 +52,12 @@ public class VulnerableSoftware extends Entry implements Serializable {
} }
/** /**
* If present, indicates that previous version are vulnerable * If present, indicates that previous version are vulnerable.
*/ */
protected String previousVersion = null; private String previousVersion;
/** /**
* Indicates if previous versions of this software are vulnerable * Indicates if previous versions of this software are vulnerable.
* *
* @return if previous versions of this software are vulnerable * @return if previous versions of this software are vulnerable
*/ */
@@ -63,7 +66,7 @@ public class VulnerableSoftware extends Entry implements Serializable {
} }
/** /**
* Get the value of previousVersion * Get the value of previousVersion.
* *
* @return the value of previousVersion * @return the value of previousVersion
*/ */
@@ -72,7 +75,7 @@ public class VulnerableSoftware extends Entry implements Serializable {
} }
/** /**
* Set the value of previousVersion * Set the value of previousVersion.
* *
* @param previousVersion new value of previousVersion * @param previousVersion new value of previousVersion
*/ */
@@ -89,7 +92,7 @@ public class VulnerableSoftware extends Entry implements Serializable {
return false; return false;
} }
final VulnerableSoftware other = (VulnerableSoftware) obj; final VulnerableSoftware other = (VulnerableSoftware) obj;
if ((this.name == null) ? (other.name != null) : !this.name.equals(other.name)) { if ((this.getName() == null) ? (other.getName() != null) : !this.getName().equals(other.getName())) {
return false; return false;
} }
return true; return true;
@@ -98,7 +101,7 @@ public class VulnerableSoftware extends Entry implements Serializable {
@Override @Override
public int hashCode() { public int hashCode() {
int hash = 7; int hash = 7;
hash = 83 * hash + (this.name != null ? this.name.hashCode() : 0); hash = 83 * hash + (this.getName() != null ? this.getName().hashCode() : 0);
return hash; return hash;
} }
} }
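Review bot: equals() and hashCode() at the end of the section derive identity solely from getName(); previousVersion, the one field this class adds, takes no part, so two entries with the same CPE name but different previousVersion values compare equal and collide in a HashSet. If that is intended, the contract deserves a Javadoc line on equals(), e.g. `Equality is defined by the CPE name only; previousVersion is not considered.`; if not, previousVersion should be folded into both methods. The switch from `this.name` to `getName()` suggests the name field moved behind an accessor in Entry, which is outside this section.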


@@ -51,11 +51,11 @@ public class ReportGenerator {
/** /**
* The Velocity Engine. * The Velocity Engine.
*/ */
private VelocityEngine engine = null; private VelocityEngine engine;
/** /**
* The Velocity Engine Context. * The Velocity Engine Context.
*/ */
private Context context = null; private Context context;
/** /**
* Constructs a new ReportGenerator. * Constructs a new ReportGenerator.
@@ -77,10 +77,11 @@ public class ReportGenerator {
/** /**
* Creates a new Velocity Engine. * Creates a new Velocity Engine.
*
* @return a velocity engine. * @return a velocity engine.
*/ */
private VelocityEngine createVelocityEngine() { private VelocityEngine createVelocityEngine() {
VelocityEngine ve = new VelocityEngine(); final VelocityEngine ve = new VelocityEngine();
ve.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath"); ve.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
ve.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName()); ve.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName());
return ve; return ve;
@@ -88,12 +89,13 @@ public class ReportGenerator {
/** /**
* Creates a new Velocity Context initialized with escape and date tools. * Creates a new Velocity Context initialized with escape and date tools.
*
* @return a Velocity Context. * @return a Velocity Context.
*/ */
private Context createContext() { private Context createContext() {
ToolManager manager = new ToolManager(); final ToolManager manager = new ToolManager();
Context c = manager.createContext(); final Context c = manager.createContext();
EasyFactoryConfiguration config = new EasyFactoryConfiguration(); final EasyFactoryConfiguration config = new EasyFactoryConfiguration();
config.addDefaultTools(); config.addDefaultTools();
config.toolbox("application").tool("esc", "org.apache.velocity.tools.generic.EscapeTool").tool("org.apache.velocity.tools.generic.DateTool"); config.toolbox("application").tool("esc", "org.apache.velocity.tools.generic.EscapeTool").tool("org.apache.velocity.tools.generic.DateTool");
manager.configure(config); manager.configure(config);
@@ -110,7 +112,7 @@ public class ReportGenerator {
* reports. * reports.
*/ */
public void generateReports(String outputDir, String outputFormat) throws IOException, Exception { public void generateReports(String outputDir, String outputFormat) throws IOException, Exception {
if (outputFormat.equalsIgnoreCase("XML")) { if ("XML".equalsIgnoreCase(outputFormat)) {
generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml"); generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
} else { } else {
generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html"); generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
@@ -130,7 +132,7 @@ public class ReportGenerator {
public void generateReport(String templateName, String outFileName) throws IOException, Exception { public void generateReport(String templateName, String outFileName) throws IOException, Exception {
InputStream input = null; InputStream input = null;
String templatePath = null; String templatePath = null;
File f = new File(templateName); final File f = new File(templateName);
if (f.exists() && f.isFile()) { if (f.exists() && f.isFile()) {
try { try {
templatePath = templateName; templatePath = templateName;
@@ -146,7 +148,7 @@ public class ReportGenerator {
throw new IOException("Template file doesn't exist"); throw new IOException("Template file doesn't exist");
} }
InputStreamReader reader = new InputStreamReader(input, "UTF-8"); final InputStreamReader reader = new InputStreamReader(input, "UTF-8");
OutputStreamWriter writer = null; OutputStreamWriter writer = null;
OutputStream outputStream = null; OutputStream outputStream = null;
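Review bot: `generateReports` and `generateReport` still declare `throws IOException, Exception`; `Exception` subsumes `IOException`, so the declaration tells callers nothing and forces them to catch `Exception` — narrow it to what the Velocity calls actually throw, or at least drop the redundant `IOException`. Separately, `reader` wraps `input` on the line after the "Template file doesn't exist" throw and before the `writer`/`outputStream` try block; the close handling for that block is outside the hunk, so it is worth confirming that `reader` and `input` are closed on every path there. `generateReport`'s body continues beyond the hunk.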


@@ -40,15 +40,15 @@ public final class CliParser {
/** /**
* The command line. * The command line.
*/ */
private CommandLine line = null; private CommandLine line;
/** /**
* The options for the command line parser. * The options for the command line parser.
*/ */
private Options options = createCommandLineOptions(); private Options options = createCommandLineOptions();
/** /**
* indicates whether the arguments are valid. * Indicates whether the arguments are valid.
*/ */
boolean isValid = true; private boolean isValid = true;
/** /**
* Parses the arguments passed in and captures the results for later use. * Parses the arguments passed in and captures the results for later use.
@@ -74,8 +74,8 @@ public final class CliParser {
* @throws ParseException if the arguments are invalid * @throws ParseException if the arguments are invalid
*/ */
private CommandLine parseArgs(String[] args) throws ParseException { private CommandLine parseArgs(String[] args) throws ParseException {
CommandLineParser parser = new PosixParser(); final CommandLineParser parser = new PosixParser();
CommandLine ln = parser.parse(options, args); final CommandLine ln = parser.parse(options, args);
return ln; return ln;
} }
@@ -84,6 +84,7 @@ public final class CliParser {
* *
* @throws FileNotFoundException if there is a file specified by either the * @throws FileNotFoundException if there is a file specified by either the
* SCAN or CPE command line arguments that does not exist. * SCAN or CPE command line arguments that does not exist.
* @throws ParseException is thrown if there is an exception parsing the command line.
*/ */
private void validateArgs() throws FileNotFoundException, ParseException { private void validateArgs() throws FileNotFoundException, ParseException {
if (isRunScan()) { if (isRunScan()) {
@@ -93,8 +94,8 @@ public final class CliParser {
throw new ParseException("Scan cannot be run without specifying a directory " throw new ParseException("Scan cannot be run without specifying a directory "
+ "to write the reports to via the 'out' argument."); + "to write the reports to via the 'out' argument.");
} else { } else {
String p = line.getOptionValue(ArgumentName.OUT, ""); final String p = line.getOptionValue(ArgumentName.OUT, "");
File f = new File(p); final File f = new File(p);
if ("".equals(p) || !(f.exists() && f.isDirectory())) { if ("".equals(p) || !(f.exists() && f.isDirectory())) {
//TODO - need a new exception type here, this isn't really a ParseException. //TODO - need a new exception type here, this isn't really a ParseException.
throw new ParseException("A valid directory name must be specified for " throw new ParseException("A valid directory name must be specified for "
@@ -106,8 +107,8 @@ public final class CliParser {
+ "name via the 'app' argument."); + "name via the 'app' argument.");
} }
if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) { if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) {
String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT); final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
if (!(format.equalsIgnoreCase("XML") || format.equalsIgnoreCase("HTML"))) { if (!("XML".equalsIgnoreCase(format) || "HTML".equalsIgnoreCase(format))) {
throw new ParseException("Supported output formats are XML and HTML"); throw new ParseException("Supported output formats are XML and HTML");
} }
} }
@@ -139,7 +140,7 @@ public final class CliParser {
* not exist. * not exist.
*/ */
private void validatePathExists(String path) throws FileNotFoundException { private void validatePathExists(String path) throws FileNotFoundException {
File f = new File(path); final File f = new File(path);
if (!f.exists()) { if (!f.exists()) {
isValid = false; isValid = false;
throw new FileNotFoundException("Invalid file argument: " + path); throw new FileNotFoundException("Invalid file argument: " + path);
@@ -154,47 +155,47 @@ public final class CliParser {
*/ */
@SuppressWarnings("static-access") @SuppressWarnings("static-access")
private Options createCommandLineOptions() { private Options createCommandLineOptions() {
Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false, final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
"print this message."); "print this message.");
Option advancedHelp = new Option(ArgumentName.ADVANCED_HELP_SHORT, ArgumentName.ADVANCED_HELP, false, final Option advancedHelp = new Option(ArgumentName.ADVANCED_HELP_SHORT, ArgumentName.ADVANCED_HELP, false,
"shows additional help regarding properties file."); "shows additional help regarding properties file.");
Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false, final Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false,
"extracts extra information from dependencies that may increase false positives, but also decrease false negatives."); "extracts extra information from dependencies that may increase false positives, but also decrease false negatives.");
Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION, final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
false, "print the version information."); false, "print the version information.");
Option noupdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE, final Option noupdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
false, "disables the automatic updating of the CPE data."); false, "disables the automatic updating of the CPE data.");
Option appname = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APPNAME) final Option appname = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APPNAME)
.withDescription("the name of the application being scanned.") .withDescription("the name of the application being scanned.")
.create(ArgumentName.APPNAME_SHORT); .create(ArgumentName.APPNAME_SHORT);
Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN) final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
.withDescription("the path to scan - this option can be specified multiple times.") .withDescription("the path to scan - this option can be specified multiple times.")
.create(ArgumentName.SCAN_SHORT); .create(ArgumentName.SCAN_SHORT);
Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP) final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
.withDescription("a property file to load.") .withDescription("a property file to load.")
.create(ArgumentName.PROP_SHORT); .create(ArgumentName.PROP_SHORT);
Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT) final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
.withDescription("the folder to write reports to.") .withDescription("the folder to write reports to.")
.create(ArgumentName.OUT_SHORT); .create(ArgumentName.OUT_SHORT);
Option outputformat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT) final Option outputformat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
.withDescription("the output format to write to.") .withDescription("the output format to write to.")
.create(ArgumentName.OUTPUT_FORMAT_SHORT); .create(ArgumentName.OUTPUT_FORMAT_SHORT);
//TODO add the ability to load a properties file to override the defaults... //TODO add the ability to load a properties file to override the defaults...
OptionGroup og = new OptionGroup(); final OptionGroup og = new OptionGroup();
og.addOption(path); og.addOption(path);
Options opts = new Options(); final Options opts = new Options();
opts.addOptionGroup(og); opts.addOptionGroup(og);
opts.addOption(out); opts.addOption(out);
opts.addOption(outputformat); opts.addOption(outputformat);
@@ -205,6 +206,7 @@ public final class CliParser {
opts.addOption(deepScan); opts.addOption(deepScan);
opts.addOption(props); opts.addOption(props);
opts.addOption(advancedHelp); opts.addOption(advancedHelp);
return opts; return opts;
} }
@@ -239,8 +241,8 @@ public final class CliParser {
* Displays the command line help message to the standard output. * Displays the command line help message to the standard output.
*/ */
public void printHelp() { public void printHelp() {
HelpFormatter formatter = new HelpFormatter(); final HelpFormatter formatter = new HelpFormatter();
String nl = System.getProperty("line.separator"); final String nl = System.getProperty("line.separator");
String advancedHelp = null; String advancedHelp = null;
if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) { if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
advancedHelp = nl + nl advancedHelp = nl + nl
@@ -273,11 +275,10 @@ public final class CliParser {
*/ */
public String[] getScanFiles() { public String[] getScanFiles() {
return line.getOptionValues(ArgumentName.SCAN); return line.getOptionValues(ArgumentName.SCAN);
} }
/** /**
* returns the directory to write the reports to specified on the command * Returns the directory to write the reports to specified on the command
* line. * line.
* *
* @return the path to the reports directory. * @return the path to the reports directory.
@@ -306,12 +307,12 @@ public final class CliParser {
} }
/** /**
* <p>Prints the manifest information to standard output:</p> * <p>Prints the manifest information to standard output.</p>
* <ul><li>Implementation-Title: ${pom.name}</li> * <ul><li>Implementation-Title: ${pom.name}</li>
* <li>Implementation-Version: ${pom.version}</li></ul> * <li>Implementation-Version: ${pom.version}</li></ul>
*/ */
public void printVersionInfo() { public void printVersionInfo() {
String version = String.format("%s version %s", final String version = String.format("%s version %s",
Settings.getString("application.name", "DependencyCheck"), Settings.getString("application.name", "DependencyCheck"),
Settings.getString("application.version", "Unknown")); Settings.getString("application.version", "Unknown"));
System.out.println(version); System.out.println(version);
@@ -341,11 +342,11 @@ public final class CliParser {
public static class ArgumentName { public static class ArgumentName {
/** /**
* The long CLI argument name specifying the directory/file to scan * The long CLI argument name specifying the directory/file to scan.
*/ */
public static final String SCAN = "scan"; public static final String SCAN = "scan";
/** /**
* The short CLI argument name specifying the directory/file to scan * The short CLI argument name specifying the directory/file to scan.
*/ */
public static final String SCAN_SHORT = "s"; public static final String SCAN_SHORT = "s";
/** /**
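Review bot: `private Options options = createCommandLineOptions();` at the top of the section is left non-final while the commit finalizes every local below it; if no constructor reassigns it (none is visible here), `private final Options options = createCommandLineOptions();` would match the new style and let the compiler enforce it. In `parseArgs`, the `final CommandLine ln` temporary can be collapsed to `return parser.parse(options, args);`. In `validateArgs` the TODO noting that `ParseException` is the wrong type for a bad output directory survives the commit; a dedicated exception type would let callers distinguish a malformed command line from a missing path. Parts of `validateArgs` and `createCommandLineOptions` lie outside the hunks.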


@@ -27,6 +27,9 @@ import java.io.IOException;
*/ */
public class DownloadFailedException extends IOException { public class DownloadFailedException extends IOException {
/**
* The serial version UID.
*/
private static final long serialVersionUID = 1L; private static final long serialVersionUID = 1L;
/** /**


@@ -38,7 +38,7 @@ import java.util.zip.InflaterInputStream;
* *
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
public class Downloader { public final class Downloader {
/** /**
* Private constructor for utility class. * Private constructor for utility class.
@@ -69,7 +69,7 @@ public class Downloader {
* downloading the file. * downloading the file.
*/ */
public static void fetchFile(URL url, String outputPath, boolean unzip) throws DownloadFailedException { public static void fetchFile(URL url, String outputPath, boolean unzip) throws DownloadFailedException {
File f = new File(outputPath); final File f = new File(outputPath);
fetchFile(url, f, unzip); fetchFile(url, f, unzip);
} }
@@ -111,7 +111,7 @@ public class Downloader {
} }
throw new DownloadFailedException("Error downloading file.", ex); throw new DownloadFailedException("Error downloading file.", ex);
} }
String encoding = conn.getContentEncoding(); final String encoding = conn.getContentEncoding();
BufferedOutputStream writer = null; BufferedOutputStream writer = null;
InputStream reader = null; InputStream reader = null;
@@ -125,7 +125,7 @@ public class Downloader {
} }
writer = new BufferedOutputStream(new FileOutputStream(outputPath)); writer = new BufferedOutputStream(new FileOutputStream(outputPath));
byte[] buffer = new byte[4096]; final byte[] buffer = new byte[4096];
int bytesRead = 0; int bytesRead = 0;
while ((bytesRead = reader.read(buffer)) > 0) { while ((bytesRead = reader.read(buffer)) > 0) {
writer.write(buffer, 0, bytesRead); writer.write(buffer, 0, bytesRead);
@@ -201,18 +201,18 @@ public class Downloader {
private static HttpURLConnection getConnection(URL url) throws DownloadFailedException { private static HttpURLConnection getConnection(URL url) throws DownloadFailedException {
HttpURLConnection conn = null; HttpURLConnection conn = null;
Proxy proxy = null; Proxy proxy = null;
String proxyUrl = Settings.getString(Settings.KEYS.PROXY_URL); final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_URL);
try { try {
if (proxyUrl != null) { if (proxyUrl != null) {
int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT); final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
SocketAddress addr = new InetSocketAddress(proxyUrl, proxyPort); final SocketAddress addr = new InetSocketAddress(proxyUrl, proxyPort);
proxy = new Proxy(Proxy.Type.HTTP, addr); proxy = new Proxy(Proxy.Type.HTTP, addr);
conn = (HttpURLConnection) url.openConnection(proxy); conn = (HttpURLConnection) url.openConnection(proxy);
} else { } else {
conn = (HttpURLConnection) url.openConnection(); conn = (HttpURLConnection) url.openConnection();
} }
if (Settings.getString(Settings.KEYS.CONNECTION_TIMEOUT) != null) { if (Settings.getString(Settings.KEYS.CONNECTION_TIMEOUT) != null) {
int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT); final int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT);
conn.setConnectTimeout(timeout); conn.setConnectTimeout(timeout);
} }
} catch (IOException ex) { } catch (IOException ex) {
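Review bot: `getConnection` sets only the connect timeout; once connected, `reader.read(buffer)` in `fetchFile` has no read timeout, so a server that accepts the connection and then stalls blocks the download indefinitely. Apply the same value on the read side inside the `CONNECTION_TIMEOUT` branch, `conn.setReadTimeout(timeout);` after `conn.setConnectTimeout(timeout);`, or introduce a separate read-timeout setting. The `while ((bytesRead = reader.read(buffer)) > 0)` loop in `fetchFile` also reads as if 0 meant end of stream; `read` returns -1 there, so `!= -1` states the intent directly (with a non-empty buffer the two are equivalent). `getConnection`'s catch block and the remainder of `fetchFile` lie outside the hunks.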


@@ -27,7 +27,7 @@ import java.io.IOException;
* *
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
public class FileUtils { public final class FileUtils {
/** /**
* Private constructor for a utility class. * Private constructor for a utility class.
@@ -43,7 +43,7 @@ public class FileUtils {
*/ */
public static String getFileExtension(String fileName) { public static String getFileExtension(String fileName) {
String ret = null; String ret = null;
int pos = fileName.lastIndexOf("."); final int pos = fileName.lastIndexOf(".");
if (pos >= 0) { if (pos >= 0) {
ret = fileName.substring(pos + 1, fileName.length()).toLowerCase(); ret = fileName.substring(pos + 1, fileName.length()).toLowerCase();
} }
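Review bot: `getFileExtension` lowercases with the default locale (`toLowerCase()`), so the extension of `FILE.ZIP` depends on the JVM's locale — under a Turkish locale the `I` maps to a dotless ı and no longer matches an ASCII `"zip"` comparison. Use `ret = fileName.substring(pos + 1).toLowerCase(Locale.ENGLISH);`, which also drops the redundant `fileName.length()` end index; `Locale.ENGLISH` needs a `java.util.Locale` import, which is outside the hunk. `getFileExtension`'s return lies past the hunk.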


@@ -27,6 +27,9 @@ import java.io.IOException;
*/ */
public class InvalidSettingException extends IOException { public class InvalidSettingException extends IOException {
/**
* The serial version UID.
*/
private static final long serialVersionUID = 1L; private static final long serialVersionUID = 1L;
/** /**


@@ -22,17 +22,17 @@ import java.io.FilterInputStream;
import java.io.InputStream; import java.io.InputStream;
/** /**
* NonClosingStream is a stream filter which prevents * NonClosingStream is a stream filter which prevents another class that
* another class that processes the stream from closing * processes the stream from closing it. This is necessary when dealing with
* it. This is necessary when dealing with things like * things like JAXB and zipInputStreams.
* JAXB and zipInputStreams.
* *
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
public class NonClosingStream extends FilterInputStream { public class NonClosingStream extends FilterInputStream {
/** /**
* Constructs a new NonClosingStream * Constructs a new NonClosingStream.
*
* @param in an input stream. * @param in an input stream.
*/ */
public NonClosingStream(InputStream in) { public NonClosingStream(InputStream in) {


@@ -31,12 +31,12 @@ import java.util.logging.Logger;
* *
* @author Jeremy Long (jeremy.long@gmail.com) * @author Jeremy Long (jeremy.long@gmail.com)
*/ */
public class Settings { public final class Settings {
/** /**
* The collection of keys used within the properties file. * The collection of keys used within the properties file.
*/ */
public static class KEYS { public static final class KEYS {
/** /**
* private constructor because this is a "utility" class containing constants * private constructor because this is a "utility" class containing constants
@@ -95,11 +95,11 @@ public class Settings {
*/ */
public static final String CVE_BASE_URL = "cve.url-"; public static final String CVE_BASE_URL = "cve.url-";
/** /**
* The properties key for the CVE schema version 1.2 * The properties key for the CVE schema version 1.2.
*/ */
public static final String CVE_SCHEMA_1_2 = "1.2."; public static final String CVE_SCHEMA_1_2 = "1.2.";
/** /**
* The properties key for the CVE schema version 2.0 * The properties key for the CVE schema version 2.0.
*/ */
public static final String CVE_SCHEMA_2_0 = "2.0."; public static final String CVE_SCHEMA_2_0 = "2.0.";
@@ -122,8 +122,17 @@ public class Settings {
*/ */
public static final String PERFORM_DEEP_SCAN = "perform.deepscan"; public static final String PERFORM_DEEP_SCAN = "perform.deepscan";
} }
/**
* The properties file location.
*/
private static final String PROPERTIES_FILE = "configuration/dependencycheck.properties"; private static final String PROPERTIES_FILE = "configuration/dependencycheck.properties";
/**
* The singleton instance variable.
*/
private static final Settings INSTANCE = new Settings(); private static final Settings INSTANCE = new Settings();
/**
* The properties.
*/
private Properties props = null; private Properties props = null;
/** /**
@@ -131,7 +140,7 @@ public class Settings {
* properties files. * properties files.
*/ */
private Settings() { private Settings() {
InputStream in = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE); final InputStream in = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
props = new Properties(); props = new Properties();
try { try {
props.load(in); props.load(in);
@@ -176,7 +185,7 @@ public class Settings {
* the properties. * the properties.
*/ */
public static void mergeProperties(String filePath) throws FileNotFoundException, IOException { public static void mergeProperties(String filePath) throws FileNotFoundException, IOException {
FileInputStream fis = new FileInputStream(filePath); final FileInputStream fis = new FileInputStream(filePath);
mergeProperties(fis); mergeProperties(fis);
} }
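Review bot: the constructor passes `in` straight to `props.load(in)` without a null check; `getResourceAsStream` returns null when `configuration/dependencycheck.properties` is missing from the classpath, which then surfaces as a bare NullPointerException rather than a message naming the missing resource. A guard such as `if (in == null) { throw new IllegalStateException("Missing classpath resource: " + PROPERTIES_FILE); }` before the load (or a logged fallback to empty defaults, if starting without the file is acceptable) would make that failure diagnosable; the try/catch that follows is outside the hunk, so whether `in` is closed cannot be confirmed here. Likewise `mergeProperties(String)` opens a `FileInputStream` and hands it to the stream overload, whose close handling is also outside the hunk. `private Properties props = null;` keeps the explicit null initializer that the commit removes elsewhere (for example `engine` and `context` in ReportGenerator); dropping it here would be consistent.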


@@ -46,16 +46,16 @@ public class DependencyTest {
String str = "apache"; String str = "apache";
String str2 = "owasp"; String str2 = "owasp";
Dependency instance = new Dependency(); Dependency instance = new Dependency();
instance.vendorEvidence.addEvidence("manifest", "something", "apache", Evidence.Confidence.HIGH); instance.getVendorEvidence().addEvidence("manifest", "something", "apache", Evidence.Confidence.HIGH);
instance.vendorEvidence.addEvidence("manifest", "something", "owasp", Evidence.Confidence.MEDIUM); instance.getVendorEvidence().addEvidence("manifest", "something", "owasp", Evidence.Confidence.MEDIUM);
assertFalse(instance.containsUsedString(str)); assertFalse(instance.containsUsedString(str));
assertFalse(instance.containsUsedString(str2)); assertFalse(instance.containsUsedString(str2));
for (Evidence i : instance.vendorEvidence.iterator(Evidence.Confidence.HIGH)) { for (Evidence i : instance.getVendorEvidence().iterator(Evidence.Confidence.HIGH)) {
String readValue = i.getValue(); String readValue = i.getValue();
} }
assertTrue(instance.containsUsedString(str)); assertTrue(instance.containsUsedString(str));
assertFalse(instance.containsUsedString(str2)); assertFalse(instance.containsUsedString(str2));
for (Evidence i : instance.vendorEvidence.iterator(Evidence.Confidence.MEDIUM)) { for (Evidence i : instance.getVendorEvidence().iterator(Evidence.Confidence.MEDIUM)) {
String readValue = i.getValue(); String readValue = i.getValue();
} }
assertTrue(instance.containsUsedString(str)); assertTrue(instance.containsUsedString(str));