github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

checkstyle fixes

Browse Source 
Former-commit-id: 31ff9324a8acd201002e4843deb5a2cfb08f2d88
This commit is contained in:
Jeremy Long
2013-03-16 16:53:41 -04:00
parent 5ef02290dd
commit 7bce07aa0e
5 changed files with 55 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -113,7 +113,8 @@ public class App {
if (cli.isGetVersion()) {
cli.printVersionInfo();
} else if (cli.isRunScan()) {
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.isAutoUpdate(), cli.isDeepScan());
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(),
cli.getScanFiles(), cli.isAutoUpdate(), cli.isDeepScan());
} else {
cli.printHelp();
}

7
src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
View File

@@ -80,6 +80,13 @@ public class HintAnalyzer implements Analyzer {
return ANALYSIS_PHASE;
}
/**
* The HintAnalyzer uses knowledge about a dependency to add additional information
* to help in identification of identifiers or vulnerabilities.
* @param dependency The dependency being analyzed
* @param engine The scanning engine
* @throws AnalysisException is thrown if there is an exception analyzing the dependency.
*/
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
Evidence springTest1 = new Evidence("Manifest",
"Implementation-Title",

77
src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -171,7 +171,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
return ANALYSIS_PHASE;
}
private boolean evidenceFound;
/**
* Loads a specified JAR file and collects information from the manifest and
* checksums to identify the correct CPE information.
@@ -182,16 +181,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
* file.
*/
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
evidenceFound = false;
boolean addPackagesAsEvidence = false;
try {
evidenceFound |= parseManifest(dependency);
evidenceFound |= analyzePOM(dependency);
if (Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN) ||
!evidenceFound) {
//if no evidence was found - "they" likely stripped stuff, package names may be all we have.
analyzePackageNames(dependency);
}
addPackagesAsEvidence ^= parseManifest(dependency);
addPackagesAsEvidence ^= analyzePOM(dependency);
addPackagesAsEvidence ^= Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
analyzePackageNames(dependency, addPackagesAsEvidence);
} catch (IOException ex) {
throw new AnalysisException("Exception occurred reading the JAR file.", ex);
} catch (JAXBException ex) {
@@ -342,9 +337,11 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
* hashSets.
*
* @param dependency A reference to the dependency.
* @param addPackagesAsEvidence a flag indicating whether or not package names should be added as evidence.
* @throws IOException is thrown if there is an error reading the JAR file.
*/
protected void analyzePackageNames(Dependency dependency) throws IOException {
protected void analyzePackageNames(Dependency dependency, boolean addPackagesAsEvidence)
throws IOException {
JarFile jar = null;
try {
@@ -415,8 +412,10 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
if (!"org".equals(s) && !"com".equals(s)) {
vendor.addWeighting(s);
product.addWeighting(s);
vendor.addEvidence("jar", "package", s, Evidence.Confidence.LOW);
product.addEvidence("jar", "package", s, Evidence.Confidence.LOW);
if (addPackagesAsEvidence) {
vendor.addEvidence("jar", "package", s, Evidence.Confidence.LOW);
product.addEvidence("jar", "package", s, Evidence.Confidence.LOW);
}
}
}
for (String s : level1.keySet()) {
@@ -426,12 +425,16 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
String[] parts = s.split("/");
if ("org".equals(parts[0]) || "com".equals(parts[0])) {
vendor.addWeighting(parts[1]);
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
if (addPackagesAsEvidence) {
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
}
} else {
vendor.addWeighting(parts[0]);
product.addWeighting(parts[1]);
vendor.addEvidence("jar", "package", parts[0], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
if (addPackagesAsEvidence) {
vendor.addEvidence("jar", "package", parts[0], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
}
}
}
}
@@ -443,17 +446,21 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
if ("org".equals(parts[0]) || "com".equals(parts[0])) {
vendor.addWeighting(parts[1]);
product.addWeighting(parts[2]);
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
if (addPackagesAsEvidence) {
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
}
} else {
vendor.addWeighting(parts[0]);
vendor.addWeighting(parts[1]);
product.addWeighting(parts[1]);
product.addWeighting(parts[2]);
vendor.addEvidence("jar", "package", parts[0], Evidence.Confidence.LOW);
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
if (addPackagesAsEvidence) {
vendor.addEvidence("jar", "package", parts[0], Evidence.Confidence.LOW);
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
}
}
}
}
@@ -467,11 +474,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
vendor.addWeighting(parts[2]);
product.addWeighting(parts[2]);
product.addWeighting(parts[3]);
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
vendor.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[3], Evidence.Confidence.LOW);
if (addPackagesAsEvidence) {
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
vendor.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[3], Evidence.Confidence.LOW);
}
} else {
vendor.addWeighting(parts[0]);
vendor.addWeighting(parts[1]);
@@ -479,12 +487,14 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
product.addWeighting(parts[1]);
product.addWeighting(parts[2]);
product.addWeighting(parts[3]);
vendor.addEvidence("jar", "package", parts[0], Evidence.Confidence.LOW);
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
vendor.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[3], Evidence.Confidence.LOW);
if (addPackagesAsEvidence) {
vendor.addEvidence("jar", "package", parts[0], Evidence.Confidence.LOW);
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
vendor.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
product.addEvidence("jar", "package", parts[3], Evidence.Confidence.LOW);
}
}
}
}
@@ -670,7 +680,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
sb.append(text.substring(end + 1));
return interpolateString(sb.toString(), properties); //yes yes, this should be a loop...
}
// private void addPredefinedData(Dependency dependency) {
// Evidence springTest1 = new Evidence("Manifest",
// "Implementation-Title",

4
src/main/java/org/owasp/dependencycheck/utils/CliParser.java
View File

@@ -412,12 +412,12 @@ public final class CliParser {
* The short CLI argument name asking for advanced help.
*/
public static final String ADVANCED_HELP = "advancedhelp";
/*
/**
* The short CLI argument name indicating a deep scan of the dependencies
* should be performed.
*/
public static final String PERFORM_DEEP_SCAN_SHORT = "d";
/*
/**
* The CLI argument name indicating a deep scan of the dependencies
* should be performed.
*/

2
src/test/java/org/owasp/dependencycheck/data/cpe/CPEAnalyzerTest.java
View File

@@ -116,7 +116,7 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
instance.determineCPE(spring);
instance.determineCPE(spring3);
instance.close();
Assert.assertTrue("Incorrect match size - struts", depends.getIdentifiers().size() == 1);
Assert.assertTrue("Incorrect match size - struts", depends.getIdentifiers().size() >= 1);
Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().get(0).getValue().equals(expResult));
//the following two only work if the HintAnalyzer is used.
//Assert.assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);