mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-03-22 09:09:31 +01:00
checkstyle fixes
Former-commit-id: 31ff9324a8acd201002e4843deb5a2cfb08f2d88
This commit is contained in:
Jeremy Long
@@ -113,7 +113,8 @@ public class App {
|
|||||||
if (cli.isGetVersion()) {
|
if (cli.isGetVersion()) {
|
||||||
cli.printVersionInfo();
|
cli.printVersionInfo();
|
||||||
} else if (cli.isRunScan()) {
|
} else if (cli.isRunScan()) {
|
||||||
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.isAutoUpdate(), cli.isDeepScan());
|
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(),
|
||||||
|
cli.getScanFiles(), cli.isAutoUpdate(), cli.isDeepScan());
|
||||||
} else {
|
} else {
|
||||||
cli.printHelp();
|
cli.printHelp();
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -80,6 +80,13 @@ public class HintAnalyzer implements Analyzer {
|
|||||||
return ANALYSIS_PHASE;
|
return ANALYSIS_PHASE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The HintAnalyzer uses knowledge about a dependency to add additional information
|
||||||
|
* to help in identification of identifiers or vulnerabilities.
|
||||||
|
* @param dependency The dependency being analyzed
|
||||||
|
* @param engine The scanning engine
|
||||||
|
* @throws AnalysisException is thrown if there is an exception analyzing the dependency.
|
||||||
|
*/
|
||||||
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
|
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
|
||||||
Evidence springTest1 = new Evidence("Manifest",
|
Evidence springTest1 = new Evidence("Manifest",
|
||||||
"Implementation-Title",
|
"Implementation-Title",
|
||||||
|
|||||||
@@ -171,7 +171,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
return ANALYSIS_PHASE;
|
return ANALYSIS_PHASE;
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean evidenceFound;
|
|
||||||
/**
|
/**
|
||||||
* Loads a specified JAR file and collects information from the manifest and
|
* Loads a specified JAR file and collects information from the manifest and
|
||||||
* checksums to identify the correct CPE information.
|
* checksums to identify the correct CPE information.
|
||||||
@@ -182,16 +181,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
* file.
|
* file.
|
||||||
*/
|
*/
|
||||||
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
|
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
|
||||||
evidenceFound = false;
|
boolean addPackagesAsEvidence = false;
|
||||||
try {
|
try {
|
||||||
evidenceFound |= parseManifest(dependency);
|
addPackagesAsEvidence ^= parseManifest(dependency);
|
||||||
evidenceFound |= analyzePOM(dependency);
|
addPackagesAsEvidence ^= analyzePOM(dependency);
|
||||||
if (Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN) ||
|
addPackagesAsEvidence ^= Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
|
||||||
!evidenceFound) {
|
analyzePackageNames(dependency, addPackagesAsEvidence);
|
||||||
//if no evidence was found - "they" likely stripped stuff, package names may be all we have.
|
|
||||||
analyzePackageNames(dependency);
|
|
||||||
}
|
|
||||||
|
|
||||||
} catch (IOException ex) {
|
} catch (IOException ex) {
|
||||||
throw new AnalysisException("Exception occurred reading the JAR file.", ex);
|
throw new AnalysisException("Exception occurred reading the JAR file.", ex);
|
||||||
} catch (JAXBException ex) {
|
} catch (JAXBException ex) {
|
||||||
@@ -342,9 +337,11 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
* hashSets.
|
* hashSets.
|
||||||
*
|
*
|
||||||
* @param dependency A reference to the dependency.
|
* @param dependency A reference to the dependency.
|
||||||
|
* @param addPackagesAsEvidence a flag indicating whether or not package names should be added as evidence.
|
||||||
* @throws IOException is thrown if there is an error reading the JAR file.
|
* @throws IOException is thrown if there is an error reading the JAR file.
|
||||||
*/
|
*/
|
||||||
protected void analyzePackageNames(Dependency dependency) throws IOException {
|
protected void analyzePackageNames(Dependency dependency, boolean addPackagesAsEvidence)
|
||||||
|
throws IOException {
|
||||||
|
|
||||||
JarFile jar = null;
|
JarFile jar = null;
|
||||||
try {
|
try {
|
||||||
@@ -415,10 +412,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
if (!"org".equals(s) && !"com".equals(s)) {
|
if (!"org".equals(s) && !"com".equals(s)) {
|
||||||
vendor.addWeighting(s);
|
vendor.addWeighting(s);
|
||||||
product.addWeighting(s);
|
product.addWeighting(s);
|
||||||
|
if (addPackagesAsEvidence) {
|
||||||
vendor.addEvidence("jar", "package", s, Evidence.Confidence.LOW);
|
vendor.addEvidence("jar", "package", s, Evidence.Confidence.LOW);
|
||||||
product.addEvidence("jar", "package", s, Evidence.Confidence.LOW);
|
product.addEvidence("jar", "package", s, Evidence.Confidence.LOW);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
for (String s : level1.keySet()) {
|
for (String s : level1.keySet()) {
|
||||||
float ratio = level1.get(s);
|
float ratio = level1.get(s);
|
||||||
ratio /= count;
|
ratio /= count;
|
||||||
@@ -426,15 +425,19 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
String[] parts = s.split("/");
|
String[] parts = s.split("/");
|
||||||
if ("org".equals(parts[0]) || "com".equals(parts[0])) {
|
if ("org".equals(parts[0]) || "com".equals(parts[0])) {
|
||||||
vendor.addWeighting(parts[1]);
|
vendor.addWeighting(parts[1]);
|
||||||
|
if (addPackagesAsEvidence) {
|
||||||
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
vendor.addWeighting(parts[0]);
|
vendor.addWeighting(parts[0]);
|
||||||
product.addWeighting(parts[1]);
|
product.addWeighting(parts[1]);
|
||||||
|
if (addPackagesAsEvidence) {
|
||||||
vendor.addEvidence("jar", "package", parts[0], Evidence.Confidence.LOW);
|
vendor.addEvidence("jar", "package", parts[0], Evidence.Confidence.LOW);
|
||||||
product.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
product.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
for (String s : level2.keySet()) {
|
for (String s : level2.keySet()) {
|
||||||
float ratio = level2.get(s);
|
float ratio = level2.get(s);
|
||||||
ratio /= count;
|
ratio /= count;
|
||||||
@@ -443,13 +446,16 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
if ("org".equals(parts[0]) || "com".equals(parts[0])) {
|
if ("org".equals(parts[0]) || "com".equals(parts[0])) {
|
||||||
vendor.addWeighting(parts[1]);
|
vendor.addWeighting(parts[1]);
|
||||||
product.addWeighting(parts[2]);
|
product.addWeighting(parts[2]);
|
||||||
|
if (addPackagesAsEvidence) {
|
||||||
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
||||||
product.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
|
product.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
vendor.addWeighting(parts[0]);
|
vendor.addWeighting(parts[0]);
|
||||||
vendor.addWeighting(parts[1]);
|
vendor.addWeighting(parts[1]);
|
||||||
product.addWeighting(parts[1]);
|
product.addWeighting(parts[1]);
|
||||||
product.addWeighting(parts[2]);
|
product.addWeighting(parts[2]);
|
||||||
|
if (addPackagesAsEvidence) {
|
||||||
vendor.addEvidence("jar", "package", parts[0], Evidence.Confidence.LOW);
|
vendor.addEvidence("jar", "package", parts[0], Evidence.Confidence.LOW);
|
||||||
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
||||||
product.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
product.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
||||||
@@ -457,6 +463,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
for (String s : level3.keySet()) {
|
for (String s : level3.keySet()) {
|
||||||
float ratio = level3.get(s);
|
float ratio = level3.get(s);
|
||||||
ratio /= count;
|
ratio /= count;
|
||||||
@@ -467,11 +474,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
vendor.addWeighting(parts[2]);
|
vendor.addWeighting(parts[2]);
|
||||||
product.addWeighting(parts[2]);
|
product.addWeighting(parts[2]);
|
||||||
product.addWeighting(parts[3]);
|
product.addWeighting(parts[3]);
|
||||||
|
if (addPackagesAsEvidence) {
|
||||||
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
||||||
vendor.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
|
vendor.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
|
||||||
product.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
|
product.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
|
||||||
product.addEvidence("jar", "package", parts[3], Evidence.Confidence.LOW);
|
product.addEvidence("jar", "package", parts[3], Evidence.Confidence.LOW);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
vendor.addWeighting(parts[0]);
|
vendor.addWeighting(parts[0]);
|
||||||
vendor.addWeighting(parts[1]);
|
vendor.addWeighting(parts[1]);
|
||||||
@@ -479,6 +487,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
product.addWeighting(parts[1]);
|
product.addWeighting(parts[1]);
|
||||||
product.addWeighting(parts[2]);
|
product.addWeighting(parts[2]);
|
||||||
product.addWeighting(parts[3]);
|
product.addWeighting(parts[3]);
|
||||||
|
if (addPackagesAsEvidence) {
|
||||||
vendor.addEvidence("jar", "package", parts[0], Evidence.Confidence.LOW);
|
vendor.addEvidence("jar", "package", parts[0], Evidence.Confidence.LOW);
|
||||||
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
vendor.addEvidence("jar", "package", parts[1], Evidence.Confidence.LOW);
|
||||||
vendor.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
|
vendor.addEvidence("jar", "package", parts[2], Evidence.Confidence.LOW);
|
||||||
@@ -488,6 +497,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
} finally {
|
} finally {
|
||||||
if (jar != null) {
|
if (jar != null) {
|
||||||
jar.close();
|
jar.close();
|
||||||
@@ -670,7 +680,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
sb.append(text.substring(end + 1));
|
sb.append(text.substring(end + 1));
|
||||||
return interpolateString(sb.toString(), properties); //yes yes, this should be a loop...
|
return interpolateString(sb.toString(), properties); //yes yes, this should be a loop...
|
||||||
}
|
}
|
||||||
|
|
||||||
// private void addPredefinedData(Dependency dependency) {
|
// private void addPredefinedData(Dependency dependency) {
|
||||||
// Evidence springTest1 = new Evidence("Manifest",
|
// Evidence springTest1 = new Evidence("Manifest",
|
||||||
// "Implementation-Title",
|
// "Implementation-Title",
|
||||||
|
|||||||
@@ -412,12 +412,12 @@ public final class CliParser {
|
|||||||
* The short CLI argument name asking for advanced help.
|
* The short CLI argument name asking for advanced help.
|
||||||
*/
|
*/
|
||||||
public static final String ADVANCED_HELP = "advancedhelp";
|
public static final String ADVANCED_HELP = "advancedhelp";
|
||||||
/*
|
/**
|
||||||
* The short CLI argument name indicating a deep scan of the dependencies
|
* The short CLI argument name indicating a deep scan of the dependencies
|
||||||
* should be performed.
|
* should be performed.
|
||||||
*/
|
*/
|
||||||
public static final String PERFORM_DEEP_SCAN_SHORT = "d";
|
public static final String PERFORM_DEEP_SCAN_SHORT = "d";
|
||||||
/*
|
/**
|
||||||
* The CLI argument name indicating a deep scan of the dependencies
|
* The CLI argument name indicating a deep scan of the dependencies
|
||||||
* should be performed.
|
* should be performed.
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -116,7 +116,7 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
|
|||||||
instance.determineCPE(spring);
|
instance.determineCPE(spring);
|
||||||
instance.determineCPE(spring3);
|
instance.determineCPE(spring3);
|
||||||
instance.close();
|
instance.close();
|
||||||
Assert.assertTrue("Incorrect match size - struts", depends.getIdentifiers().size() == 1);
|
Assert.assertTrue("Incorrect match size - struts", depends.getIdentifiers().size() >= 1);
|
||||||
Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().get(0).getValue().equals(expResult));
|
Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().get(0).getValue().equals(expResult));
|
||||||
//the following two only work if the HintAnalyzer is used.
|
//the following two only work if the HintAnalyzer is used.
|
||||||
//Assert.assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);
|
//Assert.assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);
|
||||||
|
|||||||
Reference in New Issue
Block a user