From 804f8e38da42b94978b739679cf3950e5d1effcd Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sat, 18 Nov 2017 16:32:40 -0500
Subject: [PATCH] checkstyle suggested changes
---
.../analyzer/DependencyBundlingAnalyzer.java | 23 ++++++++++++
.../analyzer/DependencyMergingAnalyzer.java | 3 +-
.../analyzer/NodePackageAnalyzer.java | 5 +++
.../dependencycheck/analyzer/NspAnalyzer.java | 36 ++++++++++++++-----
.../dependencycheck/data/nsp/NspSearch.java | 2 +-
5 files changed, 58 insertions(+), 11 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
index 02cf7d7d3..44aae96da 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -461,14 +461,37 @@ public class DependencyBundlingAnalyzer extends AbstractDependencyComparingAnaly
 return filePath != null && filePath.matches(".*\\.(ear|war)[\\\\/].*");
 }
+ /**
+ * Determine if the dependency ecosystem is equal in the given dependencies.
+ *
+ * @param dependency a dependency to compare
+ * @param nextDependency a dependency to compare
+ * @return true if the ecosystem is equal in both dependencies; otherwise
+ * false
+ */
 private boolean ecoSystemIs(String ecoSystem, Dependency dependency, Dependency nextDependency) {
 return ecoSystem.equals(dependency.getEcosystem()) && ecoSystem.equals(nextDependency.getEcosystem());
 }
+ /**
+ * Determine if the dependency name is equal in the given dependencies.
+ *
+ * @param dependency a dependency to compare
+ * @param nextDependency a dependency to compare
+ * @return true if the name is equal in both dependencies; otherwise false
+ */
 private boolean namesAreEqual(Dependency dependency, Dependency nextDependency) {
 return dependency.getName() != null && dependency.getName().equals(nextDependency.getName());
 }
+ /**
+ * Determine if the dependency version is equal in the given dependencies.
+ *
+ * @param dependency a dependency to compare
+ * @param nextDependency a dependency to compare
+ * @return true if the version is equal in both dependencies; otherwise
+ * false
+ */
 private boolean versionsAreEqual(Dependency dependency, Dependency nextDependency) {
 return dependency.getVersion() != null && dependency.getVersion().equals(nextDependency.getVersion());
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
index 5a21f2cad..62ebd50c4 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
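Review bot: The Javadoc added for `ecoSystemIs` documents `dependency` and `nextDependency` but omits the method's first parameter, `ecoSystem`, so the comment is incomplete and Checkstyle's JavadocMethod check will most likely still report a missing `@param` on exactly the method this commit set out to clean up. Add ` * @param ecoSystem the ecosystem both dependencies are expected to have` ahead of the other two `@param` tags. The Javadoc blocks for `namesAreEqual` and `versionsAreEqual` in this hunk cover all their parameters.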
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
@@ -118,7 +118,8 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz
 * removed from the main analysis loop, this function adds to this
 * collection
 */
- public static void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set dependenciesToRemove) {
+ public static void mergeDependencies(final Dependency dependency, final Dependency relatedDependency,
+ final Set dependenciesToRemove) {
 LOGGER.debug("Merging '{}' into '{}'", relatedDependency.getFilePath(), dependency.getFilePath());
 dependency.addRelatedDependency(relatedDependency);
 for (Evidence e : relatedDependency.getEvidence(EvidenceType.VENDOR)) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
index 1f9c0d734..ddbcc8e04 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -142,6 +142,11 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
 }
 }
+ /**
+ * Collects evidence from the given JSON for the associated dependency.
+ * @param json the JSON that contains the evidence to collect
+ * @param dependency the dependency to add the evidence too
+ */
 public static void gatherEvidence(final JsonObject json, Dependency dependency) {
 if (json.containsKey("name")) {
 final Object value = json.get("name");
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
index 2a5956d74..4f7c3b53f 100644
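Review bot: The new Javadoc on `gatherEvidence` has a typo in its second tag — "the dependency to add the evidence too" should read ` * @param dependency the dependency to add the evidence to`. It also omits the blank ` *` line between the summary sentence and the tag section that every other Javadoc block in this patch uses, so the formatting is inconsistent within the same commit. Only the `name` key is visible in the hunk and `gatherEvidence`'s body continues beyond it, so keep the summary general rather than listing fields.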
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
@@ -25,7 +25,6 @@ import org.owasp.dependencycheck.data.nsp.NspSearch;
 import org.owasp.dependencycheck.data.nsp.SanitizePackage;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
@@ -36,7 +35,6 @@ import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.net.MalformedURLException;
-import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
@@ -236,9 +234,9 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
 vs.setName(advisory.getModule() + ":" + advisory.getVulnerableVersions());
 vuln.setVulnerableSoftware(new HashSet<>(Arrays.asList(vs)));
- Dependency existing = findDependency(engine, advisory.getModule(), advisory.getVersion());
+ final Dependency existing = findDependency(engine, advisory.getModule(), advisory.getVersion());
 if (existing == null) {
- Dependency nodeModule = createDependency(dependency, advisory.getModule(), advisory.getVersion(), "transitive");
+ final Dependency nodeModule = createDependency(dependency, advisory.getModule(), advisory.getVersion(), "transitive");
 nodeModule.addVulnerability(vuln);
 engine.addDependency(nodeModule);
 } else {
@@ -257,6 +255,15 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
 }
 }
+ /**
+ * Construct a dependency object.
+ *
+ * @param dependency the parent dependency
+ * @param name the name of the dependency to create
+ * @param version the version of the dependency to create
+ * @param scope the scope of the dependency being created
+ * @return the generated dependency
+ */
 private Dependency createDependency(Dependency dependency, String name, String version, String scope) {
 final Dependency nodeModule = new Dependency(new File(dependency.getActualFile() + "?" + name), true);
 nodeModule.setEcosystem(DEPENDENCY_ECOSYSTEM);
@@ -308,7 +315,7 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
 if (entry.getValue() != null && entry.getValue().getValueType() == JsonValue.ValueType.STRING) {
 version = ((JsonString) entry.getValue()).getString();
 }
- Dependency existing = findDependency(engine, name, version);
+ final Dependency existing = findDependency(engine, name, version);
 if (existing == null) {
 final Dependency nodeModule = createDependency(dependency, name, version, depType);
 engine.addDependency(nodeModule);
@@ -353,6 +360,15 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
 }
 }
+ /**
+ * Locates the dependency from the list of dependencies that have been
+ * scanned by the engine.
+ *
+ * @param engine the dependency-check engine
+ * @param name the name of the dependency to find
+ * @param version the version of the dependency to find
+ * @return the identified dependency; otherwise null
+ */
 private Dependency findDependency(Engine engine, String name, String version) {
 for (Dependency d : engine.getDependencies()) {
 if (DEPENDENCY_ECOSYSTEM.equals(d.getEcosystem()) && name.equals(d.getName()) && version != null && d.getVersion() != null) {
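Review bot: The new Javadoc for `createDependency` does not say that the returned dependency is not backed by a real file, which is the one non-obvious thing about it: the body builds the path as `dependency.getActualFile() + "?" + name` and passes `true` as the second `Dependency` constructor argument, and `name` comes from advisory data or package.json keys rather than from the filesystem. A maintainer reading only the doc could assume a real path is scanned. Add a sentence such as ` * The returned dependency is synthetic: its path is the parent's actual file with "?" + name appended, and the second constructor argument flags it accordingly.` — confirm what that boolean means in the `Dependency` constructor before wording it as "virtual". `createDependency`'s body continues beyond the hunk.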
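Review bot: The `@return the identified dependency; otherwise null` line on `findDependency` under-specifies the contract that the first body line already fixes: a candidate matches only when its ecosystem is `DEPENDENCY_ECOSYSTEM`, `name` equals its name, and both `version` and the candidate's version are non-null, so a null `version` silently yields null while a null `name` throws `NullPointerException` at `name.equals(d.getName())`. State that in the Javadoc: ` * @param version the version of the dependency to find; if null, nothing matches` and ` * @return the first matching dependency in scan order; null if none matched`, plus a `@throws NullPointerException if name is null` (or guard with `name != null` in the condition). The version-range comparison itself is in a later hunk, outside this one.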
@@ -374,16 +390,18 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
 type = "*";
 tmp = version;
 }
- String[] v = tmp.split(" ")[0].split("\\.");
- String[] depVersion = dependencyVersion.split("\\.");
+ final String[] v = tmp.split(" ")[0].split("\\.");
+ final String[] depVersion = dependencyVersion.split("\\.");
 if ("^".equals(type) && v[0].equals(depVersion[0])) {
 return d;
- } else if ("~".equals(type) && v.length >= 2 && depVersion.length >= 2 && v[0].equals(depVersion[0]) && v[1].equals(depVersion[1])) {
+ } else if ("~".equals(type) && v.length >= 2 && depVersion.length >= 2
+ && v[0].equals(depVersion[0]) && v[1].equals(depVersion[1])) {
 return d;
 } else if (v[0].equals("*") || (v.length >= 2 && v[0].equals(depVersion[0]) && v[1].equals("*"))
- || (v.length >= 3 && depVersion.length >= 2 && v[0].equals(depVersion[0]) && v[1].equals(depVersion[1]) && v[2].equals("*"))) {
+ || (v.length >= 3 && depVersion.length >= 2 && v[0].equals(depVersion[0])
+ && v[1].equals(depVersion[1]) && v[2].equals("*"))) {
 return d;
 }
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java
index 52bdd15b8..eb0815977 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java
@@ -123,7 +123,7 @@ public class NspSearch {
 try (InputStream in = new BufferedInputStream(conn.getInputStream());
 JsonReader jsonReader = Json.createReader(in)) {
 final JsonArray array = jsonReader.readArray();
-
+
 if (array != null) {
 for (int i = 0; i < array.size(); i++) {
 final JsonObject object = array.getJsonObject(i);
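Review bot: The caret branch `if ("^".equals(type) && v[0].equals(depVersion[0]))` treats `^x.y.z` as "same major" only, so `^1.5.0` matches a scanned `1.0.0` and `^0.1.0` matches `0.9.0`; no branch in this hunk checks a lower bound, and the `~` branch on the reformatted lines likewise ignores the patch component. The commit only re-wraps these lines and adds `final`, so the loose matching is pre-existing, but because this decides which scanned module an NSP advisory gets attached to it can pin a vulnerability on a dependency whose version is outside the advisory's range. At minimum add a comment above `final String[] v = tmp.split(" ")[0].split("\\.");`, e.g. `// NOTE: approximate range match (prefix on major/minor, no lower bound) - not full semver`, and track a proper semver range comparison as a follow-up. `findDependency` starts in an earlier hunk, and the `type = "*"; tmp = version;` assignment at the top belongs to a branch whose head is outside this one.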