mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-03-22 09:09:31 +01:00
checkstyle suggested changes
This commit is contained in:
Jeremy Long
@@ -461,14 +461,37 @@ public class DependencyBundlingAnalyzer extends AbstractDependencyComparingAnaly
|
|||||||
return filePath != null && filePath.matches(".*\\.(ear|war)[\\\\/].*");
|
return filePath != null && filePath.matches(".*\\.(ear|war)[\\\\/].*");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determine if the dependency ecosystem is equal in the given dependencies.
|
||||||
|
*
|
||||||
|
* @param dependency a dependency to compare
|
||||||
|
* @param nextDependency a dependency to compare
|
||||||
|
* @return true if the ecosystem is equal in both dependencies; otherwise
|
||||||
|
* false
|
||||||
|
*/
|
||||||
private boolean ecoSystemIs(String ecoSystem, Dependency dependency, Dependency nextDependency) {
|
private boolean ecoSystemIs(String ecoSystem, Dependency dependency, Dependency nextDependency) {
|
||||||
return ecoSystem.equals(dependency.getEcosystem()) && ecoSystem.equals(nextDependency.getEcosystem());
|
return ecoSystem.equals(dependency.getEcosystem()) && ecoSystem.equals(nextDependency.getEcosystem());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determine if the dependency name is equal in the given dependencies.
|
||||||
|
*
|
||||||
|
* @param dependency a dependency to compare
|
||||||
|
* @param nextDependency a dependency to compare
|
||||||
|
* @return true if the name is equal in both dependencies; otherwise false
|
||||||
|
*/
|
||||||
private boolean namesAreEqual(Dependency dependency, Dependency nextDependency) {
|
private boolean namesAreEqual(Dependency dependency, Dependency nextDependency) {
|
||||||
return dependency.getName() != null && dependency.getName().equals(nextDependency.getName());
|
return dependency.getName() != null && dependency.getName().equals(nextDependency.getName());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determine if the dependency version is equal in the given dependencies.
|
||||||
|
*
|
||||||
|
* @param dependency a dependency to compare
|
||||||
|
* @param nextDependency a dependency to compare
|
||||||
|
* @return true if the version is equal in both dependencies; otherwise
|
||||||
|
* false
|
||||||
|
*/
|
||||||
private boolean versionsAreEqual(Dependency dependency, Dependency nextDependency) {
|
private boolean versionsAreEqual(Dependency dependency, Dependency nextDependency) {
|
||||||
return dependency.getVersion() != null && dependency.getVersion().equals(nextDependency.getVersion());
|
return dependency.getVersion() != null && dependency.getVersion().equals(nextDependency.getVersion());
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -118,7 +118,8 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz
|
|||||||
* removed from the main analysis loop, this function adds to this
|
* removed from the main analysis loop, this function adds to this
|
||||||
* collection
|
* collection
|
||||||
*/
|
*/
|
||||||
public static void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
|
public static void mergeDependencies(final Dependency dependency, final Dependency relatedDependency,
|
||||||
|
final Set<Dependency> dependenciesToRemove) {
|
||||||
LOGGER.debug("Merging '{}' into '{}'", relatedDependency.getFilePath(), dependency.getFilePath());
|
LOGGER.debug("Merging '{}' into '{}'", relatedDependency.getFilePath(), dependency.getFilePath());
|
||||||
dependency.addRelatedDependency(relatedDependency);
|
dependency.addRelatedDependency(relatedDependency);
|
||||||
for (Evidence e : relatedDependency.getEvidence(EvidenceType.VENDOR)) {
|
for (Evidence e : relatedDependency.getEvidence(EvidenceType.VENDOR)) {
|
||||||
|
|||||||
@@ -142,6 +142,11 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Collects evidence from the given JSON for the associated dependency.
|
||||||
|
* @param json the JSON that contains the evidence to collect
|
||||||
|
* @param dependency the dependency to add the evidence too
|
||||||
|
*/
|
||||||
public static void gatherEvidence(final JsonObject json, Dependency dependency) {
|
public static void gatherEvidence(final JsonObject json, Dependency dependency) {
|
||||||
if (json.containsKey("name")) {
|
if (json.containsKey("name")) {
|
||||||
final Object value = json.get("name");
|
final Object value = json.get("name");
|
||||||
|
|||||||
@@ -25,7 +25,6 @@ import org.owasp.dependencycheck.data.nsp.NspSearch;
|
|||||||
import org.owasp.dependencycheck.data.nsp.SanitizePackage;
|
import org.owasp.dependencycheck.data.nsp.SanitizePackage;
|
||||||
import org.owasp.dependencycheck.dependency.Confidence;
|
import org.owasp.dependencycheck.dependency.Confidence;
|
||||||
import org.owasp.dependencycheck.dependency.Dependency;
|
import org.owasp.dependencycheck.dependency.Dependency;
|
||||||
import org.owasp.dependencycheck.dependency.Identifier;
|
|
||||||
import org.owasp.dependencycheck.dependency.Vulnerability;
|
import org.owasp.dependencycheck.dependency.Vulnerability;
|
||||||
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
|
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
|
||||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||||
@@ -36,7 +35,6 @@ import java.io.File;
|
|||||||
import java.io.FileFilter;
|
import java.io.FileFilter;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.net.MalformedURLException;
|
import java.net.MalformedURLException;
|
||||||
import java.util.ArrayList;
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.HashSet;
|
import java.util.HashSet;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
@@ -236,9 +234,9 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
vs.setName(advisory.getModule() + ":" + advisory.getVulnerableVersions());
|
vs.setName(advisory.getModule() + ":" + advisory.getVulnerableVersions());
|
||||||
vuln.setVulnerableSoftware(new HashSet<>(Arrays.asList(vs)));
|
vuln.setVulnerableSoftware(new HashSet<>(Arrays.asList(vs)));
|
||||||
|
|
||||||
Dependency existing = findDependency(engine, advisory.getModule(), advisory.getVersion());
|
final Dependency existing = findDependency(engine, advisory.getModule(), advisory.getVersion());
|
||||||
if (existing == null) {
|
if (existing == null) {
|
||||||
Dependency nodeModule = createDependency(dependency, advisory.getModule(), advisory.getVersion(), "transitive");
|
final Dependency nodeModule = createDependency(dependency, advisory.getModule(), advisory.getVersion(), "transitive");
|
||||||
nodeModule.addVulnerability(vuln);
|
nodeModule.addVulnerability(vuln);
|
||||||
engine.addDependency(nodeModule);
|
engine.addDependency(nodeModule);
|
||||||
} else {
|
} else {
|
||||||
@@ -257,6 +255,15 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Construct a dependency object.
|
||||||
|
*
|
||||||
|
* @param dependency the parent dependency
|
||||||
|
* @param name the name of the dependency to create
|
||||||
|
* @param version the version of the dependency to create
|
||||||
|
* @param scope the scope of the dependency being created
|
||||||
|
* @return the generated dependency
|
||||||
|
*/
|
||||||
private Dependency createDependency(Dependency dependency, String name, String version, String scope) {
|
private Dependency createDependency(Dependency dependency, String name, String version, String scope) {
|
||||||
final Dependency nodeModule = new Dependency(new File(dependency.getActualFile() + "?" + name), true);
|
final Dependency nodeModule = new Dependency(new File(dependency.getActualFile() + "?" + name), true);
|
||||||
nodeModule.setEcosystem(DEPENDENCY_ECOSYSTEM);
|
nodeModule.setEcosystem(DEPENDENCY_ECOSYSTEM);
|
||||||
@@ -308,7 +315,7 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
if (entry.getValue() != null && entry.getValue().getValueType() == JsonValue.ValueType.STRING) {
|
if (entry.getValue() != null && entry.getValue().getValueType() == JsonValue.ValueType.STRING) {
|
||||||
version = ((JsonString) entry.getValue()).getString();
|
version = ((JsonString) entry.getValue()).getString();
|
||||||
}
|
}
|
||||||
Dependency existing = findDependency(engine, name, version);
|
final Dependency existing = findDependency(engine, name, version);
|
||||||
if (existing == null) {
|
if (existing == null) {
|
||||||
final Dependency nodeModule = createDependency(dependency, name, version, depType);
|
final Dependency nodeModule = createDependency(dependency, name, version, depType);
|
||||||
engine.addDependency(nodeModule);
|
engine.addDependency(nodeModule);
|
||||||
@@ -353,6 +360,15 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Locates the dependency from the list of dependencies that have been
|
||||||
|
* scanned by the engine.
|
||||||
|
*
|
||||||
|
* @param engine the dependency-check engine
|
||||||
|
* @param name the name of the dependency to find
|
||||||
|
* @param version the version of the dependency to find
|
||||||
|
* @return the identified dependency; otherwise null
|
||||||
|
*/
|
||||||
private Dependency findDependency(Engine engine, String name, String version) {
|
private Dependency findDependency(Engine engine, String name, String version) {
|
||||||
for (Dependency d : engine.getDependencies()) {
|
for (Dependency d : engine.getDependencies()) {
|
||||||
if (DEPENDENCY_ECOSYSTEM.equals(d.getEcosystem()) && name.equals(d.getName()) && version != null && d.getVersion() != null) {
|
if (DEPENDENCY_ECOSYSTEM.equals(d.getEcosystem()) && name.equals(d.getName()) && version != null && d.getVersion() != null) {
|
||||||
@@ -374,16 +390,18 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
type = "*";
|
type = "*";
|
||||||
tmp = version;
|
tmp = version;
|
||||||
}
|
}
|
||||||
String[] v = tmp.split(" ")[0].split("\\.");
|
final String[] v = tmp.split(" ")[0].split("\\.");
|
||||||
String[] depVersion = dependencyVersion.split("\\.");
|
final String[] depVersion = dependencyVersion.split("\\.");
|
||||||
|
|
||||||
if ("^".equals(type) && v[0].equals(depVersion[0])) {
|
if ("^".equals(type) && v[0].equals(depVersion[0])) {
|
||||||
return d;
|
return d;
|
||||||
} else if ("~".equals(type) && v.length >= 2 && depVersion.length >= 2 && v[0].equals(depVersion[0]) && v[1].equals(depVersion[1])) {
|
} else if ("~".equals(type) && v.length >= 2 && depVersion.length >= 2
|
||||||
|
&& v[0].equals(depVersion[0]) && v[1].equals(depVersion[1])) {
|
||||||
return d;
|
return d;
|
||||||
} else if (v[0].equals("*")
|
} else if (v[0].equals("*")
|
||||||
|| (v.length >= 2 && v[0].equals(depVersion[0]) && v[1].equals("*"))
|
|| (v.length >= 2 && v[0].equals(depVersion[0]) && v[1].equals("*"))
|
||||||
|| (v.length >= 3 && depVersion.length >= 2 && v[0].equals(depVersion[0]) && v[1].equals(depVersion[1]) && v[2].equals("*"))) {
|
|| (v.length >= 3 && depVersion.length >= 2 && v[0].equals(depVersion[0])
|
||||||
|
&& v[1].equals(depVersion[1]) && v[2].equals("*"))) {
|
||||||
return d;
|
return d;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user