From 80c46661980335416d4b2e134777a8bc9b6cce04 Mon Sep 17 00:00:00 2001
From: Dale Visser
Date: Sun, 30 Aug 2015 14:16:32 -0400
Subject: [PATCH] Ruby bundler: More method extractions to eliminate monolithic method.
---
 .../analyzer/RubyBundleAuditAnalyzer.java | 115 ++++++++++--------
 1 file changed, 66 insertions(+), 49 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
index c06d28c3e..a4988f5a1 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -208,58 +208,13 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 dependency = map.get(gem);
 LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
 } else if (nextLine.startsWith(VERSION)) {
- if (null != dependency) {
- final String version = nextLine.substring(VERSION.length());
- dependency.getVersionEvidence().addEvidence(
- "bundler-audit",
- "Version",
- version,
- Confidence.HIGHEST);
- vulnerability = new Vulnerability(); // don't add to dependency until we have name set later
- vulnerability.setMatchedCPE(
- String.format("cpe:/a:%1$s_project:%1$s:%2$s::~~~ruby~~", gem, version),
- null);
- }
- LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
+ vulnerability = createVulnerability(parentName, dependency, vulnerability, gem, nextLine);
 } else if (nextLine.startsWith(ADVISORY)) {
- final String advisory = nextLine.substring((ADVISORY.length()));
- if (null != vulnerability) {
- vulnerability.setName(advisory);
- vulnerability.setCvssAccessVector("-");
- vulnerability.setCvssAccessComplexity("-");
- vulnerability.setCvssAuthentication("-");
- vulnerability.setCvssAvailabilityImpact("-");
- vulnerability.setCvssConfidentialityImpact("-");
- vulnerability.setCvssIntegrityImpact("-");
- }
- if (null != dependency) {
- dependency.getVulnerabilities().add(vulnerability);
- }
- LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
+ setVulnerabilityName(parentName, dependency, vulnerability, nextLine);
 } else if (nextLine.startsWith(CRITICALITY)) {
- if (null != vulnerability) {
- final String criticality = nextLine.substring(CRITICALITY.length()).trim();
- if ("High".equals(criticality)) {
- vulnerability.setCvssScore(8.5f);
- } else if ("Medium".equals(criticality)) {
- vulnerability.setCvssScore(5.5f);
- } else if ("Low".equals(criticality)) {
- vulnerability.setCvssScore(2.0f);
- } else {
- vulnerability.setCvssScore(-1.0f);
- }
- }
-
LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
+ addCriticalityToVulnerability(parentName, vulnerability, nextLine);
 } else if (nextLine.startsWith("URL: ")){
- final String url = nextLine.substring(("URL: ").length());
- if (null != vulnerability) {
- Reference ref = new Reference();
- ref.setName(vulnerability.getName());
- ref.setSource("bundle-audit");
- ref.setUrl(url);
- vulnerability.getReferences().add(ref);
- }
- LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
+ addReferenceToVulnerability(parentName, vulnerability, nextLine);
 } else if (nextLine.startsWith("Description:")) {
 appendToDescription = true;
 if (null != vulnerability) {
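Review bot: The `"URL: "` prefix remains a bare literal at the `nextLine.startsWith("URL: ")` branch and is repeated inside the extracted `addReferenceToVulnerability`, whereas the sibling branches dispatch on the `VERSION`, `ADVISORY` and `CRITICALITY` constants; a constant next to those (e.g. `private static final String URL_PREFIX = "URL: ";`, then `nextLine.startsWith(URL_PREFIX)`) keeps the two copies from drifting apart. The `vulnerability = createVulnerability(parentName, dependency, vulnerability, gem, nextLine)` call passes the current `vulnerability` in only so the helper can hand it back unchanged when `dependency` is null, which leaves the previous gem's Vulnerability object live for any ADVISORY/URL lines that follow; whether bundle-audit can emit that sequence is not visible here, but resetting `vulnerability` in the caller would make the intent explicit. The enclosing parse loop starts before and ends after this hunk.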
@@ -273,6 +228,68 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 }
 }

+ private void setVulnerabilityName(String parentName, Dependency dependency, Vulnerability vulnerability, String nextLine) {
+ final String advisory = nextLine.substring((ADVISORY.length()));
+ if (null != vulnerability) {
+ vulnerability.setName(advisory);
+ }
+ if (null != dependency) {
+ dependency.getVulnerabilities().add(vulnerability); // needed to wait for vulnerability name to avoid NPE
+ }
+ LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
+ }
+
+ private void addReferenceToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
+ final String url = nextLine.substring(("URL: ").length());
+ if (null != vulnerability) {
+ Reference ref = new Reference();
+ ref.setName(vulnerability.getName());
+ ref.setSource("bundle-audit");
+ ref.setUrl(url);
+ vulnerability.getReferences().add(ref);
+ }
+ LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
+ }
+
+ private void addCriticalityToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
+ if (null != vulnerability) {
+ final String criticality = nextLine.substring(CRITICALITY.length()).trim();
+ if ("High".equals(criticality)) {
+ vulnerability.setCvssScore(8.5f);
+ } else if ("Medium".equals(criticality)) {
+ vulnerability.setCvssScore(5.5f);
+ } else if ("Low".equals(criticality)) {
+ vulnerability.setCvssScore(2.0f);
+ } else {
+ vulnerability.setCvssScore(-1.0f);
+ }
+ }
+ LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
+ }
+
+ private Vulnerability createVulnerability(String parentName, Dependency dependency, Vulnerability vulnerability, String gem, String nextLine) {
+ if (null != dependency) {
+ final String version = nextLine.substring(VERSION.length());
+ dependency.getVersionEvidence().addEvidence(
+ "bundler-audit",
+ "Version",
+ version,
+ Confidence.HIGHEST);
+ vulnerability =
new Vulnerability(); // don't add to dependency until we have name set later
+ vulnerability.setMatchedCPE(
+ String.format("cpe:/a:%1$s_project:%1$s:%2$s::~~~ruby~~", gem, version),
+ null);
+ vulnerability.setCvssAccessVector("-");
+ vulnerability.setCvssAccessComplexity("-");
+ vulnerability.setCvssAuthentication("-");
+ vulnerability.setCvssAvailabilityImpact("-");
+ vulnerability.setCvssConfidentialityImpact("-");
+ vulnerability.setCvssIntegrityImpact("-");
+ }
+ LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
+ return vulnerability;
+ }
+
 private Dependency createDependencyForGem(Engine engine, String parentName, String fileName, String gem) throws IOException {
 final File tempFile = File.createTempFile("Gemfile-" + gem, ".lock", Settings.getTempDirectory());
 final String displayFileName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem);
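Review bot: In `setVulnerabilityName` the null check on `vulnerability` guards only `setName`, so when `dependency` is non-null but `vulnerability` is null (an ADVISORY line with no preceding VERSION line for that gem) the method still runs `dependency.getVulnerabilities().add(vulnerability)` and stores a null entry that any later iteration over that collection can trip on; the guard should read `if (null != dependency && null != vulnerability) {`. The four extracted methods carry no Javadoc while the rest of the class does; each needs a summary sentence plus `@param` lines, and `createVulnerability` should state that it returns the passed-in `vulnerability` unchanged when `dependency` is null, since the caller assigns the result back. The `-1.0f` sentinel in `addCriticalityToVulnerability` deserves a trailing comment such as `// unrecognised criticality string from bundle-audit`, and the `version` substring is not trimmed whereas `criticality` is, which is worth checking against the actual tool output.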