patch for issue #155

Former-commit-id: 57b144d94354c48c9bebabae2cc3d0c120fd2138

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -502,7 +502,7 @@ public class CPEAnalyzer implements Analyzer {
      * @return <code>true</code> if an identifier was added to the dependency; otherwise <code>false</code>
      * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
      */
-    private boolean determineIdentifiers(Dependency dependency, String vendor, String product,
+    protected boolean determineIdentifiers(Dependency dependency, String vendor, String product,
             Confidence currentConfidence) throws UnsupportedEncodingException {
         final Set<VulnerableSoftware> cpes = cve.getCPEs(vendor, product);
         DependencyVersion bestGuess = new DependencyVersion("-");

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -400,7 +400,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * @return <code>true</code> if the leftPath is the shortest; otherwise <code>false</code>
      */
     protected boolean firstPathIsShortest(String left, String right) {
-        final String leftPath = right.replace('\\', '/');
+        final String leftPath = left.replace('\\', '/');
         final String rightPath = right.replace('\\', '/');
 
         final int leftCount = countChar(leftPath, '/');

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java

@@ -65,7 +65,7 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion
     public final void parseVersion(String version) {
         versionParts = new ArrayList<String>();
         if (version != null) {
-            final Pattern rx = Pattern.compile("(\\d+|[a-z]+\\d+|(release|beta|alpha)$)");
+            final Pattern rx = Pattern.compile("(\\d+[a-z]{1,3}$|[a-z]+\\d+|\\d+|(release|beta|alpha)$)");
             final Matcher matcher = rx.matcher(version.toLowerCase());
             while (matcher.find()) {
                 versionParts.add(matcher.group());

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java

@@ -32,7 +32,7 @@ public final class DependencyVersionUtil {
     /**
      * Regular expression to extract version numbers from file names.
      */
-    private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d{1,6})+(\\.?([_-](release|beta|alpha)|[a-zA-Z_-]{1,3}\\d{1,8}))?");
+    private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d{1,6})+(\\.?([_-](release|beta|alpha|\\d+)|[a-zA-Z_-]{1,3}\\d{0,8}))?");
     /**
      * Regular expression to extract a single version number without periods. This is a last ditch effort just to check
      * in case we are missing a version number using the previous regex.

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java

@@ -25,9 +25,11 @@ import java.util.Set;
 import org.apache.lucene.index.CorruptIndexException;
 import org.apache.lucene.queryparser.classic.ParseException;
 import org.junit.Assert;
+import static org.junit.Assert.assertTrue;
 import org.junit.Test;
 import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
+import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 
@@ -183,6 +185,30 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
         //Assert.assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring));
     }
 
+    /**
+     * Test of determineIdentifiers method, of class CPEAnalyzer.
+     *
+     * @throws Exception is thrown when an exception occurs
+     */
+    @Test
+    public void testDetermineIdentifiers() throws Exception {
+        Dependency openssl = new Dependency();
+        openssl.getVendorEvidence().addEvidence("test", "vendor", "openssl", Confidence.HIGHEST);
+        openssl.getProductEvidence().addEvidence("test", "product", "openssl", Confidence.HIGHEST);
+        openssl.getVersionEvidence().addEvidence("test", "version", "1.0.1c", Confidence.HIGHEST);
+
+        CPEAnalyzer instance = new CPEAnalyzer();
+        instance.open();
+        instance.determineIdentifiers(openssl, "openssl", "openssl", Confidence.HIGHEST);
+        instance.close();
+
+        String expResult = "cpe:/a:openssl:openssl:1.0.1c";
+        Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
+
+        assertTrue(openssl.getIdentifiers().contains(expIdentifier));
+
+    }
+
     /**
      * Test of searchCPE method, of class CPEAnalyzer.
      *
@@ -193,12 +219,12 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
         String vendor = "apache software foundation";
         String product = "struts 2 core";
         String version = "2.1.2";
-        String expResult = "cpe:/a:apache:struts:2.1.2";
+        String expVendor = "apache";
+        String expProduct = "struts";
 
         CPEAnalyzer instance = new CPEAnalyzer();
         instance.open();
 
-        //TODO - yeah, not a very good test as the results are the same with or without weighting...
         Set<String> productWeightings = new HashSet<String>(1);
         productWeightings.add("struts2");
 
@@ -206,9 +232,16 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
         vendorWeightings.add("apache");
 
         List<IndexEntry> result = instance.searchCPE(vendor, product, productWeightings, vendorWeightings);
-        //TODO fix this assert
-        //Assert.assertEquals(expResult, result.get(0).getName());
-
         instance.close();
+
+        boolean found = false;
+        for (IndexEntry entry : result) {
+            if (expVendor.equals(entry.getVendor()) && expProduct.equals(entry.getProduct())) {
+                found = true;
+                break;
+            }
+        }
+        assertTrue("apache:struts was not identified", found);
+
     }
 }

dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java

@@ -54,13 +54,13 @@ public class DependencyVersionUtilTest {
      * Test of parseVersion method, of class DependencyVersionUtil.
      */
     @Test
-    public void testParseVersionFromFileName() {
+    public void testParseVersion() {
         final String[] fileName = {"something-0.9.5.jar", "lib2-1.1.jar", "lib1.5r4-someflag-R26.jar",
             "lib-1.2.5-dev-20050313.jar", "testlib_V4.4.0.jar", "lib-core-2.0.0-RC1-SNAPSHOT.jar",
             "lib-jsp-2.0.1_R114940.jar", "dev-api-2.3.11_R121413.jar", "lib-api-3.7-SNAPSHOT.jar",
-            "-", "", "1.3-beta", "6"};
+            "-", "", "1.3-beta", "6", "openssl1.0.1c", "jsf-impl-2.2.8-02.jar"};
         final String[] expResult = {"0.9.5", "1.1", "1.5.r4", "1.2.5", "4.4.0", "2.0.0.rc1",
-            "2.0.1.r114940", "2.3.11.r121413", "3.7", "-", null, "1.3.beta", "6"};
+            "2.0.1.r114940", "2.3.11.r121413", "3.7", "-", null, "1.3.beta", "6", "1.0.1c", "2.2.8.02"};
 
         for (int i = 0; i < fileName.length; i++) {
             final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName[i]);