From 847bed2fa062dc30c89700a1f7e94d26c5c75ed3 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 22 Jan 2017 07:42:11 -0500 Subject: [PATCH] added manifest implementation-version --- .../analyzer/VersionFilterAnalyzer.java | 61 ++++++++-- .../analyzer/VersionFilterAnalyzerTest.java | 108 +++++++++++++++++- 2 files changed, 157 insertions(+), 12 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java index adbf4cc7b..7098149f1 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java @@ -18,6 +18,7 @@ package org.owasp.dependencycheck.analyzer; import java.util.Iterator; +import java.util.Objects; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Dependency; @@ -38,7 +39,36 @@ import org.slf4j.LoggerFactory; */ public class VersionFilterAnalyzer extends AbstractAnalyzer { - // + // + /** + * Evidence source. + */ + private static final String FILE = "file"; + /** + * Evidence source. + */ + private static final String POM = "pom"; + /** + * Evidence source. + */ + private static final String NEXUS = "nexus"; + /** + * Evidence source. + */ + private static final String CENTRAL = "central"; + /** + * Evidence source. + */ + private static final String MANIFEST = "Manifest"; + /** + * Evidence name. + */ + private static final String VERSION = "version"; + /** + * Evidence name. + */ + private static final String IMPLEMENTATION_VERSION = "Implementation-Version"; + /** * The name of the analyzer. */ @@ -48,6 +78,8 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer { */ private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION; + // + // /** * Returns the name of the analyzer. * @@ -97,29 +129,36 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { String fileVersion = null; String pomVersion = null; + String manifestVersion = null; for (Evidence e : dependency.getVersionEvidence()) { - if ("file".equals(e.getSource()) && "version".equals(e.getName())) { + if (FILE.equals(e.getSource()) && VERSION.equals(e.getName())) { fileVersion = e.getValue(Boolean.FALSE); - } else if (("nexus".equals(e.getSource()) || "central".equals(e.getSource()) - || "pom".equals(e.getSource())) && "version".equals(e.getName())) { + } else if ((NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) + || POM.equals(e.getSource())) && VERSION.equals(e.getName())) { pomVersion = e.getValue(Boolean.FALSE); + } else if (MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName())) { + manifestVersion = e.getValue(Boolean.FALSE); } } - if (fileVersion != null && pomVersion != null) { + //ensure we have at least two not null + if (((fileVersion == null ? 0 : 1) + (pomVersion == null ? 0 : 1) + (manifestVersion == null ? 0 : 1)) > 1) { final DependencyVersion dvFile = new DependencyVersion(fileVersion); final DependencyVersion dvPom = new DependencyVersion(pomVersion); - if (dvPom.equals(dvFile)) { + final DependencyVersion dvManifest = new DependencyVersion(manifestVersion); + final boolean fileMatch = Objects.equals(dvFile, dvPom) || Objects.equals(dvFile, dvManifest); + final boolean manifestMatch = Objects.equals(dvManifest, dvPom) || Objects.equals(dvManifest, dvFile); + final boolean pomMatch = Objects.equals(dvPom, dvFile) || Objects.equals(dvPom, dvManifest); + if (fileMatch || manifestMatch || pomMatch) { LOGGER.debug("filtering evidence from {}", dependency.getFileName()); final EvidenceCollection versionEvidence = dependency.getVersionEvidence(); synchronized (versionEvidence) { final Iterator itr = versionEvidence.iterator(); while (itr.hasNext()) { final Evidence e = itr.next(); - if (!("version".equals(e.getName()) - && ("file".equals(e.getSource()) - || "nexus".equals(e.getSource()) - || "central".equals(e.getSource()) - || "pom".equals(e.getSource())))) { + if (!(pomMatch && VERSION.equals(e.getName()) + && (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource()))) + && !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource())) + && !(manifestMatch && MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName()))) { itr.remove(); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java index 389b03446..f92ea8809 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java @@ -75,7 +75,48 @@ public class VersionFilterAnalyzerTest extends BaseTest { versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST); versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST); - versions.addEvidence("manifest", "implementation-version", "1.2.3", Confidence.HIGHEST); + versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST); + + VersionFilterAnalyzer instance = new VersionFilterAnalyzer(); + + instance.analyzeDependency(dependency, null); + assertEquals(3, versions.size()); + + versions.addEvidence("pom", "version", "1.2.3", Confidence.HIGHEST); + + instance.analyzeDependency(dependency, null); + assertEquals(4, versions.size()); + + versions.addEvidence("file", "version", "1.2.3", Confidence.HIGHEST); + instance.analyzeDependency(dependency, null); + assertEquals(2, versions.size()); + + versions.addEvidence("Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST); + instance.analyzeDependency(dependency, null); + assertEquals(3, versions.size()); + + versions.addEvidence("nexus", "version", "1.2.3", Confidence.HIGHEST); + versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST); + instance.analyzeDependency(dependency, null); + assertEquals(4, versions.size()); + + versions.addEvidence("central", "version", "1.2.3", Confidence.HIGHEST); + versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST); + instance.analyzeDependency(dependency, null); + assertEquals(5, versions.size()); + } + + /** + * Test of analyzeDependency method, of class VersionFilterAnalyzer. + */ + @Test + public void testAnalyzeDependencyFilePom() throws Exception { + Dependency dependency = new Dependency(); + EvidenceCollection versions = dependency.getVersionEvidence(); + + versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST); + versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST); + versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST); VersionFilterAnalyzer instance = new VersionFilterAnalyzer(); @@ -101,4 +142,69 @@ public class VersionFilterAnalyzerTest extends BaseTest { instance.analyzeDependency(dependency, null); assertEquals(4, versions.size()); } + + /** + * Test of analyzeDependency method, of class VersionFilterAnalyzer. + */ + @Test + public void testAnalyzeDependencyFileManifest() throws Exception { + Dependency dependency = new Dependency(); + EvidenceCollection versions = dependency.getVersionEvidence(); + + versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST); + versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST); + versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST); + + VersionFilterAnalyzer instance = new VersionFilterAnalyzer(); + + instance.analyzeDependency(dependency, null); + assertEquals(3, versions.size()); + + versions.addEvidence("Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST); + + instance.analyzeDependency(dependency, null); + assertEquals(4, versions.size()); + + versions.addEvidence("file", "version", "1.2.3", Confidence.HIGHEST); + instance.analyzeDependency(dependency, null); + assertEquals(2, versions.size()); + } + + /** + * Test of analyzeDependency method, of class VersionFilterAnalyzer. + */ + @Test + public void testAnalyzeDependencyPomManifest() throws Exception { + Dependency dependency = new Dependency(); + EvidenceCollection versions = dependency.getVersionEvidence(); + + versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST); + versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST); + versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST); + + VersionFilterAnalyzer instance = new VersionFilterAnalyzer(); + + instance.analyzeDependency(dependency, null); + assertEquals(3, versions.size()); + + versions.addEvidence("pom", "version", "1.2.3", Confidence.HIGHEST); + + instance.analyzeDependency(dependency, null); + assertEquals(4, versions.size()); + + versions.addEvidence("Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST); + instance.analyzeDependency(dependency, null); + assertEquals(2, versions.size()); + + versions.addEvidence("nexus", "version", "1.2.3", Confidence.HIGHEST); + versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST); + instance.analyzeDependency(dependency, null); + assertEquals(3, versions.size()); + + versions.addEvidence("central", "version", "1.2.3", Confidence.HIGHEST); + versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST); + instance.analyzeDependency(dependency, null); + assertEquals(4, versions.size()); + } + }