Ruby Bundler: Disable Gemspec analysis if successful init. Moved to new analysis phase after init, before info collection.

2026-01-14 15:53:36 +01:00 · 2015-09-15 12:27:26 -04:00
parent 0c60c9ff75
commit 877a584a26
2 changed files with 26 additions and 1 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java
@@ -28,6 +28,10 @@ public enum AnalysisPhase {
     * Initialization phase.
     */
    INITIAL,
+    /**
+     * Pre information collection phase
+     */
+    PRE_INFORMATION_COLLECTION,
    /**
     * Information collection phase.
     */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -49,7 +49,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * The phase that this analyzer is intended to run in.
     */
-    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;

    private static final FileFilter FILTER =
            FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
@@ -165,9 +165,30 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
        return Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED;
    }

+    /**
+     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will
+     * be necessary to disable {@link RubyGemspecAnalyzer}.
+     */
+    private boolean needToDisableGemspecAnalyzer = true;
+
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
+        if (needToDisableGemspecAnalyzer) {
+            boolean failed = true;
+            final String className = RubyGemspecAnalyzer.class.getName();
+            for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
+                if (analyzer instanceof RubyGemspecAnalyzer) {
+                    ((RubyGemspecAnalyzer) analyzer).setEnabled(false);
+                    LOGGER.info("Disabled " + className + " to avoid noisy duplicate results.");
+                    failed = false;
+                }
+            }
+            if (failed) {
+                LOGGER.warn("Did not find" + className + '.');
+            }
+            needToDisableGemspecAnalyzer = false;
+        }
        final File parentFile = dependency.getActualFile().getParentFile();
        final Process process = launchBundleAudit(parentFile);
        try {