github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Ruby Bundler: Successfully adding vulnerability into report, though all displayed info not looking great.

Browse Source
This commit is contained in:
Dale Visser
2015-08-28 19:56:35 -04:00
parent 95d3d17d83
commit 8853552161
1 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
View File

@@ -22,6 +22,7 @@ import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
@@ -188,12 +189,14 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
final String parentName = original.getActualFile().getParentFile().getName();
final String fileName = original.getFileName();
Dependency dependency = null;
Vulnerability vulnerability= null;
String gem = null;
while (rdr.ready()) {
final String nextLine = rdr.readLine();
if (null == nextLine) {
break;
} else if (nextLine.startsWith(NAME)) {
final String gem = nextLine.substring(NAME.length());
gem = nextLine.substring(NAME.length());
final File tempFile = File.createTempFile("Gemfile-" + gem, ".lock", Settings.getTempDirectory());
final String displayFileName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem);
FileUtils.write(tempFile, displayFileName); // unique contents to avoid dependency bundling
@@ -201,16 +204,27 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
engine.getDependencies().add(dependency);
dependency.setDisplayFileName(displayFileName);
dependency.getProductEvidence().addEvidence("bundler-audit", "Name", gem, Confidence.HIGHEST);
vulnerability = new Vulnerability();
vulnerability.setName(gem);
dependency.getVulnerabilities().add(vulnerability);
LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
} else if (nextLine.startsWith(VERSION)) {
if (null != dependency) {
final String version = nextLine.substring(VERSION.length());
dependency.getVersionEvidence().addEvidence(
"bundler-audit",
"Version",
nextLine.substring(VERSION.length()),
version,
Confidence.HIGHEST);
vulnerability.setMatchedCPE(
String.format("cpe:/a:%1$s_project:%1$s:%2$s::~~~ruby~~", gem, version),
null);
}
LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
} else if (nextLine.startsWith("Advisory: ")){
final String advisory = nextLine.substring(("Advisory: ".length()));
vulnerability.setName(advisory);
LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
}
}
}