diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index a44b7f5f5..f9c180446 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -657,6 +657,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 final String source = "Manifest";
+ String specificationVersion = null;
+ boolean hasImplementationVersion = false;
+
 for (Entry entry : atts.entrySet()) {
 String key = entry.getKey().toString();
 String value = atts.getValue(key);
@@ -670,8 +673,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 productEvidence.addEvidence(source, key, value, Confidence.HIGH);
 addMatchingValues(classInformation, value, productEvidence);
 } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
+ hasImplementationVersion = true;
 foundSomething = true;
 versionEvidence.addEvidence(source, key, value, Confidence.HIGH);
+ } else if ("specification-version".equalsIgnoreCase(key)) {
+ specificationVersion = key;
 } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
 foundSomething = true;
 vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
@@ -724,9 +730,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 foundSomething = true;
 if (key.contains("version")) {
- if (key.contains("specification")) {
- versionEvidence.addEvidence(source, key, value, Confidence.LOW);
- } else {
+ if (!key.contains("specification")) {
+ //versionEvidence.addEvidence(source, key, value, Confidence.LOW);
+ //} else {
 versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
 }
 } else if ("build-id".equals(key)) {
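Review bot: The new `"specification-version"` branch in the hunk at -670 stores the attribute name rather than its value: `specificationVersion = key;` assigns the manifest key, so the evidence added at the end of the method (hunk at -778) would carry the literal attribute name as the version string. It should read `specificationVersion = value;`. The branch also deliberately bypasses the generic `key.contains("version")` path below without touching `foundSomething`, which looks intended given the deferred add, but a one-line comment saying so would help, e.g. `// deferred: only used as a version if no Implementation-Version is present`. The enclosing for loop continues outside this hunk.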
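Review bot: The hunk at -724 keeps commented-out code inside the inverted condition — `//versionEvidence.addEvidence(source, key, value, Confidence.LOW);` and `//} else {` — which should be deleted, since version control already holds the old branch and the dangling `//} else {` misleads a reader about the brace structure. Note that with `if (!key.contains("specification"))` and no else, any key containing both "specification" and "version" other than the exact `specification-version` caught earlier now yields no evidence at all, where it previously yielded LOW evidence; confirm that loss is intended rather than an oversight. A short comment such as `// specification versions are collected separately and only used when no implementation version exists` would make the intent clear. The enclosing else branch starts before this hunk.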
@@ -778,6 +784,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 }
 }
 }
+ if (specificationVersion != null && !hasImplementationVersion) {
+ foundSomething = true;
+ versionEvidence.addEvidence(source, "specificationn-version", specificationVersion, Confidence.HIGH);
+ }
 } finally {
 if (jar != null) {
 jar.close();
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
index 2214c4d3b..3625537a3 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
@@ -96,7 +96,7 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
 callDetermineCPE_full("hazelcast-2.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
 callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:vmware:springsource_spring_framework:2.5.5", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
 callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
- callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+ callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
 callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
 callDetermineCPE_full("ehcache-core-2.2.0.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
 } finally {
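Review bot: The evidence name `"specificationn-version"` in the block added at -778 is misspelled (double n), so the recorded evidence key will not match the attribute it came from; use `Attributes.Name.SPECIFICATION_VERSION.toString()`, as the surrounding code already does for the implementation attributes, or the literal `"specification-version"`. It is also worth documenting that a jar's Specification-Version frequently names the API level it implements rather than the artifact's own release, so recording it at `Confidence.HIGH` whenever Implementation-Version is absent can steer CPE matching toward the wrong version; a comment such as `// fallback only: Specification-Version may be an API level, not the artifact version` would record that trade-off, and a lower confidence may be the safer default. The enclosing try block starts before this hunk.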