changed how specification version is handled to resolve 262

Former-commit-id: c902d0683bec70a8254c7110e14b14bf0f3ad54a
2026-05-01 20:54:44 +02:00 · 2015-06-28 07:08:36 -04:00
parent d76799cfd0
commit 890bb4a2c3
2 changed files with 14 additions and 4 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -657,6 +657,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {

            final String source = "Manifest";

+            String specificationVersion = null;
+            boolean hasImplementationVersion = false;
+
            for (Entry<Object, Object> entry : atts.entrySet()) {
                String key = entry.getKey().toString();
                String value = atts.getValue(key);
@@ -670,8 +673,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                    productEvidence.addEvidence(source, key, value, Confidence.HIGH);
                    addMatchingValues(classInformation, value, productEvidence);
                } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
+                    hasImplementationVersion = true;
                    foundSomething = true;
                    versionEvidence.addEvidence(source, key, value, Confidence.HIGH);
+                } else if ("specification-version".equalsIgnoreCase(key)) {
+                    specificationVersion = key;
                } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
                    foundSomething = true;
                    vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
@@ -724,9 +730,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {

                        foundSomething = true;
                        if (key.contains("version")) {
-                            if (key.contains("specification")) {
-                                versionEvidence.addEvidence(source, key, value, Confidence.LOW);
-                            } else {
+                            if (!key.contains("specification")) {
+                                //versionEvidence.addEvidence(source, key, value, Confidence.LOW);
+                                //} else {
                                versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                            }
                        } else if ("build-id".equals(key)) {
@@ -778,6 +784,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                    }
                }
            }
+            if (specificationVersion != null && !hasImplementationVersion) {
+                foundSomething = true;
+                versionEvidence.addEvidence(source, "specificationn-version", specificationVersion, Confidence.HIGH);
+            }
        } finally {
            if (jar != null) {
                jar.close();