new Ruby bundler analyzer

2026-01-14 15:53:36 +01:00 · 2016-03-30 20:20:10 -04:00
parent 7aba2429af
commit 8c659acc82
5 changed files with 92 additions and 11 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
@@ -106,16 +106,16 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
        }

        //add as vendor and product evidence
-        if (fileName.contains("-")) {
-            dependency.getProductEvidence().addEvidence("file", "name",
-                    fileName, Confidence.HIGHEST);
-            dependency.getVendorEvidence().addEvidence("file", "name",
-                    fileName, Confidence.HIGHEST);
-        } else if (!IGNORED_FILES.accept(f)) {
+//        if (fileName.contains("-")) {
+//            dependency.getProductEvidence().addEvidence("file", "name",
+//                    fileName, Confidence.HIGHEST);
+//            dependency.getVendorEvidence().addEvidence("file", "name",
+//                    fileName, Confidence.HIGHEST);
+//        } else if (!IGNORED_FILES.accept(f)) {
            dependency.getProductEvidence().addEvidence("file", "name",
                    fileName, Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("file", "name",
                    fileName, Confidence.HIGH);
-        }
+//        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleInstallDeploymentAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleInstallDeploymentAnalyzer.java
@@ -0,0 +1,65 @@
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.io.FilenameFilter;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+
+public class RubyBundleInstallDeploymentAnalyzer extends RubyGemspecAnalyzer {
+	
+	private static final String SPECIFICATIONS = "specifications";
+	private static final String GEMS = "gems";
+
+    /**
+     * The logger.
+     */
+//    private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleInstallDeploymentAnalyzer.class);
+    
+    /**
+     * Only accept *.gemspec stubs generated by "bundle install --deployment" under "specifications" folder.
+     */
+	@Override
+    public boolean accept(File pathname) {
+		
+        boolean accepted = super.accept(pathname);
+        if(accepted == true) {
+	        File parentDir = pathname.getParentFile();
+	        accepted = parentDir != null && parentDir.exists() && parentDir.getName().equals(SPECIFICATIONS);
+        }
+        
+        return accepted;
+    }
+	
+	@Override
+    protected void analyzeFileType(Dependency dependency, Engine engine)
+            throws AnalysisException {
+        super.analyzeFileType(dependency, engine);
+        
+        //find the corresponding gem folder for this .gemspec stub by "bundle install --deployment"
+        File gemspecFile = dependency.getActualFile();
+        String gemFileName = gemspecFile.getName();
+        final String gemName = gemFileName.substring(0, gemFileName.lastIndexOf(".gemspec"));
+        File specificationsDir = gemspecFile.getParentFile();
+    	if(specificationsDir != null && specificationsDir.getName().equals(SPECIFICATIONS) && specificationsDir.exists()) {
+    		File parentDir = specificationsDir.getParentFile();
+    		if(parentDir != null && parentDir.exists()) {
+    			File gemsDir = new File(parentDir, GEMS);
+    			if(gemsDir != null && gemsDir.exists()) {
+		    		File[] matchingFiles = gemsDir.listFiles(new FilenameFilter() {
+		    		    public boolean accept(File dir, String name) {
+		    		        return name.equals(gemName);
+		    		    }
+		    		});
+		    		
+		    		if(matchingFiles.length > 0) {
+		    			String gemPath = matchingFiles[0].getAbsolutePath();
+		    			if(gemPath != null)
+		    				dependency.setPackagePath(gemPath);
+		    		}
+    			}
+    		}
+    	}
+	}
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
@@ -134,7 +134,9 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
            if (email.isEmpty()) {
                addListEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM);
            }
-            addStringEvidence(vendor, contents, blockVariable, "homepage", Confidence.MEDIUM);
+            addStringEvidence(vendor, contents, blockVariable, "homepage", Confidence.HIGHEST);
+            addStringEvidence(vendor, contents, blockVariable, "licenses", Confidence.HIGHEST);
+            
            final EvidenceCollection product = dependency.getProductEvidence();
            final String name = addStringEvidence(product, contents, blockVariable, "name", Confidence.HIGHEST);
            if (!name.isEmpty()) {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -72,7 +72,17 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     * The file name of the dependency.
     */
    private String fileName;
-    /**
+    
+    private String packagePath;
+    public String getPackagePath() {
+		return packagePath;
+	}
+
+	public void setPackagePath(String packagePath) {
+		this.packagePath = packagePath;
+	}
+
+	/**
     * The md5 hash of the dependency.
     */
    private String md5sum;
@@ -120,6 +130,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
        this.actualFilePath = file.getAbsolutePath();
        this.filePath = this.actualFilePath;
        this.fileName = file.getName();
+        this.packagePath = filePath;
        determineHashes(file);
    }

@@ -188,6 +199,9 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     * @param filePath the file path of the dependency
     */
    public void setFilePath(String filePath) {
+    	if(this.packagePath == null || this.packagePath.equals(this.filePath))
+    		this.packagePath = filePath;
+    	
        this.filePath = filePath;
    }

@@ -719,6 +733,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
                .append(this.actualFilePath, other.actualFilePath)
                .append(this.filePath, other.filePath)
                .append(this.fileName, other.fileName)
+                .append(this.packagePath, other.packagePath)
                .append(this.md5sum, other.md5sum)
                .append(this.sha1sum, other.sha1sum)
                .append(this.identifiers, other.identifiers)
--- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
+++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
@@ -18,6 +18,5 @@ org.owasp.dependencycheck.analyzer.AutoconfAnalyzer
 org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
 org.owasp.dependencycheck.analyzer.CMakeAnalyzer
 org.owasp.dependencycheck.analyzer.NodePackageAnalyzer
-org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer
-org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer
+org.owasp.dependencycheck.analyzer.RubyBundleInstallDeploymentAnalyzer
 org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer