From 8c659acc82a9370448683c2b19d02ea71e7edf05 Mon Sep 17 00:00:00 2001
From: bjiang
Date: Wed, 30 Mar 2016 20:20:10 -0400
Subject: [PATCH] new Ruby bundler analyzer
---
 .../analyzer/FileNameAnalyzer.java | 14 ++--
 .../RubyBundleInstallDeploymentAnalyzer.java | 65 +++++++++++++++++++
 .../analyzer/RubyGemspecAnalyzer.java | 4 +-
 .../dependency/Dependency.java | 17 ++++-
 ...rg.owasp.dependencycheck.analyzer.Analyzer | 3 +-
 5 files changed, 92 insertions(+), 11 deletions(-)
 create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleInstallDeploymentAnalyzer.java
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
index b7d23a3e3..cd6944111 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
@@ -106,16 +106,16 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
 }
 //add as vendor and product evidence
- if (fileName.contains("-")) {
- dependency.getProductEvidence().addEvidence("file", "name",
- fileName, Confidence.HIGHEST);
- dependency.getVendorEvidence().addEvidence("file", "name",
- fileName, Confidence.HIGHEST);
- } else if (!IGNORED_FILES.accept(f)) {
+// if (fileName.contains("-")) {
+// dependency.getProductEvidence().addEvidence("file", "name",
+// fileName, Confidence.HIGHEST);
+// dependency.getVendorEvidence().addEvidence("file", "name",
+// fileName, Confidence.HIGHEST);
+// } else if (!IGNORED_FILES.accept(f)) {
 dependency.getProductEvidence().addEvidence("file", "name",
 fileName, Confidence.HIGH);
 dependency.getVendorEvidence().addEvidence("file", "name",
 fileName, Confidence.HIGH);
- }
+// }
 }
 }
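Review bot: The hyphenated-file-name branch is commented out rather than deleted, and the result silently changes behaviour for every analysed file, not just Ruby gems: the file-name evidence that used to be recorded at Confidence.HIGHEST for names containing "-" is now recorded at HIGH, and the `else if (!IGNORED_FILES.accept(f))` guard no longer applies, so files the ignore list was meant to exclude now get evidence too. Because file-name evidence feeds CPE identification for all analyzers, this can shift matches project-wide and is unrelated to the new bundler analyzer in the subject, so it should be reverted here or split into its own commit with a rationale. If the HIGH-only path is really intended, delete the six `//` lines and `// }` instead of leaving dead code, and keep the ignore-list guard. The enclosing method starts outside the hunk.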
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleInstallDeploymentAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleInstallDeploymentAnalyzer.java
new file mode 100644
index 000000000..b7f0262f8
--- /dev/null
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleInstallDeploymentAnalyzer.java
@@ -0,0 +1,65 @@
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.io.FilenameFilter;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+
+public class RubyBundleInstallDeploymentAnalyzer extends RubyGemspecAnalyzer {
+
+ private static final String SPECIFICATIONS = "specifications";
+ private static final String GEMS = "gems";
+
+ /**
+ * The logger.
+ */
+// private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleInstallDeploymentAnalyzer.class);
+
+ /**
+ * Only accept *.gemspec stubs generated by "bundle install --deployment" under "specifications" folder.
+ */
+ @Override
+ public boolean accept(File pathname) {
+
+ boolean accepted = super.accept(pathname);
+ if(accepted == true) {
+ File parentDir = pathname.getParentFile();
+ accepted = parentDir != null && parentDir.exists() && parentDir.getName().equals(SPECIFICATIONS);
+ }
+
+ return accepted;
+ }
+
+ @Override
+ protected void analyzeFileType(Dependency dependency, Engine engine)
+ throws AnalysisException {
+ super.analyzeFileType(dependency, engine);
+
+ //find the corresponding gem folder for this .gemspec stub by "bundle install --deployment"
+ File gemspecFile = dependency.getActualFile();
+ String gemFileName = gemspecFile.getName();
+ final String gemName = gemFileName.substring(0, gemFileName.lastIndexOf(".gemspec"));
+ File specificationsDir = gemspecFile.getParentFile();
+ if(specificationsDir != null && specificationsDir.getName().equals(SPECIFICATIONS) && specificationsDir.exists()) {
+ File parentDir = specificationsDir.getParentFile();
+ if(parentDir != null && parentDir.exists()) {
+ File gemsDir = new File(parentDir, GEMS);
+ if(gemsDir != null && gemsDir.exists()) {
+ File[] matchingFiles = gemsDir.listFiles(new FilenameFilter() {
+ public boolean accept(File dir, String name) {
+ return name.equals(gemName);
+ }
+ });
+
+ if(matchingFiles.length > 0) {
+ String gemPath = matchingFiles[0].getAbsolutePath();
+ if(gemPath != null)
+ dependency.setPackagePath(gemPath);
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
index 4ab52cf52..ac29838d4 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
@@ -134,7 +134,9 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 if (email.isEmpty()) {
 addListEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM);
 }
- addStringEvidence(vendor, contents, blockVariable, "homepage", Confidence.MEDIUM);
+ addStringEvidence(vendor, contents, blockVariable, "homepage", Confidence.HIGHEST);
+ addStringEvidence(vendor, contents, blockVariable, "licenses", Confidence.HIGHEST);
+
 final EvidenceCollection product = dependency.getProductEvidence();
 final String name = addStringEvidence(product, contents, blockVariable, "name", Confidence.HIGHEST);
 if (!name.isEmpty()) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index 1f0b06fdd..d2ca412cd 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
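Review bot: `gemsDir.listFiles(...)` returns null when the directory cannot be listed (I/O error, or a `gems` entry that is not a directory), so `matchingFiles.length` in analyzeFileType can throw a NullPointerException during a scan; at minimum guard it with `if (matchingFiles != null && matchingFiles.length > 0) {`. The filter lookup can be replaced by a direct probe, `final File gemDir = new File(gemsDir, gemName); if (gemDir.exists()) { dependency.setPackagePath(gemDir.getAbsolutePath()); }`, which also removes the always-true `gemsDir != null` and `gemPath != null` checks, since `new File(...)` and `getAbsolutePath()` never yield null. `gemFileName.lastIndexOf(".gemspec")` returns -1 if an accepted file does not end in `.gemspec`; that presumably cannot happen after `super.accept`, but it is worth confirming against RubyGemspecAnalyzer. The class has no Javadoc and carries a commented-out LOGGER declaration that should be deleted or restored, and `if(accepted == true)` should read `if (accepted)`; the anonymous FilenameFilter's `accept` is also missing `@Override`.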
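Review bot: Recording `licenses` as vendor evidence at Confidence.HIGHEST (and promoting `homepage` from MEDIUM to HIGHEST) looks wrong: a license string says how a gem is licensed, not who publishes it, so a HIGHEST-confidence vendor token that is not a vendor name is likely to produce false CPE matches for every gem that declares a common license. If the license is wanted as evidence at all it belongs at low confidence, `addStringEvidence(vendor, contents, blockVariable, "licenses", Confidence.LOW);`, and the homepage promotion needs its own justification since a homepage is at most medium-strength vendor evidence. Neither change is mentioned in the commit subject. The enclosing method starts and ends outside the hunk.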
@@ -72,7 +72,17 @@ public class Dependency implements Serializable, Comparable {
 * The file name of the dependency.
 */
 private String fileName;
- /**
+
+ private String packagePath;
+ public String getPackagePath() {
+ return packagePath;
+ }
+
+ public void setPackagePath(String packagePath) {
+ this.packagePath = packagePath;
+ }
+
+ /**
 * The md5 hash of the dependency.
 */
 private String md5sum;
@@ -120,6 +130,7 @@ public class Dependency implements Serializable, Comparable {
 this.actualFilePath = file.getAbsolutePath();
 this.filePath = this.actualFilePath;
 this.fileName = file.getName();
+ this.packagePath = filePath;
 determineHashes(file);
 }
@@ -188,6 +199,9 @@ public class Dependency implements Serializable, Comparable {
 * @param filePath the file path of the dependency
 */
 public void setFilePath(String filePath) {
+ if(this.packagePath == null || this.packagePath.equals(this.filePath))
+ this.packagePath = filePath;
+
 this.filePath = filePath;
 }
@@ -719,6 +733,7 @@ public class Dependency implements Serializable, Comparable {
 .append(this.actualFilePath, other.actualFilePath)
 .append(this.filePath, other.filePath)
 .append(this.fileName, other.fileName)
+ .append(this.packagePath, other.packagePath)
 .append(this.md5sum, other.md5sum)
 .append(this.sha1sum, other.sha1sum)
 .append(this.identifiers, other.identifiers)
diff --git a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
index 43d67c5fe..dfeb03340 100644
--- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
+++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
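Review bot: The new `packagePath` field, getter and setter have no Javadoc even though every neighbouring member of Dependency is documented, and they are inserted between `fileName` and the `/** The md5 hash ... */` comment, splitting the field declarations; move the accessors next to `setFilePath` and document the field, e.g. `/** The path of the package this dependency was resolved from (the gem directory for a bundler stub); defaults to the file path until set explicitly. */`. In the `setFilePath` hunk the guarded assignment is unbraced and its rule is not obvious from the code, so write it as `if (this.packagePath == null || this.packagePath.equals(this.filePath)) { this.packagePath = filePath; // follow filePath until packagePath is set explicitly }`. The last hunk adds `packagePath` to `equals`, but the diffstat shows no matching change to `hashCode`, so check whether it should be included there for consistency; and because Dependency is Serializable, a new field changes the serialized form, so confirm whether the class declares a serialVersionUID that needs bumping.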
@@ -18,6 +18,5 @@ org.owasp.dependencycheck.analyzer.AutoconfAnalyzer
 org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
 org.owasp.dependencycheck.analyzer.CMakeAnalyzer
 org.owasp.dependencycheck.analyzer.NodePackageAnalyzer
-org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer
-org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer
+org.owasp.dependencycheck.analyzer.RubyBundleInstallDeploymentAnalyzer
 org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer
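Review bot: This hunk deregisters RubyBundleAuditAnalyzer as well as RubyGemspecAnalyzer, which the subject does not mention; RubyBundleAuditAnalyzer is presumably the bundle-audit advisory check, so removing it from the ServiceLoader registry silently disables that detection path for every Ruby project. Dropping RubyGemspecAnalyzer also means `.gemspec` files that are not under a `specifications/` directory are no longer analysed at all, because the new subclass's `accept` only admits stubs whose parent directory is named `specifications`. Unless both removals are intended, restore `org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer` and keep `org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer` registered alongside the new entry; in that case the subclass should override the analyzer name, which it presumably inherits from RubyGemspecAnalyzer at present, so the two are distinguishable in reports.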