new Ruby bundler analyzer

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -106,16 +106,16 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
         }
 
         //add as vendor and product evidence
-        if (fileName.contains("-")) {
+//        if (fileName.contains("-")) {
-            dependency.getProductEvidence().addEvidence("file", "name",
+//            dependency.getProductEvidence().addEvidence("file", "name",
-                    fileName, Confidence.HIGHEST);
+//                    fileName, Confidence.HIGHEST);
-            dependency.getVendorEvidence().addEvidence("file", "name",
+//            dependency.getVendorEvidence().addEvidence("file", "name",
-                    fileName, Confidence.HIGHEST);
+//                    fileName, Confidence.HIGHEST);
-        } else if (!IGNORED_FILES.accept(f)) {
+//        } else if (!IGNORED_FILES.accept(f)) {
             dependency.getProductEvidence().addEvidence("file", "name",
                     fileName, Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("file", "name",
                     fileName, Confidence.HIGH);
-        }
+//        }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleInstallDeploymentAnalyzer.java

@@ -0,0 +1,65 @@
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.io.FilenameFilter;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+
+public class RubyBundleInstallDeploymentAnalyzer extends RubyGemspecAnalyzer {
+	
+	private static final String SPECIFICATIONS = "specifications";
+	private static final String GEMS = "gems";
+
+    /**
+     * The logger.
+     */
+//    private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleInstallDeploymentAnalyzer.class);
+    
+    /**
+     * Only accept *.gemspec stubs generated by "bundle install --deployment" under "specifications" folder.
+     */
+	@Override
+    public boolean accept(File pathname) {
+		
+        boolean accepted = super.accept(pathname);
+        if(accepted == true) {
+	        File parentDir = pathname.getParentFile();
+	        accepted = parentDir != null && parentDir.exists() && parentDir.getName().equals(SPECIFICATIONS);
+        }
+        
+        return accepted;
+    }
+	
+	@Override
+    protected void analyzeFileType(Dependency dependency, Engine engine)
+            throws AnalysisException {
+        super.analyzeFileType(dependency, engine);
+        
+        //find the corresponding gem folder for this .gemspec stub by "bundle install --deployment"
+        File gemspecFile = dependency.getActualFile();
+        String gemFileName = gemspecFile.getName();
+        final String gemName = gemFileName.substring(0, gemFileName.lastIndexOf(".gemspec"));
+        File specificationsDir = gemspecFile.getParentFile();
+    	if(specificationsDir != null && specificationsDir.getName().equals(SPECIFICATIONS) && specificationsDir.exists()) {
+    		File parentDir = specificationsDir.getParentFile();
+    		if(parentDir != null && parentDir.exists()) {
+    			File gemsDir = new File(parentDir, GEMS);
+    			if(gemsDir != null && gemsDir.exists()) {
+		    		File[] matchingFiles = gemsDir.listFiles(new FilenameFilter() {
+		    		    public boolean accept(File dir, String name) {
+		    		        return name.equals(gemName);
+		    		    }
+		    		});
+		    		
+		    		if(matchingFiles.length > 0) {
+		    			String gemPath = matchingFiles[0].getAbsolutePath();
+		    			if(gemPath != null)
+		    				dependency.setPackagePath(gemPath);
+		    		}
+    			}
+    		}
+    	}
+	}
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java

@@ -134,7 +134,9 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
             if (email.isEmpty()) {
                 addListEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM);
             }
-            addStringEvidence(vendor, contents, blockVariable, "homepage", Confidence.MEDIUM);
+            addStringEvidence(vendor, contents, blockVariable, "homepage", Confidence.HIGHEST);
+            addStringEvidence(vendor, contents, blockVariable, "licenses", Confidence.HIGHEST);
+            
             final EvidenceCollection product = dependency.getProductEvidence();
             final String name = addStringEvidence(product, contents, blockVariable, "name", Confidence.HIGHEST);
             if (!name.isEmpty()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -72,7 +72,17 @@ public class Dependency implements Serializable, Comparable<Dependency> {
      * The file name of the dependency.
      */
     private String fileName;
-    /**
+    
+    private String packagePath;
+    public String getPackagePath() {
+		return packagePath;
+	}
+
+	public void setPackagePath(String packagePath) {
+		this.packagePath = packagePath;
+	}
+
+	/**
      * The md5 hash of the dependency.
      */
     private String md5sum;
@@ -120,6 +130,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.actualFilePath = file.getAbsolutePath();
         this.filePath = this.actualFilePath;
         this.fileName = file.getName();
+        this.packagePath = filePath;
         determineHashes(file);
     }
 
@@ -188,6 +199,9 @@ public class Dependency implements Serializable, Comparable<Dependency> {
      * @param filePath the file path of the dependency
      */
     public void setFilePath(String filePath) {
+    	if(this.packagePath == null || this.packagePath.equals(this.filePath))
+    		this.packagePath = filePath;
+    	
         this.filePath = filePath;
     }
 
@@ -719,6 +733,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
                 .append(this.actualFilePath, other.actualFilePath)
                 .append(this.filePath, other.filePath)
                 .append(this.fileName, other.fileName)
+                .append(this.packagePath, other.packagePath)
                 .append(this.md5sum, other.md5sum)
                 .append(this.sha1sum, other.sha1sum)
                 .append(this.identifiers, other.identifiers)

dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer

@@ -18,6 +18,5 @@ org.owasp.dependencycheck.analyzer.AutoconfAnalyzer
 org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
 org.owasp.dependencycheck.analyzer.CMakeAnalyzer
 org.owasp.dependencycheck.analyzer.NodePackageAnalyzer
-org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer
+org.owasp.dependencycheck.analyzer.RubyBundleInstallDeploymentAnalyzer
-org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer
 org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer