diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
index 0b0c7e0a3..701d77aa1 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -30,7 +30,6 @@ import org.owasp.dependencycheck.data.update.UpdateService;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.exception.NoDataException;
-import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
@@ -38,12 +37,7 @@ import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.io.FileFilter;
-import java.util.ArrayList;
-import java.util.EnumMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Set;
+import java.util.*;
 
 /**
  * Scans files, directories, etc. for Dependencies. Analyzers are loaded and used to process the files found by the scan, if a
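Review bot: Replacing six explicit `java.util` imports with `import java.util.*;` is a step backwards in a file that otherwise lists imports one per line: a wildcard hides which collection types Engine depends on and can change resolution later if a same-named type (for example `List`) becomes importable from another package. Keep the explicit imports this hunk deletes, dropping only those that are genuinely unused now; the removal of `FileUtils` in the first hunk is fine, since `scanFile` no longer calls it. The same comment applies to the `org.owasp.dependencycheck.utils.*` wildcard introduced in PythonDistributionAnalyzer further down.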
@@ -308,22 +302,14 @@ public class Engine implements FileFilter {
      * @return the scanned dependency
      */
     protected Dependency scanFile(File file) {
-        if (!file.isFile()) {
-            LOGGER.debug("Path passed to scanFile(File) is not a file: {}. Skipping the file.", file);
-            return null;
-        }
-        final String fileName = file.getName();
-        String extension = FileUtils.getFileExtension(fileName);
-        if (null == extension) {
-            extension = fileName;
-        }
         Dependency dependency = null;
-        if (accept(file)) {
-            dependency = new Dependency(file);
-            if (extension.equals(fileName)) {
-                dependency.setFileExtension(extension);
+        if (file.isFile()) {
+            if (accept(file)) {
+                dependency = new Dependency(file);
+                dependencies.add(dependency);
             }
-            dependencies.add(dependency);
+        } else {
+            LOGGER.debug("Path passed to scanFile(File) is not a file: {}. Skipping the file.", file);
         }
         return dependency;
     }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index 1c65608e8..d09ec907b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
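Review bot: `scanFile` now returns `null` on two distinct paths — the argument is not a regular file, or Engine's own `accept(file)` rejects it — yet the Javadoc visible at the top of the hunk still reads `@return the scanned dependency` with no mention of `null`, so a caller has no warning that the result must be checked. Suggest `@return the scanned dependency, or {@code null} if the path is not a file or is not accepted by {@link #accept(File)}`. The method's Javadoc starts above the hunk.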
@@ -106,9 +106,10 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     private static final Set EXTENSIONS = newHashSet("tar", "gz", "tgz");
 
     /**
-     * The set of file extensions to remove from the engine's collection of dependencies.
+     * Detects files with extensions to remove from the engine's collection of dependencies.
      */
-    private static final Set REMOVE_FROM_ANALYSIS = newHashSet("zip", "tar", "gz", "tgz"); //TODO add nupkg, apk, sar?
+    private static final FileFilter REMOVE_FROM_ANALYSIS =
+            FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz").build(); //TODO add nupkg, apk, sar?
 
     static {
         final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
@@ -126,6 +127,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
         return FILTER;
     }
 
+    /**
+     * Detects files with .zip extension.
+     */
+    private static final FileFilter ZIP_FILTER = FileFilterBuilder.newInstance().addExtensions("zip").build();
+
     /**
      * Returns the name of the analyzer.
      *
@@ -236,8 +242,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                 }
             }
         }
-        if (REMOVE_FROM_ANALYSIS.contains(dependency.getFileExtension())) {
-            if ("zip".equals(dependency.getFileExtension()) && isZipFileActuallyJarFile(dependency)) {
+        if (REMOVE_FROM_ANALYSIS.accept(dependency.getActualFile())) {
+            if (ZIP_FILTER.accept(dependency.getActualFile()) && isZipFileActuallyJarFile(dependency)) {
                 final File tdir = getNextTempDirectory();
                 final String fileName = dependency.getFileName();
 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
index b4d41ae37..cec65d229 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
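Review bot: `REMOVE_FROM_ANALYSIS` is now a `FileFilter` built once from the literal list `"zip", "tar", "gz", "tgz"`, but the `static` block immediately below it reads `Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS`; that block's body is outside the hunk, so if it previously added the user-configured extensions to the `REMOVE_FROM_ANALYSIS` set as well as to the accepted-extension set, those archives will now stay in the engine's dependency list after extraction, because a built filter cannot be extended afterwards. If that is the case, declare the field as `private static final FileFilter REMOVE_FROM_ANALYSIS;` and build it inside the static block once the additional extensions are known. Separately, the new `ZIP_FILTER` constant is declared between `getFileFilter()` and `getName()` rather than alongside `REMOVE_FROM_ANALYSIS` with the other constants; moving it up keeps the class's fields together and makes the relationship between the two filters obvious.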
@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.io.FileFilter;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.util.ArrayList;
@@ -32,6 +33,7 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -46,6 +48,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      * The Logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(FalsePositiveAnalyzer.class);
+
+    private static final FileFilter DLL_EXE_FILTER = FileFilterBuilder.newInstance().addExtensions("dll", "exe").build();
+
     //
     /**
      * The name of the analyzer.
@@ -412,8 +417,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      */
     private void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
         if (dependency.getFileName().toLowerCase().endsWith("pom.xml")
-                || "dll".equals(dependency.getFileExtension())
-                || "exe".equals(dependency.getFileExtension())) {
+                || DLL_EXE_FILTER.accept(dependency.getActualFile())) {
             String parentPath = dependency.getFilePath().toLowerCase();
             if (parentPath.contains(".jar")) {
                 parentPath = parentPath.substring(0, parentPath.indexOf(".jar") + 4);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
index 87d21f168..8d3e2831c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
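Review bot: `DLL_EXE_FILTER` is the only field in the third hunk without Javadoc, while `LOGGER` just above it and the analyzer-name field just below both carry one; add `/** Detects files with a .dll or .exe extension; used by removeDuplicativeEntriesFromJar. */` so the constant is documented like its neighbours. In the last hunk the exact comparisons `"dll".equals(...)` / `"exe".equals(...)` are replaced by a builder-produced filter whose case handling is not visible in this diff, so it is worth confirming that names such as `.DLL` or `.EXE` are still (or still not) matched exactly as before. The `removeDuplicativeEntriesFromJar` body continues beyond the hunk.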
@@ -26,19 +26,13 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.utils.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.mail.MessagingException;
 import javax.mail.internet.InternetHeaders;
 import java.io.*;
-import java.util.regex.Pattern;
-import org.owasp.dependencycheck.utils.ExtractionException;
-import org.owasp.dependencycheck.utils.ExtractionUtil;
-import org.owasp.dependencycheck.utils.FileFilterBuilder;
-import org.owasp.dependencycheck.utils.FileUtils;
-import org.owasp.dependencycheck.utils.Settings;
-import org.owasp.dependencycheck.utils.UrlStringUtils;
 
 /**
  * Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
@@ -86,7 +80,12 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Used to match on egg archive candidate extensions.
      */
-    private static final Pattern EGG_OR_ZIP = Pattern.compile("egg|zip");
+    private static final FileFilter EGG_OR_ZIP = FileFilterBuilder.newInstance().addExtensions("egg", "zip").build();
+
+    /**
+     * Used to detect files with a .whl extension.
+     */
+    private static final FileFilter WHL_FILTER = FileFilterBuilder.newInstance().addExtensions("whl").build();
 
     /**
      * The parent directory for the individual directories per archive.
@@ -165,16 +164,14 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
     @Override
     protected void analyzeFileType(Dependency dependency, Engine engine)
             throws AnalysisException {
-        if ("whl".equals(dependency.getFileExtension())) {
+        final File actualFile = dependency.getActualFile();
+        if (WHL_FILTER.accept(actualFile)) {
             collectMetadataFromArchiveFormat(dependency, DIST_INFO_FILTER,
                     METADATA_FILTER);
-        } else if (EGG_OR_ZIP.matcher(
-                StringUtils.stripToEmpty(dependency.getFileExtension()))
-                .matches()) {
+        } else if (EGG_OR_ZIP.accept(actualFile)) {
             collectMetadataFromArchiveFormat(dependency, EGG_INFO_FILTER,
                     PKG_INFO_FILTER);
         } else {
-            final File actualFile = dependency.getActualFile();
             final String name = actualFile.getName();
             final boolean metadata = METADATA.equals(name);
             if (metadata || PKG_INFO.equals(name)) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index 0cbcef15e..67ea1a890 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -68,11 +68,7 @@ public class Dependency implements Serializable, Comparable {
      * The file name of the dependency.
      */
     private String fileName;
-    /**
-     * The file extension of the dependency.
-     */
-    private String fileExtension;
-    /**
+    /**
      * The md5 hash of the dependency.
      */
     private String md5sum;
@@ -120,7 +116,6 @@ public class Dependency implements Serializable, Comparable {
         this.actualFilePath = file.getAbsolutePath();
         this.filePath = this.actualFilePath;
         this.fileName = file.getName();
-        this.fileExtension = FileUtils.getFileExtension(fileName);
         determineHashes(file);
     }
 
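Review bot: The removed `else if` branch was the only use of `StringUtils` visible in this hunk; if the class still imports a `StringUtils` (its import block is outside the hunk and the earlier import hunk does not touch it), that import is now likely unused and should be pruned, as this commit already does for `FileUtils` in Engine. The old code also normalised a missing extension with `stripToEmpty`, whereas the new branches hand `actualFile` straight to `WHL_FILTER.accept` / `EGG_OR_ZIP.accept`; whether a filter produced by `FileFilterBuilder` tolerates a `null` file is not visible here, so either confirm it does or fall through to the existing `else` path in that case rather than risk an NPE before `actualFile.getName()`. The method continues beyond the hunk.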
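Review bot: The constructor's `FileUtils.getFileExtension(fileName)` call is removed in the last hunk, but Dependency.java's import block is not part of this diff, so the `org.owasp.dependencycheck.utils.FileUtils` import is either still used elsewhere in the class or now dangling; Engine.java received the matching import removal in the same commit, so check this file for parity. The remaining constructor lines (`actualFilePath`, `filePath`, `fileName`, `determineHashes(file)`) are unchanged.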
@@ -231,24 +226,6 @@ public class Dependency implements Serializable, Comparable { return this.filePath; } - /** - * Sets the file extension of the dependency. - * - * @param fileExtension the file name of the dependency - */ - public void setFileExtension(String fileExtension) { - this.fileExtension = fileExtension; - } - - /** - * Gets the file extension of the dependency. - * - * @return the file extension of the dependency - */ - public String getFileExtension() { - return this.fileExtension; - } - /** * Returns the MD5 Checksum of the dependency file. * @@ -735,7 +712,6 @@ public class Dependency implements Serializable, Comparable { return ObjectUtils.equals(this.actualFilePath, other.actualFilePath) && ObjectUtils.equals(this.filePath, other.filePath) && ObjectUtils.equals(this.fileName, other.fileName) - && ObjectUtils.equals(this.fileExtension, other.fileExtension) && ObjectUtils.equals(this.md5sum, other.md5sum) && ObjectUtils.equals(this.sha1sum, other.sha1sum) && ObjectUtils.equals(this.identifiers, other.identifiers) @@ -758,7 +734,7 @@ public class Dependency implements Serializable, Comparable { @Override public int hashCode() { int hash = MAGIC_HASH_INIT_VALUE; - for (Object field : new Object[]{this.actualFilePath, this.filePath, this.fileName, this.fileExtension, this.md5sum, + for (Object field : new Object[]{this.actualFilePath, this.filePath, this.fileName, this.md5sum, this.sha1sum, this.identifiers, this.vendorEvidence, this.productEvidence, this.versionEvidence, this.description, this.license, this.vulnerabilities, this.relatedDependencies, this.projectReferences, this.availableVersions}) { diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/BaseUpdaterTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/BaseUpdaterTest.java index 4428eaebd..1a64959f7 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/BaseUpdaterTest.java 
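Review bot: `getFileExtension()` and `setFileExtension(String)` were public methods on the core model class, so deleting them in the first hunk breaks any consumer of dependency-check-core compiled against them (the Maven, Ant and CLI front-ends, or third-party integrations), not only the in-tree callers this commit rewrites. Unless a major version is planned, keep a deprecated read-only replacement that derives the value, e.g. `@Deprecated public String getFileExtension() { return FileUtils.getFileExtension(this.fileName); }` (assuming `FileUtils` is still imported in this file), and remove it a release later; the setter can go since the value is no longer stored. The `equals` and `hashCode` hunks below correctly drop the field from both, so the equals/hashCode contract stays consistent.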
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/BaseUpdaterTest.java
@@ -18,12 +18,14 @@
 package org.owasp.dependencycheck.data.update;
 
 import org.junit.Test;
-import static org.junit.Assert.*;
 import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
 /**
  *
  * @author Jeremy Long
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
index 30cc26a27..25210e9a7 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
@@ -127,29 +127,6 @@ public class DependencyTest {
         assertEquals(expResult, result);
     }
 
-    /**
-     * Test of setFileExtension method, of class Dependency.
-     */
-    @Test
-    public void testSetFileExtension() {
-        String fileExtension = "jar";
-        Dependency instance = new Dependency();
-        instance.setFileExtension(fileExtension);
-        assertEquals(fileExtension, instance.getFileExtension());
-    }
-
-    /**
-     * Test of getFileExtension method, of class Dependency.
-     */
-    @Test
-    public void testGetFileExtension() {
-        Dependency instance = new Dependency();
-        String expResult = "jar";
-        instance.setFileExtension(expResult);
-        String result = instance.getFileExtension();
-        assertEquals(expResult, result);
-    }
-
     /**
      * Test of getMd5sum method, of class Dependency.
      */