Merge branch 'upmaster' into ruby-bundler

Conflicts:
	dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java

@@ -173,10 +173,10 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
             }
         } else {
             // copy, alter and set in case some other thread is iterating over
-            final List<Dependency> deps = new ArrayList<Dependency>(
+            final List<Dependency> dependencies = new ArrayList<Dependency>(
                     engine.getDependencies());
-            deps.remove(dependency);
-            engine.setDependencies(deps);
+            dependencies.remove(dependency);
+            engine.setDependencies(dependencies);
         }
     }
 
@@ -225,7 +225,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
             contents = FileUtils.readFileToString(actualFile).trim();
         } catch (IOException e) {
             throw new AnalysisException(
-                    "Problem occured while reading dependency file.", e);
+                    "Problem occurred while reading dependency file.", e);
         }
         return contents;
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java

@@ -0,0 +1,170 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.apache.commons.io.FileUtils;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.json.*;
+import java.io.File;
+import java.io.FileFilter;
+import java.io.IOException;
+
+/**
+ * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine
+ * the associated CPE.
+ *
+ * @author Dale Visser <dvisser@ida.org>
+ */
+public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(NodePackageAnalyzer.class);
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Node.js Package Analyzer";
+
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    public static final String PACKAGE_JSON = "package.json";
+    /**
+     * Filter that detects files named "package.json".
+     */
+    private static final FileFilter PACKAGE_JSON_FILTER =
+            FileFilterBuilder.newInstance().addFilenames(PACKAGE_JSON).build();
+
+    /**
+     * Returns the FileFilter
+     *
+     * @return the FileFilter
+     */
+    @Override
+    protected FileFilter getFileFilter() {
+        return PACKAGE_JSON_FILTER;
+    }
+
+    @Override
+    protected void initializeFileTypeAnalyzer() throws Exception {
+        // NO-OP
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED;
+    }
+
+    @Override
+    protected void analyzeFileType(Dependency dependency, Engine engine)
+            throws AnalysisException {
+        final File file = dependency.getActualFile();
+        JsonReader jsonReader;
+        try {
+            jsonReader = Json.createReader(FileUtils.openInputStream(file));
+        } catch (IOException e) {
+            throw new AnalysisException(
+                    "Problem occurred while reading dependency file.", e);
+        }
+        try {
+            JsonObject json = jsonReader.readObject();
+            final EvidenceCollection productEvidence = dependency.getProductEvidence();
+            final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
+            if (json.containsKey("name")) {
+                Object value = json.get("name");
+                if (value instanceof JsonString) {
+                    String valueString = ((JsonString) value).getString();
+                    productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST);
+                    vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW);
+                } else {
+                    LOGGER.warn("JSON value not string as expected: %s", value);
+                }
+            }
+            addToEvidence(json, productEvidence, "description");
+            addToEvidence(json, vendorEvidence, "author");
+            addToEvidence(json, dependency.getVersionEvidence(), "version");
+            dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName()));
+        } catch (JsonException e) {
+            LOGGER.warn("Failed to parse package.json file.", e);
+        } finally {
+            jsonReader.close();
+        }
+    }
+
+    private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) {
+        if (json.containsKey(key)) {
+            Object value = json.get(key);
+            if (value instanceof JsonString) {
+                collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST);
+            } else if (value instanceof JsonObject) {
+                final JsonObject jsonObject = (JsonObject) value;
+                for (String property : jsonObject.keySet()) {
+                    final Object subValue = jsonObject.get(property);
+                    if (subValue instanceof JsonString) {
+                        collection.addEvidence(PACKAGE_JSON,
+                                String.format("%s.%s", key, property),
+                                ((JsonString) subValue).getString(),
+                                Confidence.HIGHEST);
+                    } else {
+                        LOGGER.warn("JSON sub-value not string as expected: %s");
+                    }
+                }
+            } else {
+                LOGGER.warn("JSON value not string or JSON object as expected: %s", value);
+            }
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java

@@ -53,7 +53,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
 public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
-     * Name of egg metatdata files to analyze.
+     * Name of egg metadata files to analyze.
      */
     private static final String PKG_INFO = "PKG-INFO";
 
@@ -269,10 +269,8 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
      *
      * @param dependency the dependency being analyzed
      * @param file a reference to the manifest/properties file
-     * @throws AnalysisException thrown when there is an error
      */
-    private static void collectWheelMetadata(Dependency dependency, File file)
-            throws AnalysisException {
+    private static void collectWheelMetadata(Dependency dependency, File file) {
         final InternetHeaders headers = getManifestProperties(file);
         addPropertyToEvidence(headers, dependency.getVersionEvidence(),
                 "Version", Confidence.HIGHEST);
@@ -352,7 +350,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Retrieves the next temporary destingation directory for extracting an archive.
+     * Retrieves the next temporary destination directory for extracting an archive.
      *
      * @return a directory
      * @throws AnalysisException thrown if unable to create temporary directory

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -28,13 +28,10 @@ import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.UrlStringUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
-import java.net.MalformedURLException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Matcher;
@@ -53,12 +50,6 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
     private static final int REGEX_OPTIONS = Pattern.DOTALL
             | Pattern.CASE_INSENSITIVE;
 
-    /**
-     * The logger.
-     */
-    private static final Logger LOGGER = LoggerFactory
-            .getLogger(PythonPackageAnalyzer.class);
-
     /**
      * Filename extensions for files to be analyzed.
      */
@@ -173,7 +164,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
      * Analyzes python packages and adds evidence to the dependency.
      *
      * @param dependency the dependency being analyzed
-     * @param engine the engine being used to perform the scan
+     * @param engine     the engine being used to perform the scan
      * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
      */
     @Override
@@ -184,8 +175,8 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
         final String parentName = parent.getName();
         boolean found = false;
         if (INIT_PY_FILTER.accept(file)) {
-            for (final File sourcefile : parent.listFiles(PY_FILTER)) {
-                found |= analyzeFileContents(dependency, sourcefile);
+            for (final File sourceFile : parent.listFiles(PY_FILTER)) {
+                found |= analyzeFileContents(dependency, sourceFile);
             }
         }
         if (found) {
@@ -194,10 +185,10 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
                     "PackageName", parentName, Confidence.MEDIUM);
         } else {
             // copy, alter and set in case some other thread is iterating over
-            final List<Dependency> deps = new ArrayList<Dependency>(
+            final List<Dependency> dependencies = new ArrayList<Dependency>(
                     engine.getDependencies());
-            deps.remove(dependency);
-            engine.setDependencies(deps);
+            dependencies.remove(dependency);
+            engine.setDependencies(dependencies);
         }
     }
 
@@ -206,7 +197,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
      * __summary__, __uri__, __url__, __home*page__, __author__, and their all caps equivalents.
      *
      * @param dependency the dependency being analyzed
-     * @param file the file name to analyze
+     * @param file       the file name to analyze
      * @return whether evidence was found
      * @throws AnalysisException thrown if there is an unrecoverable error
      */
@@ -238,14 +229,10 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
                     .getVendorEvidence();
             found |= gatherEvidence(AUTHOR_PATTERN, contents, source,
                     vendorEvidence, "SourceAuthor", Confidence.MEDIUM);
-            try {
-                found |= gatherHomePageEvidence(URI_PATTERN, vendorEvidence,
-                        source, "URL", contents);
-                found |= gatherHomePageEvidence(HOMEPAGE_PATTERN,
-                        vendorEvidence, source, "HomePage", contents);
-            } catch (MalformedURLException e) {
-                LOGGER.warn(e.getMessage());
-            }
+            found |= gatherHomePageEvidence(URI_PATTERN, vendorEvidence,
+                    source, "URL", contents);
+            found |= gatherHomePageEvidence(HOMEPAGE_PATTERN,
+                    vendorEvidence, source, "HomePage", contents);
         }
         return found;
     }
@@ -254,15 +241,15 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
      * Adds summary information to the dependency
      *
      * @param dependency the dependency being analyzed
-     * @param pattern the pattern used to perform analysis
-     * @param group the group from the pattern that indicates the data to use
-     * @param contents the data being analyzed
-     * @param source the source name to use when recording the evidence
-     * @param key the key name to use when recording the evidence
+     * @param pattern    the pattern used to perform analysis
+     * @param group      the group from the pattern that indicates the data to use
+     * @param contents   the data being analyzed
+     * @param source     the source name to use when recording the evidence
+     * @param key        the key name to use when recording the evidence
      * @return true if evidence was collected; otherwise false
      */
     private boolean addSummaryInfo(Dependency dependency, Pattern pattern,
-            int group, String contents, String source, String key) {
+                                   int group, String contents, String source, String key) {
         final Matcher matcher = pattern.matcher(contents);
         final boolean found = matcher.find();
         if (found) {
@@ -275,17 +262,16 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Collects evidence from the home page URL.
      *
-     * @param pattern the pattern to match
+     * @param pattern  the pattern to match
      * @param evidence the evidence collection to add the evidence to
-     * @param source the source of the evidence
-     * @param name the name of the evidence
+     * @param source   the source of the evidence
+     * @param name     the name of the evidence
      * @param contents the home page URL
      * @return true if evidence was collected; otherwise false
-     * @throws MalformedURLException thrown if the URL is malformed
      */
     private boolean gatherHomePageEvidence(Pattern pattern,
-            EvidenceCollection evidence, String source, String name,
-            String contents) throws MalformedURLException {
+                                           EvidenceCollection evidence, String source, String name,
+                                           String contents) {
         final Matcher matcher = pattern.matcher(contents);
         boolean found = false;
         if (matcher.find()) {
@@ -299,19 +285,19 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Gather evidence from a Python source file usin the given string assignment regex pattern.
+     * Gather evidence from a Python source file using the given string assignment regex pattern.
      *
-     * @param pattern to scan contents with
-     * @param contents of Python source file
-     * @param source for storing evidence
-     * @param evidence to store evidence in
-     * @param name of evidence
+     * @param pattern    to scan contents with
+     * @param contents   of Python source file
+     * @param source     for storing evidence
+     * @param evidence   to store evidence in
+     * @param name       of evidence
      * @param confidence in evidence
      * @return whether evidence was found
      */
     private boolean gatherEvidence(Pattern pattern, String contents,
-            String source, EvidenceCollection evidence, String name,
-            Confidence confidence) {
+                                   String source, EvidenceCollection evidence, String name,
+                                   Confidence confidence) {
         final Matcher matcher = pattern.matcher(contents);
         final boolean found = matcher.find();
         if (found) {

dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer

@@ -17,5 +17,6 @@ org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer
 org.owasp.dependencycheck.analyzer.AutoconfAnalyzer
 org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
 org.owasp.dependencycheck.analyzer.CMakeAnalyzer
+org.owasp.dependencycheck.analyzer.NodePackageAnalyzer
 org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer
-org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer
+org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -17,6 +17,7 @@
         <cpe>cpe:/a:mod_security:mod_security</cpe>
         <cpe>cpe:/a:springsource:spring_framework</cpe>
         <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
+        <cpe>cpe:/a:pivotal:spring_framework</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[