github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-22 17:19:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

added correction to deal with http urls causing false positives

Browse Source 
Former-commit-id: 8fc7b6ec7754d83eca030968e851a13ef0b2b6ff
This commit is contained in:
Jeremy Long
2013-06-23 22:40:58 -04:00
parent 6016370515
commit a9b5949191
1 changed files with 69 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
View File

@@ -18,11 +18,17 @@
*/ */
package org.owasp.dependencycheck.dependency; package org.owasp.dependencycheck.dependency;
import java.net.MalformedURLException;
import java.util.HashSet; import java.util.HashSet;
import java.util.Iterator; import java.util.Iterator;
import java.util.List;
import java.util.Set; import java.util.Set;
import java.util.TreeSet; import java.util.TreeSet;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.lang.StringUtils;
import org.owasp.dependencycheck.utils.Filter; import org.owasp.dependencycheck.utils.Filter;
import org.owasp.dependencycheck.utils.UrlStringUtils;
/** /**
* Used to maintain a collection of Evidence. * Used to maintain a collection of Evidence.
@@ -35,45 +41,37 @@ public class EvidenceCollection implements Iterable<Evidence> {
* Used to iterate over high confidence evidence contained in the * Used to iterate over high confidence evidence contained in the
* collection. * collection.
*/ */
private static final Filter<Evidence> HIGH_CONFIDENCE = private static final Filter<Evidence> HIGH_CONFIDENCE = new Filter<Evidence>() {
new Filter<Evidence>() { public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Evidence.Confidence.HIGH;
public boolean passes(Evidence evidence) { }
return evidence.getConfidence() == Evidence.Confidence.HIGH; };
}
};
/** /**
* Used to iterate over medium confidence evidence contained in the * Used to iterate over medium confidence evidence contained in the
* collection. * collection.
*/ */
private static final Filter<Evidence> MEDIUM_CONFIDENCE = private static final Filter<Evidence> MEDIUM_CONFIDENCE = new Filter<Evidence>() {
new Filter<Evidence>() { public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Evidence.Confidence.MEDIUM;
public boolean passes(Evidence evidence) { }
return evidence.getConfidence() == Evidence.Confidence.MEDIUM; };
}
};
/** /**
* Used to iterate over low confidence evidence contained in the collection. * Used to iterate over low confidence evidence contained in the collection.
*/ */
private static final Filter<Evidence> LOW_CONFIDENCE = private static final Filter<Evidence> LOW_CONFIDENCE = new Filter<Evidence>() {
new Filter<Evidence>() { public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Evidence.Confidence.LOW;
public boolean passes(Evidence evidence) { }
return evidence.getConfidence() == Evidence.Confidence.LOW; };
}
};
/** /**
* Used to iterate over evidence that has was used (aka read) from the * Used to iterate over evidence that has was used (aka read) from the
* collection. * collection.
*/ */
private static final Filter<Evidence> EVIDENCE_USED = private static final Filter<Evidence> EVIDENCE_USED = new Filter<Evidence>() {
new Filter<Evidence>() { public boolean passes(Evidence evidence) {
return evidence.isUsed();
public boolean passes(Evidence evidence) { }
return evidence.isUsed(); };
}
};
/** /**
* Used to iterate over evidence of the specified confidence. * Used to iterate over evidence of the specified confidence.
@@ -191,8 +189,11 @@ public class EvidenceCollection implements Iterable<Evidence> {
final String textToTest = text.toLowerCase(); final String textToTest = text.toLowerCase();
for (Evidence e : this.list) { for (Evidence e : this.list) {
if (e.isUsed() && e.getValue().toLowerCase().contains(textToTest)) { if (e.isUsed()) {
return true; final String value = urlCorrection(e.getValue().toLowerCase());
if (value.contains(textToTest)) {
return true;
}
} }
} }
return false; return false;
@@ -270,4 +271,42 @@ public class EvidenceCollection implements Iterable<Evidence> {
public int size() { public int size() {
return list.size(); return list.size();
} }
/**
* <p>Takes a string that may contain a fully qualified domain and it will
* return the string having removed the query string, the protocol, the
* sub-domain of 'www', and the file extension of the path.</p>
* <p>This is useful for checking if the evidence contains a specific
* string. The presence of the protocol, file extension, etc. may produce
* false positives.
*
* <p>Example, given the following input:</p>
* <code>'Please visit https://www.somedomain.com/path1/path2/file.php?id=439'</code>
* <p>The function would return:</p>
* <code>'Please visit somedomain path1 path2 file'</code>
*
* @param value the value that may contain a url
* @return the modified string
*/
private String urlCorrection(String value) {
if (value == null || !UrlStringUtils.containsUrl(value)) {
return value;
}
final StringBuilder sb = new StringBuilder(value.length());
final String[] parts = value.split("\\s");
for (String part : parts) {
if (UrlStringUtils.isUrl(part)) {
try {
final List<String> data = UrlStringUtils.extractImportantUrlData(part);
sb.append(' ').append(StringUtils.join(data, ' '));
} catch (MalformedURLException ex) {
Logger.getLogger(EvidenceCollection.class.getName()).log(Level.INFO, "error parsing " + part, ex);
sb.append(' ').append(part);
}
} else {
sb.append(' ').append(part);
}
}
return sb.toString().trim();
}
} }