multiple improvements
@@ -97,16 +97,16 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
}
|
||||
|
||||
//add as vendor and product evidence
|
||||
if (fileName.contains("-")) {
|
||||
dependency.getProductEvidence().addEvidence("file", "name",
|
||||
fileName, Confidence.HIGHEST);
|
||||
dependency.getVendorEvidence().addEvidence("file", "name",
|
||||
fileName, Confidence.HIGHEST);
|
||||
} else {
|
||||
// if (fileName.contains("-")) {
|
||||
// dependency.getProductEvidence().addEvidence("file", "name",
|
||||
// fileName, Confidence.HIGHEST);
|
||||
// dependency.getVendorEvidence().addEvidence("file", "name",
|
||||
// fileName, Confidence.HIGHEST);
|
||||
// } else {
|
||||
dependency.getProductEvidence().addEvidence("file", "name",
|
||||
fileName, Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("file", "name",
|
||||
fileName, Confidence.HIGH);
|
||||
}
|
||||
// }
|
||||
}
|
||||
}
|
||||
|
||||
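Review bot: The dash-based branch in FileNameAnalyzer is kept as commented-out code (`// if (fileName.contains("-")) {` through `// }`) instead of being deleted, and the same is done with the `needToDisableGemspecAnalyzer` block in RubyBundleAuditAnalyzer.analyzeFileType further down; version control already holds the old version, and dead code in comments leaves the next reader unsure whether the HIGHEST path is still meant to return. Delete the commented lines and turn the remaining `//add as vendor and product evidence` into a comment that states the new contract, e.g. `// vendor/product evidence from the file name is always added at Confidence.HIGH (the former dash-based HIGHEST branch was removed)`. In RubyBundleAuditAnalyzer the field `needToDisableGemspecAnalyzer` appears to have no reader left outside the commented block, which is worth confirming before leaving it in. The method enclosing this hunk begins before the hunk.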
@@ -181,21 +181,21 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
@Override
|
||||
protected void analyzeFileType(Dependency dependency, Engine engine)
|
||||
throws AnalysisException {
|
||||
if (needToDisableGemspecAnalyzer) {
|
||||
boolean failed = true;
|
||||
final String className = RubyGemspecAnalyzer.class.getName();
|
||||
for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
|
||||
if (analyzer instanceof RubyGemspecAnalyzer) {
|
||||
((RubyGemspecAnalyzer) analyzer).setEnabled(false);
|
||||
LOGGER.info("Disabled " + className + " to avoid noisy duplicate results.");
|
||||
failed = false;
|
||||
}
|
||||
}
|
||||
if (failed) {
|
||||
LOGGER.warn("Did not find" + className + '.');
|
||||
}
|
||||
needToDisableGemspecAnalyzer = false;
|
||||
}
|
||||
// if (needToDisableGemspecAnalyzer) {
|
||||
// boolean failed = true;
|
||||
// final String className = RubyGemspecAnalyzer.class.getName();
|
||||
// for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
|
||||
// if (analyzer instanceof RubyGemspecAnalyzer) {
|
||||
// ((RubyGemspecAnalyzer) analyzer).setEnabled(false);
|
||||
// LOGGER.info("Disabled " + className + " to avoid noisy duplicate results.");
|
||||
// failed = false;
|
||||
// }
|
||||
// }
|
||||
// if (failed) {
|
||||
// LOGGER.warn("Did not find" + className + '.');
|
||||
// }
|
||||
// needToDisableGemspecAnalyzer = false;
|
||||
// }
|
||||
final File parentFile = dependency.getActualFile().getParentFile();
|
||||
final Process process = launchBundleAudit(parentFile);
|
||||
try {
|
||||
@@ -229,6 +229,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
private void processBundlerAuditOutput(Dependency original, Engine engine, BufferedReader rdr) throws IOException {
|
||||
final String parentName = original.getActualFile().getParentFile().getName();
|
||||
final String fileName = original.getFileName();
|
||||
final String filePath = original.getFilePath();
|
||||
Dependency dependency = null;
|
||||
Vulnerability vulnerability = null;
|
||||
String gem = null;
|
||||
@@ -242,7 +243,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
appendToDescription = false;
|
||||
gem = nextLine.substring(NAME.length());
|
||||
if (!map.containsKey(gem)) {
|
||||
map.put(gem, createDependencyForGem(engine, parentName, fileName, gem));
|
||||
map.put(gem, createDependencyForGem(engine, parentName, fileName, filePath, gem));
|
||||
}
|
||||
dependency = map.get(gem);
|
||||
LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
|
||||
@@ -329,13 +330,16 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
return vulnerability;
|
||||
}
|
||||
|
||||
private Dependency createDependencyForGem(Engine engine, String parentName, String fileName, String gem) throws IOException {
|
||||
final File tempFile = File.createTempFile("Gemfile-" + gem, ".lock", Settings.getTempDirectory());
|
||||
private Dependency createDependencyForGem(Engine engine, String parentName, String fileName, String filePath, String gem) throws IOException {
|
||||
final File gemFile = new File(Settings.getTempDirectory(), gem + "_Gemfile.lock");
|
||||
gemFile.createNewFile();
|
||||
final String displayFileName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem);
|
||||
FileUtils.write(tempFile, displayFileName); // unique contents to avoid dependency bundling
|
||||
final Dependency dependency = new Dependency(tempFile);
|
||||
FileUtils.write(gemFile, displayFileName); // unique contents to avoid dependency bundling
|
||||
final Dependency dependency = new Dependency(gemFile);
|
||||
dependency.getProductEvidence().addEvidence("bundler-audit", "Name", gem, Confidence.HIGHEST);
|
||||
dependency.setDisplayFileName(displayFileName);
|
||||
dependency.setFileName(fileName);
|
||||
dependency.setFilePath(filePath);
|
||||
engine.getDependencies().add(dependency);
|
||||
return dependency;
|
||||
}
|
||||
|
||||
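Review bot: createDependencyForGem replaces `File.createTempFile(...)` with a fixed, predictable path, `new File(Settings.getTempDirectory(), gem + "_Gemfile.lock")`, and the boolean returned by `gemFile.createNewFile()` is ignored. Two lockfiles in the same scan that both pull in the same gem now map to the same temp file, so the second `FileUtils.write` overwrites the first — defeating the stated `// unique contents to avoid dependency bundling` intent — and a file of that name already present in the temp directory is silently reused. `gem` comes from the bundle-audit output (`gem = nextLine.substring(NAME.length())` in the earlier hunk), i.e. from the scanned project's lockfile rather than from this code, so building a file name from it unvalidated also lets the path leave the temp directory if the name carries a separator. Keeping a unique temp file and leaving the gem name to displayFileName avoids all three: `final File gemFile = File.createTempFile("Gemfile-", ".lock", Settings.getTempDirectory());` in place of the `new File(...)` and `createNewFile()` lines.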
@@ -26,8 +26,14 @@ import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.utils.FileFilterBuilder;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
import java.io.BufferedReader;
|
||||
import java.io.File;
|
||||
import java.io.FileFilter;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.FileReader;
|
||||
import java.io.FilenameFilter;
|
||||
import java.io.IOException;
|
||||
import java.util.List;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
@@ -52,10 +58,12 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
private static final String GEMSPEC = "gemspec";
|
||||
|
||||
private static final FileFilter FILTER
|
||||
= FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
|
||||
= FileFilterBuilder.newInstance().addExtensions(GEMSPEC).build();
|
||||
|
||||
private static final String EMAIL = "email";
|
||||
|
||||
private static final String VERSION_FILE_NAME = "VERSION";
|
||||
|
||||
/**
|
||||
* @return a filter that accepts files named Rakefile or matching the glob pattern, *.gemspec
|
||||
*/
|
||||
@@ -133,7 +141,9 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW);
|
||||
}
|
||||
addStringEvidence(product, contents, blockVariable, "summary", Confidence.LOW);
|
||||
addStringEvidence(dependency.getVersionEvidence(), contents, blockVariable, "version", Confidence.HIGHEST);
|
||||
String value = addStringEvidence(dependency.getVersionEvidence(), contents, blockVariable, "version", Confidence.HIGHEST);
|
||||
if(value.length() < 1)
|
||||
addEvidenceFromVersionFile(dependency.getActualFile(), dependency.getVersionEvidence());
|
||||
}
|
||||
}
|
||||
|
||||
@@ -158,4 +168,31 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
return value;
|
||||
}
|
||||
|
||||
private String addEvidenceFromVersionFile(File dependencyFile, EvidenceCollection versionEvidences) {
|
||||
String value = null;
|
||||
File parentDir = dependencyFile.getParentFile();
|
||||
if(parentDir != null) {
|
||||
File[] matchingFiles = parentDir.listFiles(new FilenameFilter() {
|
||||
public boolean accept(File dir, String name) {
|
||||
return name.contains(VERSION_FILE_NAME);
|
||||
}
|
||||
});
|
||||
|
||||
for(int i = 0; i < matchingFiles.length; i++) {
|
||||
try {
|
||||
List<String> lines = FileUtils.readLines(matchingFiles[i]);
|
||||
if(lines.size() == 1) { //TODO other checking?
|
||||
value = lines.get(0).trim();
|
||||
versionEvidences.addEvidence(GEMSPEC, "version", value, Confidence.HIGH);
|
||||
}
|
||||
|
||||
} catch (IOException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return value;
|
||||
}
|
||||
}
|
||||
|
||||
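Review bot: `parentDir.listFiles(...)` in addEvidenceFromVersionFile returns null when the directory cannot be listed, and the new code dereferences it unchecked at `matchingFiles.length`, so an unreadable parent directory becomes a NullPointerException instead of simply producing no version evidence. In the same method `e.printStackTrace()` bypasses the project's logging (RubyBundleAuditAnalyzer reports through `LOGGER`), and `FileUtils.readLines(matchingFiles[i])` reads with the platform charset — if this is commons-io's FileUtils, pass an explicit encoding. The `name.contains(VERSION_FILE_NAME)` filter also accepts any file whose name merely contains "VERSION", which looks broader than intended and deserves either an exact-name match or a comment saying the looseness is deliberate. Separately, the FILTER hunk drops `addFilenames("Rakefile")` but leaves the Javadoc `@return a filter that accepts files named Rakefile or matching the glob pattern, *.gemspec` unchanged; it should now read `@return a filter that accepts files matching the glob pattern, *.gemspec`.
```java
private String addEvidenceFromVersionFile(File dependencyFile, EvidenceCollection versionEvidences) {
    String value = null;
    final File parentDir = dependencyFile.getParentFile();
    if (parentDir == null) {
        return value;
    }
    final File[] matchingFiles = parentDir.listFiles(new FilenameFilter() {
        // … unchanged: accept(dir, name) …
    });
    if (matchingFiles == null) {
        // listFiles() yields null when the directory cannot be read; treat it as "no VERSION file"
        return value;
    }
    for (File versionFile : matchingFiles) {
        try {
            // explicit charset rather than the platform default (commons-io overload)
            final List<String> lines = FileUtils.readLines(versionFile, "UTF-8");
            // … unchanged: single-line check and addEvidence …
        } catch (IOException e) {
            // TODO(review): report through the class's logger instead of printStackTrace()
        }
    }
    return value;
}
```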