moved the Confidence enumeration out of the Evidence object

Former-commit-id: 77f937f2b17201b2764259ef6089f848fe8f3c8b
Jeremy Long
2014-01-17 20:11:06 -05:00
parent 2725d32c33
commit b4664f85f0
8 changed files with 70 additions and 95 deletions


@@ -40,9 +40,9 @@ import org.owasp.dependencycheck.data.cpe.IndexException;
import org.owasp.dependencycheck.data.lucene.LuceneUtils; import org.owasp.dependencycheck.data.lucene.LuceneUtils;
import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException; import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence; import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.dependency.Evidence.Confidence;
import org.owasp.dependencycheck.dependency.EvidenceCollection; import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.VulnerableSoftware; import org.owasp.dependencycheck.dependency.VulnerableSoftware;
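Review bot: The new import `org.owasp.dependencycheck.dependency.Confidence` has no definition anywhere in this commit: the eight changed files listed are all analyzers, Evidence, EvidenceCollection and DependencyTest, and the 70 additions in the diffstat are fully accounted for by the hunks shown, so no `Confidence.java` is added here and the tree will not compile at this revision unless the enum was committed separately. The same missing-type dependency applies to the FileNameAnalyzer, HintAnalyzer, JarAnalyzer, NexusAnalyzer, EvidenceCollection and DependencyTest sections. If the Javadoc was carried over verbatim from the nested enum removed from Evidence, note that HIGHEST and HIGH both read "High confidence evidence"; `/** Highest confidence evidence. */` on the first constant would remove the ambiguity.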


@@ -20,8 +20,8 @@ package org.owasp.dependencycheck.analyzer;
import java.io.File; import java.io.File;
import java.util.Set; import java.util.Set;
import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.utils.DependencyVersion; import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.DependencyVersionUtil; import org.owasp.dependencycheck.utils.DependencyVersionUtil;
@@ -109,22 +109,22 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName); final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);
if (version != null) { if (version != null) {
dependency.getVersionEvidence().addEvidence("file", "name", dependency.getVersionEvidence().addEvidence("file", "name",
version.toString(), Evidence.Confidence.HIGHEST); version.toString(), Confidence.HIGHEST);
dependency.getVersionEvidence().addEvidence("file", "name", dependency.getVersionEvidence().addEvidence("file", "name",
fileName, Evidence.Confidence.MEDIUM); fileName, Confidence.MEDIUM);
} }
//add as vendor and product evidence //add as vendor and product evidence
if (fileName.contains("-")) { if (fileName.contains("-")) {
dependency.getProductEvidence().addEvidence("file", "name", dependency.getProductEvidence().addEvidence("file", "name",
fileName, Evidence.Confidence.HIGHEST); fileName, Confidence.HIGHEST);
dependency.getVendorEvidence().addEvidence("file", "name", dependency.getVendorEvidence().addEvidence("file", "name",
fileName, Evidence.Confidence.HIGHEST); fileName, Confidence.HIGHEST);
} else { } else {
dependency.getProductEvidence().addEvidence("file", "name", dependency.getProductEvidence().addEvidence("file", "name",
fileName, Evidence.Confidence.HIGH); fileName, Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("file", "name", dependency.getVendorEvidence().addEvidence("file", "name",
fileName, Evidence.Confidence.HIGH); fileName, Confidence.HIGH);
} }
} }
} }


@@ -21,6 +21,7 @@ import java.util.ArrayList;
import java.util.Iterator; import java.util.Iterator;
import java.util.Set; import java.util.Set;
import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence; import org.owasp.dependencycheck.dependency.Evidence;
@@ -95,29 +96,29 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
final Evidence springTest1 = new Evidence("Manifest", final Evidence springTest1 = new Evidence("Manifest",
"Implementation-Title", "Implementation-Title",
"Spring Framework", "Spring Framework",
Evidence.Confidence.HIGH); Confidence.HIGH);
final Evidence springTest2 = new Evidence("Manifest", final Evidence springTest2 = new Evidence("Manifest",
"Implementation-Title", "Implementation-Title",
"org.springframework.core", "org.springframework.core",
Evidence.Confidence.HIGH); Confidence.HIGH);
final Evidence springTest3 = new Evidence("Manifest", final Evidence springTest3 = new Evidence("Manifest",
"Bundle-Vendor", "Bundle-Vendor",
"SpringSource", "SpringSource",
Evidence.Confidence.HIGH); Confidence.HIGH);
Set<Evidence> evidence = dependency.getProductEvidence().getEvidence(); Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
if (evidence.contains(springTest1) || evidence.contains(springTest2)) { if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Evidence.Confidence.HIGH); dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Evidence.Confidence.HIGH); dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Evidence.Confidence.HIGH); dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
} }
evidence = dependency.getVendorEvidence().getEvidence(); evidence = dependency.getVendorEvidence().getEvidence();
if (evidence.contains(springTest3)) { if (evidence.contains(springTest3)) {
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Evidence.Confidence.HIGH); dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Evidence.Confidence.HIGH); dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
} }
final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator(); final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
final ArrayList<Evidence> newEntries = new ArrayList<Evidence>(); final ArrayList<Evidence> newEntries = new ArrayList<Evidence>();


@@ -48,8 +48,8 @@ import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource; import javax.xml.transform.sax.SAXSource;
import org.jsoup.Jsoup; import org.jsoup.Jsoup;
import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.dependency.EvidenceCollection; import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.jaxb.pom.MavenNamespaceFilter; import org.owasp.dependencycheck.jaxb.pom.MavenNamespaceFilter;
import org.owasp.dependencycheck.jaxb.pom.generated.License; import org.owasp.dependencycheck.jaxb.pom.generated.License;
@@ -405,8 +405,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
groupid = groupid.substring(4); groupid = groupid.substring(4);
} }
foundSomething = true; foundSomething = true;
dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Evidence.Confidence.HIGH); dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGH);
dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Evidence.Confidence.LOW); dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
addMatchingValues(classes, groupid, dependency.getVendorEvidence()); addMatchingValues(classes, groupid, dependency.getVendorEvidence());
addMatchingValues(classes, groupid, dependency.getProductEvidence()); addMatchingValues(classes, groupid, dependency.getProductEvidence());
} }
@@ -416,8 +416,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
artifactid = artifactid.substring(4); artifactid = artifactid.substring(4);
} }
foundSomething = true; foundSomething = true;
dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Evidence.Confidence.HIGH); dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Evidence.Confidence.LOW); dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
addMatchingValues(classes, artifactid, dependency.getVendorEvidence()); addMatchingValues(classes, artifactid, dependency.getVendorEvidence());
addMatchingValues(classes, artifactid, dependency.getProductEvidence()); addMatchingValues(classes, artifactid, dependency.getProductEvidence());
} }
@@ -425,7 +425,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
final String version = interpolateString(pom.getVersion(), pomProperties); final String version = interpolateString(pom.getVersion(), pomProperties);
if (version != null && !version.isEmpty()) { if (version != null && !version.isEmpty()) {
foundSomething = true; foundSomething = true;
dependency.getVersionEvidence().addEvidence("pom", "version", version, Evidence.Confidence.HIGHEST); dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
} }
// org name // org name
final Organization org = pom.getOrganization(); final Organization org = pom.getOrganization();
@@ -433,7 +433,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
foundSomething = true; foundSomething = true;
final String orgName = interpolateString(org.getName(), pomProperties); final String orgName = interpolateString(org.getName(), pomProperties);
if (orgName != null && !orgName.isEmpty()) { if (orgName != null && !orgName.isEmpty()) {
dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Evidence.Confidence.HIGH); dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH);
addMatchingValues(classes, orgName, dependency.getVendorEvidence()); addMatchingValues(classes, orgName, dependency.getVendorEvidence());
} }
} }
@@ -441,8 +441,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
final String pomName = interpolateString(pom.getName(), pomProperties); final String pomName = interpolateString(pom.getName(), pomProperties);
if (pomName != null && !pomName.isEmpty()) { if (pomName != null && !pomName.isEmpty()) {
foundSomething = true; foundSomething = true;
dependency.getProductEvidence().addEvidence("pom", "name", pomName, Evidence.Confidence.HIGH); dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Evidence.Confidence.HIGH); dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
addMatchingValues(classes, pomName, dependency.getVendorEvidence()); addMatchingValues(classes, pomName, dependency.getVendorEvidence());
addMatchingValues(classes, pomName, dependency.getProductEvidence()); addMatchingValues(classes, pomName, dependency.getProductEvidence());
} }
@@ -516,7 +516,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
//TODO remove weighting //TODO remove weighting
vendor.addWeighting(entry.getKey()); vendor.addWeighting(entry.getKey());
if (addPackagesAsEvidence && entry.getKey().length() > 1) { if (addPackagesAsEvidence && entry.getKey().length() > 1) {
vendor.addEvidence("jar", "package", entry.getKey(), Evidence.Confidence.LOW); vendor.addEvidence("jar", "package", entry.getKey(), Confidence.LOW);
} }
} }
} }
@@ -525,7 +525,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
if (ratio > 0.5) { if (ratio > 0.5) {
product.addWeighting(entry.getKey()); product.addWeighting(entry.getKey());
if (addPackagesAsEvidence && entry.getKey().length() > 1) { if (addPackagesAsEvidence && entry.getKey().length() > 1) {
product.addEvidence("jar", "package", entry.getKey(), Evidence.Confidence.LOW); product.addEvidence("jar", "package", entry.getKey(), Confidence.LOW);
} }
} }
} }
@@ -582,43 +582,43 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
continue; continue;
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) { } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
foundSomething = true; foundSomething = true;
productEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH); productEvidence.addEvidence(source, key, value, Confidence.HIGH);
addMatchingValues(classInformation, value, productEvidence); addMatchingValues(classInformation, value, productEvidence);
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) { } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
foundSomething = true; foundSomething = true;
versionEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH); versionEvidence.addEvidence(source, key, value, Confidence.HIGH);
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) { } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
foundSomething = true; foundSomething = true;
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH); vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
addMatchingValues(classInformation, value, vendorEvidence); addMatchingValues(classInformation, value, vendorEvidence);
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR_ID.toString())) { } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR_ID.toString())) {
foundSomething = true; foundSomething = true;
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM); vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
addMatchingValues(classInformation, value, vendorEvidence); addMatchingValues(classInformation, value, vendorEvidence);
} else if (key.equalsIgnoreCase(BUNDLE_DESCRIPTION)) { } else if (key.equalsIgnoreCase(BUNDLE_DESCRIPTION)) {
foundSomething = true; foundSomething = true;
addDescription(dependency, value, "manifest", key); addDescription(dependency, value, "manifest", key);
//productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM); //productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
addMatchingValues(classInformation, value, productEvidence); addMatchingValues(classInformation, value, productEvidence);
} else if (key.equalsIgnoreCase(BUNDLE_NAME)) { } else if (key.equalsIgnoreCase(BUNDLE_NAME)) {
foundSomething = true; foundSomething = true;
productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM); productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
addMatchingValues(classInformation, value, productEvidence); addMatchingValues(classInformation, value, productEvidence);
} else if (key.equalsIgnoreCase(BUNDLE_VENDOR)) { } else if (key.equalsIgnoreCase(BUNDLE_VENDOR)) {
foundSomething = true; foundSomething = true;
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH); vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
addMatchingValues(classInformation, value, vendorEvidence); addMatchingValues(classInformation, value, vendorEvidence);
} else if (key.equalsIgnoreCase(BUNDLE_VERSION)) { } else if (key.equalsIgnoreCase(BUNDLE_VERSION)) {
foundSomething = true; foundSomething = true;
versionEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH); versionEvidence.addEvidence(source, key, value, Confidence.HIGH);
} else if (key.equalsIgnoreCase(Attributes.Name.MAIN_CLASS.toString())) { } else if (key.equalsIgnoreCase(Attributes.Name.MAIN_CLASS.toString())) {
continue; continue;
//skipping main class as if this has important information to add //skipping main class as if this has important information to add
// it will be added during class name analysis... if other fields // it will be added during class name analysis... if other fields
// have the information from the class name then they will get added... // have the information from the class name then they will get added...
// foundSomething = true; // foundSomething = true;
// productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM); // productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
// vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM); // vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
// addMatchingValues(classInformation, value, vendorEvidence); // addMatchingValues(classInformation, value, vendorEvidence);
// addMatchingValues(classInformation, value, productEvidence); // addMatchingValues(classInformation, value, productEvidence);
} else { } else {
@@ -638,24 +638,24 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
foundSomething = true; foundSomething = true;
if (key.contains("version")) { if (key.contains("version")) {
if (key.contains("specification")) { if (key.contains("specification")) {
versionEvidence.addEvidence(source, key, value, Evidence.Confidence.LOW); versionEvidence.addEvidence(source, key, value, Confidence.LOW);
} else { } else {
versionEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM); versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
} }
} else if (key.contains("title")) { } else if (key.contains("title")) {
productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM); productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
addMatchingValues(classInformation, value, productEvidence); addMatchingValues(classInformation, value, productEvidence);
} else if (key.contains("vendor")) { } else if (key.contains("vendor")) {
if (key.contains("specification")) { if (key.contains("specification")) {
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.LOW); vendorEvidence.addEvidence(source, key, value, Confidence.LOW);
} else { } else {
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM); vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
addMatchingValues(classInformation, value, vendorEvidence); addMatchingValues(classInformation, value, vendorEvidence);
} }
} else if (key.contains("name")) { } else if (key.contains("name")) {
productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM); productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM); vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
addMatchingValues(classInformation, value, vendorEvidence); addMatchingValues(classInformation, value, vendorEvidence);
addMatchingValues(classInformation, value, productEvidence); addMatchingValues(classInformation, value, productEvidence);
} else if (key.contains("license")) { } else if (key.contains("license")) {
@@ -664,8 +664,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
if (key.contains("description")) { if (key.contains("description")) {
addDescription(dependency, value, "manifest", key); addDescription(dependency, value, "manifest", key);
} else { } else {
productEvidence.addEvidence(source, key, value, Evidence.Confidence.LOW); productEvidence.addEvidence(source, key, value, Confidence.LOW);
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.LOW); vendorEvidence.addEvidence(source, key, value, Confidence.LOW);
addMatchingValues(classInformation, value, vendorEvidence); addMatchingValues(classInformation, value, vendorEvidence);
addMatchingValues(classInformation, value, productEvidence); addMatchingValues(classInformation, value, productEvidence);
if (value.matches(".*\\d.*")) { if (value.matches(".*\\d.*")) {
@@ -673,7 +673,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
while (tokenizer.hasMoreElements()) { while (tokenizer.hasMoreElements()) {
final String s = tokenizer.nextToken(); final String s = tokenizer.nextToken();
if (s.matches("^[0-9.]+$")) { if (s.matches("^[0-9.]+$")) {
versionEvidence.addEvidence(source, key, s, Evidence.Confidence.LOW); versionEvidence.addEvidence(source, key, s, Confidence.LOW);
} }
} }
} }
@@ -727,11 +727,11 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
sb.append("..."); sb.append("...");
descToUse = sb.toString(); descToUse = sb.toString();
} }
dependency.getProductEvidence().addEvidence(source, key, descToUse, Evidence.Confidence.LOW); dependency.getProductEvidence().addEvidence(source, key, descToUse, Confidence.LOW);
dependency.getVendorEvidence().addEvidence(source, key, descToUse, Evidence.Confidence.LOW); dependency.getVendorEvidence().addEvidence(source, key, descToUse, Confidence.LOW);
} else { } else {
dependency.getProductEvidence().addEvidence(source, key, desc, Evidence.Confidence.MEDIUM); dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.MEDIUM);
dependency.getVendorEvidence().addEvidence(source, key, desc, Evidence.Confidence.MEDIUM); dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.MEDIUM);
} }
} }
@@ -937,7 +937,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
for (ClassNameInformation cni : classes) { for (ClassNameInformation cni : classes) {
for (String key : cni.getPackageStructure()) { for (String key : cni.getPackageStructure()) {
if (text.contains(key)) { //note, package structure elements are already lowercase. if (text.contains(key)) { //note, package structure elements are already lowercase.
evidence.addEvidence("jar", "package name", key, Evidence.Confidence.HIGHEST); evidence.addEvidence("jar", "package name", key, Confidence.HIGHEST);
} }
} }
} }
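Review bot: The commented-out evidence calls in the `@@ -582,43` hunk (the `//productEvidence.addEvidence(...)` line under BUNDLE_DESCRIPTION and the four commented calls under MAIN_CLASS) were rewritten to `Confidence.MEDIUM` instead of being deleted, so dead code is now being maintained alongside the live code. The explanatory comment that main-class information is picked up during class name analysis is worth keeping; the commented-out statements beneath it are not, since version control already preserves them. The enclosing manifest-parsing method starts and ends outside the hunks shown.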


@@ -26,8 +26,8 @@ import java.util.logging.Logger;
import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nexus.MavenArtifact; import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.data.nexus.NexusSearch; import org.owasp.dependencycheck.data.nexus.NexusSearch;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.Settings;
/** /**
@@ -151,16 +151,13 @@ public class NexusAnalyzer extends AbstractAnalyzer {
try { try {
final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum()); final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) { if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH);
Evidence.Confidence.HIGH);
} }
if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) { if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH);
Evidence.Confidence.HIGH);
} }
if (ma.getVersion() != null && !"".equals(ma.getVersion())) { if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
Evidence.Confidence.HIGH);
} }
if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) { if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl()); dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl());


@@ -24,29 +24,6 @@ package org.owasp.dependencycheck.dependency;
*/ */
public class Evidence implements Comparable<Evidence> { public class Evidence implements Comparable<Evidence> {
/**
* The confidence that the evidence is "high" quality.
*/
public enum Confidence {
/**
* High confidence evidence.
*/
HIGHEST,
/**
* High confidence evidence.
*/
HIGH,
/**
* Medium confidence evidence.
*/
MEDIUM,
/**
* Low confidence evidence.
*/
LOW
}
/** /**
* Creates a new Evidence object. * Creates a new Evidence object.
*/ */


@@ -43,7 +43,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
*/ */
private static final Filter<Evidence> HIGHEST_CONFIDENCE = new Filter<Evidence>() { private static final Filter<Evidence> HIGHEST_CONFIDENCE = new Filter<Evidence>() {
public boolean passes(Evidence evidence) { public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Evidence.Confidence.HIGHEST; return evidence.getConfidence() == Confidence.HIGHEST;
} }
}; };
/** /**
@@ -51,7 +51,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
*/ */
private static final Filter<Evidence> HIGH_CONFIDENCE = new Filter<Evidence>() { private static final Filter<Evidence> HIGH_CONFIDENCE = new Filter<Evidence>() {
public boolean passes(Evidence evidence) { public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Evidence.Confidence.HIGH; return evidence.getConfidence() == Confidence.HIGH;
} }
}; };
/** /**
@@ -59,7 +59,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
*/ */
private static final Filter<Evidence> MEDIUM_CONFIDENCE = new Filter<Evidence>() { private static final Filter<Evidence> MEDIUM_CONFIDENCE = new Filter<Evidence>() {
public boolean passes(Evidence evidence) { public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Evidence.Confidence.MEDIUM; return evidence.getConfidence() == Confidence.MEDIUM;
} }
}; };
/** /**
@@ -67,7 +67,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
*/ */
private static final Filter<Evidence> LOW_CONFIDENCE = new Filter<Evidence>() { private static final Filter<Evidence> LOW_CONFIDENCE = new Filter<Evidence>() {
public boolean passes(Evidence evidence) { public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Evidence.Confidence.LOW; return evidence.getConfidence() == Confidence.LOW;
} }
}; };
/** /**
@@ -85,12 +85,12 @@ public class EvidenceCollection implements Iterable<Evidence> {
* @param confidence the confidence level for the evidence to be iterated over. * @param confidence the confidence level for the evidence to be iterated over.
* @return Iterable<Evidence> an iterable collection of evidence * @return Iterable<Evidence> an iterable collection of evidence
*/ */
public final Iterable<Evidence> iterator(Evidence.Confidence confidence) { public final Iterable<Evidence> iterator(Confidence confidence) {
if (confidence == Evidence.Confidence.HIGHEST) { if (confidence == Confidence.HIGHEST) {
return EvidenceCollection.HIGHEST_CONFIDENCE.filter(this.list); return EvidenceCollection.HIGHEST_CONFIDENCE.filter(this.list);
} else if (confidence == Evidence.Confidence.HIGH) { } else if (confidence == Confidence.HIGH) {
return EvidenceCollection.HIGH_CONFIDENCE.filter(this.list); return EvidenceCollection.HIGH_CONFIDENCE.filter(this.list);
} else if (confidence == Evidence.Confidence.MEDIUM) { } else if (confidence == Confidence.MEDIUM) {
return EvidenceCollection.MEDIUM_CONFIDENCE.filter(this.list); return EvidenceCollection.MEDIUM_CONFIDENCE.filter(this.list);
} else { } else {
return EvidenceCollection.LOW_CONFIDENCE.filter(this.list); return EvidenceCollection.LOW_CONFIDENCE.filter(this.list);
@@ -130,7 +130,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
* @param value the value of the Evidence. * @param value the value of the Evidence.
* @param confidence the confidence of the Evidence. * @param confidence the confidence of the Evidence.
*/ */
public void addEvidence(String source, String name, String value, Evidence.Confidence confidence) { public void addEvidence(String source, String name, String value, Confidence confidence) {
final Evidence e = new Evidence(source, name, value, confidence); final Evidence e = new Evidence(source, name, value, confidence);
addEvidence(e); addEvidence(e);
} }
@@ -265,7 +265,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
* @param confidence A Confidence value. * @param confidence A Confidence value.
* @return boolean. * @return boolean.
*/ */
public boolean contains(Evidence.Confidence confidence) { public boolean contains(Confidence confidence) {
for (Evidence e : list) { for (Evidence e : list) {
if (e.getConfidence().equals(confidence)) { if (e.getConfidence().equals(confidence)) {
return true; return true;
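Review bot: In the `@@ -85,12` hunk, `iterator(Confidence confidence)` now takes the top-level enum but still dispatches through an if/else chain whose final `else` returns the LOW filter, so a `null` confidence silently yields low-confidence evidence rather than failing; with the enum as the parameter type a `switch (confidence)` over the four constants, with a `default` that throws `IllegalArgumentException`, would make the mapping exhaustive and reject `null`. The closing braces of that method lie outside the hunk. Separately, the four `passes` filters compare with `==` while `contains(Confidence)` uses `e.getConfidence().equals(confidence)`; both are correct for enums, but picking one form would make the class consistent.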


@@ -250,9 +250,9 @@ public class DependencyTest {
Dependency instance = new Dependency(); Dependency instance = new Dependency();
String expResult = "used"; String expResult = "used";
instance.getProductEvidence().addEvidence("used", "used", "used", Evidence.Confidence.HIGH); instance.getProductEvidence().addEvidence("used", "used", "used", Confidence.HIGH);
instance.getProductEvidence().addEvidence("not", "not", "not", Evidence.Confidence.MEDIUM); instance.getProductEvidence().addEvidence("not", "not", "not", Confidence.MEDIUM);
for (Evidence e : instance.getProductEvidence().iterator(Evidence.Confidence.HIGH)) { for (Evidence e : instance.getProductEvidence().iterator(Confidence.HIGH)) {
String use = e.getValue(); String use = e.getValue();
} }