From b473d8ab9c0e45bdfde4d2ed4c8ef1b51c25282e Mon Sep 17 00:00:00 2001
From: Dale Visser
Date: Sat, 29 Aug 2015 11:28:38 -0400
Subject: [PATCH] Ruby Bundler: Added URL to report.
---
 .../analyzer/RubyBundleAuditAnalyzer.java | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
index c04034997..9f11f9d11 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -22,6 +22,7 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Reference;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
@@ -29,10 +30,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.*;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 /**
  * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool.
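Review bot: The second hunk replaces the four explicit `java.util` imports with `import java.util.*;`, which hides what the file actually depends on and lets a same-named class from another wildcard package (the file already imports `java.io.*`) silently win name resolution later. Nothing else in this patch visibly uses a `java.util` type beyond the four that were removed, so the explicit lines could be restored as they were: `import java.util.ArrayList;`, `import java.util.HashMap;`, `import java.util.List;`, `import java.util.Map;`. If a new `java.util` type was the reason for the change, adding that one import explicitly keeps the same benefit without the wildcard.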
@@ -245,8 +243,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 }
 LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
 } else if (nextLine.startsWith(CRITICALITY)) {
- final String criticality = nextLine.substring(CRITICALITY.length()).trim();
 if (null != vulnerability) {
+ final String criticality = nextLine.substring(CRITICALITY.length()).trim();
 if ("High".equals(criticality)) {
 vulnerability.setCvssScore(8.5f);
 } else if ("Medium".equals(criticality)) {
@@ -258,6 +256,15 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 }
 }
 LOGGER.info(String.format("bundle-audit (%s): %s", parentName, nextLine));
+ } else if (nextLine.startsWith("URL: ")){
+ final String url = nextLine.substring(("URL: ").length());
+ if (null != vulnerability) {
+ Reference ref = new Reference();
+ ref.setName(vulnerability.getName());
+ ref.setSource("bundle-audit");
+ ref.setUrl(url);
+ vulnerability.getReferences().add(ref);
+ }
 }
 }
 }
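Review bot: The value in the new `URL: ` branch is taken verbatim from the bundle-audit output line, unlike the `CRITICALITY` branch a few lines up which trims its value, so a trailing space or an empty `URL:` line still yields a Reference whose URL is padded or blank. Trimming and skipping blanks keeps the report clean: `final String url = nextLine.substring("URL: ".length()).trim();` and `if (null != vulnerability && !url.isEmpty()) {`. Because the value originates from an external tool and ends up in the generated report, the layer that renders references should be the one escaping it; that code is outside this hunk, so this is only a point to confirm. The `"URL: "` literal also appears twice in two lines, while the sibling branches read their prefix from a constant such as `CRITICALITY`; a `private static final String URL_PREFIX = "URL: ";` would match that, with `ref` declared `final` like `url` and a space before the brace in `)){`. The enclosing loop and method begin and end outside the hunk.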