Merge branch 'master' of github.com:ctrl-alt-dev/DependencyCheck into ctrl-alt-dev-master

Former-commit-id: 4d1ab5ecacf0ca7354f57d3a49accd5a173e0a26
2026-05-01 04:34:45 +02:00 · 2014-10-24 05:36:40 -04:00
parent 109443ce77 f9e4ca0cc2
commit b4aa55ce1f
6 changed files with 140 additions and 61 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -27,6 +27,7 @@ import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+
 import org.owasp.dependencycheck.analyzer.AnalysisPhase;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.analyzer.AnalyzerService;
@@ -34,12 +35,14 @@ import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
 import org.owasp.dependencycheck.data.cpe.IndexException;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.update.CachedWebDataSource;
 import org.owasp.dependencycheck.data.update.UpdateService;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.exception.NoDataException;
 import org.owasp.dependencycheck.utils.FileUtils;
@@ -188,7 +191,7 @@ public class Engine implements Serializable {
    public void scan(String path) {
        if (path.matches("^.*[\\/]\\*\\.[^\\/:*|?<>\"]+$")) {
            final String[] parts = path.split("\\*\\.");
-            final String[] ext = new String[]{parts[parts.length - 1]};
+            final String[] ext = new String[] { parts[parts.length - 1] };
            final File dir = new File(path.substring(0, path.length() - ext[0].length() - 2));
            if (dir.isDirectory()) {
                final List<File> files = (List<File>) org.apache.commons.io.FileUtils.listFiles(dir, ext, true);
@@ -287,6 +290,17 @@ public class Engine implements Serializable {
     * @param file The file to scan.
     */
    protected void scanFile(File file) {
+        scan(file, null);
+    }
+
+    /**
+     * Scans a specified file. If a dependency is identified it is added to the dependency collection.
+     * If there is an mavenArtifact present, it will be added to
+     * 
+     * @param file The file to scan.
+     * @param mavenArtifact The (optional) Maven artifact.
+     */
+    public void scan(File file, MavenArtifact mavenArtifact) {
        if (!file.isFile()) {
            final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
            LOGGER.log(Level.FINE, msg);
@@ -297,11 +311,13 @@ public class Engine implements Serializable {
        if (extension != null) {
            if (supportsExtension(extension)) {
                final Dependency dependency = new Dependency(file);
+                if (mavenArtifact != null) {
+                    dependency.addAsEvidence("project-pom", mavenArtifact, Confidence.HIGH);
+                }
                dependencies.add(dependency);
            }
        } else {
-            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.",
-                    file.toString());
+            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.", file.toString());
            LOGGER.log(Level.FINEST, msg);
        }
    }
@@ -326,9 +342,7 @@ public class Engine implements Serializable {

        }

-        final String logHeader = String.format("%n"
-                + "----------------------------------------------------%n"
-                + "BEGIN ANALYSIS%n"
+        final String logHeader = String.format("%n" + "----------------------------------------------------%n" + "BEGIN ANALYSIS%n"
                + "----------------------------------------------------");
        LOGGER.log(Level.FINE, logHeader);
        LOGGER.log(Level.INFO, "Analysis Starting");
@@ -381,9 +395,7 @@ public class Engine implements Serializable {
            }
        }

-        final String logFooter = String.format("%n"
-                + "----------------------------------------------------%n"
-                + "END ANALYSIS%n"
+        final String logFooter = String.format("%n" + "----------------------------------------------------%n" + "END ANALYSIS%n"
                + "----------------------------------------------------");
        LOGGER.log(Level.FINE, logFooter);
        LOGGER.log(Level.INFO, "Analysis Complete");
@@ -437,10 +449,8 @@ public class Engine implements Serializable {
            try {
                source.update();
            } catch (UpdateException ex) {
-                LOGGER.log(Level.WARNING,
-                        "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
-                LOGGER.log(Level.FINE,
-                        String.format("Unable to update details for %s", source.getClass().getName()), ex);
+                LOGGER.log(Level.WARNING, "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
+                LOGGER.log(Level.FINE, String.format("Unable to update details for %s", source.getClass().getName()), ex);
            }
        }
    }
@@ -503,4 +513,5 @@ public class Engine implements Serializable {
            throw new NoDataException("No documents exist");
        }
    }
+
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
@@ -24,13 +24,13 @@ import java.net.URL;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.utils.Settings;

 /**
@@ -152,29 +152,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
        try {
            final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
-            if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
-                dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH);
-            }
-            if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
-                dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH);
-            }
-            if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
-                dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
-            }
-            if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
-                boolean found = false;
-                for (Identifier i : dependency.getIdentifiers()) {
-                    if ("maven".equals(i.getType()) && i.getValue().equals(ma.toString())) {
-                        found = true;
-                        i.setConfidence(Confidence.HIGHEST);
-                        i.setUrl(ma.getArtifactUrl());
-                        break;
-                    }
-                }
-                if (!found) {
-                    dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
-                }
-            }
+            dependency.addAsEvidence("nexus", ma, Confidence.HIGH);
        } catch (IllegalArgumentException iae) {
            //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
            LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -26,6 +26,8 @@ import java.util.SortedSet;
 import java.util.TreeSet;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.utils.Checksum;
 import org.owasp.dependencycheck.utils.FileUtils;

@@ -316,6 +318,38 @@ public class Dependency implements Serializable, Comparable<Dependency> {
        this.identifiers.add(i);
    }

+    /**
+     * Adds the maven artifact as evidence.
+     * @param source The source of the evidence.
+     * @param mavenArtifact The maven artifact.
+     * @param confidence The confidence level of this evidence.
+     */
+    public void addAsEvidence(String source, MavenArtifact mavenArtifact, Confidence confidence) {
+        if (mavenArtifact.getGroupId() != null && !"".equals(mavenArtifact.getGroupId())) {
+            this.getVendorEvidence().addEvidence(source, "groupid", mavenArtifact.getGroupId(), confidence);
+        }
+        if (mavenArtifact.getArtifactId() != null && !"".equals(mavenArtifact.getArtifactId())) {
+            this.getProductEvidence().addEvidence(source, "artifactid", mavenArtifact.getArtifactId(), confidence);
+        }
+        if (mavenArtifact.getVersion() != null && !"".equals(mavenArtifact.getVersion())) {
+            this.getVersionEvidence().addEvidence(source, "version", mavenArtifact.getVersion(), confidence);
+        }
+        if (mavenArtifact.getArtifactUrl() != null && !"".equals(mavenArtifact.getArtifactUrl())) {
+            boolean found = false;
+            for (Identifier i : this.getIdentifiers()) {
+                if ("maven".equals(i.getType()) && i.getValue().equals(mavenArtifact.toString())) {
+                    found = true;
+                    i.setConfidence(Confidence.HIGHEST);
+                    i.setUrl(mavenArtifact.getArtifactUrl());
+                    break;
+                }
+            }
+            if (!found) {
+                this.addIdentifier("maven", mavenArtifact.toString(), mavenArtifact.getArtifactUrl(), Confidence.HIGHEST);
+            }
+        }
+    }
+
    /**
     * Adds an entry to the list of detected Identifiers for the dependency file.
     *
@@ -324,6 +358,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
    public void addIdentifier(Identifier identifier) {
        this.identifiers.add(identifier);
    }
+
    /**
     * A set of identifiers that have been suppressed.
     */
@@ -441,6 +476,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
    public EvidenceCollection getVersionEvidence() {
        return this.versionEvidence;
    }
+
    /**
     * The description of the JAR file.
     */
@@ -463,6 +499,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
    public void setDescription(String description) {
        this.description = description;
    }
+
    /**
     * The license that this dependency uses.
     */
@@ -485,6 +522,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
    public void setLicense(String license) {
        this.license = license;
    }
+
    /**
     * A list of vulnerabilities for this dependency.
     */
@@ -540,6 +578,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
    public void addVulnerability(Vulnerability vulnerability) {
        this.vulnerabilities.add(vulnerability);
    }
+
    /**
     * A collection of related dependencies.
     */