diff --git a/pom.xml b/pom.xml index dd5820ecc..aa640b616 100644 --- a/pom.xml +++ b/pom.xml @@ -472,7 +472,7 @@ along with DependencyCheck. If not, see . diff --git a/src/main/java/org/codesecure/dependencycheck/Engine.java b/src/main/java/org/codesecure/dependencycheck/Engine.java index e118e4102..71807def1 100644 --- a/src/main/java/org/codesecure/dependencycheck/Engine.java +++ b/src/main/java/org/codesecure/dependencycheck/Engine.java @@ -19,9 +19,7 @@ package org.codesecure.dependencycheck; import java.util.EnumMap; -import org.codesecure.dependencycheck.dependency.Dependency; import java.io.File; -import java.io.IOException; import java.util.ArrayList; import java.util.HashSet; import java.util.Iterator; @@ -33,10 +31,10 @@ import org.codesecure.dependencycheck.analyzer.AnalysisException; import org.codesecure.dependencycheck.analyzer.AnalysisPhase; import org.codesecure.dependencycheck.analyzer.Analyzer; import org.codesecure.dependencycheck.analyzer.AnalyzerService; -import org.codesecure.dependencycheck.analyzer.ArchiveAnalyzer; import org.codesecure.dependencycheck.data.CachedWebDataSource; import org.codesecure.dependencycheck.data.UpdateException; import org.codesecure.dependencycheck.data.UpdateService; +import org.codesecure.dependencycheck.dependency.Dependency; import org.codesecure.dependencycheck.utils.FileUtils; /** @@ -188,9 +186,9 @@ public class Engine { * Runs the analyzers against all of the dependencies. */ public void analyzeDependencies() { + //phase one initilize for (AnalysisPhase phase : AnalysisPhase.values()) { List analyzerList = analyzers.get(phase); - for (Analyzer a : analyzerList) { try { a.initialize(); 
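Review bot: The added comment `//phase one initilize` misspells "initialize" and, as the only marker of the new three-loop structure, says nothing about what the phase guarantees; `// phase one: initialize every analyzer (analysis and close run in the loops below)` would read better. The `catch` that follows `a.initialize()`, and the rest of analyzeDependencies, lie outside this hunk.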
@@ -204,41 +202,34 @@ public class Engine { } continue; } + } + } + + // analysis phases + for (AnalysisPhase phase : AnalysisPhase.values()) { + List analyzerList = analyzers.get(phase); + + for (Analyzer a : analyzerList) { for (Dependency d : dependencies) { if (a.supportsExtension(d.getFileExtension())) { try { - if (a instanceof ArchiveAnalyzer) { - ArchiveAnalyzer aa = (ArchiveAnalyzer) a; - aa.analyze(d, this); - } else { - a.analyze(d); - } + a.analyze(d, this); } catch (AnalysisException ex) { d.addAnalysisException(ex); - } catch (IOException ex) { - String msg = String.format("IOException occured while analyzing the file '%s'.", - d.getActualFilePath()); - Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg, ex); } } } - try { - a.close(); - } catch (Exception ex) { - Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, null, ex); - } } } - //Now cycle through all of the analyzers one last time to call - // cleanup on any archiveanalyzers. These should only exist in the - // initial phase, but we are going to be thourough just in case. + //close/cleanup for (AnalysisPhase phase : AnalysisPhase.values()) { List analyzerList = analyzers.get(phase); for (Analyzer a : analyzerList) { - if (a instanceof ArchiveAnalyzer) { - ArchiveAnalyzer aa = (ArchiveAnalyzer) a; - aa.cleanup(); + try { + a.close(); + } catch (Exception ex) { + Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, null, ex); } } } diff --git a/src/main/java/org/codesecure/dependencycheck/analyzer/Analyzer.java b/src/main/java/org/codesecure/dependencycheck/analyzer/Analyzer.java index 349e0f00e..96511c184 100644 --- a/src/main/java/org/codesecure/dependencycheck/analyzer/Analyzer.java +++ b/src/main/java/org/codesecure/dependencycheck/analyzer/Analyzer.java @@ -19,6 +19,7 @@ package org.codesecure.dependencycheck.analyzer; import java.util.Set; +import org.codesecure.dependencycheck.Engine; import org.codesecure.dependencycheck.dependency.Dependency; /** 
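Review bot: Splitting initialization from analysis means the `continue` at the top of the hunk no longer excludes a failed analyzer: it only moves on within the initialization loop, and the new analysis loop still calls `a.analyze(d, this)` for every analyzer left in `analyzerList`, including one whose `initialize()` threw, and the close loop then calls `close()` on it too. Removing such analyzers from the list in the catch block (iterate with `Iterator<Analyzer> it = analyzerList.iterator();` and call `it.remove();` there; `Iterator` is already imported) restores the old behaviour. Separately, the analysis loop catches only `AnalysisException`, so an unchecked exception from any analyzer exits `analyzeDependencies` before the close/cleanup loop runs; given the removed ArchiveAnalyzer contract spoke of temporary files, analyzers that extract archives would then leave them on disk, which `try { /* analysis phases */ } finally { /* close loop */ }` avoids. The method's opening lines, including the catch block this `continue` belongs to, are outside this hunk.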
@@ -37,10 +38,12 @@ public interface Analyzer { * description or license information for the dependency it should be added. * * @param dependency a dependency to analyze. + * @param engine the engine that is scanning the dependencies - this is useful + * if we need to check other dependencies * @throws AnalysisException is thrown if there is an error analyzing the * dependency file */ - void analyze(Dependency dependency) throws AnalysisException; + void analyze(Dependency dependency, Engine engine) throws AnalysisException; /** *

Returns a list of supported file extensions. An example would be an diff --git a/src/main/java/org/codesecure/dependencycheck/analyzer/ArchiveAnalyzer.java b/src/main/java/org/codesecure/dependencycheck/analyzer/ArchiveAnalyzer.java deleted file mode 100644 index 575efcdca..000000000 --- a/src/main/java/org/codesecure/dependencycheck/analyzer/ArchiveAnalyzer.java +++ /dev/null 
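Review bot: The new `engine` parameter's nullability is undocumented, while the tests updated in this same commit call `analyze(result, null)` on FileNameAnalyzer, JarAnalyzer and in the CPEAnalyzer test, so implementers cannot tell whether they may dereference it. Either the interface should state the contract, e.g. `@param engine the engine that is scanning the dependencies; may be {@code null} when an analyzer is run outside an Engine, so implementations must check before using it`, or the tests should supply a real Engine. The interface declaration itself lies outside this hunk.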
@@ -1,48 +0,0 @@ -/* - * This file is part of DependencyCheck. - * - * DependencyCheck is free software: you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the Free - * Software Foundation, either version 3 of the License, or (at your option) any - * later version. - * - * DependencyCheck is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - * - * You should have received a copy of the GNU General Public License along with - * DependencyCheck. If not, see http://www.gnu.org/licenses/. - * - * Copyright (c) 2012 Jeremy Long. All Rights Reserved. - */ -package org.codesecure.dependencycheck.analyzer; - -import org.codesecure.dependencycheck.dependency.Dependency; -import java.io.IOException; -import org.codesecure.dependencycheck.Engine; - -/** - * An interface that defines an Analyzer that is used to expand archives and - * allow the engine to scan the contents. - * - * @author Jeremy Long (jeremy.long@gmail.com) - */ -public interface ArchiveAnalyzer { - - /** - * An ArchiveAnalyzer expands an archive and calls the scan method of the - * engine on the exploded contents. - * - * @param dependency a dependency to analyze. - * @param engine the engine that is scanning the dependencies. - * @throws IOException is thrown if there is an error reading the dependency - * file - */ - void analyze(Dependency dependency, Engine engine) throws IOException; - - /** - * Cleans any temporary files generated when analyzing the archive. - */ - void cleanup(); -} diff --git a/src/main/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzer.java b/src/main/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzer.java index 77b7d7be2..d5ebf8f7b 100644 --- a/src/main/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzer.java 
+++ b/src/main/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzer.java @@ -21,6 +21,7 @@ package org.codesecure.dependencycheck.analyzer; import org.codesecure.dependencycheck.dependency.Dependency; import org.codesecure.dependencycheck.dependency.Evidence; import java.util.Set; +import org.codesecure.dependencycheck.Engine; /** * @@ -85,10 +86,11 @@ public class FileNameAnalyzer implements Analyzer { * Collects information about the file name. * * @param dependency the dependency to analyze. + * @param engine the engine that is scanning the dependencies * @throws AnalysisException is thrown if there is an error reading the JAR * file. */ - public void analyze(Dependency dependency) throws AnalysisException { + public void analyze(Dependency dependency, Engine engine) throws AnalysisException { String fileName = dependency.getFileName(); int pos = fileName.lastIndexOf("."); diff --git a/src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java b/src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java index 1dcc1b1cc..5ad142886 100644 --- a/src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java +++ b/src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java @@ -23,6 +23,7 @@ import java.io.FileInputStream; import java.util.logging.Level; import java.util.logging.Logger; import javax.xml.bind.JAXBException; +import org.codesecure.dependencycheck.Engine; import org.codesecure.dependencycheck.dependency.Dependency; import org.codesecure.dependencycheck.dependency.Evidence; import org.codesecure.dependencycheck.dependency.EvidenceCollection; @@ -54,7 +55,7 @@ import org.codesecure.dependencycheck.utils.NonClosingStream; * * @author Jeremy Long (jeremy.long@gmail.com) */ -public class JarAnalyzer extends AbstractAnalyzer { +public class JarAnalyzer extends AbstractAnalyzer implements Analyzer { /** * The system independent newline character. 
@@ -178,10 +179,11 @@ public class JarAnalyzer extends AbstractAnalyzer {
 * checksums to identify the correct CPE information.
 *
 * @param dependency the dependency to analyze.
+ * @param engine the engine that is scanning the dependencies
 * @throws AnalysisException is thrown if there is an error reading the JAR
 * file.
 */
- public void analyze(Dependency dependency) throws AnalysisException {
+ public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
 try {
 parseManifest(dependency);
 analyzePackageNames(dependency);
diff --git a/src/main/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzer.java b/src/main/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzer.java
index 029a0b97a..d2b16bc0b 100644
--- a/src/main/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzer.java
+++ b/src/main/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzer.java
@@ -29,6 +29,7 @@ import org.apache.lucene.index.CorruptIndexException;
 import org.apache.lucene.queryparser.classic.ParseException;
 import org.apache.lucene.search.ScoreDoc;
 import org.apache.lucene.search.TopDocs;
+import org.codesecure.dependencycheck.Engine;
 import org.codesecure.dependencycheck.analyzer.AnalysisException;
 import org.codesecure.dependencycheck.analyzer.AnalysisPhase;
 import org.codesecure.dependencycheck.data.lucene.LuceneUtils;
@@ -436,10 +437,11 @@ public class CPEAnalyzer implements org.codesecure.dependencycheck.analyzer.Anal
 * identifiers for this dependency.
 *
 * @param dependency The Dependency to analyze.
+ * @param engine The analysis engine
 * @throws AnalysisException is thrown if there is an issue analyzing the
 * dependency.
 */
- public void analyze(Dependency dependency) throws AnalysisException {
+ public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
 try {
 determineCPE(dependency);
 } catch (CorruptIndexException ex) {
diff --git a/src/main/java/org/codesecure/dependencycheck/data/nvdcve/NvdCveAnalyzer.java b/src/main/java/org/codesecure/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
index 9d1f8ed16..dfbd4afa4 100644
--- a/src/main/java/org/codesecure/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
+++ b/src/main/java/org/codesecure/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
 import java.util.Set;
+import org.codesecure.dependencycheck.Engine;
 import org.codesecure.dependencycheck.analyzer.AnalysisException;
 import org.codesecure.dependencycheck.analyzer.AnalysisPhase;
 import org.codesecure.dependencycheck.dependency.Dependency;
@@ -92,11 +93,12 @@ public class NvdCveAnalyzer implements org.codesecure.dependencycheck.analyzer.A
 * Analyzes a dependency and attempts to determine if there are any CPE
 * identifiers for this dependency.
 *
- * @param dependency The Dependency to analyze.
+ * @param dependency The Dependency to analyze
+ * @param engine The analysis engine
 * @throws AnalysisException is thrown if there is an issue analyzing the
- * dependency.
+ * dependency
 */
- public void analyze(Dependency dependency) throws AnalysisException {
+ public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
 for (Identifier id : dependency.getIdentifiers()) {
 if ("cpe".equals(id.getType())) {
 try {
diff --git a/src/main/java/org/codesecure/dependencycheck/dependency/Identifier.java b/src/main/java/org/codesecure/dependencycheck/dependency/Identifier.java
index 1131ce6a4..55220444f 100644
--- a/src/main/java/org/codesecure/dependencycheck/dependency/Identifier.java
+++ b/src/main/java/org/codesecure/dependencycheck/dependency/Identifier.java
@@ -138,4 +138,31 @@ public class Identifier {
 public void setDescription(String description) {
 this.description = description;
 }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (obj == null) {
+ return false;
+ }
+ if (getClass() != obj.getClass()) {
+ return false;
+ }
+ final Identifier other = (Identifier) obj;
+ if ((this.value == null) ? (other.value != null) : !this.value.equals(other.value)) {
+ return false;
+ }
+ if ((this.type == null) ? (other.type != null) : !this.type.equals(other.type)) {
+ return false;
+ }
+ return true;
+ }
+
+ @Override
+ public int hashCode() {
+ int hash = 5;
+ hash = 53 * hash + (this.value != null ? this.value.hashCode() : 0);
+ hash = 53 * hash + (this.type != null ? this.type.hashCode() : 0);
+ return hash;
+ }
+
 }
diff --git a/src/main/resources/META-INF/services/org.codesecure.dependencycheck.analyzer.Analyzer b/src/main/resources/META-INF/services/org.codesecure.dependencycheck.analyzer.Analyzer
index 9f3ade19a..fb521c11d 100644
--- a/src/main/resources/META-INF/services/org.codesecure.dependencycheck.analyzer.Analyzer
+++ b/src/main/resources/META-INF/services/org.codesecure.dependencycheck.analyzer.Analyzer
@@ -1,4 +1,5 @@
 org.codesecure.dependencycheck.analyzer.JarAnalyzer
 org.codesecure.dependencycheck.analyzer.FileNameAnalyzer
+org.codesecure.dependencycheck.analyzer.SpringCleaningAnalyzer
 org.codesecure.dependencycheck.data.cpe.CPEAnalyzer
 org.codesecure.dependencycheck.data.nvdcve.NvdCveAnalyzer
\ No newline at end of file
diff --git a/src/test/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzerTest.java b/src/test/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzerTest.java
index f5d2e12d4..ab66818a6 100644
--- a/src/test/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzerTest.java
+++ b/src/test/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzerTest.java
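Review bot: The new equals() and hashCode() compare only `value` and `type` and deliberately ignore `description`, which looks intended for de-duplicating identifiers but is stated nowhere; a Javadoc on equals such as `/** Two identifiers are equal when their type and value match; the description is not part of equality. */` would keep a later maintainer from "fixing" it. A `if (this == obj) { return true; }` fast path before the null check is also conventional and cheap. The rest of the Identifier class is outside this hunk.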
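Review bot: The service registration adds `org.codesecure.dependencycheck.analyzer.SpringCleaningAnalyzer`, but no source file of that name appears anywhere in this diff; unless it arrives in a separate commit, the `ServiceLoader` iteration (presumably inside AnalyzerService, which Engine imports) will throw a `ServiceConfigurationError` when it reaches that entry, and every analyzer listed after it is lost with it. Worth confirming the class is committed together with this file and that it implements the new two-argument `analyze(Dependency, Engine)` signature introduced in this commit.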
@@ -19,7 +19,7 @@ import static org.junit.Assert.*; * @author Jeremy Long (jeremy.long@gmail.com) */ public class FileNameAnalyzerTest { - + public FileNameAnalyzerTest() { } @@ -30,11 +30,11 @@ public class FileNameAnalyzerTest { @AfterClass public static void tearDownClass() throws Exception { } - + @Before public void setUp() { } - + @After public void tearDown() { } @@ -97,7 +97,7 @@ public class FileNameAnalyzerTest { File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath()); Dependency result = new Dependency(file); FileNameAnalyzer instance = new FileNameAnalyzer(); - instance.analyze(result); + instance.analyze(result, null); assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("struts")); } @@ -119,7 +119,7 @@ public class FileNameAnalyzerTest { public void testClose() { System.out.println("close"); FileNameAnalyzer instance = new FileNameAnalyzer(); - instance.close(); + instance.close(); assertTrue(true); //close does nothing. } } diff --git a/src/test/java/org/codesecure/dependencycheck/analyzer/JarAnalyzerTest.java b/src/test/java/org/codesecure/dependencycheck/analyzer/JarAnalyzerTest.java index d62a512bb..50f992839 100644 --- a/src/test/java/org/codesecure/dependencycheck/analyzer/JarAnalyzerTest.java +++ b/src/test/java/org/codesecure/dependencycheck/analyzer/JarAnalyzerTest.java 
@@ -53,14 +53,14 @@ public class JarAnalyzerTest { File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath()); Dependency result = new Dependency(file); JarAnalyzer instance = new JarAnalyzer(); - instance.analyze(result); + instance.analyze(result, null); assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache")); assertTrue(result.getVendorEvidence().getWeighting().contains("apache")); file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath()); result = new Dependency(file); - instance.analyze(result); + instance.analyze(result, null); boolean found = false; for (Evidence e : result.getProductEvidence()) { if (e.getName().equalsIgnoreCase("package-title") @@ -93,7 +93,7 @@ public class JarAnalyzerTest { file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jmx.jar").getPath()); result = new Dependency(file); - instance.analyze(result); + instance.analyze(result, null); assertEquals("org.mortbar,jmx.jar has version evidence?", result.getVersionEvidence().size(), 0); } diff --git a/src/test/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzerTest.java b/src/test/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzerTest.java index e16b27100..3dc1b6ad6 100644 --- a/src/test/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzerTest.java +++ b/src/test/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzerTest.java 
@@ -97,11 +97,11 @@ public class CPEAnalyzerTest extends BaseIndexTestCase { File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath()); JarAnalyzer jarAnalyzer = new JarAnalyzer(); Dependency depends = new Dependency(file); - jarAnalyzer.analyze(depends); + jarAnalyzer.analyze(depends, null); File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath()); Dependency spring = new Dependency(fileSpring); - jarAnalyzer.analyze(spring); + jarAnalyzer.analyze(spring, null); CPEAnalyzer instance = new CPEAnalyzer(); instance.open();