bug fixed regarding whether or not to include packages as evidence

Former-commit-id: 0a180e491a630d6cbb1fb1083aabad97f44dc1fd
Jeremy Long
2013-04-23 07:03:57 -04:00
parent 9c0ef770b2
commit bb2abf4529


@@ -185,11 +185,16 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
*/ */
public void analyze(Dependency dependency, Engine engine) throws AnalysisException { public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
boolean addPackagesAsEvidence = false; boolean addPackagesAsEvidence = false;
//todo - catch should be more granular here, one for each call likely
//todo - think about sources/javadoc jars, should we remove or move to related dependency?
try { try {
addPackagesAsEvidence ^= parseManifest(dependency); boolean hasManifest = parseManifest(dependency);
addPackagesAsEvidence ^= analyzePOM(dependency); boolean hasPOM = analyzePOM(dependency);
addPackagesAsEvidence ^= Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN); boolean deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
analyzePackageNames(dependency, addPackagesAsEvidence); if ((!hasManifest && !hasPOM) || deepScan) {
addPackagesAsEvidence = true;
}
boolean hasClasses = analyzePackageNames(dependency, addPackagesAsEvidence);
if (!hasClasses if (!hasClasses
&& (dependency.getFileName().toLowerCase().endsWith("-sources.jar") && (dependency.getFileName().toLowerCase().endsWith("-sources.jar")
|| dependency.getFileName().toLowerCase().endsWith("-javadoc.jar") || dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
@@ -351,10 +356,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
return foundSomething; return foundSomething;
} }
/**
* flag indicating whether any class files were found (weeding out javadoc and sources JAR files)
*/
private boolean hasClasses = false;
/** /**
* Analyzes the path information of the classes contained within the * Analyzes the path information of the classes contained within the
* JarAnalyzer to try and determine possible vendor or product names. If any * JarAnalyzer to try and determine possible vendor or product names. If any
@@ -364,11 +365,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
* @param dependency A reference to the dependency. * @param dependency A reference to the dependency.
* @param addPackagesAsEvidence a flag indicating whether or not package * @param addPackagesAsEvidence a flag indicating whether or not package
* names should be added as evidence. * names should be added as evidence.
* @return returns true or false depending on whether classses were identified in the JAR
* @throws IOException is thrown if there is an error reading the JAR file. * @throws IOException is thrown if there is an error reading the JAR file.
*/ */
protected void analyzePackageNames(Dependency dependency, boolean addPackagesAsEvidence) protected boolean analyzePackageNames(Dependency dependency, boolean addPackagesAsEvidence)
throws IOException { throws IOException {
boolean hasClasses = false;
JarFile jar = null; JarFile jar = null;
try { try {
jar = new JarFile(dependency.getActualFilePath()); jar = new JarFile(dependency.getActualFilePath());
@@ -433,7 +435,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
} }
if (count == 0) { if (count == 0) {
return; return hasClasses;
} }
final EvidenceCollection vendor = dependency.getVendorEvidence(); final EvidenceCollection vendor = dependency.getVendorEvidence();
final EvidenceCollection product = dependency.getProductEvidence(); final EvidenceCollection product = dependency.getProductEvidence();
@@ -533,6 +535,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
jar.close(); jar.close();
} }
} }
return hasClasses;
} }
/** /**
@@ -556,8 +559,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
final Manifest manifest = jar.getManifest(); final Manifest manifest = jar.getManifest();
if (manifest == null) { if (manifest == null) {
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE,
"Jar file '{0}' does not contain a manifest.", String.format("Jar file '%s' does not contain a manifest.",
dependency.getFileName()); dependency.getFileName()));
return false; return false;
} }
final Attributes atts = manifest.getMainAttributes(); final Attributes atts = manifest.getMainAttributes();
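Review bot: In `analyze`, the new flags are named `hasManifest` and `hasPOM`, but the return paths visible on this page are `return false` for a null manifest and a `return foundSomething` at the end of an earlier method, so they may mean "yielded evidence" rather than "is present". For a dependency scanner the difference matters: if `parseManifest` returns true for a manifest with no usable vendor or product attributes, package names are skipped, and the JAR has little left to match on unless deep scan is enabled. I would state the contract in the `@return` of both methods and add a comment above the condition, for example `// package names are weak evidence: add them only when manifest and POM gave nothing, or on deep scan`. The flag can then become a single assignment, `final boolean addPackagesAsEvidence = deepScan || (!hasManifest && !hasPOM);`, and the added `@return` of `analyzePackageNames` should read "classes", not "classses". Most of the bodies of these methods lie outside the hunks, so the meaning of the return values is inferred, not confirmed.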