github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-20 16:24:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

added code to remove additional false positives

Browse Source 
Former-commit-id: 1a15cccd4790fee2044de40843305762cfbefe96
This commit is contained in:
Jeremy Long
2013-06-02 21:44:20 -04:00
parent e3f401debb
commit bfb6373742
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
View File

@@ -102,6 +102,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
*/ */
public void analyze(Dependency dependency, Engine engine) throws AnalysisException { public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
removeJreEntries(dependency); removeJreEntries(dependency);
removeBadMatches(dependency);
boolean deepScan = false; boolean deepScan = false;
try { try {
deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN); deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
@@ -182,7 +183,10 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
final Iterator<Identifier> itr = identifiers.iterator(); final Iterator<Identifier> itr = identifiers.iterator();
while (itr.hasNext()) { while (itr.hasNext()) {
final Identifier i = itr.next(); final Identifier i = itr.next();
if ((i.getValue().startsWith("cpe:/a:sun:java:") if ((i.getValue().startsWith("cpe:/a:sun:java:")
|| i.getValue().startsWith("cpe:/a:sun:java_se")
|| i.getValue().startsWith("cpe:/a:oracle:java_se")
|| i.getValue().startsWith("cpe:/a:oracle:jre") || i.getValue().startsWith("cpe:/a:oracle:jre")
|| i.getValue().startsWith("cpe:/a:oracle:jdk")) || i.getValue().startsWith("cpe:/a:oracle:jdk"))
&& !dependency.getFileName().toLowerCase().endsWith("rt.jar")) { && !dependency.getFileName().toLowerCase().endsWith("rt.jar")) {
@@ -210,4 +214,18 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
} }
return cpe; return cpe;
} }
private void removeBadMatches(Dependency dependency) {
final Set<Identifier> identifiers = dependency.getIdentifiers();
final Iterator<Identifier> itr = identifiers.iterator();
while (itr.hasNext()) {
final Identifier i = itr.next();
//TODO move this startswith expression to a configuration file?
if (i.getValue().startsWith("cpe:/a:apache:xerces-c++:")
&& dependency.getFileName().toLowerCase().endsWith(".jar")) {
itr.remove();
}
}
}
} }