github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-18 07:14:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

fixed bug 40 - version evidence is not showing up in the final reports

Browse Source 
Former-commit-id: 1d39898252ca5738587947edd6ea977fbc571d55
This commit is contained in:
Jeremy Long
2014-01-08 05:23:18 -05:00
parent cc915e39c5
commit c0013a0ba5
1 changed files with 16 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View File

@@ -144,11 +144,13 @@ public class CPEAnalyzer implements Analyzer {
* @throws ParseException is thrown when the Lucene query cannot be parsed. * @throws ParseException is thrown when the Lucene query cannot be parsed.
*/ */
protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException { protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
Confidence vendorConf = Confidence.HIGHEST; Confidence confidence = Confidence.HIGHEST;
Confidence productConf = Confidence.HIGHEST;
String vendors = addEvidenceWithoutDuplicateTerms("", dependency.getVendorEvidence(), vendorConf); String vendors = addEvidenceWithoutDuplicateTerms("", dependency.getVendorEvidence(), confidence);
String products = addEvidenceWithoutDuplicateTerms("", dependency.getProductEvidence(), productConf); String products = addEvidenceWithoutDuplicateTerms("", dependency.getProductEvidence(), confidence);
/* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
* CPE identified. As such, we are "using" the evidence and ignoring the results. */
addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
int ctr = 0; int ctr = 0;
do { do {
@@ -164,13 +166,17 @@ public class CPEAnalyzer implements Analyzer {
} }
} }
} }
vendorConf = reduceConfidence(vendorConf); confidence = reduceConfidence(confidence);
if (dependency.getVendorEvidence().contains(vendorConf)) { if (dependency.getVendorEvidence().contains(confidence)) {
vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), vendorConf); vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
} }
productConf = reduceConfidence(productConf); if (dependency.getProductEvidence().contains(confidence)) {
if (dependency.getProductEvidence().contains(productConf)) { products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), productConf); }
/* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
* CPE identified. As such, we are "using" the evidence and ignoring the results. */
if (dependency.getVersionEvidence().contains(confidence)) {
addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
} }
} while ((++ctr) < 4); } while ((++ctr) < 4);
} }