From c0e59735173260c06ea5e1ef4ed1c80ee8451244 Mon Sep 17 00:00:00 2001
From: bjiang
Date: Fri, 6 May 2016 15:50:35 -0400
Subject: [PATCH] rename RubyBundlerAnalyzer and javadoc
---
 ...Analyzer.java => RubyBundlerAnalyzer.java} | 43 ++++++++++++++++---
 ...rg.owasp.dependencycheck.analyzer.Analyzer | 2 +-
 2 files changed, 38 insertions(+), 7 deletions(-)
 rename dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/{RubyBundleInstallDeploymentAnalyzer.java => RubyBundlerAnalyzer.java} (53%)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleInstallDeploymentAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java
similarity index 53%
rename from dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleInstallDeploymentAnalyzer.java
rename to dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java
index b7f0262f8..7ec6c9207 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleInstallDeploymentAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java
@@ -1,3 +1,20 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Bianca Jiang. All Rights Reserved.
+ */
 package org.owasp.dependencycheck.analyzer;
 import java.io.File;
@@ -7,16 +24,30 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
-public class RubyBundleInstallDeploymentAnalyzer extends RubyGemspecAnalyzer {
+/**
+ * Used to leverage Ruby gems that are deployed or installed by Ruby bundler (http://bundler.io).
+ * The difference of scanning gems installed by the bundler is that "bundle install" creates
+ * a set of new .gemspec files under a folder called "specifications", in addition to the original
+ * .gemspec files from source. The advantage of bundler generated .gemspec files is that
+ * they contain fully resolved attributes, and original .gemspec from source often contain variable
+ * for attributes.
+ *
+ * This analyzer takes advantage of the fully resolved .gemspec installed by the bundler for
+ * better dependency identification results. It also tries to resolve the dependency packagePath
+ * to where the gem is actually installed. Then during AnalysisPhase.PRE_FINDING_ANALYSIS
+ * DependencyBundlingAnalyzer would merge the two dependencies together if they contain
+ * the same packagePath.
+ *
+ * @author Bianca Jiang (biancajiang@gmail.com)
+ */
+public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
+ //Folder name that contains .gemspec files created by "bundle install"
 private static final String SPECIFICATIONS = "specifications";
+
+ //Folder name that contains the gems by "bundle install"
 private static final String GEMS = "gems";
- /**
- * The logger.
- */
-// private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleInstallDeploymentAnalyzer.class);
-
 /**
 * Only accept *.gemspec stubs generated by "bundle install --deployment" under "specifications" folder.
 */
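Review bot: The two new field comments (`//Folder name that contains ...`) on SPECIFICATIONS and GEMS drop the Javadoc form this file uses for members (the removed `/** The logger. */` block and the unchanged `/** Only accept *.gemspec stubs ... */` that closes the hunk), so they will not appear in generated docs; I would write them as `/** Folder, under the bundler install root, holding the .gemspec stubs written by "bundle install". */` and `/** Folder, under the bundler install root, holding the installed gems. */`. In the new class Javadoc the bare ` *` separator lines do not produce paragraph breaks when rendered, so the second and third paragraphs should start with `<p>`. The sentence claiming that DependencyBundlingAnalyzer merges the two dependencies during AnalysisPhase.PRE_FINDING_ANALYSIS describes behaviour that lives outside this file and cannot be checked here; referencing it as `{@link DependencyBundlingAnalyzer}` would at least make the javadoc tool verify the cross-reference, and the wording should be hedged if that merge depends on configuration. The class body, including the accept method whose comment ends this hunk, continues outside the hunk.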
diff --git a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
index b0d1c95c8..7f67a3d84 100644
--- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
+++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
@@ -19,6 +19,6 @@ org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
 org.owasp.dependencycheck.analyzer.CMakeAnalyzer
 org.owasp.dependencycheck.analyzer.NodePackageAnalyzer
 org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer
-org.owasp.dependencycheck.analyzer.RubyBundleInstallDeploymentAnalyzer
+org.owasp.dependencycheck.analyzer.RubyBundlerAnalyzer
 org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer
 org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer