From 9175b2624d64efd4cddacc1de2e03a09a563b544 Mon Sep 17 00:00:00 2001
From: brianf
Date: Thu, 14 Sep 2017 12:29:28 -0400
Subject: [PATCH 01/16] Following the pattern of other analyzers and including the parent name so the report doesn't list dozens of "package.swift" entries
---
 .../dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java | 4 ++++
 .../owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
index 5823d8aaf..5805ecb3b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
@@ -142,6 +142,10 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
 if (name != null && !name.isEmpty()) {
 vendor.addEvidence(SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST);
 }
+
+ final File actual = dependency.getActualFile();
+ final String parentName = actual.getParentFile().getName();
+ dependency.setDisplayFileName(parentName + "/" + actual.getName());
 }
 setPackagePath(dependency);
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
index 8b81bbe3e..6bb0e5fad 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
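Review bot: `actual.getParentFile()` on the second added line returns null for a File built from a bare file name, so the following `.getName()` would leave analyzeDependency with a NullPointerException instead of an AnalysisException; whether Dependency.getActualFile() can hand back such a File is not visible in the hunk, so a guard is cheap insurance: `final File parentDir = actual.getParentFile();` and `dependency.setDisplayFileName(parentDir == null ? actual.getName() : parentDir.getName() + "/" + actual.getName());`. The same unguarded chain reappears in patch 04's replacement of this code in the same file (the new `else` branch calling `dependency.getActualFile().getParentFile().getName()`). The enclosing analyzeDependency method starts outside the hunk.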
@@ -10,6 +10,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertThat;
+import static org.hamcrest.CoreMatchers.equalTo;
 import java.io.File;
@@ -105,6 +106,7 @@ public class SwiftAnalyzersTest extends BaseTest {
 assertThat(vendorString, containsString("MIT"));
 assertThat(result.getProductEvidence().toString(), containsString("EasyPeasy"));
 assertThat(result.getVersionEvidence().toString(), containsString("0.2.3"));
+ assertThat(result.getDisplayFileName(),equalTo("EasyPeasy.podspec"));
 }
 /**
@@ -119,5 +121,6 @@ public class SwiftAnalyzersTest extends BaseTest {
 spmAnalyzer.analyze(result, null);
 assertThat(result.getProductEvidence().toString(), containsString("Gloss"));
+ assertThat(result.getDisplayFileName(),equalTo("Gloss/Package.swift"));
 }
 }
From a0081318b6a651e183cd5177e5bb36145d162265 Mon Sep 17 00:00:00 2001
From: brianf
Date: Fri, 15 Sep 2017 13:27:44 -0400
Subject: [PATCH 02/16] Adding version to the composer.lock displayFileName Changed output to debug Added basic test for composer parsing, including the new version
---
 .../dependencycheck/analyzer/ComposerLockAnalyzer.java | 6 +++---
 .../dependencycheck/analyzer/ComposerLockAnalyzerTest.java | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
index cccfeb010..41afd49e0 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
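Review bot: The new static import of `org.hamcrest.CoreMatchers.equalTo` is placed after the `org.junit.Assert.assertThat` import, which splits the CoreMatchers group the file already has; putting `import static org.hamcrest.CoreMatchers.equalTo;` directly after the `is` import keeps the grouping. The two new assertions also drop the space after the comma that every surrounding assertThat uses, e.g. `assertThat(result.getDisplayFileName(), equalTo("Gloss/Package.swift"));`.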
@@ -107,15 +107,15 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 clp.process();
 for (ComposerDependency dep : clp.getDependencies()) {
 final Dependency d = new Dependency(dependency.getActualFile());
- d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
- final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
+ d.setDisplayFileName(String.format("%s:%s/%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject(), dep.getVersion()));
+ final String filePath = String.format("%s:%s/%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject(), dep.getVersion());
 final MessageDigest sha1 = getSha1MessageDigest();
 d.setFilePath(filePath);
 d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
 d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
 d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
 d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
- LOGGER.info("Adding dependency {}", d);
+ LOGGER.debug("Adding dependency {}", d);
 engine.getDependencies().add(d);
 }
 } catch (IOException ex) {
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
index 30c72b25a..f2c066659 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
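Review bot: The rewritten `filePath` now embeds `dep.getVersion()`, and because the sha1 a few lines below is computed from that string, every synthesized composer entry gets a different sha1 after this commit; suppression rules keyed on those hashes stop matching, which deserves a sentence in the commit message or in analyzeDependency's Javadoc. Whether `ComposerDependency.getVersion()` can be null is not visible in the hunk; if it can, `%s` writes the literal `null` into both the display name and the path, so `final String version = dep.getVersion() == null ? "" : dep.getVersion();` before the two format calls keeps the identifier clean. The digest is also taken over `Charset.defaultCharset()` bytes, so the identifier that now carries the version is host-dependent; `StandardCharsets.UTF_8` would pin it. analyzeDependency starts and ends outside the hunk.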
@@ -36,6 +36,8 @@ import java.security.NoSuchAlgorithmException;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertThat;
+import static org.hamcrest.CoreMatchers.equalTo;
 /**
 * Unit tests for NodePackageAnalyzer.
@@ -99,6 +101,8 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase {
 final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "composer.lock"));
 analyzer.analyze(result, engine);
+ assertEquals(30,engine.getDependencies().size());
+ assertThat(engine.getDependencies().get(0).getDisplayFileName(),equalTo("composer.lock:classpreloader/classpreloader/2.0.0"));
 }
From 3b00b764ac05ed01217e7da89b07d19931d9632a Mon Sep 17 00:00:00 2001
From: brianf
Date: Sun, 17 Sep 2017 18:01:40 -0400
Subject: [PATCH 03/16] Remove the redundant top level entry for composer.lock once the child dependencies are processed. This main entry is empty of evidence because everything is added into the new dependencies.
---
 .../analyzer/ComposerLockAnalyzer.java | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
index cccfeb010..b154247ac 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
@@ -105,8 +105,14 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 final ComposerLockParser clp = new ComposerLockParser(fis);
 LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath());
 clp.process();
+ //if dependencies are found in the lock, then there is always an empty shell dependency left behind for the
+ //composer.lock. The first pass through, reuse the top level dependency, and add new ones for the rest.
+ boolean processedAtLeastOneDep = false;
 for (ComposerDependency dep : clp.getDependencies()) {
- final Dependency d = new Dependency(dependency.getActualFile());
+
+ final Dependency d = new Dependency(dependency.getActualFile());
+
+
 d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
 final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
 final MessageDigest sha1 = getSha1MessageDigest();
@@ -115,8 +121,17 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
 d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
 d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
- LOGGER.info("Adding dependency {}", d);
- engine.getDependencies().add(d);
+
+ LOGGER.info("Adding dependency {}", d.getDisplayFileName());
+ engine.getDependencies().add(d);
+
+ //make sure we only remove the main dependency if we went through this loop at least once.
+ processedAtLeastOneDep = true;
+ }
+ //remove the dependency at the end because it's referenced in the loop itself.
+ if (processedAtLeastOneDep) {
+ LOGGER.info("Removing main redundant dependency {}",dependency.getDisplayFileName());
+ engine.getDependencies().remove(dependency);
 }
 } catch (IOException ex) {
 LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath());
From 9b718490e312ad2ec29f4430d6f065a9d831a6a1 Mon Sep 17 00:00:00 2001
From: brianf
Date: Thu, 21 Sep 2017 15:00:38 -0400
Subject: [PATCH 04/16] Centralize the collection of name and version to be used for synthesizing a displayName. Fixed the swift/cocoapod analyzers to new model
---
 .../analyzer/CocoaPodsAnalyzer.java | 10 ++-
 .../analyzer/SwiftPackageManagerAnalyzer.java | 17 +++-
 .../dependency/Dependency.java | 72 ++++++++++++++++++-
 .../analyzer/SwiftAnalyzersTest.java | 11 ++-
 4 files changed, 101 insertions(+), 9 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
index a8a33121e..22e314184 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
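Review bot: `engine.getDependencies().remove(dependency)` mutates the engine's dependency list from inside an analyzer that the engine is presumably invoking while walking that same list; unless Engine iterates over a snapshot (not visible here), this is a ConcurrentModificationException or a silently skipped neighbour, so confirm the iteration strategy or mark the entry for removal and let the engine drop it after the pass. The `processedAtLeastOneDep` flag introduced in the previous hunk is equivalent to `!clp.getDependencies().isEmpty()`, which reads more directly and makes the comment about the loop unnecessary; the loop only reads `dependency.getActualFile()`, so the removal does not have to wait for it. The per-package `LOGGER.info("Adding dependency {}", ...)` stays at info level here while patch 02 lowered it to debug; one line per composer package is noise at info, so debug should win in the merge. analyzeDependency starts and ends outside the hunk.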
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
@@ -52,6 +52,11 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
 */
 private static final String ANALYZER_NAME = "CocoaPods Package Analyzer";
+ /**
+ * The dependency Ecosystem
+ */
+ static final String DEPENDENCY_ECOSYSTEM = "CocoaPod";
+
 /**
 * The phase that this analyzer is intended to run in.
 */
@@ -122,6 +127,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
 protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+ dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM);
 String contents;
 try {
 contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
@@ -141,6 +147,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
 final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST);
 if (!name.isEmpty()) {
 vendor.addEvidence(PODSPEC, "name_project", name, Confidence.HIGHEST);
+ dependency.setName(name);
 }
 addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.HIGHEST);
@@ -148,7 +155,8 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
 addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST);
 addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST);
- addStringEvidence(version, contents, blockVariable, "version", "version", Confidence.HIGHEST);
+ final String versionStr = addStringEvidence(version, contents, blockVariable, "version", "version", Confidence.HIGHEST);
+ dependency.setVersion(versionStr);
 }
 setPackagePath(dependency);
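Review bot: `dependency.setVersion(versionStr)` in the last hunk stores whatever addStringEvidence returns, and the `name` branch two hunks earlier treats an empty return as "not found", so a podspec without a version attribute ends up with version `""`; combined with the getDisplayFileName() fallback this commit adds to Dependency, that renders as `Name:` with a dangling colon. Guard it the way the name is guarded: `if (!versionStr.isEmpty()) { dependency.setVersion(versionStr); }`. Whether addStringEvidence can also return null is not visible in the hunk; if it can, the guard should cover that too. analyzeDependency starts and ends outside these hunks.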
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
index 5805ecb3b..07b47bd3d 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
@@ -47,6 +47,11 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
 * The name of the analyzer.
 */
 private static final String ANALYZER_NAME = "SWIFT Package Manager Analyzer";
+
+ /**
+ * The dependency Ecosystem
+ */
+ static final String DEPENDENCY_ECOSYSTEM = "Swift.PM";
 /**
 * The phase that this analyzer is intended to run in.
@@ -119,6 +124,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
 protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+ dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM);
+
 String contents;
 try {
 contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
@@ -141,11 +148,13 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
 final String name = addStringEvidence(product, packageDescription, "name", "name", Confidence.HIGHEST);
 if (name != null && !name.isEmpty()) {
 vendor.addEvidence(SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST);
+ dependency.setName(name);
+ }
+ else
+ {
+ //if we can't get the name from the meta, then assume the name is the name of the parent folder containing the package.swift file.
+ dependency.setName(dependency.getActualFile().getParentFile().getName());
 }
-
- final File actual = dependency.getActualFile();
- final String parentName = actual.getParentFile().getName();
- dependency.setDisplayFileName(parentName + "/" + actual.getName());
 }
 setPackagePath(dependency);
 }
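Review bot: The new `else` branch in the last hunk uses Allman braces (`}`, `else`, `{` on three added lines) while the `if` it belongs to and the rest of the visible code put the brace on the same line; collapsing the three lines to `} else {` keeps the file consistent. The fallback `dependency.getActualFile().getParentFile().getName()` carries the same null-parent risk already raised on patch 01 for this file. With the `final File actual` local removed, the `java.io.File` import may now be unused if nothing else in the file references it; the import block is not in the hunk, so worth a compile-warning check. analyzeDependency starts outside the hunk.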
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index 6beb4a9c1..de78f2d70 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -142,6 +142,21 @@ public class Dependency implements Serializable, Comparable {
 * Defines an actual or virtual dependency.
 */
 private boolean isVirtual = false;
+
+ /**
+ * Defines the human-recognizable name for the dependency
+ */
+ private String name;
+
+ /**
+ * Defines the human-recognizable version for the dependency
+ */
+ private String version;
+
+ /**
+ * Defines the ecosystem identifier for this dependency
+ */
+ private String dependencyEcosystem;
 /**
 * Returns the package path.
@@ -283,13 +298,24 @@ public class Dependency implements Serializable, Comparable {
 /**
 * Returns the file name to display in reports; if no display file name has
- * been set it will default to the actual file name.
+ * been set it will default to constructing a name based on the name and version
+ * fields, otherwise it will return the actual file name.
 *
 * @return the file name to display
 */
 public String getDisplayFileName() {
 if (displayName == null) {
- return this.fileName;
+ if(name != null) {
+ if (version != null) {
+ return name + ":" + version;
+ }
+ else {
+ return name;
+ }
+ }
+ else {
+ return this.fileName;
+ }
 }
 return this.displayName;
 }
@@ -582,6 +608,20 @@ public class Dependency implements Serializable, Comparable {
 }
 /**
+ * @return the name
+ */
+ public String getName() {
+ return name;
+ }
+
+ /**
+ * @param name the name to set
+ */
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ /**
 * Get the list of vulnerabilities.
 *
 * @return the list of vulnerabilities
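Review bot: The new fallback in getDisplayFileName() tests `name` and `version` only against null, so an empty string in either (CocoaPodsAnalyzer in this same series can store `""` as the version) produces `Name:` or an empty display name in the report; `if (name != null && !name.isEmpty()) {` and `if (version != null && !version.isEmpty()) {` keep the output clean. The updated Javadoc also reads backwards: it says the name/version form is used and "otherwise" the file name is returned, while the code returns the file name only when no name has been set, so `been set it is built from the name and version fields, falling back to the actual file name when no name is known` states the contract. `if(name != null)` is missing the space after `if` that the rest of the method uses. The class continues outside these hunks, so whether a serialVersionUID needs bumping for the three new fields of this Serializable class cannot be judged here.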
@@ -830,4 +870,32 @@ public class Dependency implements Serializable, Comparable {
 return "Dependency{ fileName='" + fileName + "', actualFilePath='" + actualFilePath + "', filePath='" + filePath + "', packagePath='" + packagePath + "'}";
 }
+
+ /**
+ * @return the version
+ */
+ public String getVersion() {
+ return version;
+ }
+
+ /**
+ * @param version the version to set
+ */
+ public void setVersion(String version) {
+ this.version = version;
+ }
+
+ /**
+ * @return the dependencyEcosystem
+ */
+ public String getDependencyEcosystem() {
+ return dependencyEcosystem;
+ }
+
+ /**
+ * @param dependencyEcosystem the dependencyEcosystem to set
+ */
+ public void setDependencyEcosystem(String dependencyEcosystem) {
+ this.dependencyEcosystem = dependencyEcosystem;
+ }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
index 6bb0e5fad..c43b65b71 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
@@ -106,7 +106,10 @@ public class SwiftAnalyzersTest extends BaseTest {
 assertThat(vendorString, containsString("MIT"));
 assertThat(result.getProductEvidence().toString(), containsString("EasyPeasy"));
 assertThat(result.getVersionEvidence().toString(), containsString("0.2.3"));
- assertThat(result.getDisplayFileName(),equalTo("EasyPeasy.podspec"));
+ assertThat(result.getName(),equalTo("EasyPeasy"));
+ assertThat(result.getVersion(),equalTo("0.2.3"));
+ assertThat(result.getDisplayFileName(),equalTo("EasyPeasy:0.2.3"));
+ assertThat(result.getDependencyEcosystem(),equalTo(CocoaPodsAnalyzer.DEPENDENCY_ECOSYSTEM));
 }
 /**
@@ -121,6 +124,10 @@ public class SwiftAnalyzersTest extends BaseTest {
 spmAnalyzer.analyze(result, null);
 assertThat(result.getProductEvidence().toString(), containsString("Gloss"));
- assertThat(result.getDisplayFileName(),equalTo("Gloss/Package.swift"));
+ assertThat(result.getName(),equalTo("Gloss"));
+ //TODO: when version processing is added, update the expected name.
+ assertThat(result.getDisplayFileName(),equalTo("Gloss"));
+
+ assertThat(result.getDependencyEcosystem(),equalTo(SwiftPackageManagerAnalyzer.DEPENDENCY_ECOSYSTEM));
 }
 }
From 7a74917b67a1075b7b45e9fa8ebad859110f341a Mon Sep 17 00:00:00 2001
From: brianf
Date: Thu, 21 Sep 2017 15:30:47 -0400
Subject: [PATCH 05/16] Standardized the Composer / PHP Names
---
 .../analyzer/ComposerLockAnalyzer.java | 12 ++++++++++--
 .../analyzer/ComposerLockAnalyzerTest.java | 6 +++++-
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
index 6852413f5..5e8b4c3ec 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
@@ -56,6 +56,11 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 */
 private static final String ANALYZER_NAME = "Composer.lock analyzer";
+ /**
+ * The dependency Ecosystem
+ */
+ static final String DEPENDENCY_ECOSYSTEM = "Composer";
+
 /**
 * composer.json.
 */
@@ -110,9 +115,12 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 boolean processedAtLeastOneDep = false;
 for (ComposerDependency dep : clp.getDependencies()) {
 final Dependency d = new Dependency(dependency.getActualFile());
- d.setDisplayFileName(String.format("%s:%s/%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject(), dep.getVersion()));
 final String filePath = String.format("%s:%s/%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject(), dep.getVersion());
-
+ d.setName(dep.getProject());
+ d.setVersion(dep.getVersion());
+
+ d.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM);
+
 final MessageDigest sha1 = getSha1MessageDigest();
 d.setFilePath(filePath);
 d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
index d94acfe37..95e7a1a18 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
@@ -126,7 +126,11 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase {
 //make sure the redundant composer.lock is removed
 assertFalse(engine.getDependencies().contains(result));
 assertEquals(30,engine.getDependencies().size());
- assertThat(engine.getDependencies().get(0).getDisplayFileName(),equalTo("composer.lock:classpreloader/classpreloader/2.0.0"));
+ Dependency d = engine.getDependencies().get(0);
+ assertEquals("classpreloader",d.getName());
+ assertEquals("2.0.0",d.getVersion());
+ assertThat(d.getDisplayFileName(),equalTo("classpreloader:2.0.0"));
+ assertEquals(ComposerLockAnalyzer.DEPENDENCY_ECOSYSTEM,d.getDependencyEcosystem());
 }
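Review bot: `d.setName(dep.getProject())` drops the group, so the display name becomes `project:version` where it used to be `composer.lock:group/project/version`; Composer identifies packages as `vendor/project`, and two vendors publishing the same project name are now indistinguishable in the report (the fixture entry `classpreloader/classpreloader` has vendor equal to project and so cannot catch this). Consider `d.setName(dep.getGroup() + "/" + dep.getProject());` with the test expectation in the second hunk adjusted to `classpreloader/classpreloader:2.0.0`. The two stray blank `+` lines around `setDependencyEcosystem` add nothing. analyzeDependency starts and ends outside the first hunk.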
From a8b740a53853fdcb7310037885fdf3647c9cebe8 Mon Sep 17 00:00:00 2001
From: brianf
Date: Thu, 21 Sep 2017 15:41:13 -0400
Subject: [PATCH 06/16] Normalized Python Dist names
---
 .../analyzer/PythonDistributionAnalyzer.java | 12 +++++++++++-
 .../analyzer/PythonDistributionAnalyzerTest.java | 11 +++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
index 551279eb7..3c0e2ab03 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
@@ -61,6 +61,11 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 * Name of egg metadata files to analyze.
 */
 private static final String PKG_INFO = "PKG-INFO";
+
+ /**
+ * The dependency Ecosystem
+ */
+ static final String DEPENDENCY_ECOSYSTEM = "Python.Dist";
 /**
 * Name of wheel metadata files to analyze.
@@ -183,6 +188,8 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 @Override
 protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+
+ dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM);
 final File actualFile = dependency.getActualFile();
 if (WHL_FILTER.accept(actualFile)) {
 collectMetadataFromArchiveFormat(dependency, DIST_INFO_FILTER,
@@ -196,7 +203,6 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 if (metadata || PKG_INFO.equals(name)) {
 final File parent = actualFile.getParentFile();
 final String parentName = parent.getName();
- dependency.setDisplayFileName(parentName + "/" + name);
 if (parent.isDirectory() && (metadata && parentName.endsWith(".dist-info") || parentName.endsWith(".egg-info") || "EGG-INFO"
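Review bot: Removing `dependency.setDisplayFileName(parentName + "/" + name)` in the `@@ -196` hunk leaves the directory name unused for naming, and its replacement in the `@@ -298` hunk of this file, `dependency.setName(headers.getHeader("Name", null))`, stores null when the metadata has no `Name` header; such distributions then fall back to the bare `METADATA` or `PKG-INFO` file name, which is exactly the report clutter patch 01 set out to remove. Whether the header pass runs after this hunk is not visible here; if it does, seed `dependency.setName(parentName);` where the removed line stood and only overwrite when the header exists: `final String pkgName = headers.getHeader("Name", null); if (pkgName != null) { dependency.setName(pkgName); }`. The `parent.isDirectory()` condition on the last line of the hunk continues outside it.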
@@ -298,6 +304,10 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 "Version", Confidence.HIGHEST);
 addPropertyToEvidence(headers, dependency.getProductEvidence(), "Name", Confidence.HIGHEST);
+
+ dependency.setName(headers.getHeader("Name", null));
+ dependency.setVersion(headers.getHeader("Version", null));
+
 final String url = headers.getHeader("Home-page", null);
 final EvidenceCollection vendorEvidence = dependency
 .getVendorEvidence();
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java
index f788b9965..f443fb04b 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java
@@ -115,8 +115,7 @@ public class PythonDistributionAnalyzerTest extends BaseTest {
 final Dependency result = new Dependency(BaseTest.getResourceAsFile(
 this, "python/site-packages/Django-1.7.2.dist-info/METADATA"));
 djangoAssertions(result);
- assertEquals("Django-1.7.2.dist-info/METADATA", result.getDisplayFileName());
- }
+ }
 private void djangoAssertions(final Dependency result) throws AnalysisException {
@@ -131,6 +130,10 @@ public class PythonDistributionAnalyzerTest extends BaseTest {
 }
 }
 assertTrue("Version 1.7.2 not found in Django dependency.", found);
+ assertEquals("1.7.2",result.getVersion());
+ assertEquals("Django",result.getName());
+ assertEquals("Django:1.7.2",result.getDisplayFileName());
+ assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem());
 }
 @Test
@@ -183,5 +186,9 @@ public class PythonDistributionAnalyzerTest extends BaseTest {
 }
 }
 assertTrue("Version 0.0.1 not found in EggTest dependency.", found);
+ assertEquals("0.0.1",result.getVersion());
+ assertEquals("EggTest",result.getName());
+ assertEquals("EggTest:0.0.1",result.getDisplayFileName());
+ assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem());
 }
 }
From 562269dd2bfa83b2715c87681dd77ea9b070426f Mon Sep 17 00:00:00 2001
From: brianf
Date: Thu, 21 Sep 2017 15:53:13 -0400
Subject: [PATCH 07/16] Normalized Python Package Name
---
 .../analyzer/PythonPackageAnalyzer.java | 40 ++++++++++++++++---
 .../analyzer/PythonPackageAnalyzerTest.java | 4 ++
 2 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
index 12e58d3f4..4bb9a9ce0 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
@@ -109,7 +109,12 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 * The file filter used to determine which files this analyzer supports.
 */
 private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
-
+
+ /**
+ * The dependency Ecosystem
+ */
+ static final String DEPENDENCY_ECOSYSTEM = "Python.Pkg";
+
 /**
 * Returns the name of the Python Package Analyzer.
 *
@@ -173,14 +178,15 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 @Override
 protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
- final File file = dependency.getActualFile();
+ dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM);
+ final File file = dependency.getActualFile();
 final File parent = file.getParentFile();
 final String parentName = parent.getName();
 if (INIT_PY_FILTER.accept(file)) {
 //by definition, the containing folder of __init__.py is considered the package, even the file is empty:
 //"The __init__.py files are required to make Python treat the directories as containing packages"
 //see section "6.4 Packages" from https://docs.python.org/2/tutorial/modules.html;
- dependency.setDisplayFileName(parentName + "/__init__.py");
+ dependency.setName(parentName);
 dependency.getProductEvidence().addEvidence(file.getName(), "PackageName", parentName, Confidence.HIGHEST);
@@ -217,9 +223,9 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 boolean found = false;
 if (!contents.isEmpty()) {
 final String source = file.getName();
- found = gatherEvidence(VERSION_PATTERN, contents, source,
+ found = gatherVersionEvidence(VERSION_PATTERN, contents, source,
 dependency.getVersionEvidence(), "SourceVersion",
- Confidence.MEDIUM);
+ Confidence.MEDIUM,dependency);
 found |= addSummaryInfo(dependency, SUMMARY_PATTERN, 4, contents, source, "summary");
 if (INIT_PY_FILTER.accept(file)) {
@@ -310,6 +316,30 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 }
 return found;
 }
+
+ /**
+ * Gather package version evidence from a Python source file using the given string
+ * assignment regex pattern.
+ *
+ * @param pattern to scan contents with
+ * @param contents of Python source file
+ * @param source for storing evidence
+ * @param evidence to store evidence in
+ * @param name of evidence
+ * @param confidence in evidence
+ * @return whether evidence was found
+ */
+ private boolean gatherVersionEvidence(Pattern pattern, String contents,
+ String source, EvidenceCollection evidence, String name,
+ Confidence confidence,Dependency d) {
+ final Matcher matcher = pattern.matcher(contents);
+ final boolean found = matcher.find();
+ if (found) {
+ evidence.addEvidence(source, name, matcher.group(4), confidence);
+ d.setVersion(matcher.group(4));
+ }
+ return found;
+ }
 @Override
 protected String getAnalyzerEnabledSettingKey() {
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
index 74d594535..f4cc4d9f1 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
@@ -98,6 +98,10 @@ public class PythonPackageAnalyzerTest extends BaseTest {
 }
 }
 assertTrue("Version 0.0.1 not found in EggTest dependency.", found);
+ assertEquals("0.0.1",result.getVersion());
+ assertEquals("eggtest",result.getName());
+ assertEquals("eggtest:0.0.1",result.getDisplayFileName());
+ assertEquals(PythonPackageAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem());
 }
 }
From 9998cd0ccc871b7e02f889ec4a8151acc67fcea5 Mon Sep 17 00:00:00 2001
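Review bot: The Javadoc on the new `gatherVersionEvidence` documents six parameters but not the seventh, `d`, which is the only thing that distinguishes it from the existing `gatherEvidence` the call site in the previous hunk used to invoke; add `@param d the dependency whose version is set from the matched value`. The body also evaluates `matcher.group(4)` twice; capturing it once (`final String value = matcher.group(4);`) and passing it to both `addEvidence` and `setVersion` avoids the duplication and makes the shared value explicit. `Confidence confidence,Dependency d` lacks the space after the comma used elsewhere in the signature.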
From: brianf
Date: Thu, 21 Sep 2017 16:35:14 -0400
Subject: [PATCH 08/16] Normailze Cmake names
---
 .../analyzer/CMakeAnalyzer.java | 14 ++++++++---
 .../analyzer/CMakeAnalyzerTest.java | 25 ++++++++++++++++++-
 2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
index f24a468c4..606dc6394 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
@@ -57,6 +57,11 @@ import org.owasp.dependencycheck.exception.InitializationException;
 @Experimental
 public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
+ /**
+ * The dependency Ecosystem
+ */
+ static final String DEPENDENCY_ECOSYSTEM = "CMAKE";
+
 /**
 * The logger.
 */
@@ -149,10 +154,10 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 @Override
 protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+ dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM);
 final File file = dependency.getActualFile();
 final String parentName = file.getParentFile().getName();
 final String name = file.getName();
- dependency.setDisplayFileName(String.format("%s%c%s", parentName, File.separatorChar, name));
 String contents;
 try {
 contents = FileUtils.readFileToString(file, Charset.defaultCharset()).trim();
@@ -173,6 +178,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 LOGGER.debug("Group 1: {}", group);
 dependency.getProductEvidence().addEvidence(name, "Project", group, Confidence.HIGH);
+ dependency.setName(group);
 }
 LOGGER.debug("Found {} matches.", count);
 analyzeSetVersionCommand(dependency, engine, contents);
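Review bot: `dependency.setName(group)` in the last hunk sits inside what reads as the match loop (the `Group 1` debug line repeats per match and `Found {} matches` is logged after the closing brace), so when a CMakeLists.txt contains more than one `project(...)` command the last one silently wins and the earlier names survive only as evidence. Either keep the first match, `if (dependency.getName() == null) { dependency.setName(group); }`, or say in analyzeDependency's Javadoc that the last project() command names the dependency. With the `setDisplayFileName` line removed in the second hunk, `parentName` may now be unused in that method if nothing below the hunk reads it. The enclosing method and loop start outside the hunks.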
@@ -211,7 +217,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 if (count > 1) {
 //TODO - refactor so we do not assign to the parameter (checkstyle)
 currentDep = new Dependency(dependency.getActualFile());
- currentDep.setDisplayFileName(String.format("%s:%s", dependency.getDisplayFileName(), product));
+ currentDep.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM);
 final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
 currentDep.setFilePath(filePath);
@@ -225,11 +231,13 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
 engine.getDependencies().add(currentDep);
 }
- final String source = currentDep.getDisplayFileName();
+ final String source = currentDep.getFileName();
 currentDep.getProductEvidence().addEvidence(source, "Product", product, Confidence.MEDIUM);
 currentDep.getVersionEvidence().addEvidence(source, "Version", version, Confidence.MEDIUM);
+ currentDep.setName(product);
+ currentDep.setVersion(version);
 }
 LOGGER.debug("Found {} matches.", count);
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
index 6408d4a86..fac741221 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
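Review bot: `currentDep.setName(product)` in the second hunk runs for every `set(..._VERSION ...)` match, and the `count > 1` branch in the first hunk together with its TODO about assigning to the parameter reads as "for the first match `currentDep` is the incoming `dependency` itself", so the HIGH-confidence name taken from `project()` in analyzeDependency is overwritten by the MEDIUM-confidence product parsed here, which may be a different string. Only fill in what the primary dependency does not already have, e.g. `if (currentDep != dependency || currentDep.getName() == null) { currentDep.setName(product); }`, and keep `setVersion` unconditional since the first hunk no longer gives the synthesized entries a display name of their own. The enclosing method starts outside the hunks.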
@@ -123,11 +123,32 @@ public class CMakeAnalyzerTest extends BaseDBTestCase { analyzer.analyze(result, null); final String product = "zlib"; assertProductEvidence(result, product); + + } + /** + * Test whether expected evidence is gathered from OpenCV's CVDetectPython. + * + * @throws AnalysisException is thrown when an exception occurs. + */ + @Test + public void testAnalyzeCMakeListsPython() throws AnalysisException { + final Dependency result = new Dependency(BaseTest.getResourceAsFile( + this, "cmake/opencv/cmake/OpenCVDetectPython.cmake")); + analyzer.analyze(result, null); + + //this one finds nothing so it falls through to the filename. Can we do better? + assertEquals("OpenCVDetectPython.cmake",result.getDisplayFileName()); + + + } + private void assertProductEvidence(Dependency result, String product) { - assertTrue("Expected product evidence to contain \"" + product + "\".", + assertEquals(product,result.getName()); + assertTrue("Expected product evidence to contain \"" + product + "\".", result.getProductEvidence().toString().contains(product)); + assertEquals(CMakeAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem()); } /** @@ -150,11 +171,13 @@ public class CMakeAnalyzerTest extends BaseDBTestCase { final Dependency last = dependencies.get(3); assertProductEvidence(last, "libavresample"); assertVersionEvidence(last, "1.0.1"); + } private void assertVersionEvidence(Dependency result, String version) { assertTrue("Expected version evidence to contain \"" + version + "\".", result.getVersionEvidence().toString().contains(version)); + assertEquals(version,result.getVersion()); } @Test(expected = InitializationException.class) From 6726101e36af537f3a177fbad4a2f56cf0c7379d Mon Sep 17 00:00:00 2001 
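Review bot: The Javadoc on testAnalyzeCMakeListsPython says evidence is gathered, but the body asserts only that the display name falls back to the file name; pinning that fallback explicitly, e.g. `assertNull(result.getName()); assertNull(result.getVersion());`, would make the "finds nothing" case the test claims to cover actually checked, and the trailing "Can we do better?" belongs in an issue rather than a test comment. As a point of style, the new assertions omit the space after the comma (`assertEquals(product,result.getName())`) and both hunks add stray blank lines before closing braces; the same formatting appears in the other test hunks of this series.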
From: brianf Date: Thu, 21 Sep 2017 17:37:17 -0400 Subject: [PATCH 09/16] Added Ecosystem to Java --- .../java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java | 5 +++++ .../org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java | 1 + 2 files changed, 6 insertions(+) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index db54d1ab6..b2376688a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java @@ -157,6 +157,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { * The name of the analyzer. */ private static final String ANALYZER_NAME = "Jar Analyzer"; + /** + * The dependency ecosystem. + */ + static final String DEPENDENCY_ECOSYSTEM = "Java"; /** * The phase that this analyzer is intended to run in. */ @@ -258,6 +262,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { final boolean hasPOM = analyzePOM(dependency, classNames, engine); final boolean addPackagesAsEvidence = !(hasManifest && hasPOM); analyzePackageNames(classNames, dependency, addPackagesAsEvidence); + dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); } catch (IOException ex) { throw new AnalysisException("Exception occurred reading the JAR file (" + dependency.getFileName() + ").", ex); } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java index 4d9684f3d..cf254cb60 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java 
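Review bot: `dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM)` is the last statement of the try block (`@@ -258,6 +262,7 @@`), after analyzePOM and analyzePackageNames, whereas the other analyzers in this series set it as the first statement of analyzeDependency. Any early return or exception earlier in the try — the method's start is above the hunk, so I cannot see whether there is one — leaves the ecosystem null for a JAR that was nevertheless partly analyzed. Moving the call to the top of the method gives the same result on the happy path and a consistent tag otherwise.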
@@ -58,6 +58,7 @@ public class JarAnalyzerTest extends BaseTest { file = BaseTest.getResourceAsFile(this, "dwr.jar"); result = new Dependency(file); instance.analyze(result, null); + assertEquals(JarAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem()); boolean found = false; for (Evidence e : result.getVendorEvidence()) { if (e.getName().equals("url")) { From 69323bf0a4b4cb6e66d3472715615e40f9002fb2 Mon Sep 17 00:00:00 2001 From: brianf Date: Thu, 21 Sep 2017 21:00:55 -0400 Subject: [PATCH 10/16] Normalize the Node Analyzers --- .../analyzer/NodePackageAnalyzer.java | 27 ++++++++++++++----- .../analyzer/NodePackageAnalyzerTest.java | 3 +++ 2 files changed, 23 insertions(+), 7 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index ffd94fa7c..f6d5794a6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java @@ -59,6 +59,11 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { */ private static final String ANALYZER_NAME = "Node.js Package Analyzer"; + /** + * The dependency ecosystem. + */ + static final String DEPENDENCY_ECOSYSTEM = "npm"; + /** * The phase that this analyzer is intended to run in. */ @@ -122,7 +127,8 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - final File file = dependency.getActualFile(); + dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); + final File file = dependency.getActualFile(); if (!file.isFile() || file.length()==0) { return; } 
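Review bot: The `@@ -122,7 +127,8 @@` hunk removes and re-adds `final File file = dependency.getActualFile();` with what looks like only an indentation change; keeping the original line would leave the hunk showing just the real addition. If the re-indent is deliberate, a separate whitespace-only change keeps the history readable.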
@@ -135,6 +141,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { if (value instanceof JsonString) { final String valueString = ((JsonString) value).getString(); productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); + dependency.setName(valueString); vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW); } else { LOGGER.warn("JSON value not string as expected: {}", value); @@ -142,8 +149,9 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { } addToEvidence(json, productEvidence, "description"); addToEvidence(json, vendorEvidence, "author"); - addToEvidence(json, dependency.getVersionEvidence(), "version"); - dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName())); + final String version = addToEvidence(json, dependency.getVersionEvidence(), "version"); + dependency.setVersion(version); + } catch (JsonException e) { LOGGER.warn("Failed to parse package.json file.", e); } catch (IOException e) { 
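Review bot: `dependency.setVersion(version)` takes whatever addToEvidence returns, and in the `@@ -158,21 +166,25 @@` hunk that is null when the key is missing or not a string and, when "version" is a JSON object, the last nested sub-value visited — an arbitrary choice that then becomes the dependency's version. Either set the version only from the plain-string branch (do not assign `evidenceStr` inside the object loop), or keep the behaviour and document it: `@return the string value added as evidence, or {@code null} if the key is absent or not a string; for object values, the last sub-value processed`. The first option is safer for a field other code will compare against.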
@@ -158,21 +166,25 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { * @param json information from node.js * @param collection a set of evidence about a dependency * @param key the key to obtain the data from the json information + * @return the actual string set into evidence */ - private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) { - if (json.containsKey(key)) { + private String addToEvidence(JsonObject json, EvidenceCollection collection, String key) { + String evidenceStr = null; + if (json.containsKey(key)) { final JsonValue value = json.get(key); if (value instanceof JsonString) { - collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST); + evidenceStr = ((JsonString) value).getString(); + collection.addEvidence(PACKAGE_JSON, key, evidenceStr, Confidence.HIGHEST); } else if (value instanceof JsonObject) { final JsonObject jsonObject = (JsonObject) value; for (final Map.Entry entry : jsonObject.entrySet()) { final String property = entry.getKey(); final JsonValue subValue = entry.getValue(); if (subValue instanceof JsonString) { + evidenceStr = ((JsonString) subValue).getString(); collection.addEvidence(PACKAGE_JSON, String.format("%s.%s", key, property), - ((JsonString) subValue).getString(), + evidenceStr, Confidence.HIGHEST); } else { LOGGER.warn("JSON sub-value not string as expected: {}", subValue); @@ -182,5 +194,6 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { LOGGER.warn("JSON value not string or JSON object as expected: {}", value); } } + return evidenceStr; } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java index 50c93a3eb..ae158eae9 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java 
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java @@ -96,5 +96,8 @@ public class NodePackageAnalyzerTest extends BaseTest { assertThat(vendorString, containsString("dns-sync_project")); assertThat(result.getProductEvidence().toString(), containsString("dns-sync")); assertThat(result.getVersionEvidence().toString(), containsString("0.1.0")); + assertEquals(NodePackageAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem()); + assertEquals("dns-sync",result.getName()); + assertEquals("0.1.0",result.getVersion()); } } From 1564f11b89829849c51a086cc92805228705b716 Mon Sep 17 00:00:00 2001 From: brianf Date: Thu, 21 Sep 2017 21:44:49 -0400 Subject: [PATCH 11/16] Normalize Ruby analyzers --- .../analyzer/RubyBundlerAnalyzer.java | 7 +++++-- .../analyzer/RubyGemspecAnalyzer.java | 13 +++++++++++-- .../analyzer/RubyBundlerAnalyzerTest.java | 6 ++++++ .../analyzer/RubyGemspecAnalyzerTest.java | 12 +++++++++++- 4 files changed, 33 insertions(+), 5 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java index 6502d02ab..66343c79d 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java @@ -53,7 +53,10 @@ public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer { * The name of the analyzer. */ private static final String ANALYZER_NAME = "Ruby Bundler Analyzer"; - + /** + * The types of files on which this will work. + */ + static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; /** * Folder name that contains .gemspec files created by "bundle install" */ 
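Review bot: The Javadoc added for `DEPENDENCY_ECOSYSTEM` in RubyBundlerAnalyzer (`@@ -53,7 +53,10 @@`) reads "The types of files on which this will work.", which describes a file filter rather than an ecosystem label; `/** The dependency ecosystem reported for gems found under a bundle install. */` fits the constant. The cleanup patch later in this series rewrites the comment, so this only matters if the commit stands on its own.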
@@ -97,7 +100,7 @@ public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { super.analyzeDependency(dependency, engine); - + dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); //find the corresponding gem folder for this .gemspec stub by "bundle install --deployment" final File gemspecFile = dependency.getActualFile(); final String gemFileName = gemspecFile.getName(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index b600236d2..dd66d4da8 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java @@ -56,7 +56,10 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { * The name of the analyzer. */ private static final String ANALYZER_NAME = "Ruby Gemspec Analyzer"; - + /** + * The Dependency's ecosystem. + */ + static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; /** * The phase that this analyzer is intended to run in. */ @@ -132,6 +135,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { + dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); String contents; try { contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset()); 
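Review bot: The added `dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM)` is redundant: `super.analyzeDependency(dependency, engine)` on the line above already sets it in RubyGemspecAnalyzer (`@@ -132,6 +135,7 @@`), and the subclass's `DEPENDENCY_ECOSYSTEM` hides the superclass field with the identical value "Ruby.Bundle". Either drop the duplicate field and call, or, if the bundler analyzer is meant to report a distinct ecosystem, give the constant a distinct value so the override does something. The cleanup patch later in the series keeps both copies.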
@@ -148,6 +152,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { final EvidenceCollection product = dependency.getProductEvidence(); final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST); if (!name.isEmpty()) { + dependency.setName(name); vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW); } addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.LOW); @@ -158,10 +163,14 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST); final String value = addStringEvidence(dependency.getVersionEvidence(), contents, - blockVariable, "version", "version", Confidence.HIGHEST); + blockVariable, "version", "version", Confidence.HIGHEST); if (value.length() < 1) { addEvidenceFromVersionFile(dependency.getActualFile(), dependency.getVersionEvidence()); } + else + { + dependency.setVersion(value); + } } setPackagePath(dependency); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java index cfab09c4e..6b90dbc91 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java @@ -80,6 +80,7 @@ public class RubyBundlerAnalyzerTest extends BaseTest { public void testSupportsFiles() { assertThat(analyzer.accept(new File("test.gemspec")), is(false)); assertThat(analyzer.accept(new File("specifications" + File.separator + "test.gemspec")), is(true)); + assertThat(analyzer.accept(new File("gemspec.lock")), is(false)); } /** 
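Review bot: `dependency.setVersion(value)` is called only when the gemspec carries a version literal (`@@ -158,10 +163,14 @@`); the `addEvidenceFromVersionFile` branch adds version evidence but never sets the version, so gems that keep their version in a version file end up with version evidence and a null `getVersion()`. If addEvidenceFromVersionFile (defined outside the hunk) can return the value it reads, both branches could set it; otherwise the gap deserves a comment on the branch. Separately, the new `else` sits on its own line with the brace on the next, while the rest of the file uses `} else {`.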
@@ -100,7 +101,12 @@ public class RubyBundlerAnalyzerTest extends BaseTest { assertThat(vendorString, containsString("https://github.com/petergoldstein/dalli")); assertThat(vendorString, containsString("MIT")); assertThat(result.getProductEvidence().toString(), containsString("dalli")); + assertEquals("dalli",result.getName()); assertThat(result.getProductEvidence().toString(), containsString("High performance memcached client for Ruby")); assertThat(result.getVersionEvidence().toString(), containsString("2.7.5")); + assertEquals("2.7.5",result.getVersion()); + assertEquals(RubyBundlerAnalyzer.DEPENDENCY_ECOSYSTEM, result.getDependencyEcosystem()); + assertEquals("dalli:2.7.5",result.getDisplayFileName()); + } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java index 4521504be..0c6e71cf7 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java @@ -79,6 +79,7 @@ public class RubyGemspecAnalyzerTest extends BaseTest { @Test public void testSupportsFiles() { assertThat(analyzer.accept(new File("test.gemspec")), is(true)); + assertThat(analyzer.accept(new File("gemspec.lock")), is(false)); // assertThat(analyzer.accept(new File("Rakefile")), is(true)); } 
@@ -93,12 +94,16 @@ public class RubyGemspecAnalyzerTest extends BaseTest { "ruby/vulnerable/gems/specifications/rest-client-1.7.2.gemspec")); analyzer.analyze(result, null); final String vendorString = result.getVendorEvidence().toString(); + assertEquals(RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getDependencyEcosystem()); assertThat(vendorString, containsString("REST Client Team")); assertThat(vendorString, containsString("rest-client_project")); assertThat(vendorString, containsString("rest.client@librelist.com")); assertThat(vendorString, containsString("https://github.com/rest-client/rest-client")); assertThat(result.getProductEvidence().toString(), containsString("rest-client")); + assertEquals("rest-client",result.getName()); assertThat(result.getVersionEvidence().toString(), containsString("1.7.2")); + assertEquals("1.7.2",result.getVersion()); + assertEquals("rest-client:1.7.2",result.getDisplayFileName()); } /** @@ -106,11 +111,16 @@ public class RubyGemspecAnalyzerTest extends BaseTest { * * @throws AnalysisException is thrown when an exception occurs. */ - //@Test TODO: place holder to test Rakefile support + //@Test + //TODO: place holder to test Rakefile support public void testAnalyzeRakefile() throws AnalysisException { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/gems/pg-0.18.4/Rakefile")); analyzer.analyze(result, null); assertTrue(result.getEvidence().size()>0); + assertEquals(RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getDependencyEcosystem()); + assertEquals("pg",result.getName()); + assertEquals("0.18.4",result.getVersion()); + assertEquals("pg:0.18.4",result.getDisplayFileName()); } } From e0af41e43900f8ab06778418959012b5ca0f17ce Mon Sep 17 00:00:00 2001 
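Review bot: The four assertions added to testAnalyzeRakefile (`@@ -106,11 +111,16 @@`) are never executed, because the method's `@Test` annotation remains commented out; they document an expectation ("pg", "0.18.4", "pg:0.18.4") that nothing verifies. Marking the method `@Test @Ignore("Rakefile support not implemented")` instead of commenting out the annotation keeps it visible in test reports as skipped rather than silently inert, and makes the TODO discoverable.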
From: brianf Date: Fri, 22 Sep 2017 13:47:08 -0400 Subject: [PATCH 12/16] cleanup --- .../dependencycheck/analyzer/CMakeAnalyzer.java | 9 ++++----- .../analyzer/CocoaPodsAnalyzer.java | 12 ++++++------ .../analyzer/ComposerLockAnalyzer.java | 12 ++++++------ .../dependencycheck/analyzer/JarAnalyzer.java | 10 +++++----- .../analyzer/NodePackageAnalyzer.java | 12 ++++++------ .../analyzer/PythonDistributionAnalyzer.java | 12 ++++++------ .../analyzer/PythonPackageAnalyzer.java | 12 ++++++------ .../analyzer/RubyBundlerAnalyzer.java | 12 +++++++----- .../analyzer/RubyGemspecAnalyzer.java | 14 ++++++++------ .../analyzer/SwiftPackageManagerAnalyzer.java | 12 ++++++------ .../dependencycheck/dependency/Dependency.java | 17 +++++++++-------- .../analyzer/CMakeAnalyzerTest.java | 2 +- .../analyzer/ComposerLockAnalyzerTest.java | 2 +- .../analyzer/JarAnalyzerTest.java | 2 +- .../analyzer/NodePackageAnalyzerTest.java | 2 +- .../PythonDistributionAnalyzerTest.java | 4 ++-- .../analyzer/PythonPackageAnalyzerTest.java | 2 +- .../analyzer/RubyBundlerAnalyzerTest.java | 2 +- .../analyzer/RubyGemspecAnalyzerTest.java | 4 ++-- .../analyzer/SwiftAnalyzersTest.java | 4 ++-- 20 files changed, 81 insertions(+), 77 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java index 606dc6394..59e1d13bf 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java 
@@ -58,9 +58,9 @@ import org.owasp.dependencycheck.exception.InitializationException; public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { /** - * The dependency Ecosystem + * A descriptor for the type of dependencies processed or added by this analyzer */ - static final String DEPENDENCY_ECOSYSTEM = "CMAKE"; + public static final String DEPENDENCY_ECOSYSTEM = "CMAKE"; /** * The logger. @@ -154,9 +154,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); final File file = dependency.getActualFile(); - final String parentName = file.getParentFile().getName(); final String name = file.getName(); String contents; try { @@ -217,7 +216,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { if (count > 1) { //TODO - refactor so we do not assign to the parameter (checkstyle) currentDep = new Dependency(dependency.getActualFile()); - currentDep.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); + currentDep.setEcosystem(DEPENDENCY_ECOSYSTEM); final String filePath = String.format("%s:%s", dependency.getFilePath(), product); currentDep.setFilePath(filePath); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java index 22e314184..c18ff8f26 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java 
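Review bot: With `DEPENDENCY_ECOSYSTEM` now `public` in every analyzer, the values become part of the API that report consumers will key on, yet they follow no single convention: "CMAKE", "Java", "npm", "Python.Dist", "Python.Pkg", "Ruby.Bundle", "Swift.PM", "CocoaPod" and "Composer" mix upper-case, mixed-case and dotted forms across the CocoaPods, Composer, Jar, Node, Python, Ruby and Swift hunks that follow. Settling on one scheme before these are public avoids a breaking rename later. At minimum the shared Javadoc could state the contract: `/** Ecosystem label attached to every dependency this analyzer processes; treat as an opaque identifier. */`.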
@@ -43,6 +43,11 @@ import org.owasp.dependencycheck.utils.Settings; @Experimental public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "CocoaPod"; + /** * The logger. */ @@ -51,11 +56,6 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { * The name of the analyzer. */ private static final String ANALYZER_NAME = "CocoaPods Package Analyzer"; - - /** - * The dependency Ecosystem - */ - static final String DEPENDENCY_ECOSYSTEM = "CocoaPod"; /** * The phase that this analyzer is intended to run in. @@ -127,7 +127,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); String contents; try { contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset()); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java index 5e8b4c3ec..9e69b18b9 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java @@ -46,6 +46,11 @@ import java.security.NoSuchAlgorithmException; @Experimental public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Composer"; + /** * The logger. */ 
@@ -55,11 +60,6 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer { * The analyzer name. */ private static final String ANALYZER_NAME = "Composer.lock analyzer"; - - /** - * The dependency Ecosystem - */ - static final String DEPENDENCY_ECOSYSTEM = "Composer"; /** * composer.json. @@ -119,7 +119,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer { d.setName(dep.getProject()); d.setVersion(dep.getVersion()); - d.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); + d.setEcosystem(DEPENDENCY_ECOSYSTEM); final MessageDigest sha1 = getSha1MessageDigest(); d.setFilePath(filePath); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index b2376688a..4b807720e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java @@ -73,6 +73,10 @@ import org.slf4j.LoggerFactory; public class JarAnalyzer extends AbstractFileTypeAnalyzer { // + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Java"; /** * The logger. */ @@ -157,10 +161,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { * The name of the analyzer. */ private static final String ANALYZER_NAME = "Jar Analyzer"; - /** - * The dependency ecosystem. - */ - static final String DEPENDENCY_ECOSYSTEM = "Java"; /** * The phase that this analyzer is intended to run in. */ 
@@ -262,7 +262,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { final boolean hasPOM = analyzePOM(dependency, classNames, engine); final boolean addPackagesAsEvidence = !(hasManifest && hasPOM); analyzePackageNames(classNames, dependency, addPackagesAsEvidence); - dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); } catch (IOException ex) { throw new AnalysisException("Exception occurred reading the JAR file (" + dependency.getFileName() + ").", ex); } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index f6d5794a6..8e4ea9d7f 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java @@ -50,6 +50,11 @@ import org.owasp.dependencycheck.exception.InitializationException; public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "npm"; + + /** * The logger. */ private static final Logger LOGGER = LoggerFactory.getLogger(NodePackageAnalyzer.class); @@ -58,11 +63,6 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { * The name of the analyzer. */ private static final String ANALYZER_NAME = "Node.js Package Analyzer"; - - /** - * The dependency ecosystem. - */ - static final String DEPENDENCY_ECOSYSTEM = "npm"; /** * The phase that this analyzer is intended to run in. 
@@ -127,7 +127,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); final File file = dependency.getActualFile(); if (!file.isFile() || file.length()==0) { return; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java index 3c0e2ab03..d6002c5d4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java @@ -57,15 +57,15 @@ import java.util.concurrent.atomic.AtomicInteger; @Experimental public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Python.Dist"; + /** * Name of egg metadata files to analyze. */ private static final String PKG_INFO = "PKG-INFO"; - - /** - * The dependency Ecosystem - */ - static final String DEPENDENCY_ECOSYSTEM = "Python.Dist"; /** * Name of wheel metadata files to analyze. @@ -189,7 +189,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); final File actualFile = dependency.getActualFile(); if (WHL_FILTER.accept(actualFile)) { collectMetadataFromArchiveFormat(dependency, DIST_INFO_FILTER, 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java index 4bb9a9ce0..684b46b59 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java @@ -46,6 +46,11 @@ import org.owasp.dependencycheck.exception.InitializationException; @Experimental public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Python.Pkg"; + /** * Used when compiling file scanning regex patterns. */ @@ -110,11 +115,6 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { */ private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build(); - /** - * The dependency Ecosystem - */ - static final String DEPENDENCY_ECOSYSTEM = "Python.Pkg"; - /** * Returns the name of the Python Package Analyzer. * @@ -178,7 +178,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); final File file = dependency.getActualFile(); final File parent = file.getParentFile(); final String parentName = parent.getName(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java index 66343c79d..268fee20d 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java 
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java @@ -49,14 +49,16 @@ import org.owasp.dependencycheck.dependency.Dependency; @Experimental public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; + /** * The name of the analyzer. */ private static final String ANALYZER_NAME = "Ruby Bundler Analyzer"; - /** - * The types of files on which this will work. - */ - static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; + /** * Folder name that contains .gemspec files created by "bundle install" */ @@ -100,7 +102,7 @@ public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { super.analyzeDependency(dependency, engine); - dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); //find the corresponding gem folder for this .gemspec stub by "bundle install --deployment" final File gemspecFile = dependency.getActualFile(); final String gemFileName = gemspecFile.getName(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index dd66d4da8..6256e83db 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java 
@@ -48,7 +48,12 @@ import org.slf4j.LoggerFactory; @Experimental public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { - /** + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; + + /** * The logger. */ private static final Logger LOGGER = LoggerFactory.getLogger(RubyGemspecAnalyzer.class); @@ -56,10 +61,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { * The name of the analyzer. */ private static final String ANALYZER_NAME = "Ruby Gemspec Analyzer"; - /** - * The Dependency's ecosystem. - */ - static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; + /** * The phase that this analyzer is intended to run in. */ @@ -135,7 +137,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); String contents; try { contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset()); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java index 07b47bd3d..076ad9178 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java 
@@ -43,15 +43,15 @@ import org.owasp.dependencycheck.utils.Settings; @Experimental public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Swift.PM"; + /** * The name of the analyzer. */ private static final String ANALYZER_NAME = "SWIFT Package Manager Analyzer"; - - /** - * The dependency Ecosystem - */ - static final String DEPENDENCY_ECOSYSTEM = "Swift.PM"; /** * The phase that this analyzer is intended to run in. @@ -124,7 +124,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); String contents; try { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java index de78f2d70..6c4e792c5 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java @@ -154,9 +154,10 @@ public class Dependency implements Serializable, Comparable { private String version; /** - * Defines the ecosystem identifier for this dependency + * A descriptor for the type of dependency based on which analyzer added it + * or collected evidence about it */ - private String dependencyEcosystem; + private String ecosystem; /** * Returns the package path. 
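Review bot: Renaming the Dependency field `dependencyEcosystem` to `ecosystem` changes the class's default serialized form; the hunk header shows Dependency implements Serializable, and whether an explicit serialVersionUID is declared is not visible here. If instances are ever persisted across versions, streams written under the old field name would either fail to load or come back with `ecosystem` null, so confirm nothing stores Dependency objects long-term or record it: `// renamed from dependencyEcosystem; older serialized forms are not expected to be read back`. The new Javadoc also leaves out that the field stays null until an analyzer assigns it, which is the case for any file no analyzer claims.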
@@ -886,16 +887,16 @@ public class Dependency implements Serializable, Comparable { } /** - * @return the dependencyEcosystem + * @return the ecosystem */ - public String getDependencyEcosystem() { - return dependencyEcosystem; + public String getEcosystem() { + return ecosystem; } /** - * @param dependencyEcosystem the dependencyEcosystem to set + * @param ecosystem the ecosystem to set */ - public void setDependencyEcosystem(String dependencyEcosystem) { - this.dependencyEcosystem = dependencyEcosystem; + public void setEcosystem(String ecosystem) { + this.ecosystem = ecosystem; } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java index fac741221..b47d7be5c 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java @@ -148,7 +148,7 @@ public class CMakeAnalyzerTest extends BaseDBTestCase { assertEquals(product,result.getName()); assertTrue("Expected product evidence to contain \"" + product + "\".", result.getProductEvidence().toString().contains(product)); - assertEquals(CMakeAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem()); + assertEquals(CMakeAnalyzer.DEPENDENCY_ECOSYSTEM,result.getEcosystem()); } /** diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java index 95e7a1a18..046267c7a 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java 
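Review bot: `getEcosystem()` can return null, because the field is only assigned through `setEcosystem`, which the analyzers in this commit call from `analyzeDependency`, so a dependency no analyzer claims has no ecosystem; the bare `@return the ecosystem` should say so. Suggested: `@return the ecosystem descriptor set by the analyzer that processed this dependency, or {@code null} if none has been set`. The setter's `@param ecosystem the ecosystem to set` could likewise note that the expected values are the analyzers' `DEPENDENCY_ECOSYSTEM` constants, since nothing in the setter validates the string.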
@@ -130,7 +130,7 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase { assertEquals("classpreloader",d.getName()); assertEquals("2.0.0",d.getVersion()); assertThat(d.getDisplayFileName(),equalTo("classpreloader:2.0.0")); - assertEquals(ComposerLockAnalyzer.DEPENDENCY_ECOSYSTEM,d.getDependencyEcosystem()); + assertEquals(ComposerLockAnalyzer.DEPENDENCY_ECOSYSTEM,d.getEcosystem()); } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java index cf254cb60..37061d6b1 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java @@ -58,7 +58,7 @@ public class JarAnalyzerTest extends BaseTest { file = BaseTest.getResourceAsFile(this, "dwr.jar"); result = new Dependency(file); instance.analyze(result, null); - assertEquals(JarAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem()); + assertEquals(JarAnalyzer.DEPENDENCY_ECOSYSTEM,result.getEcosystem()); boolean found = false; for (Evidence e : result.getVendorEvidence()) { if (e.getName().equals("url")) { diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java index ae158eae9..71fd0e604 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java 
@@ -96,7 +96,7 @@ public class NodePackageAnalyzerTest extends BaseTest { assertThat(vendorString, containsString("dns-sync_project")); assertThat(result.getProductEvidence().toString(), containsString("dns-sync")); assertThat(result.getVersionEvidence().toString(), containsString("0.1.0")); - assertEquals(NodePackageAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem()); + assertEquals(NodePackageAnalyzer.DEPENDENCY_ECOSYSTEM,result.getEcosystem()); assertEquals("dns-sync",result.getName()); assertEquals("0.1.0",result.getVersion()); } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java index f443fb04b..94f5f45be 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java @@ -133,7 +133,7 @@ public class PythonDistributionAnalyzerTest extends BaseTest { assertEquals("1.7.2",result.getVersion()); assertEquals("Django",result.getName()); assertEquals("Django:1.7.2",result.getDisplayFileName()); - assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem()); + assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM,result.getEcosystem()); } @Test @@ -189,6 +189,6 @@ public class PythonDistributionAnalyzerTest extends BaseTest { assertEquals("0.0.1",result.getVersion()); assertEquals("EggTest",result.getName()); assertEquals("EggTest:0.0.1",result.getDisplayFileName()); - assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem()); + assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM,result.getEcosystem()); } } 
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java index f4cc4d9f1..8c3a16fec 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java @@ -101,7 +101,7 @@ public class PythonPackageAnalyzerTest extends BaseTest { assertEquals("0.0.1",result.getVersion()); assertEquals("eggtest",result.getName()); assertEquals("eggtest:0.0.1",result.getDisplayFileName()); - assertEquals(PythonPackageAnalyzer.DEPENDENCY_ECOSYSTEM,result.getDependencyEcosystem()); + assertEquals(PythonPackageAnalyzer.DEPENDENCY_ECOSYSTEM,result.getEcosystem()); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java index 6b90dbc91..1e1710222 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java @@ -105,7 +105,7 @@ public class RubyBundlerAnalyzerTest extends BaseTest { assertThat(result.getProductEvidence().toString(), containsString("High performance memcached client for Ruby")); assertThat(result.getVersionEvidence().toString(), containsString("2.7.5")); assertEquals("2.7.5",result.getVersion()); - assertEquals(RubyBundlerAnalyzer.DEPENDENCY_ECOSYSTEM, result.getDependencyEcosystem()); + assertEquals(RubyBundlerAnalyzer.DEPENDENCY_ECOSYSTEM, result.getEcosystem()); assertEquals("dalli:2.7.5",result.getDisplayFileName()); } 
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java index 0c6e71cf7..64cbee973 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java @@ -94,7 +94,7 @@ public class RubyGemspecAnalyzerTest extends BaseTest { "ruby/vulnerable/gems/specifications/rest-client-1.7.2.gemspec")); analyzer.analyze(result, null); final String vendorString = result.getVendorEvidence().toString(); - assertEquals(RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getDependencyEcosystem()); + assertEquals(RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getEcosystem()); assertThat(vendorString, containsString("REST Client Team")); assertThat(vendorString, containsString("rest-client_project")); assertThat(vendorString, containsString("rest.client@librelist.com")); @@ -118,7 +118,7 @@ public class RubyGemspecAnalyzerTest extends BaseTest { "ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/gems/pg-0.18.4/Rakefile")); analyzer.analyze(result, null); assertTrue(result.getEvidence().size()>0); - assertEquals(RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getDependencyEcosystem()); + assertEquals(RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getEcosystem()); assertEquals("pg",result.getName()); assertEquals("0.18.4",result.getVersion()); assertEquals("pg:0.18.4",result.getDisplayFileName()); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java index c43b65b71..8fedb2259 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java 
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java @@ -109,7 +109,7 @@ public class SwiftAnalyzersTest extends BaseTest { assertThat(result.getName(),equalTo("EasyPeasy")); assertThat(result.getVersion(),equalTo("0.2.3")); assertThat(result.getDisplayFileName(),equalTo("EasyPeasy:0.2.3")); - assertThat(result.getDependencyEcosystem(),equalTo(CocoaPodsAnalyzer.DEPENDENCY_ECOSYSTEM)); + assertThat(result.getEcosystem(),equalTo(CocoaPodsAnalyzer.DEPENDENCY_ECOSYSTEM)); } /** @@ -128,6 +128,6 @@ public class SwiftAnalyzersTest extends BaseTest { //TODO: when version processing is added, update the expected name. assertThat(result.getDisplayFileName(),equalTo("Gloss")); - assertThat(result.getDependencyEcosystem(),equalTo(SwiftPackageManagerAnalyzer.DEPENDENCY_ECOSYSTEM)); + assertThat(result.getEcosystem(),equalTo(SwiftPackageManagerAnalyzer.DEPENDENCY_ECOSYSTEM)); } } From 4fc8dd59d2b67ebd678ec4b91b8367034e78c754 Mon Sep 17 00:00:00 2001 From: brianf Date: Mon, 25 Sep 2017 10:18:56 -0400 Subject: [PATCH 13/16] cleanup from reviews. Mostly formatting --- .../analyzer/CMakeAnalyzer.java | 2 +- .../analyzer/CocoaPodsAnalyzer.java | 12 +-- .../analyzer/ComposerLockAnalyzer.java | 29 ++++--- .../analyzer/NodePackageAnalyzer.java | 77 ++++++++++--------- .../analyzer/PythonDistributionAnalyzer.java | 18 ++--- .../analyzer/PythonPackageAnalyzer.java | 33 ++++---- .../analyzer/RubyGemspecAnalyzer.java | 30 ++++---- .../analyzer/SwiftPackageManagerAnalyzer.java | 39 +++++----- .../dependency/Dependency.java | 34 ++++---- .../analyzer/CMakeAnalyzerTest.java | 19 ++--- .../analyzer/ComposerLockAnalyzerTest.java | 2 +- 11 files changed, 142 insertions(+), 153 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java index 59e1d13bf..858f5dfde 100644 
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java @@ -154,7 +154,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); final File file = dependency.getActualFile(); final String name = file.getName(); String contents; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java index c18ff8f26..62e6d5245 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java @@ -43,11 +43,11 @@ import org.owasp.dependencycheck.utils.Settings; @Experimental public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { - /** - * A descriptor for the type of dependencies processed or added by this analyzer - */ - public static final String DEPENDENCY_ECOSYSTEM = "CocoaPod"; - + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "CocoaPod"; + /** * The logger. */ @@ -127,7 +127,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); String contents; try { contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset()); 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java index 9e69b18b9..acfbc0026 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java @@ -46,11 +46,11 @@ import java.security.NoSuchAlgorithmException; @Experimental public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer { - /** - * A descriptor for the type of dependencies processed or added by this analyzer - */ - public static final String DEPENDENCY_ECOSYSTEM = "Composer"; - + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Composer"; + /** * The logger. */ @@ -117,10 +117,8 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer { final Dependency d = new Dependency(dependency.getActualFile()); final String filePath = String.format("%s:%s/%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject(), dep.getVersion()); d.setName(dep.getProject()); - d.setVersion(dep.getVersion()); - - d.setEcosystem(DEPENDENCY_ECOSYSTEM); - + d.setVersion(dep.getVersion()); + d.setEcosystem(DEPENDENCY_ECOSYSTEM); final MessageDigest sha1 = getSha1MessageDigest(); d.setFilePath(filePath); d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset())))); 
@@ -133,13 +131,12 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer { //make sure we only remove the main dependency if we went through this loop at least once. processedAtLeastOneDep = true; } - //remove the dependency at the end because it's referenced in the loop itself. - //double check the name to be sure we only remove the generic entry. - if (processedAtLeastOneDep && dependency.getDisplayFileName().equalsIgnoreCase("composer.lock")) { - LOGGER.debug("Removing main redundant dependency {}",dependency.getDisplayFileName()); - engine.getDependencies().remove(dependency); - - } + // remove the dependency at the end because it's referenced in the loop itself. + // double check the name to be sure we only remove the generic entry. + if (processedAtLeastOneDep && dependency.getDisplayFileName().equalsIgnoreCase("composer.lock")) { + LOGGER.debug("Removing main redundant dependency {}", dependency.getDisplayFileName()); + engine.getDependencies().remove(dependency); + } } catch (IOException ex) { LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath()); } catch (ComposerException ce) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index 8e4ea9d7f..07fdb7003 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java 
@@ -49,11 +49,11 @@ import org.owasp.dependencycheck.exception.InitializationException; @Experimental public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { - /** - * A descriptor for the type of dependencies processed or added by this analyzer - */ - public static final String DEPENDENCY_ECOSYSTEM = "npm"; - + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "npm"; + /** * The logger. */ 
@@ -125,39 +125,40 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { return Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED; } - @Override - protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); - final File file = dependency.getActualFile(); - if (!file.isFile() || file.length()==0) { - return; - } - try (JsonReader jsonReader = Json.createReader(FileUtils.openInputStream(file))) { - final JsonObject json = jsonReader.readObject(); - final EvidenceCollection productEvidence = dependency.getProductEvidence(); - final EvidenceCollection vendorEvidence = dependency.getVendorEvidence(); - if (json.containsKey("name")) { - final Object value = json.get("name"); - if (value instanceof JsonString) { - final String valueString = ((JsonString) value).getString(); - productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); - dependency.setName(valueString); - vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW); - } else { - LOGGER.warn("JSON value not string as expected: {}", value); - } - } - addToEvidence(json, productEvidence, "description"); - addToEvidence(json, vendorEvidence, "author"); - final String version = addToEvidence(json, dependency.getVersionEvidence(), "version"); - dependency.setVersion(version); - - } catch (JsonException e) { - LOGGER.warn("Failed to parse package.json file.", e); - } catch (IOException e) { - throw new AnalysisException("Problem occurred while reading dependency file.", e); - } - } + @Override + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); + final File file = dependency.getActualFile(); + if (!file.isFile() || file.length() == 0) { + return; + } + try (JsonReader jsonReader = Json.createReader(FileUtils.openInputStream(file))) { + final 
JsonObject json = jsonReader.readObject(); + final EvidenceCollection productEvidence = dependency.getProductEvidence(); + final EvidenceCollection vendorEvidence = dependency.getVendorEvidence(); + if (json.containsKey("name")) { + final Object value = json.get("name"); + if (value instanceof JsonString) { + final String valueString = ((JsonString) value).getString(); + productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); + dependency.setName(valueString); + vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), + Confidence.LOW); + } else { + LOGGER.warn("JSON value not string as expected: {}", value); + } + } + addToEvidence(json, productEvidence, "description"); + addToEvidence(json, vendorEvidence, "author"); + final String version = addToEvidence(json, dependency.getVersionEvidence(), "version"); + dependency.setVersion(version); + + } catch (JsonException e) { + LOGGER.warn("Failed to parse package.json file.", e); + } catch (IOException e) { + throw new AnalysisException("Problem occurred while reading dependency file.", e); + } + } /** * Adds information to an evidence collection from the node json diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java index d6002c5d4..6c2851e76 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java 
@@ -57,10 +57,10 @@ import java.util.concurrent.atomic.AtomicInteger; @Experimental public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { - /** - * A descriptor for the type of dependencies processed or added by this analyzer - */ - public static final String DEPENDENCY_ECOSYSTEM = "Python.Dist"; + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Python.Dist"; /** * Name of egg metadata files to analyze. @@ -189,7 +189,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); final File actualFile = dependency.getActualFile(); if (WHL_FILTER.accept(actualFile)) { collectMetadataFromArchiveFormat(dependency, DIST_INFO_FILTER, @@ -304,11 +304,9 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { "Version", Confidence.HIGHEST); addPropertyToEvidence(headers, dependency.getProductEvidence(), "Name", Confidence.HIGHEST); - - dependency.setName(headers.getHeader("Name", null)); - dependency.setVersion(headers.getHeader("Version", null)); - - final String url = headers.getHeader("Home-page", null); + dependency.setName(headers.getHeader("Name", null)); + dependency.setVersion(headers.getHeader("Version", null)); + final String url = headers.getHeader("Home-page", null); final EvidenceCollection vendorEvidence = dependency .getVendorEvidence(); if (StringUtils.isNotBlank(url)) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java index 684b46b59..e4d357cb4 100644 
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java @@ -47,10 +47,10 @@ import org.owasp.dependencycheck.exception.InitializationException; public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { /** - * A descriptor for the type of dependencies processed or added by this analyzer - */ - public static final String DEPENDENCY_ECOSYSTEM = "Python.Pkg"; - + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Python.Pkg"; + /** * Used when compiling file scanning regex patterns. */ @@ -178,7 +178,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); final File file = dependency.getActualFile(); final File parent = file.getParentFile(); final String parentName = parent.getName(); @@ -186,7 +186,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { //by definition, the containing folder of __init__.py is considered the package, even the file is empty: //"The __init__.py files are required to make Python treat the directories as containing packages" //see section "6.4 Packages" from https://docs.python.org/2/tutorial/modules.html; - dependency.setName(parentName); + dependency.setName(parentName); dependency.getProductEvidence().addEvidence(file.getName(), "PackageName", parentName, Confidence.HIGHEST); 
@@ -329,17 +329,16 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { * @param confidence in evidence * @return whether evidence was found */ - private boolean gatherVersionEvidence(Pattern pattern, String contents, - String source, EvidenceCollection evidence, String name, - Confidence confidence,Dependency d) { - final Matcher matcher = pattern.matcher(contents); - final boolean found = matcher.find(); - if (found) { - evidence.addEvidence(source, name, matcher.group(4), confidence); - d.setVersion(matcher.group(4)); - } - return found; - } + private boolean gatherVersionEvidence(Pattern pattern, String contents, String source, EvidenceCollection evidence, + String name, Confidence confidence, Dependency d) { + final Matcher matcher = pattern.matcher(contents); + final boolean found = matcher.find(); + if (found) { + evidence.addEvidence(source, name, matcher.group(4), confidence); + d.setVersion(matcher.group(4)); + } + return found; + } @Override protected String getAnalyzerEnabledSettingKey() { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index 6256e83db..ed89d1b71 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java @@ -49,10 +49,10 @@ import org.slf4j.LoggerFactory; public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { /** - * A descriptor for the type of dependencies processed or added by this analyzer - */ - public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; - + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; + /** * The logger. */ 
@@ -137,7 +137,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); String contents; try { contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset()); @@ -153,10 +153,10 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { final EvidenceCollection vendor = dependency.getVendorEvidence(); final EvidenceCollection product = dependency.getProductEvidence(); final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST); - if (!name.isEmpty()) { - dependency.setName(name); - vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW); - } + if (!name.isEmpty()) { + dependency.setName(name); + vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW); + } addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.LOW); addStringEvidence(vendor, contents, blockVariable, "author", "authors?", Confidence.HIGHEST); 
@@ -164,17 +164,15 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST); addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST); - final String value = addStringEvidence(dependency.getVersionEvidence(), contents, - blockVariable, "version", "version", Confidence.HIGHEST); + final String value = addStringEvidence(dependency.getVersionEvidence(), contents, blockVariable, "version", + "version", Confidence.HIGHEST); if (value.length() < 1) { addEvidenceFromVersionFile(dependency.getActualFile(), dependency.getVersionEvidence()); } - else - { - dependency.setVersion(value); - } + else { + dependency.setVersion(value); + } } - setPackagePath(dependency); } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java index 076ad9178..744f9a3df 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java @@ -43,11 +43,11 @@ import org.owasp.dependencycheck.utils.Settings; @Experimental public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { - /** - * A descriptor for the type of dependencies processed or added by this analyzer - */ - public static final String DEPENDENCY_ECOSYSTEM = "Swift.PM"; - + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Swift.PM"; + /** * The name of the analyzer. */ 
@@ -124,8 +124,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); - + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); + String contents; try { contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset()); 
@@ -143,18 +143,19 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
 final EvidenceCollection product = dependency.getProductEvidence();
 final EvidenceCollection vendor = dependency.getVendorEvidence();
- //SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies.
- //Future interesting metadata: version, license, homepage, author, summary, etc.
- final String name = addStringEvidence(product, packageDescription, "name", "name", Confidence.HIGHEST);
- if (name != null && !name.isEmpty()) {
- vendor.addEvidence(SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST);
- dependency.setName(name);
- }
- else
- {
- //if we can't get the name from the meta, then assume the name is the name of the parent folder containing the package.swift file.
- dependency.setName(dependency.getActualFile().getParentFile().getName());
- }
+ // SPM is currently under development for SWIFT 3. Its current metadata includes
+ // package name and dependencies.
+ // Future interesting metadata: version, license, homepage, author, summary,
+ // etc.
+ final String name = addStringEvidence(product, packageDescription, "name", "name", Confidence.HIGHEST);
+ if (name != null && !name.isEmpty()) {
+ vendor.addEvidence(SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST);
+ dependency.setName(name);
+ } else {
+ // if we can't get the name from the meta, then assume the name is the name of
+ // the parent folder containing the package.swift file.
+ dependency.setName(dependency.getActualFile().getParentFile().getName());
+ }
 }
 setPackagePath(dependency);
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index 6c4e792c5..7e8048507 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -304,22 +304,18 @@ public class Dependency implements Serializable, Comparable {
 *
 * @return the file name to display
 */
- public String getDisplayFileName() {
- if (displayName == null) {
- if(name != null) {
- if (version != null) {
- return name + ":" + version;
- }
- else {
- return name;
- }
- }
- else {
- return this.fileName;
- }
- }
- return this.displayName;
- }
+ public String getDisplayFileName() {
+ if (displayName != null) {
+ return displayName;
+ }
+ if (name == null) {
+ return fileName;
+ }
+ if (version == null) {
+ return name;
+ }
+ return name + ":" + version;
+ }
 /**
 *
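Review bot: The new `if (name == null)` guard in the middle of the hunk treats an empty name as present, so a dependency whose analyzer called `setName("")` would be displayed as `""` or `":1.0.0"` instead of falling back to the file name; the Swift analyzer guards `!name.isEmpty()` before `setName`, but the Nuspec analyzer in this series sets the id unconditionally. Consider `if (name == null || name.isEmpty()) {` and, for the same reason, `if (version == null || version.isEmpty()) {`, so the fallback chain holds for every analyzer. The `@return the file name to display` line at the top of the hunk no longer describes the result; now that the precedence is `displayName`, then `name[:version]`, then the file name, say so, e.g. `@return the explicit display name if set, otherwise the name (with ':' and version when known), otherwise the file name`. The enclosing class and the opening of this method's javadoc lie outside the hunk.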

@@ -880,7 +876,8 @@ public class Dependency implements Serializable, Comparable {
 }
 /**
- * @param version the version to set
+ * @param version
+ * the version to set
 */
 public void setVersion(String version) {
 this.version = version;
@@ -894,7 +891,8 @@ public class Dependency implements Serializable, Comparable {
 }
 /**
- * @param ecosystem the ecosystem to set
+ * @param ecosystem
+ * the ecosystem to set
 */
 public void setEcosystem(String ecosystem) {
 this.ecosystem = ecosystem;
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
index b47d7be5c..3a83621fb 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
@@ -139,17 +139,15 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
 analyzer.analyze(result, null);
 //this one finds nothing so it falls through to the filename. Can we do better?
- assertEquals("OpenCVDetectPython.cmake",result.getDisplayFileName());
-
-
+ assertEquals("OpenCVDetectPython.cmake",result.getDisplayFileName());
 }
- private void assertProductEvidence(Dependency result, String product) {
- assertEquals(product,result.getName());
- assertTrue("Expected product evidence to contain \"" + product + "\".",
- result.getProductEvidence().toString().contains(product));
- assertEquals(CMakeAnalyzer.DEPENDENCY_ECOSYSTEM,result.getEcosystem());
- }
+ private void assertProductEvidence(Dependency result, String product) {
+ assertEquals(product, result.getName());
+ assertTrue("Expected product evidence to contain \"" + product + "\".",
+ result.getProductEvidence().toString().contains(product));
+ assertEquals(CMakeAnalyzer.DEPENDENCY_ECOSYSTEM, result.getEcosystem());
+ }
 /**
 * Test whether expected version evidence is gathered from OpenCV's third party cmake files.
@@ -170,8 +168,7 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
 assertEquals("Number of additional dependencies should be 4.", 4, dependencies.size());
 final Dependency last = dependencies.get(3);
 assertProductEvidence(last, "libavresample");
- assertVersionEvidence(last, "1.0.1");
-
+ assertVersionEvidence(last, "1.0.1");
 }
 private void assertVersionEvidence(Dependency result, String version) {
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
index 046267c7a..790cef2f7 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
@@ -101,7 +101,7 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "composer.lock")); - ///test that we don't remove the parent if it's not redundant by name + //test that we don't remove the parent if it's not redundant by name result.setDisplayFileName("NotComposer.Lock"); engine.getDependencies().add(result); analyzer.analyze(result, engine); From c33cc3f2305b5af3728deec10e992fd890585b9f Mon Sep 17 00:00:00 2001 From: brianf Date: Mon, 25 Sep 2017 10:25:56 -0400 Subject: [PATCH 14/16] few more formatting fixes --- .../owasp/dependencycheck/analyzer/NodePackageAnalyzer.java | 6 +++--- .../owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index 07fdb7003..ae4ed6057 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java @@ -194,7 +194,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { } else { LOGGER.warn("JSON value not string or JSON object as expected: {}", value); } - } - return evidenceStr; - } + } + return evidenceStr; + } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index ed89d1b71..9feb44b89 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java 
@@ -52,7 +52,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { * A descriptor for the type of dependencies processed or added by this analyzer */ public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; - + /** * The logger. */ From 16892d022fe4058c4df0435560355f2c635a245b Mon Sep 17 00:00:00 2001 From: brianf Date: Sun, 1 Oct 2017 11:41:45 -0400 Subject: [PATCH 15/16] Nuspec tests and name normalization added tests for the existing analyzer and normalized the name and set the ecosystem. --- .../analyzer/NuspecAnalyzer.java | 10 ++++++- .../analyzer/NuspecAnalyzerTest.java | 30 +++++++++++++++++++ .../src/test/resources/nuspec/test.nuspec | 17 +++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 dependency-check-core/src/test/resources/nuspec/test.nuspec diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java index 1aefe1129..05e8fa18c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java @@ -41,7 +41,12 @@ import org.owasp.dependencycheck.exception.InitializationException; * @author colezlaw */ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer { - + + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "NuGet"; + /** * The logger. */ 
@@ -136,12 +141,15 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
 throw new AnalysisException(ex);
 }
+ dependency.setEcosystem(DEPENDENCY_ECOSYSTEM);
 if (np.getOwners() != null) {
 dependency.getVendorEvidence().addEvidence("nuspec", "owners", np.getOwners(), Confidence.HIGHEST);
 }
 dependency.getVendorEvidence().addEvidence("nuspec", "authors", np.getAuthors(), Confidence.HIGH);
 dependency.getVersionEvidence().addEvidence("nuspec", "version", np.getVersion(), Confidence.HIGHEST);
+ dependency.setVersion(np.getVersion());
 dependency.getProductEvidence().addEvidence("nuspec", "id", np.getId(), Confidence.HIGHEST);
+ dependency.setName(np.getId());
 if (np.getTitle() != null) {
 dependency.getProductEvidence().addEvidence("nuspec", "title", np.getTitle(), Confidence.MEDIUM);
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java
index 6d184dd2a..280e611a6 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java
@@ -23,6 +23,9 @@ import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
 import java.io.File;
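Review bot: `dependency.setVersion(np.getVersion())` and `dependency.setName(np.getId())` are called unconditionally while the neighbouring `owners` and `title` values are null-checked, so a nuspec whose id or version the parser hands back as an empty string would be displayed as `""` or `:1.0.0` rather than falling back to the file name as `getDisplayFileName` intends (a null id is tolerated there, an empty one is not). Unless `NuspecParser` is known to reject such documents, which is not visible here, mirror the Swift analyzer's guard: `if (np.getId() != null && !np.getId().isEmpty()) { dependency.setName(np.getId()); }` and the equivalent for the version. These two values now come straight from the manifest being scanned, so whatever consumes `getDisplayFileName()` should treat it as untrusted text rather than as a local file name. The `analyzeDependency` signature and the parse block begin above this hunk.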
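Review bot: Two of the three imports added here, `Evidence` and `AnalysisException`, are not referenced by the `testNuspecAnalysis` method this patch adds (it declares `throws Exception` and never touches an `Evidence` instance), so they are dead imports that the project's checkstyle pass will flag; keep only `import org.owasp.dependencycheck.dependency.Dependency;`. The start of the import block is above the hunk.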
@@ -52,6 +55,33 @@ public class NuspecAnalyzerTest extends BaseTest {
 public void testGetAnalysisPhaze() {
 assertEquals(AnalysisPhase.INFORMATION_COLLECTION, instance.getAnalysisPhase());
 }
+
+ @Test
+ public void testNuspecAnalysis() throws Exception {
+
+ File file = BaseTest.getResourceAsFile(this, "nuspec/test.nuspec");
+ Dependency result = new Dependency(file);
+ instance.analyze(result, null);
+
+ assertEquals(NuspecAnalyzer.DEPENDENCY_ECOSYSTEM,result.getEcosystem());
+
+ //checking the owner field
+ assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("bobsmack"));
+
+ //checking the author field
+ assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("brianfox"));
+
+ //checking the id field
+ assertTrue(result.getProductEvidence().toString().contains("TestDepCheck"));
+
+ //checking the title field
+ assertTrue(result.getProductEvidence().toString().contains("Test Package"));
+
+ assertTrue(result.getVersionEvidence().toString().contains("1.0.0"));
+ assertEquals("1.0.0", result.getVersion());
+ assertEquals("TestDepCheck", result.getName());
+ assertEquals("TestDepCheck:1.0.0", result.getDisplayFileName());
+ }
 }
 // vim: cc=120:sw=4:ts=4:sts=4
diff --git a/dependency-check-core/src/test/resources/nuspec/test.nuspec b/dependency-check-core/src/test/resources/nuspec/test.nuspec
new file mode 100644
index 000000000..7dc2f2029
--- /dev/null
+++ b/dependency-check-core/src/test/resources/nuspec/test.nuspec
@@ -0,0 +1,17 @@
+
+
+
+ 1.0.0
+ brianfox
+ bobsmack
+
+
+
+ TestDepCheck
+ Test Package
+ false
+ Test package for Dependency Check Analyzer
+
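Review bot: `testNuspecAnalysis` only exercises the happy path in which every element the analyzer reads is present, so the null-guarded owners/title branches and the new unconditional `setName`/`setVersion` calls have no negative case. Add a second resource that omits the owners and title elements and assert that `analyze` still succeeds and `getDisplayFileName()` still yields `id:version`; a resource with an empty id would also pin down what the display name is expected to be in that case. The `contains` checks on `toString()` output are loose, `assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("brianfox"))` passes if any vendor field mentions that string, so asserting the specific evidence source and name would be stronger, though that depends on the `Evidence` API not visible here.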

+ + + \ No newline at end of file From cd875777e7fa90e5ce557ce3408115b72ffcdff4 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 4 Oct 2017 06:27:09 -0400 Subject: [PATCH 16/16] added hints from community feedback --- .../resources/dependencycheck-base-hint.xml | 40 ++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml b/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml index 31f266994..d2fb2d581 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml @@ -158,5 +158,43 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file