From cb53ddf8a8f5f67e8cbdf84c1d401f28076d1e24 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Fri, 17 Jan 2014 19:43:01 -0500
Subject: [PATCH] updated to fix issue #31

Former-commit-id: 569d1aee14d0f51a990e0cc059dce5aa500f10b2
---
 .../analyzer/DependencyBundlingAnalyzer.java | 84 ++++++++++++++-----
 1 file changed, 62 insertions(+), 22 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
index 1dc7e4244..885565939 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -127,29 +127,20 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                 final ListIterator subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
                 while (subIterator.hasNext()) {
                     final Dependency nextDependency = subIterator.next();
-
-                    if (identifiersMatch(dependency, nextDependency)
+                    if (hashesMatch(dependency, nextDependency)) {
+                        if (isCore(dependency, nextDependency)) {
+                            mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+                        } else {
+                            mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                        }
+                    } else if (identifiersMatch(dependency, nextDependency)
                             && hasSameBasePath(dependency, nextDependency)
                             && fileNameMatch(dependency, nextDependency)) {
                         if (isCore(dependency, nextDependency)) {
-                            dependency.addRelatedDependency(nextDependency);
-                            //move any "related dependencies" to the new "parent" dependency
-                            final Iterator i = nextDependency.getRelatedDependencies().iterator();
-                            while (i.hasNext()) {
-                                dependency.addRelatedDependency(i.next());
-                                i.remove();
-                            }
-                            dependenciesToRemove.add(nextDependency);
+                            mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                         } else {
-                            nextDependency.addRelatedDependency(dependency);
-                            //move any "related dependencies" to the new "parent" dependency
-                            final Iterator i = dependency.getRelatedDependencies().iterator();
-                            while (i.hasNext()) {
-                                nextDependency.addRelatedDependency(i.next());
-                                i.remove();
-                            }
-                            dependenciesToRemove.add(dependency);
+                            mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                         }
                     }
                 }
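Review bot: After the else branch merges `dependency` into `nextDependency` (now in both the hash path and the identifier path), the inner loop keeps comparing later entries against `dependency`, which is already queued in dependenciesToRemove and has had its related list emptied; a later match in which `dependency` wins isCore attaches that entry to a node that is about to be dropped, so it vanishes from the report. This was latent in the old identifier-only path, but the new hash fast-path makes such chains far more likely because it fires for any byte-identical copy regardless of location. Unless the enclosing main loop (which starts before this hunk) skips entries already in dependenciesToRemove, I would leave the inner loop after a reverse merge — `mergeDependencies(nextDependency, dependency, dependenciesToRemove); break;` in both else branches — so the remaining comparisons happen when the main iterator reaches `nextDependency`. Note also that the hash path bypasses identifiersMatch, so any evidence the merged copy derived from its differing file name is not carried over; if that is intended it deserves a one-line comment.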
@@ -163,6 +154,23 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         }
     }
 
+    /**
+     * Adds the relatedDependency to the dependency's related dependencies.
+     *
+     * @param dependency the main dependency
+     * @param nextDependency the related dependency
+     * @param relatedDependency a collection of dependencies to be removed from the main analysis loop
+     */
+    private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set dependenciesToRemove) {
+        dependency.addRelatedDependency(relatedDependency);
+        final Iterator i = relatedDependency.getRelatedDependencies().iterator();
+        while (i.hasNext()) {
+            dependency.addRelatedDependency(i.next());
+            i.remove();
+        }
+        dependenciesToRemove.add(relatedDependency);
+    }
+
     /**
      * Attempts to trim a maven repo to a common base path. This is typically
      * [drive]\[repo_location]\repository\[path1]\[path2].
@@ -286,7 +294,16 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
             left = getBaseRepoPath(left);
             right = getBaseRepoPath(right);
         }
-        return left.equalsIgnoreCase(right);
+        if (left.equalsIgnoreCase(right)) {
+            return true;
+        }
+        //new code
+        for (Dependency child : dependency2.getRelatedDependencies()) {
+            if (hasSameBasePath(dependency1, child)) {
+                return true;
+            }
+        }
+        return false;
     }
 
     /**
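Review bot: The Javadoc on the new mergeDependencies does not match its signature: it documents a `nextDependency` parameter that does not exist and describes `relatedDependency` as the removal collection, while the actual parameters are `relatedDependency` and `dependenciesToRemove`. I would replace the two tags with `@param relatedDependency the dependency folded into {@code dependency}; its own related dependencies are moved up and it is queued for removal` and `@param dependenciesToRemove the set collecting dependencies to drop from the engine once the main loop finishes`. The summary line should also name the side effect the caller relies on — `relatedDependency` is left with an empty related list and is added to dependenciesToRemove — since that is what makes the later `hasSameBasePath` walk terminate.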
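Review bot: The `//new code` marker in hasSameBasePath explains nothing about why the recursion exists; replace it with the reason, e.g. `// dependency2 may already have absorbed copies from other repository paths (see mergeDependencies); match against any of them`. The walk is one-sided — only `dependency2`'s related dependencies are examined, never `dependency1`'s — which is fine if the caller always passes the already-merged parent second, but that invariant is not visible here and either deserves a comment or a symmetric walk over both sides. The method's start is outside the hunk.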
@@ -297,13 +314,22 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * @param right the dependency to test against
      * @return a boolean indicating whether or not the left dependency should be considered the "core" version.
      */
-    private boolean isCore(Dependency left, Dependency right) {
+    boolean isCore(Dependency left, Dependency right) {
         final String leftName = left.getFileName().toLowerCase();
         final String rightName = right.getFileName().toLowerCase();
+
+        if (leftName.equals("struts-1.2.7.jar") || rightName.equals("struts-1.2.7.jar")) {
+            String pause = "pause";
+        }
+
         final boolean returnVal;
-        if (rightName.contains("core") && !leftName.contains("core")) {
+        if (!rightName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+") && leftName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+")
+                || rightName.contains("core") && !leftName.contains("core")
+                || rightName.contains("kernel") && !leftName.contains("kernel")) {
             returnVal = false;
-        } else if (!rightName.contains("core") && leftName.contains("core")) {
+        } else if (rightName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+") && !leftName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+")
+                || !rightName.contains("core") && leftName.contains("core")
+                || !rightName.contains("kernel") && leftName.contains("kernel")) {
             returnVal = true;
         } else {
             /*
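Review bot: The added `if (leftName.equals("struts-1.2.7.jar") || rightName.equals("struts-1.2.7.jar")) { String pause = "pause"; }` block is a leftover debugging breakpoint hook with no effect and should not ship; drop those five lines. The archive regex is then evaluated up to four times per call through `String.matches`, which recompiles the pattern on every call, in a method invoked from a nested loop over every dependency; hoist it to `private static final Pattern ARCHIVE_PATH = Pattern.compile(".*\\.(tar|tgz|gz|zip|ear|war).+");` (needs `java.util.regex.Pattern`) and test with `ARCHIVE_PATH.matcher(leftName).matches()`, which also makes the two mirrored conditions easier to read. The widening from `private` to package-private is presumably for a unit test; a short `/* package-private for testing */` note would record that intent. The method's tail runs past the hunk.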
@@ -323,4 +349,18 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         }
         return returnVal;
     }
+
+    /**
+     * Compares the SHA1 hashes of two dependencies to determine if they are equal.
+     *
+     * @param dependency1 a dependency object to compare
+     * @param dependency2 a dependency object to compare
+     * @return true if the sha1 hashes of the two dependencies match; otherwise false
+     */
+    private boolean hashesMatch(Dependency dependency1, Dependency dependency2) {
+        if (dependency1 == null || dependency2 == null || dependency1.getSha1sum() == null || dependency2.getSha1sum() == null) {
+            return false;
+        }
+        return dependency1.getSha1sum().equals(dependency2.getSha1sum());
+    }
 }
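Review bot: hashesMatch compares the SHA-1 strings with a case-sensitive `equals`, and silently treats a null dependency or a missing hash as a non-match; both behaviours are reasonable but neither is stated, so the `@return` tag should read something like `@return true only when both dependencies carry a SHA-1 and the strings are equal; null arguments or a missing hash on either side yield false`, with a note that the comparison assumes both values come from the same hex encoding. Because a hash match now short-circuits the path and identifier checks in the caller, a one-line comment that this is a content-identity check rather than a security comparison would help a future reader decide whether the digest choice matters here.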