github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:jeremylong/DependencyCheck

Browse Source 
Former-commit-id: e7876e1969de54e1d9a139fb7e40f26748687c5b
This commit is contained in:
Jeremy Long
2015-06-19 05:35:10 -04:00
parent 63d92c62a5 6a67c04ca2
commit ce7d12e850
2 changed files with 24 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -122,6 +122,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
"ipojo-components",
"ipojo-extension",
"eclipse-sourcereferences");
/**
* Deprecated Jar manifest attribute, that is, nonetheless, useful for
* analysis.
*/
@SuppressWarnings("deprecation")
private static final String IMPLEMENTATION_VENDOR_ID = Attributes.Name.IMPLEMENTATION_VENDOR_ID
.toString();
/**
* item in some manifest, should be considered medium confidence.
*/
@@ -670,7 +677,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
foundSomething = true;
vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
addMatchingValues(classInformation, value, vendorEvidence);
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR_ID.toString())) {
} else if (key.equalsIgnoreCase(IMPLEMENTATION_VENDOR_ID)) {
foundSomething = true;
vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
addMatchingValues(classInformation, value, vendorEvidence);
@@ -918,9 +925,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
JarFile jar = null;
try {
jar = new JarFile(dependency.getActualFilePath());
final Enumeration entries = jar.entries();
final Enumeration<JarEntry> entries = jar.entries();
while (entries.hasMoreElements()) {
final JarEntry entry = (JarEntry) entries.nextElement();
final JarEntry entry = entries.nextElement();
final String name = entry.getName().toLowerCase();
//no longer stripping "|com\\.sun" - there are some com.sun jar files with CVEs.
if (name.endsWith(".class") && !name.matches("^javax?\\..*$")) {

15
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
View File

@@ -356,9 +356,22 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
try {
result = URLDecoder.decode(text, "ASCII");
} catch (UnsupportedEncodingException ex1) {
result = URLDecoder.decode(text);
result = defaultUrlDecode(text);
}
}
return result;
}
/**
* Call {@link java.net.URLDecoder#decode(String)} to URL decode using the
* default encoding.
*
* @param text
* www-form-encoded URL to decode
* @return the newly decoded String
*/
@SuppressWarnings("deprecation")
private String defaultUrlDecode(final String text) {
return URLDecoder.decode(text);
}
}