github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-24 10:01:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:jeremylong/DependencyCheck

Browse Source 
Former-commit-id: e7876e1969de54e1d9a139fb7e40f26748687c5b
This commit is contained in:
Jeremy Long
2015-06-19 05:35:10 -04:00
parent 63d92c62a5 6a67c04ca2
commit ce7d12e850
2 changed files with 24 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -122,6 +122,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
"ipojo-components", "ipojo-components",
"ipojo-extension", "ipojo-extension",
"eclipse-sourcereferences"); "eclipse-sourcereferences");
/**
* Deprecated Jar manifest attribute, that is, nonetheless, useful for
* analysis.
*/
@SuppressWarnings("deprecation")
private static final String IMPLEMENTATION_VENDOR_ID = Attributes.Name.IMPLEMENTATION_VENDOR_ID
.toString();
/** /**
* item in some manifest, should be considered medium confidence. * item in some manifest, should be considered medium confidence.
*/ */
@@ -670,7 +677,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
foundSomething = true; foundSomething = true;
vendorEvidence.addEvidence(source, key, value, Confidence.HIGH); vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
addMatchingValues(classInformation, value, vendorEvidence); addMatchingValues(classInformation, value, vendorEvidence);
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR_ID.toString())) { } else if (key.equalsIgnoreCase(IMPLEMENTATION_VENDOR_ID)) {
foundSomething = true; foundSomething = true;
vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM); vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
addMatchingValues(classInformation, value, vendorEvidence); addMatchingValues(classInformation, value, vendorEvidence);
@@ -918,9 +925,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
JarFile jar = null; JarFile jar = null;
try { try {
jar = new JarFile(dependency.getActualFilePath()); jar = new JarFile(dependency.getActualFilePath());
final Enumeration entries = jar.entries(); final Enumeration<JarEntry> entries = jar.entries();
while (entries.hasMoreElements()) { while (entries.hasMoreElements()) {
final JarEntry entry = (JarEntry) entries.nextElement(); final JarEntry entry = entries.nextElement();
final String name = entry.getName().toLowerCase(); final String name = entry.getName().toLowerCase();
//no longer stripping "|com\\.sun" - there are some com.sun jar files with CVEs. //no longer stripping "|com\\.sun" - there are some com.sun jar files with CVEs.
if (name.endsWith(".class") && !name.matches("^javax?\\..*$")) { if (name.endsWith(".class") && !name.matches("^javax?\\..*$")) {

15
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
View File

@@ -356,9 +356,22 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
try { try {
result = URLDecoder.decode(text, "ASCII"); result = URLDecoder.decode(text, "ASCII");
} catch (UnsupportedEncodingException ex1) { } catch (UnsupportedEncodingException ex1) {
result = URLDecoder.decode(text); result = defaultUrlDecode(text);
} }
} }
return result; return result;
} }
/**
* Call {@link java.net.URLDecoder#decode(String)} to URL decode using the
* default encoding.
*
* @param text
* www-form-encoded URL to decode
* @return the newly decoded String
*/
@SuppressWarnings("deprecation")
private String defaultUrlDecode(final String text) {
return URLDecoder.decode(text);
}
} }