diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 36936d852..387601cdd 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -459,6 +459,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. test true + + com.thoughtworks.xstream + xstream + 1.4.8 + test + true + @@ -587,13 +594,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. test true - - com.thoughtworks.xstream - xstream - 1.4.2 - test - true - org.apache.ws.security wss4j diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java index 7e3c3e01e..666a2ffbe 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java @@ -101,11 +101,11 @@ public final class CpeMemoryIndex { /** * The search field analyzer for the product field. */ - private SearchFieldAnalyzer productSearchFieldAnalyzer; + private SearchFieldAnalyzer productFieldAnalyzer; /** * The search field analyzer for the vendor field. */ - private SearchFieldAnalyzer vendorSearchFieldAnalyzer; + private SearchFieldAnalyzer vendorFieldAnalyzer; /** * Creates and loads data into an in memory index. @@ -148,7 +148,9 @@ public final class CpeMemoryIndex { * Creates the indexing analyzer for the CPE Index. * * @return the CPE Analyzer. + * @deprecated the search field analyzer must be used to include the token concatenating filter. */ + @Deprecated private Analyzer createIndexingAnalyzer() { final Map fieldAnalyzers = new HashMap(); fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer()); 
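Review bot: `@Deprecated` on the private `createIndexingAnalyzer()` in the `@@ -148` hunk has no effect for anyone: no caller outside the class can reach it, and once the later hunk switches indexing to `createSearchingAnalyzer()` nothing inside the class appears to call it either, so it is dead code rather than a deprecated API. Delete the method (and any imports only it needed) instead of annotating it; if it must remain for a reason not visible here, the Javadoc should name the replacement, e.g. ` * @deprecated use {@code createSearchingAnalyzer()}, which installs the token concatenating filter.` The method body continues outside the hunk.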
@@ -163,12 +165,12 @@ public final class CpeMemoryIndex {
 private Analyzer createSearchingAnalyzer() {
 final Map fieldAnalyzers = new HashMap();
 fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
- productSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
- vendorSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
- fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer);
- fieldAnalyzers.put(Fields.VENDOR, vendorSearchFieldAnalyzer);
+ productFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
+ vendorFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
+ fieldAnalyzers.put(Fields.PRODUCT, productFieldAnalyzer);
+ fieldAnalyzers.put(Fields.VENDOR, vendorFieldAnalyzer);
- return new PerFieldAnalyzerWrapper(new FieldAnalyzer(LuceneUtils.CURRENT_VERSION), fieldAnalyzers);
+ return new PerFieldAnalyzerWrapper(new KeywordAnalyzer(), fieldAnalyzers);
 }
 /**
@@ -206,7 +208,7 @@ public final class CpeMemoryIndex {
 Analyzer analyzer = null;
 IndexWriter indexWriter = null;
 try {
- analyzer = createIndexingAnalyzer();
+ analyzer = createSearchingAnalyzer();
 final IndexWriterConfig conf = new IndexWriterConfig(LuceneUtils.CURRENT_VERSION, analyzer);
 indexWriter = new IndexWriter(index, conf);
 try {
@@ -224,6 +226,7 @@ public final class CpeMemoryIndex {
 v.setStringValue(pair.getLeft());
 p.setStringValue(pair.getRight());
 indexWriter.addDocument(doc);
+ resetFieldAnalyzer();
 }
 } catch (DatabaseException ex) {
 LOGGER.debug("", ex);
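Review bot: `createSearchingAnalyzer()` is now also the analyzer handed to the `IndexWriter` (see the `@@ -206` hunk below), so its name and its Javadoc, which starts above this hunk, no longer describe its role; the Javadoc should at least state that the same per-field analyzer is used for both indexing and searching so that both sides tokenize vendor and product identically. The wrapper's default analyzer also changes from `FieldAnalyzer` to `KeywordAnalyzer`, meaning any field not registered in `fieldAnalyzers` (only `DOCUMENT_KEY`, `PRODUCT` and `VENDOR` are) would be indexed as a single untokenized term — if that is intended, say so on the return line: `// fields without a dedicated analyzer are indexed verbatim as one token`. Each call further replaces the `productFieldAnalyzer`/`vendorFieldAnalyzer` instances that `resetFieldAnalyzer()` clears, so if the method is invoked once for the writer and again for the searcher only the most recent pair is ever reset; presumably harmless once the writer is closed, but worth a sentence in the Javadoc.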
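Review bot: The new `resetFieldAnalyzer()` call after `indexWriter.addDocument(doc)` carries no comment explaining why an analyzer must be reset between documents, which a later reader may well remove as a no-op; suggest `resetFieldAnalyzer(); // the SearchFieldAnalyzer instances are stateful across documents; clear them before the next one`. Because the reset is only reached when `addDocument` returns normally, clearing at the top of the loop body (before the `setStringValue` calls) would be more robust than clearing at the end, and it would mirror how `search()` resets before each query. The loop header and the enclosing try/catch begin outside the hunk.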
@@ -254,14 +257,14 @@ public final class CpeMemoryIndex {
 }
 /**
- * Resets the searching analyzers
+ * Resets the product and vendor field analyzers.
 */
- private void resetSearchingAnalyzer() {
- if (productSearchFieldAnalyzer != null) {
- productSearchFieldAnalyzer.clear();
+ private void resetFieldAnalyzer() {
+ if (productFieldAnalyzer != null) {
+ productFieldAnalyzer.clear();
 }
- if (vendorSearchFieldAnalyzer != null) {
- vendorSearchFieldAnalyzer.clear();
+ if (vendorFieldAnalyzer != null) {
+ vendorFieldAnalyzer.clear();
 }
 }
@@ -293,7 +296,7 @@ public final class CpeMemoryIndex {
 * @throws IOException thrown if there is an IOException
 */
 public TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException {
- resetSearchingAnalyzer();
+ resetFieldAnalyzer();
 return indexSearcher.search(query, maxQueryResults);
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java
index 68c6031fc..534259f07 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java
@@ -29,11 +29,15 @@ import org.apache.lucene.util.Version;
 /**
 *

- * A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The intended
- * purpose of this Analyzer is to index the CPE fields vendor and product.

+ * A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter,
+ * LowerCaseFilter, and StopFilter. The intended purpose of this Analyzer is to
+ * index the CPE fields vendor and product.

 *
 * @author Jeremy Long
+ * @Deprecated the field analyzer should not be used, instead use the
+ * SearchFieldAnalyzer so that the token analyzing filter is used.
 */
+@Deprecated
 public class FieldAnalyzer extends Analyzer {
 /**
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
index a400bc861..552ec2abc 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
@@ -29,6 +29,7 @@ import static org.junit.Assert.assertTrue;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.BaseDBTestCase;
+import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -82,6 +83,10 @@ public class CPEAnalyzerIntegrationTest extends BaseDBTestCase {
 */
 @Test
 public void testDetermineCPE_full() throws Exception {
+ //update needs to be performed so that xtream can be tested
+ Engine e = new Engine();
+ e.doUpdates();
+
 CPEAnalyzer cpeAnalyzer = new CPEAnalyzer();
 try {
 cpeAnalyzer.initialize();
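Review bot: The Javadoc tag added to `FieldAnalyzer` is spelled `@Deprecated` (capital D), which is the annotation's name rather than the Javadoc tag; javadoc only recognises lowercase `@deprecated`, so this is reported as an unknown tag and no deprecation notice is rendered, whereas the `CpeMemoryIndex` hunk in the same commit uses the correct form. Change the line to ` * @deprecated use SearchFieldAnalyzer instead so that the token concatenating filter is applied.` and keep the `@Deprecated` annotation on the class as added. The class body continues outside the hunk.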
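Review bot: The `Engine` created at the top of `testDetermineCPE_full` is never released after `e.doUpdates()`; if `Engine` holds a database connection or other resources (not visible here), they stay open for the remainder of the test run, so the update belongs in a try/finally that invokes whatever cleanup `Engine` provides, or in a `@BeforeClass` step shared by the suite rather than a single test method. The comment also misspells the library under test and should read `//update needs to be performed so that xstream can be tested`; a variable name such as `engine` would read better than `e`. The method body continues in the next hunk.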
@@ -94,14 +99,15 @@ public class CPEAnalyzerIntegrationTest extends BaseDBTestCase {
 hAnalyzer.initialize();
 FalsePositiveAnalyzer fp = new FalsePositiveAnalyzer();
 fp.initialize();
-
- //callDetermineCPE_full("struts2-core-2.3.16.3.jar", "cpe:/a:apache:struts:2.3.16.3", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+ callDetermineCPE_full("hazelcast-2.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
 callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
 callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
 callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
 callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
 callDetermineCPE_full("ehcache-core-2.2.0.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+ callDetermineCPE_full("xstream-1.4.8.jar", "cpe:/a:x-stream:xstream:1.4.8", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+
 } finally {
 cpeAnalyzer.close();
 }
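Review bot: The two new `callDetermineCPE_full` cases give no hint why `hazelcast-2.5.jar` must resolve to `null` while `xstream-1.4.8.jar` must resolve to `cpe:/a:x-stream:xstream:1.4.8`, so a failure in either will be hard to diagnose; a short comment per case would help, e.g. `// expected: no CPE identified` on the hazelcast line and `// xstream 1.4.8 is the test-scoped dependency added in pom.xml` on the xstream line. The xstream expectation also depends on the NVD data fetched by `doUpdates()` in the previous hunk, so the outcome varies with the update feed, which the test's Javadoc (outside this hunk) should state. The extra blank line added before `} finally {` looks accidental.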