github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

added project references as part of patch for issue #185

Browse Source 
Former-commit-id: 3146c47f89031eaf09e513b6eb757bcc98ee9edf
This commit is contained in:
Jeremy Long
2015-02-08 07:17:16 -05:00
parent 4c5489efd3
commit d79d5b5f33
3 changed files with 33 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
View File

@@ -36,9 +36,9 @@ import org.owasp.dependencycheck.utils.LogUtils;
/**
* <p>
* This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are
* grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the
* same relative path then these should be grouped into a single dependency under the core/main library.</p>
* This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are grouped. An
* example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the same relative path
* then these should be grouped into a single dependency under the core/main library.</p>
* <p>
* Note, this grouping only works on dependencies with identified CVE entries</p>
*
@@ -91,8 +91,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
//</editor-fold>
/**
* Analyzes a set of dependencies. If they have been found to have the same base path and the same set of
* identifiers they are likely related. The related dependencies are bundled into a single reportable item.
* Analyzes a set of dependencies. If they have been found to have the same base path and the same set of identifiers they are
* likely related. The related dependencies are bundled into a single reportable item.
*
* @param ignore this analyzer ignores the dependency being analyzed
* @param engine the engine that is scanning the dependencies
@@ -151,10 +151,10 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
* Adds the relatedDependency to the dependency's related dependencies.
*
* @param dependency the main dependency
* @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the
* source of dependencies to remove
* @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this
* function adds to this collection
* @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the source of
* dependencies to remove
* @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this function
* adds to this collection
*/
private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
dependency.addRelatedDependency(relatedDependency);
@@ -163,12 +163,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
dependency.addRelatedDependency(i.next());
i.remove();
}
//dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
dependenciesToRemove.add(relatedDependency);
}
/**
* Attempts to trim a maven repo to a common base path. This is typically
* [drive]\[repo_location]\repository\[path1]\[path2].
* Attempts to trim a maven repo to a common base path. This is typically [drive]\[repo_location]\repository\[path1]\[path2].
*
* @param path the path to trim
* @return a string representing the base path.
@@ -321,8 +321,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
}
/**
* This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison
* to the 'right' library.
* This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the
* 'right' library.
*
* @param left the dependency to test
* @param right the dependency to test against
@@ -379,13 +379,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
}
/**
* Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml
* dependency should be removed.
* Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml dependency
* should be removed.
*
* @param dependency a dependency to check
* @param nextDependency another dependency to check
* @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match;
* otherwise false
* @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match; otherwise false
*/
private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
final String mainName = dependency.getFileName().toLowerCase();
@@ -399,8 +398,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
}
/**
* Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to
* determine if the first path is smaller.
* Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to determine if the
* first path is smaller.
*
* @param left the first path to compare
* @param right the second path to compare

20
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
View File

@@ -21,8 +21,7 @@ import java.io.File;
import java.io.IOException;
import java.io.Serializable;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.HashSet;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
@@ -599,14 +598,14 @@ public class Dependency implements Serializable, Comparable<Dependency> {
/**
* A list of projects that reference this dependency.
*/
private List<String> projectReferences = new ArrayList<String>();
private Set<String> projectReferences = new HashSet<String>();
/**
* Get the value of projectReferences
*
* @return the value of projectReferences
*/
public List<String> getProjectReferences() {
public Set<String> getProjectReferences() {
return projectReferences;
}
@@ -615,19 +614,28 @@ public class Dependency implements Serializable, Comparable<Dependency> {
*
* @param projectReferences new value of projectReferences
*/
public void setProjectReferences(List<String> projectReferences) {
public void setProjectReferences(Set<String> projectReferences) {
this.projectReferences = projectReferences;
}
/**
* Adds a project reference.
*
* @param projectReference
* @param projectReference a project reference
*/
public void addProjectReference(String projectReference) {
this.projectReferences.add(projectReference);
}
/**
* Add a collection of project reference.
*
* @param projectReferences a set of project references
*/
public void addAllProjectReferences(Set<String> projectReferences) {
this.projectReferences.addAll(projectReferences);
}
/**
* Set the value of relatedDependencies.
*

1
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
View File

@@ -430,6 +430,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
if (deps != null) {
if (deps.size() == 1) {
final Dependency d = deps.get(0);
d.addProjectReference(project.getName());
if (d != null) {
final MavenArtifact ma = new MavenArtifact(a.getGroupId(), a.getArtifactId(), a.getVersion());
d.addAsEvidence("pom", ma, Confidence.HIGHEST);