Added 'deep scan' argument/property to indicate more evidence should be collected even if it increases false positives

Former-commit-id: 200acdb012410df0cd59c164cd362f7940366fb1

src/main/java/org/owasp/dependencycheck/App.java

@@ -29,6 +29,7 @@ import org.apache.commons.cli.ParseException;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.CliParser;
+import org.owasp.dependencycheck.utils.Settings;
 
 /*
  * This file is part of App.
@@ -112,11 +113,10 @@ public class App {
         if (cli.isGetVersion()) {
             cli.printVersionInfo();
         } else if (cli.isRunScan()) {
-            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.isAutoUpdate());
+            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.isAutoUpdate(), cli.isDeepScan());
         } else {
             cli.printHelp();
         }
-
     }
 
     /**
@@ -124,16 +124,21 @@ public class App {
      * reportDirectory.
      *
      * @param reportDirectory the path to the directory where the reports will
-     * be written.
-     * @param outputFormat the output format of the report.
-     * @param applicationName the application name for the report.
-     * @param files the files/directories to scan.
+     * be written
+     * @param outputFormat the output format of the report
+     * @param applicationName the application name for the report
+     * @param files the files/directories to scan
+     * @param autoUpdate whether to auto-update the cached data from the Internet
+     * @param deepScan whether to perform a deep scan of the evidence in the project dependencies
      */
-    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, boolean autoUpdate) {
+    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, boolean autoUpdate, boolean deepScan) {
         Engine scanner = new Engine(autoUpdate);
+        Settings.setBoolean(Settings.KEYS.PERFORM_DEEP_SCAN, deepScan);
+
         for (String file : files) {
             scanner.scan(file);
         }
+
         scanner.analyzeDependencies();
         List<Dependency> dependencies = scanner.getDependencies();
 
@@ -145,6 +150,5 @@ public class App {
         } catch (Exception ex) {
             Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
         }
-
     }
 }

src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -47,6 +47,7 @@ import org.owasp.dependencycheck.analyzer.pom.generated.License;
 import org.owasp.dependencycheck.analyzer.pom.generated.Model;
 import org.owasp.dependencycheck.analyzer.pom.generated.Organization;
 import org.owasp.dependencycheck.utils.NonClosingStream;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
@@ -182,7 +183,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             parseManifest(dependency);
-            analyzePackageNames(dependency);
+            if (Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN)) {
+                analyzePackageNames(dependency);
+            }
             analyzePOM(dependency);
             //addPredefinedData(dependency); //this has been moved to its own analyzer (HintAnalyzer)
         } catch (IOException ex) {

src/main/java/org/owasp/dependencycheck/utils/CliParser.java

@@ -160,6 +160,9 @@ public final class CliParser {
         Option advancedHelp = new Option(ArgumentName.ADVANCED_HELP_SHORT, ArgumentName.ADVANCED_HELP, false,
                 "shows additional help regarding properties file.");
 
+        Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false,
+                "extracts extra information from dependencies that may increase false positives, but also decrease false negatives.");
+
         Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
                 false, "print the version information.");
 
@@ -199,6 +202,7 @@ public final class CliParser {
         opts.addOption(version);
         opts.addOption(help);
         opts.addOption(noupdate);
+        opts.addOption(deepScan);
         opts.addOption(props);
         opts.addOption(advancedHelp);
         return opts;
@@ -238,7 +242,7 @@ public final class CliParser {
         HelpFormatter formatter = new HelpFormatter();
         String nl = System.getProperty("line.separator");
         String advancedHelp = null;
-        if (line.hasOption(ArgumentName.ADVANCED_HELP)) {
+        if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
             advancedHelp = nl + nl
                     + "Additionally, the following properties are supported and can be specified either"
                     + "using the -p <file> argument or by passing them in as system properties." + nl
@@ -323,6 +327,13 @@ public final class CliParser {
         return (line == null) || !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE);
     }
 
+    /**
+     * Checks if a deep scan of the dependencies was requested.
+     * @return whether a deep scan of the evidence within the dependencies was requested.
+     */
+    public boolean isDeepScan() {
+        return (line != null) && line.hasOption(ArgumentName.PERFORM_DEEP_SCAN);
+    }
     /**
      * A collection of static final strings that represent the possible command
      * line arguments.
@@ -401,6 +412,16 @@ public final class CliParser {
          * The short CLI argument name asking for advanced help.
          */
         public static final String ADVANCED_HELP = "advancedhelp";
+        /*
+         * The short CLI argument name indicating a deep scan of the dependencies
+         * should be performed.
+         */
+        public static final String PERFORM_DEEP_SCAN_SHORT = "d";
+        /*
+         * The CLI argument name indicating a deep scan of the dependencies
+         * should be performed.
+         */
+        public static final String PERFORM_DEEP_SCAN = "deepscan";
         /**
          * The short CLI argument name for setting the location of an additional
          * properties file.

src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -117,6 +117,10 @@ public class Settings {
          * The properties key for the connection timeout.
          */
         public static final String CONNECTION_TIMEOUT = "connection.timeout";
+        /**
+         * The properties key indicating a deep scan should be performed.
+         */
+        public static final String PERFORM_DEEP_SCAN = "perform.deepscan";
     }
     private static final String PROPERTIES_FILE = "configuration/dependencycheck.properties";
     private static final Settings INSTANCE = new Settings();
@@ -145,6 +149,19 @@ public class Settings {
     public static void setString(String key, String value) {
         INSTANCE.props.setProperty(key, value);
     }
+    /**
+     * Sets a property value.
+     *
+     * @param key the key for the property.
+     * @param value the value for the property.
+     */
+    public static void setBoolean(String key, boolean value) {
+        if (value) {
+            INSTANCE.props.setProperty(key, Boolean.TRUE.toString());
+        } else {
+            INSTANCE.props.setProperty(key, Boolean.FALSE.toString());
+        }
+    }
 
     /**
      * Merges a new properties file into the current properties. This method