checkstyle suggested changes
@@ -120,7 +120,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
|
||||
throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
|
||||
}
|
||||
final String[] suppressionFilePaths = getSettings().getArray(Settings.KEYS.SUPPRESSION_FILE);
|
||||
List<String> failedLoadingFiles = new ArrayList<>();
|
||||
final List<String> failedLoadingFiles = new ArrayList<>();
|
||||
if (suppressionFilePaths != null && suppressionFilePaths.length > 0) {
|
||||
|
||||
// Load all the suppression file paths
|
||||
|
||||
@@ -60,7 +60,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
/**
|
||||
* A descriptor for the type of dependencies processed or added by this
|
||||
* analyzer
|
||||
* analyzer.
|
||||
*/
|
||||
public static final String DEPENDENCY_ECOSYSTEM = "CMAKE";
|
||||
|
||||
|
||||
@@ -75,16 +75,16 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
private static final String SUPPORTED_EXTENSIONS = "jar";
|
||||
|
||||
/**
|
||||
* There may be temporary issues when connecting to MavenCentral.
|
||||
* In order to compensate for 99% of the issues, we perform a retry
|
||||
* before finally failing the analysis.
|
||||
* There may be temporary issues when connecting to MavenCentral. In order
|
||||
* to compensate for 99% of the issues, we perform a retry before finally
|
||||
* failing the analysis.
|
||||
*/
|
||||
private static final int NUMBER_OF_TRIES = 5;
|
||||
|
||||
/**
|
||||
* The searcher itself.
|
||||
*/
|
||||
protected CentralSearch searcher;
|
||||
private CentralSearch searcher;
|
||||
|
||||
/**
|
||||
* Initializes the analyzer with the configured settings.
|
||||
@@ -189,7 +189,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* Performs the analysis.
|
||||
*
|
||||
* @param dependency the dependency to analyze
|
||||
* @param engine the engine
|
||||
* @param engine the engine
|
||||
* @throws AnalysisException when there's an exception during analysis
|
||||
*/
|
||||
@Override
|
||||
@@ -255,7 +255,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @param dependency the dependency to analyze
|
||||
* @return the downloaded list of MavenArtifacts
|
||||
* @throws FileNotFoundException if the specified artifact is not found
|
||||
* @throws IOException if connecting to MavenCentral finally failed
|
||||
* @throws IOException if connecting to MavenCentral finally failed
|
||||
*/
|
||||
protected List<MavenArtifact> fetchMavenArtifacts(Dependency dependency) throws IOException {
|
||||
IOException lastException = null;
|
||||
@@ -283,8 +283,17 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
}
|
||||
|
||||
final String message = "Finally failed connecting to Central search." +
|
||||
" Giving up after " + NUMBER_OF_TRIES + " tries.";
|
||||
final String message = "Finally failed connecting to Central search."
|
||||
+ " Giving up after " + NUMBER_OF_TRIES + " tries.";
|
||||
throw new IOException(message, lastException);
|
||||
}
|
||||
|
||||
/**
|
||||
* Method used by unit tests to setup the analyzer.
|
||||
*
|
||||
* @param searcher the Central Search object to use.
|
||||
*/
|
||||
protected void setCentralSearch(CentralSearch searcher) {
|
||||
this.searcher = searcher;
|
||||
}
|
||||
}
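Review bot: The new `setCentralSearch` is `protected`, which widens what was a test-only hook into an extension point for every subclass, while the only caller in this commit (`CentralAnalyzerTest`, which previously assigned the field directly and is not a subclass, so it must sit in the same package) only needs package-private access; `void setCentralSearch(CentralSearch searcher)` without a modifier keeps the surface as small as the field it replaces. The setter also accepts `null` silently, which would surface later as a NullPointerException inside `fetchMavenArtifacts` rather than at the call site; `this.searcher = Objects.requireNonNull(searcher, "searcher");` fails fast, if `java.util.Objects` is imported in this file. The retry loop that `lastException` belongs to starts outside the hunk, so I cannot see whether `searcher` is otherwise guarded before use.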
|
||||
|
||||
@@ -47,7 +47,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
/**
|
||||
* A descriptor for the type of dependencies processed or added by this
|
||||
* analyzer
|
||||
* analyzer.
|
||||
*/
|
||||
public static final String DEPENDENCY_ECOSYSTEM = "CocoaPod";
|
||||
|
||||
|
||||
@@ -49,7 +49,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
/**
|
||||
* A descriptor for the type of dependencies processed or added by this
|
||||
* analyzer
|
||||
* analyzer.
|
||||
*/
|
||||
public static final String DEPENDENCY_ECOSYSTEM = "Composer";
|
||||
|
||||
|
||||
@@ -75,7 +75,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
//<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
|
||||
/**
|
||||
* A descriptor for the type of dependencies processed or added by this
|
||||
* analyzer
|
||||
* analyzer.
|
||||
*/
|
||||
public static final String DEPENDENCY_ECOSYSTEM = "Java";
|
||||
/**
|
||||
@@ -535,13 +535,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
foundSomething = true;
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "groupid", groupid, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "groupid", groupid, Confidence.LOW);
|
||||
addMatchingValues(classes, groupid, dependency,EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, groupid, dependency,EvidenceType.PRODUCT);
|
||||
addMatchingValues(classes, groupid, dependency, EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, groupid, dependency, EvidenceType.PRODUCT);
|
||||
if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) {
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "parent-groupid", parentGroupId, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "parent-groupid", parentGroupId, Confidence.LOW);
|
||||
addMatchingValues(classes, parentGroupId, dependency,EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, parentGroupId, dependency,EvidenceType.PRODUCT);
|
||||
addMatchingValues(classes, parentGroupId, dependency, EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, parentGroupId, dependency, EvidenceType.PRODUCT);
|
||||
}
|
||||
} else {
|
||||
addAsIdentifier = false;
|
||||
@@ -551,13 +551,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
foundSomething = true;
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "artifactid", artifactid, Confidence.HIGHEST);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "artifactid", artifactid, Confidence.LOW);
|
||||
addMatchingValues(classes, artifactid, dependency,EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, artifactid, dependency,EvidenceType.PRODUCT);
|
||||
addMatchingValues(classes, artifactid, dependency, EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, artifactid, dependency, EvidenceType.PRODUCT);
|
||||
if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) {
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "parent-artifactid", parentArtifactId, Confidence.LOW);
|
||||
addMatchingValues(classes, parentArtifactId, dependency,EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, parentArtifactId, dependency,EvidenceType.PRODUCT);
|
||||
addMatchingValues(classes, parentArtifactId, dependency, EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, parentArtifactId, dependency, EvidenceType.PRODUCT);
|
||||
}
|
||||
} else {
|
||||
addAsIdentifier = false;
|
||||
@@ -582,8 +582,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
if (org != null && !org.isEmpty()) {
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "organization name", org, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "organization name", org, Confidence.LOW);
|
||||
addMatchingValues(classes, org, dependency,EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, org, dependency,EvidenceType.PRODUCT);
|
||||
addMatchingValues(classes, org, dependency, EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, org, dependency, EvidenceType.PRODUCT);
|
||||
}
|
||||
// org name
|
||||
String orgUrl = pom.getOrganizationUrl();
|
||||
@@ -603,8 +603,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
foundSomething = true;
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, "pom", "name", pomName, Confidence.HIGH);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, "pom", "name", pomName, Confidence.HIGH);
|
||||
addMatchingValues(classes, pomName, dependency,EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, pomName, dependency,EvidenceType.PRODUCT);
|
||||
addMatchingValues(classes, pomName, dependency, EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, pomName, dependency, EvidenceType.PRODUCT);
|
||||
}
|
||||
|
||||
//Description
|
||||
@@ -612,8 +612,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
if (description != null && !description.isEmpty() && !description.startsWith("POM was created by")) {
|
||||
foundSomething = true;
|
||||
final String trimmedDescription = addDescription(dependency, description, "pom", "description");
|
||||
addMatchingValues(classes, trimmedDescription, dependency,EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, trimmedDescription, dependency,EvidenceType.PRODUCT);
|
||||
addMatchingValues(classes, trimmedDescription, dependency, EvidenceType.VENDOR);
|
||||
addMatchingValues(classes, trimmedDescription, dependency, EvidenceType.PRODUCT);
|
||||
}
|
||||
|
||||
String projectURL = pom.getProjectURL();
|
||||
@@ -723,7 +723,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
|
||||
foundSomething = true;
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.HIGH);
|
||||
addMatchingValues(classInformation, value, dependency,EvidenceType.PRODUCT);
|
||||
addMatchingValues(classInformation, value, dependency, EvidenceType.PRODUCT);
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
|
||||
hasImplementationVersion = true;
|
||||
foundSomething = true;
|
||||
@@ -733,19 +733,19 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
|
||||
foundSomething = true;
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.HIGH);
|
||||
addMatchingValues(classInformation, value, dependency,EvidenceType.VENDOR);
|
||||
addMatchingValues(classInformation, value, dependency, EvidenceType.VENDOR);
|
||||
} else if (key.equalsIgnoreCase(IMPLEMENTATION_VENDOR_ID)) {
|
||||
foundSomething = true;
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, dependency,EvidenceType.VENDOR);
|
||||
addMatchingValues(classInformation, value, dependency, EvidenceType.VENDOR);
|
||||
} else if (key.equalsIgnoreCase(BUNDLE_DESCRIPTION)) {
|
||||
foundSomething = true;
|
||||
addDescription(dependency, value, "manifest", key);
|
||||
addMatchingValues(classInformation, value, dependency,EvidenceType.PRODUCT);
|
||||
addMatchingValues(classInformation, value, dependency, EvidenceType.PRODUCT);
|
||||
} else if (key.equalsIgnoreCase(BUNDLE_NAME)) {
|
||||
foundSomething = true;
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, dependency,EvidenceType.PRODUCT);
|
||||
addMatchingValues(classInformation, value, dependency, EvidenceType.PRODUCT);
|
||||
// //the following caused false positives.
|
||||
// } else if (key.equalsIgnoreCase(BUNDLE_VENDOR)) {
|
||||
} else if (key.equalsIgnoreCase(BUNDLE_VERSION)) {
|
||||
@@ -785,19 +785,19 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
dependency.addEvidence(EvidenceType.VERSION, source, key, value, Confidence.MEDIUM);
|
||||
} else if (key.contains("title")) {
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, dependency,EvidenceType.PRODUCT);
|
||||
addMatchingValues(classInformation, value, dependency, EvidenceType.PRODUCT);
|
||||
} else if (key.contains("vendor")) {
|
||||
if (key.contains("specification")) {
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.LOW);
|
||||
} else {
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, dependency,EvidenceType.VENDOR);
|
||||
addMatchingValues(classInformation, value, dependency, EvidenceType.VENDOR);
|
||||
}
|
||||
} else if (key.contains("name")) {
|
||||
dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM);
|
||||
dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, dependency,EvidenceType.VENDOR);
|
||||
addMatchingValues(classInformation, value, dependency,EvidenceType.PRODUCT);
|
||||
addMatchingValues(classInformation, value, dependency, EvidenceType.VENDOR);
|
||||
addMatchingValues(classInformation, value, dependency, EvidenceType.PRODUCT);
|
||||
} else if (key.contains("license")) {
|
||||
addLicense(dependency, value);
|
||||
} else if (key.contains("description")) {
|
||||
@@ -1080,6 +1080,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @param classes a collection of class name information
|
||||
* @param value the value to check to see if it contains a package name
|
||||
* @param dep the dependency to add new entries too
|
||||
* @param type the type of evidence (vendor, product, or version)
|
||||
*/
|
||||
private static void addMatchingValues(List<ClassNameInformation> classes, String value, Dependency dep, EvidenceType type) {
|
||||
if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
|
||||
|
||||
@@ -57,7 +57,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
private static final Logger LOGGER = LoggerFactory.getLogger(NodePackageAnalyzer.class);
|
||||
/**
|
||||
* A descriptor for the type of dependencies processed or added by this
|
||||
* analyzer
|
||||
* analyzer.
|
||||
*/
|
||||
public static final String DEPENDENCY_ECOSYSTEM = "npm";
|
||||
/**
|
||||
|
||||
@@ -47,7 +47,7 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
/**
|
||||
* A descriptor for the type of dependencies processed or added by this
|
||||
* analyzer
|
||||
* analyzer.
|
||||
*/
|
||||
public static final String DEPENDENCY_ECOSYSTEM = "NuGet";
|
||||
|
||||
|
||||
@@ -61,7 +61,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
/**
|
||||
* A descriptor for the type of dependencies processed or added by this
|
||||
* analyzer
|
||||
* analyzer.
|
||||
*/
|
||||
public static final String DEPENDENCY_ECOSYSTEM = "Python.Dist";
|
||||
|
||||
|
||||
@@ -50,7 +50,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
/**
|
||||
* A descriptor for the type of dependencies processed or added by this
|
||||
* analyzer
|
||||
* analyzer.
|
||||
*/
|
||||
public static final String DEPENDENCY_ECOSYSTEM = "Python.Pkg";
|
||||
|
||||
|
||||
@@ -52,10 +52,11 @@ import org.owasp.dependencycheck.dependency.Dependency;
|
||||
public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
|
||||
|
||||
/**
|
||||
* A descriptor for the type of dependencies processed or added by this analyzer
|
||||
* A descriptor for the type of dependencies processed or added by this
|
||||
* analyzer.
|
||||
*/
|
||||
public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle";
|
||||
|
||||
|
||||
/**
|
||||
* The name of the analyzer.
|
||||
*/
|
||||
|
||||
@@ -52,7 +52,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
/**
|
||||
* A descriptor for the type of dependencies processed or added by this
|
||||
* analyzer
|
||||
* analyzer.
|
||||
*/
|
||||
public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle";
|
||||
/**
|
||||
|
||||
@@ -47,7 +47,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
/**
|
||||
* A descriptor for the type of dependencies processed or added by this
|
||||
* analyzer
|
||||
* analyzer.
|
||||
*/
|
||||
public static final String DEPENDENCY_ECOSYSTEM = "Swift.PM";
|
||||
|
||||
|
||||
@@ -73,8 +73,7 @@ public class CentralSearch {
|
||||
* Creates a NexusSearch for the given repository URL.
|
||||
*
|
||||
* @param settings the configured settings
|
||||
* @throws MalformedURLException thrown if the configured URL is
|
||||
* invalid
|
||||
* @throws MalformedURLException thrown if the configured URL is invalid
|
||||
*/
|
||||
public CentralSearch(Settings settings) throws MalformedURLException {
|
||||
this.settings = settings;
|
||||
@@ -102,8 +101,7 @@ public class CentralSearch {
|
||||
* @param sha1 the SHA-1 hash string for which to search
|
||||
* @return the populated Maven GAV.
|
||||
* @throws FileNotFoundException if the specified artifact is not found
|
||||
* @throws IOException if it's unable to connect to the specified
|
||||
* repository
|
||||
* @throws IOException if it's unable to connect to the specified repository
|
||||
*/
|
||||
public List<MavenArtifact> searchSha1(String sha1) throws IOException {
|
||||
if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
|
||||
@@ -179,7 +177,7 @@ public class CentralSearch {
|
||||
throw new FileNotFoundException("Artifact not found in Central");
|
||||
}
|
||||
} else {
|
||||
String errorMessage = "Could not connect to MavenCentral (" + conn.getResponseCode() + "): " + conn.getResponseMessage();
|
||||
final String errorMessage = "Could not connect to MavenCentral (" + conn.getResponseCode() + "): " + conn.getResponseMessage();
|
||||
throw new IOException(errorMessage);
|
||||
}
|
||||
return result;
|
||||
|
||||
@@ -195,22 +195,23 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
|
||||
/**
|
||||
* Method that split versions for '.', '|' and '-". Then if a token start
|
||||
* with a number and then contains letters, it will split it too. For
|
||||
* example "12a" is splitted in ["12", "a"]. This is done to support correct
|
||||
* example "12a" is split into ["12", "a"]. This is done to support correct
|
||||
* comparison of "5.0.3a", "5.0.9" and "5.0.30".
|
||||
*
|
||||
* @param s the string to split
|
||||
* @return an Array of String containing the tokens to be compared
|
||||
*/
|
||||
private String[] split(String s) {
|
||||
String[] splitted = s.split("(\\.|-)");
|
||||
final Pattern pattern = Pattern.compile("^([\\d]+?)(.*)$");
|
||||
final String[] splitted = s.split("(\\.|-)");
|
||||
|
||||
ArrayList<String> res = new ArrayList<>();
|
||||
final ArrayList<String> res = new ArrayList<>();
|
||||
for (String token : splitted) {
|
||||
if (token.matches("^[\\d]+?[A-z]+")) {
|
||||
Pattern pattern = Pattern.compile("^([\\d]+?)(.*)$");
|
||||
Matcher matcher = pattern.matcher(token);
|
||||
final Matcher matcher = pattern.matcher(token);
|
||||
matcher.find();
|
||||
String g1 = matcher.group(1);
|
||||
String g2 = matcher.group(2);
|
||||
final String g1 = matcher.group(1);
|
||||
final String g2 = matcher.group(2);
|
||||
|
||||
res.add(g1);
|
||||
res.add(g2);
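Review bot: The character class in `token.matches("^[\\d]+?[A-z]+")` is wider than it reads: the range `A-z` also includes `[`, `\`, `]`, `^`, `_` and the backtick that sit between `Z` and `a` in ASCII, so a token such as `12_` is treated as digits-followed-by-letters and split; `[A-Za-z]` states the intent exactly. Hoisting the `Pattern.compile` out of the loop is an improvement, but it is still recompiled on every `split` call; since the pattern is constant it belongs in a `private static final Pattern` field, and the same applies to the `matches` regex if it is turned into a precompiled pattern. The discarded `matcher.find()` result is safe only because the preceding `matches` check guarantees a hit, which is worth a one-line comment. The method's closing lines are outside the hunk.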
|
||||
|
||||
@@ -37,7 +37,7 @@ public class InitializationException extends Exception {
|
||||
private boolean fatal = true;
|
||||
|
||||
/**
|
||||
* Get the value of fatal
|
||||
* Get the value of fatal.
|
||||
*
|
||||
* @return the value of fatal
|
||||
*/
|
||||
@@ -46,7 +46,7 @@ public class InitializationException extends Exception {
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of fatal
|
||||
* Set the value of fatal.
|
||||
*
|
||||
* @param fatal new value of fatal
|
||||
*/
|
||||
|
||||
@@ -22,11 +22,11 @@ import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
|
||||
/**
|
||||
* EvidenceMatcher can match one or more {@link Evidence}s.
|
||||
* By using regular expressions for some fields and allowing omission of
|
||||
* Evidence fields it can be used to match more than one occurrence of evidence
|
||||
* to enable hints that work for a range of similar false positives/false negatives.
|
||||
*
|
||||
* EvidenceMatcher can match one or more {@link Evidence}s. By using regular
|
||||
* expressions for some fields and allowing omission of Evidence fields it can
|
||||
* be used to match more than one occurrence of evidence to enable hints that
|
||||
* work for a range of similar false positives/false negatives.
|
||||
*
|
||||
* The EvidenceMatcher is used for processing Evidences of a project's
|
||||
* dependencies in conjuction with the {@code <given>} and {@code <remove>}
|
||||
* clauses of the hints file.
|
||||
@@ -41,8 +41,8 @@ public class EvidenceMatcher {
|
||||
private String name;
|
||||
|
||||
/**
|
||||
* The source that the {@link Evidence} should have for a match.
|
||||
* A {@code null}-value is allowed and functions as a wildcard.
|
||||
* The source that the {@link Evidence} should have for a match. A
|
||||
* {@code null}-value is allowed and functions as a wildcard.
|
||||
*/
|
||||
private String source;
|
||||
|
||||
@@ -55,23 +55,24 @@ public class EvidenceMatcher {
|
||||
* Whether the {@link EvidenceMatcher#value} should be interpreted as a
|
||||
* regular expression.
|
||||
*/
|
||||
private boolean regex=false;
|
||||
private boolean regex = false;
|
||||
|
||||
|
||||
/**
|
||||
* The confidence that the {@link Evidence} should have for a match.
|
||||
* A {@code null}-value is allowed and functions as a wildcard.
|
||||
* The confidence that the {@link Evidence} should have for a match. A
|
||||
* {@code null}-value is allowed and functions as a wildcard.
|
||||
*/
|
||||
private Confidence confidence;
|
||||
|
||||
/**
|
||||
* Creates a new EvidenceMatcher objects.
|
||||
*
|
||||
* @param source the source of the evidence, a source that is {@code null} indicates any source should match.
|
||||
* @param source the source of the evidence, a source that is {@code null}
|
||||
* indicates any source should match.
|
||||
* @param name the non-{@code null} name of the evidence.
|
||||
* @param value the non-{@code null} value of the evidence.
|
||||
* @param regex whether value is a regex.
|
||||
* @param confidence the confidence of the evidence, a confidence that is {@code null} indicates any confidence should match.
|
||||
* @param confidence the confidence of the evidence, a confidence that is
|
||||
* {@code null} indicates any confidence should match.
|
||||
*/
|
||||
public EvidenceMatcher(String source, String name, String value, boolean regex, Confidence confidence) {
|
||||
this.source = source;
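Review bot: The reflowed Javadoc promises a "non-{@code null} name" and "non-{@code null} value", and `matches` (later in this diff) dereferences `name` unconditionally via `name.equalsIgnoreCase(...)`, yet the visible part of the constructor stores the arguments without validation; `this.name = Objects.requireNonNull(name, "name");` and the same for `value` would make the documented contract enforced where the object is built. The constructor body continues outside the hunk, so a check may already exist there — if so, this is a non-issue.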
|
||||
@@ -83,11 +84,12 @@ public class EvidenceMatcher {
|
||||
|
||||
/**
|
||||
* Tests whether the given Evidence matches this EvidenceMatcher.
|
||||
* @param evidence
|
||||
* @return whehter the evidence matches this matcher.
|
||||
*
|
||||
* @param evidence the evidence to match
|
||||
* @return whether the evidence matches this matcher
|
||||
*/
|
||||
public boolean matches(Evidence evidence) {
|
||||
return sourceMatches(evidence)
|
||||
return sourceMatches(evidence)
|
||||
&& confidenceMatches(evidence)
|
||||
&& name.equalsIgnoreCase(evidence.getName())
|
||||
&& valueMatches(evidence);
|
||||
@@ -100,11 +102,13 @@ public class EvidenceMatcher {
|
||||
*/
|
||||
@Override
|
||||
public String toString() {
|
||||
return "HintEvidenceMatcher{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence + ", regex=" + regex +'}';
|
||||
return "HintEvidenceMatcher{" + "name=" + name + ", source=" + source + ", value=" + value
|
||||
+ ", confidence=" + confidence + ", regex=" + regex + '}';
|
||||
}
|
||||
|
||||
/**
|
||||
* package-private getter to allow testability of the parser without mocking
|
||||
*
|
||||
* @return The name property
|
||||
*/
|
||||
String getName() {
|
||||
@@ -113,6 +117,7 @@ public class EvidenceMatcher {
|
||||
|
||||
/**
|
||||
* package-private getter to allow testability of the parser without mocking
|
||||
*
|
||||
* @return The source property
|
||||
*/
|
||||
String getSource() {
|
||||
@@ -121,6 +126,7 @@ public class EvidenceMatcher {
|
||||
|
||||
/**
|
||||
* package-private getter to allow testability of the parser without mocking
|
||||
*
|
||||
* @return The value property
|
||||
*/
|
||||
String getValue() {
|
||||
@@ -129,6 +135,7 @@ public class EvidenceMatcher {
|
||||
|
||||
/**
|
||||
* package-private getter to allow testability of the parser without mocking
|
||||
*
|
||||
* @return The regex property
|
||||
*/
|
||||
boolean isRegex() {
|
||||
@@ -137,6 +144,7 @@ public class EvidenceMatcher {
|
||||
|
||||
/**
|
||||
* package-private getter to allow testability of the parser without mocking
|
||||
*
|
||||
* @return The confidence property
|
||||
*/
|
||||
Confidence getConfidence() {
|
||||
@@ -144,13 +152,17 @@ public class EvidenceMatcher {
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks whether the value of the evidence matches this matcher.
|
||||
* When {@link #isRegEx()} is {@code true} value is used as a
|
||||
* {@link java.util.regex.Pattern} that it should match. Otherwise the
|
||||
* value must be case-insensitive equal to the evidence's value.
|
||||
*
|
||||
* Checks whether the value of the evidence matches this matcher. When
|
||||
* {@link #isRegEx()} is {@code true} value is used as a
|
||||
* {@link java.util.regex.Pattern} that it should match. Otherwise the value
|
||||
* must be case-insensitive equal to the evidence's value.
|
||||
*
|
||||
* Uses {@link Evidence#getValue(java.lang.Boolean) to avoid setting
|
||||
* evidences to used while just checking for a match.
|
||||
*
|
||||
* @param evidence the evidence to match
|
||||
* @return <code>true</code> if the evidence matches; otherwise
|
||||
* <code>false</code>
|
||||
*/
|
||||
private boolean valueMatches(Evidence evidence) {
|
||||
boolean result;
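Review bot: Two Javadoc references in this block are broken and survive the reflow: `{@link #isRegEx()}` does not match the accessor actually declared earlier in this file, `boolean isRegex()`, and `{@link Evidence#getValue(java.lang.Boolean) to avoid` is never closed, so the rest of the paragraph is swallowed into the tag. Since the commit is about checkstyle cleanliness, `{@link #isRegex()}` and `{@link Evidence#getValue(java.lang.Boolean)} to avoid` would let the javadoc tool resolve both. The body of `valueMatches` continues outside the hunk.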
|
||||
@@ -163,30 +175,30 @@ public class EvidenceMatcher {
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks whether the source of the evidence matches this matcher.
|
||||
* If our source is {@code null} any source in the evidence matches.
|
||||
* Otherwise the source in the evidence must be case-insensitive equal to
|
||||
* our source.
|
||||
* Checks whether the source of the evidence matches this matcher. If our
|
||||
* source is {@code null} any source in the evidence matches. Otherwise the
|
||||
* source in the evidence must be case-insensitive equal to our source.
|
||||
*
|
||||
* @param evidence The evidence to inspect
|
||||
* @return {@code true} is the source of the evidence matches, false otherwise.
|
||||
* @return {@code true} is the source of the evidence matches, false
|
||||
* otherwise.
|
||||
*/
|
||||
private boolean sourceMatches(Evidence evidence) {
|
||||
return this.source == null || source.equalsIgnoreCase(evidence.getSource());
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Checks whether the confidence of the evidence matches this matcher.
|
||||
* If our confidence is {@code null} any confidence in the evidence matches.
|
||||
* Checks whether the confidence of the evidence matches this matcher. If
|
||||
* our confidence is {@code null} any confidence in the evidence matches.
|
||||
* Otherwise the confidence in the evidence must be exactly equal to our
|
||||
* confidence.
|
||||
*
|
||||
* @param evidence The evidence to inspect
|
||||
* @return {@code true} is the confidence of the evidence matches, false otherwise.
|
||||
* @return {@code true} is the confidence of the evidence matches, false
|
||||
* otherwise.
|
||||
*/
|
||||
private boolean confidenceMatches(Evidence evidence) {
|
||||
return this.confidence == null || confidence.equals(evidence.getConfidence());
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
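Review bot: Both reflowed `@return` lines still read "{@code true} is the source of the evidence matches" and "{@code true} is the confidence of the evidence matches"; "is" should be "if" in each. Proposed: `* @return {@code true} if the source of the evidence matches, false` and `* @return {@code true} if the confidence of the evidence matches, false`, with the wrapped `* otherwise.` line unchanged.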
|
||||
|
||||
@@ -50,18 +50,20 @@ public class CentralAnalyzerTest {
|
||||
@Test
|
||||
@SuppressWarnings("PMD.NonStaticInitializer")
|
||||
public void testFetchMavenArtifactsWithoutException(@Mocked final CentralSearch centralSearch,
|
||||
@Mocked final Dependency dependency)
|
||||
@Mocked final Dependency dependency)
|
||||
throws IOException {
|
||||
|
||||
CentralAnalyzer instance = new CentralAnalyzer();
|
||||
instance.searcher = centralSearch;
|
||||
instance.setCentralSearch(centralSearch);
|
||||
specifySha1SumFor(dependency);
|
||||
|
||||
final List<MavenArtifact> expectedMavenArtifacts = Collections.emptyList();
|
||||
new Expectations() {{
|
||||
centralSearch.searchSha1(SHA1_SUM);
|
||||
returns(expectedMavenArtifacts);
|
||||
}};
|
||||
new Expectations() {
|
||||
{
|
||||
centralSearch.searchSha1(SHA1_SUM);
|
||||
returns(expectedMavenArtifacts);
|
||||
}
|
||||
};
|
||||
|
||||
final List<MavenArtifact> actualMavenArtifacts = instance.fetchMavenArtifacts(dependency);
|
||||
|
||||
@@ -71,20 +73,22 @@ public class CentralAnalyzerTest {
|
||||
@Test
|
||||
@SuppressWarnings("PMD.NonStaticInitializer")
|
||||
public void testFetchMavenArtifactsWithSporadicIOException(@Mocked final CentralSearch centralSearch,
|
||||
@Mocked final Dependency dependency)
|
||||
@Mocked final Dependency dependency)
|
||||
throws IOException {
|
||||
|
||||
CentralAnalyzer instance = new CentralAnalyzer();
|
||||
instance.searcher = centralSearch;
|
||||
instance.setCentralSearch(centralSearch);
|
||||
specifySha1SumFor(dependency);
|
||||
|
||||
final List<MavenArtifact> expectedMavenArtifacts = Collections.emptyList();
|
||||
new Expectations() {{
|
||||
centralSearch.searchSha1(SHA1_SUM);
|
||||
result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
|
||||
result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
|
||||
result = expectedMavenArtifacts;
|
||||
}};
|
||||
new Expectations() {
|
||||
{
|
||||
centralSearch.searchSha1(SHA1_SUM);
|
||||
result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
|
||||
result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
|
||||
result = expectedMavenArtifacts;
|
||||
}
|
||||
};
|
||||
|
||||
final List<MavenArtifact> actualMavenArtifacts = instance.fetchMavenArtifacts(dependency);
|
||||
|
||||
@@ -94,17 +98,19 @@ public class CentralAnalyzerTest {
|
||||
@Test(expected = FileNotFoundException.class)
|
||||
@SuppressWarnings("PMD.NonStaticInitializer")
|
||||
public void testFetchMavenArtifactsRethrowsFileNotFoundException(@Mocked final CentralSearch centralSearch,
|
||||
@Mocked final Dependency dependency)
|
||||
@Mocked final Dependency dependency)
|
||||
throws IOException {
|
||||
|
||||
CentralAnalyzer instance = new CentralAnalyzer();
|
||||
instance.searcher = centralSearch;
|
||||
instance.setCentralSearch(centralSearch);
|
||||
specifySha1SumFor(dependency);
|
||||
|
||||
new Expectations() {{
|
||||
centralSearch.searchSha1(SHA1_SUM);
|
||||
result = new FileNotFoundException("Artifact not found in Central");
|
||||
}};
|
||||
new Expectations() {
|
||||
{
|
||||
centralSearch.searchSha1(SHA1_SUM);
|
||||
result = new FileNotFoundException("Artifact not found in Central");
|
||||
}
|
||||
};
|
||||
|
||||
instance.fetchMavenArtifacts(dependency);
|
||||
}
|
||||
@@ -112,35 +118,39 @@ public class CentralAnalyzerTest {
|
||||
@Test(expected = IOException.class)
|
||||
@SuppressWarnings("PMD.NonStaticInitializer")
|
||||
public void testFetchMavenArtifactsAlwaysThrowsIOException(@Mocked final CentralSearch centralSearch,
|
||||
@Mocked final Dependency dependency)
|
||||
@Mocked final Dependency dependency)
|
||||
throws IOException {
|
||||
|
||||
CentralAnalyzer instance = new CentralAnalyzer();
|
||||
instance.searcher = centralSearch;
|
||||
instance.setCentralSearch(centralSearch);
|
||||
specifySha1SumFor(dependency);
|
||||
|
||||
new Expectations() {{
|
||||
centralSearch.searchSha1(SHA1_SUM);
|
||||
result = new IOException("no internet connection");
|
||||
}};
|
||||
new Expectations() {
|
||||
{
|
||||
centralSearch.searchSha1(SHA1_SUM);
|
||||
result = new IOException("no internet connection");
|
||||
}
|
||||
};
|
||||
|
||||
instance.fetchMavenArtifacts(dependency);
|
||||
}
|
||||
|
||||
@Test(expected = AnalysisException.class)
|
||||
@SuppressWarnings("PMD.NonStaticInitializer")
|
||||
public void testFetchMavenArtifactsAlwaysThrowsIOExceptionLetsTheAnalysisFail(@Mocked final CentralSearch centralSearch,
|
||||
@Mocked final Dependency dependency)
|
||||
public void testFetchMavenArtifactsAlwaysThrowsIOExceptionLetsTheAnalysisFail(
|
||||
@Mocked final CentralSearch centralSearch, @Mocked final Dependency dependency)
|
||||
throws AnalysisException, IOException {
|
||||
|
||||
CentralAnalyzer instance = new CentralAnalyzer();
|
||||
instance.searcher = centralSearch;
|
||||
instance.setCentralSearch(centralSearch);
|
||||
specifySha1SumFor(dependency);
|
||||
|
||||
new Expectations() {{
|
||||
centralSearch.searchSha1(SHA1_SUM);
|
||||
result = new IOException("no internet connection");
|
||||
}};
|
||||
new Expectations() {
|
||||
{
|
||||
centralSearch.searchSha1(SHA1_SUM);
|
||||
result = new IOException("no internet connection");
|
||||
}
|
||||
};
|
||||
|
||||
instance.analyze(dependency, null);
|
||||
}
|
||||
@@ -164,9 +174,11 @@ public class CentralAnalyzerTest {
|
||||
*/
|
||||
@SuppressWarnings("PMD.NonStaticInitializer")
|
||||
private void specifySha1SumFor(final Dependency dependency) {
|
||||
new Expectations() {{
|
||||
dependency.getSha1sum();
|
||||
returns(SHA1_SUM);
|
||||
}};
|
||||
new Expectations() {
|
||||
{
|
||||
dependency.getSha1sum();
|
||||
returns(SHA1_SUM);
|
||||
}
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
@@ -13,6 +13,6 @@
|
||||
^ \* See the License for the specific language governing permissions and\s*$
|
||||
^ \* limitations under the License\.\s*$
|
||||
^ \*\s*$
|
||||
^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|Josh Cain|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
|
||||
^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|Josh Cain|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses|Hans Aikema)\. All Rights Reserved\.\s*$
|
||||
^ \*/\s*$
|
||||
^package
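Review bot: The copyright-year pattern `201[0-9]` only accepts years 2010–2019, so any header written with 2020 or later will fail this checkstyle header check even though the commit extends the list of holders; `20[0-9][0-9]` (or `20[1-9][0-9]` if pre-2010 years are deliberately excluded) avoids a recurring break at the next decade boundary. The preceding header lines are outside the hunk.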
|
||||
|
||||