diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java index ca61b07f8..b09a22d5b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java @@ -120,7 +120,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer { throw new SuppressionParseException("Unable to parse the base suppression data file", ex); } final String[] suppressionFilePaths = getSettings().getArray(Settings.KEYS.SUPPRESSION_FILE); - List failedLoadingFiles = new ArrayList<>(); + final List failedLoadingFiles = new ArrayList<>(); if (suppressionFilePaths != null && suppressionFilePaths.length > 0) { // Load all the suppression file paths diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java index fd2c0c697..e473c7497 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java @@ -60,7 +60,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { /** * A descriptor for the type of dependencies processed or added by this - * analyzer + * analyzer. */ public static final String DEPENDENCY_ECOSYSTEM = "CMAKE"; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java index 1ab49f346..c65e14667 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java 
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java @@ -75,16 +75,16 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { private static final String SUPPORTED_EXTENSIONS = "jar"; /** - * There may be temporary issues when connecting to MavenCentral. - * In order to compensate for 99% of the issues, we perform a retry - * before finally failing the analysis. + * There may be temporary issues when connecting to MavenCentral. In order + * to compensate for 99% of the issues, we perform a retry before finally + * failing the analysis. */ private static final int NUMBER_OF_TRIES = 5; /** * The searcher itself. */ - protected CentralSearch searcher; + private CentralSearch searcher; /** * Initializes the analyzer with the configured settings. @@ -189,7 +189,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { * Performs the analysis. * * @param dependency the dependency to analyze - * @param engine the engine + * @param engine the engine * @throws AnalysisException when there's an exception during analysis */ @Override @@ -255,7 +255,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { * @param dependency the dependency to analyze * @return the downloaded list of MavenArtifacts * @throws FileNotFoundException if the specified artifact is not found - * @throws IOException if connecting to MavenCentral finally failed + * @throws IOException if connecting to MavenCentral finally failed */ protected List fetchMavenArtifacts(Dependency dependency) throws IOException { IOException lastException = null; 
@@ -283,8 +283,17 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { } } - final String message = "Finally failed connecting to Central search." + - " Giving up after " + NUMBER_OF_TRIES + " tries."; + final String message = "Finally failed connecting to Central search." + + " Giving up after " + NUMBER_OF_TRIES + " tries."; throw new IOException(message, lastException); } + + /** + * Method used by unit tests to setup the analyzer. + * + * @param searcher the Central Search object to use. + */ + protected void setCentralSearch(CentralSearch searcher) { + this.searcher = searcher; + } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java index b0ef81b68..7d8aac2b7 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java @@ -47,7 +47,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { /** * A descriptor for the type of dependencies processed or added by this - * analyzer + * analyzer. */ public static final String DEPENDENCY_ECOSYSTEM = "CocoaPod"; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java index a0a7df387..aba20c9d5 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java 
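Review bot: The new `setCentralSearch` is `protected`, which turns a test-only seam into part of the subclass-facing API; `CentralAnalyzerTest` lives in the same package (`org.owasp.dependencycheck.analyzer`), so package-private visibility, `void setCentralSearch(CentralSearch searcher) {`, is sufficient and keeps the hook out of the inheritance contract. It also accepts `null` silently, which would only surface later as a NullPointerException inside `fetchMavenArtifacts` rather than at the call site; `this.searcher = Objects.requireNonNull(searcher, "searcher");` fails fast (add the `java.util.Objects` import if the file does not already have it). The Javadoc should also say that this replaces whatever the analyzer's own initialization assigned to `searcher`, which is outside this hunk, so it is not mistaken for a general configuration point.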
@@ -49,7 +49,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer { /** * A descriptor for the type of dependencies processed or added by this - * analyzer + * analyzer. */ public static final String DEPENDENCY_ECOSYSTEM = "Composer"; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index 53775aab0..5a191efbc 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java @@ -75,7 +75,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { // /** * A descriptor for the type of dependencies processed or added by this - * analyzer + * analyzer. */ public static final String DEPENDENCY_ECOSYSTEM = "Java"; /** 
@@ -535,13 +535,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { foundSomething = true; dependency.addEvidence(EvidenceType.VENDOR, "pom", "groupid", groupid, Confidence.HIGHEST); dependency.addEvidence(EvidenceType.PRODUCT, "pom", "groupid", groupid, Confidence.LOW); - addMatchingValues(classes, groupid, dependency,EvidenceType.VENDOR); - addMatchingValues(classes, groupid, dependency,EvidenceType.PRODUCT); + addMatchingValues(classes, groupid, dependency, EvidenceType.VENDOR); + addMatchingValues(classes, groupid, dependency, EvidenceType.PRODUCT); if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) { dependency.addEvidence(EvidenceType.VENDOR, "pom", "parent-groupid", parentGroupId, Confidence.MEDIUM); dependency.addEvidence(EvidenceType.PRODUCT, "pom", "parent-groupid", parentGroupId, Confidence.LOW); - addMatchingValues(classes, parentGroupId, dependency,EvidenceType.VENDOR); - addMatchingValues(classes, parentGroupId, dependency,EvidenceType.PRODUCT); + addMatchingValues(classes, parentGroupId, dependency, EvidenceType.VENDOR); + addMatchingValues(classes, parentGroupId, dependency, EvidenceType.PRODUCT); } } else { addAsIdentifier = false; 
@@ -551,13 +551,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { foundSomething = true; dependency.addEvidence(EvidenceType.PRODUCT, "pom", "artifactid", artifactid, Confidence.HIGHEST); dependency.addEvidence(EvidenceType.VENDOR, "pom", "artifactid", artifactid, Confidence.LOW); - addMatchingValues(classes, artifactid, dependency,EvidenceType.VENDOR); - addMatchingValues(classes, artifactid, dependency,EvidenceType.PRODUCT); + addMatchingValues(classes, artifactid, dependency, EvidenceType.VENDOR); + addMatchingValues(classes, artifactid, dependency, EvidenceType.PRODUCT); if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) { dependency.addEvidence(EvidenceType.PRODUCT, "pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM); dependency.addEvidence(EvidenceType.VENDOR, "pom", "parent-artifactid", parentArtifactId, Confidence.LOW); - addMatchingValues(classes, parentArtifactId, dependency,EvidenceType.VENDOR); - addMatchingValues(classes, parentArtifactId, dependency,EvidenceType.PRODUCT); + addMatchingValues(classes, parentArtifactId, dependency, EvidenceType.VENDOR); + addMatchingValues(classes, parentArtifactId, dependency, EvidenceType.PRODUCT); } } else { addAsIdentifier = false; @@ -582,8 +582,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { if (org != null && !org.isEmpty()) { dependency.addEvidence(EvidenceType.VENDOR, "pom", "organization name", org, Confidence.HIGH); dependency.addEvidence(EvidenceType.PRODUCT, "pom", "organization name", org, Confidence.LOW); - addMatchingValues(classes, org, dependency,EvidenceType.VENDOR); - addMatchingValues(classes, org, dependency,EvidenceType.PRODUCT); + addMatchingValues(classes, org, dependency, EvidenceType.VENDOR); + addMatchingValues(classes, org, dependency, EvidenceType.PRODUCT); } // org name String orgUrl = pom.getOrganizationUrl(); 
@@ -603,8 +603,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { foundSomething = true; dependency.addEvidence(EvidenceType.PRODUCT, "pom", "name", pomName, Confidence.HIGH); dependency.addEvidence(EvidenceType.VENDOR, "pom", "name", pomName, Confidence.HIGH); - addMatchingValues(classes, pomName, dependency,EvidenceType.VENDOR); - addMatchingValues(classes, pomName, dependency,EvidenceType.PRODUCT); + addMatchingValues(classes, pomName, dependency, EvidenceType.VENDOR); + addMatchingValues(classes, pomName, dependency, EvidenceType.PRODUCT); } //Description @@ -612,8 +612,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { if (description != null && !description.isEmpty() && !description.startsWith("POM was created by")) { foundSomething = true; final String trimmedDescription = addDescription(dependency, description, "pom", "description"); - addMatchingValues(classes, trimmedDescription, dependency,EvidenceType.VENDOR); - addMatchingValues(classes, trimmedDescription, dependency,EvidenceType.PRODUCT); + addMatchingValues(classes, trimmedDescription, dependency, EvidenceType.VENDOR); + addMatchingValues(classes, trimmedDescription, dependency, EvidenceType.PRODUCT); } String projectURL = pom.getProjectURL(); @@ -723,7 +723,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) { foundSomething = true; dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.HIGH); - addMatchingValues(classInformation, value, dependency,EvidenceType.PRODUCT); + addMatchingValues(classInformation, value, dependency, EvidenceType.PRODUCT); } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) { hasImplementationVersion = true; foundSomething = true; 
@@ -733,19 +733,19 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) { foundSomething = true; dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.HIGH); - addMatchingValues(classInformation, value, dependency,EvidenceType.VENDOR); + addMatchingValues(classInformation, value, dependency, EvidenceType.VENDOR); } else if (key.equalsIgnoreCase(IMPLEMENTATION_VENDOR_ID)) { foundSomething = true; dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM); - addMatchingValues(classInformation, value, dependency,EvidenceType.VENDOR); + addMatchingValues(classInformation, value, dependency, EvidenceType.VENDOR); } else if (key.equalsIgnoreCase(BUNDLE_DESCRIPTION)) { foundSomething = true; addDescription(dependency, value, "manifest", key); - addMatchingValues(classInformation, value, dependency,EvidenceType.PRODUCT); + addMatchingValues(classInformation, value, dependency, EvidenceType.PRODUCT); } else if (key.equalsIgnoreCase(BUNDLE_NAME)) { foundSomething = true; dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM); - addMatchingValues(classInformation, value, dependency,EvidenceType.PRODUCT); + addMatchingValues(classInformation, value, dependency, EvidenceType.PRODUCT); // //the following caused false positives. // } else if (key.equalsIgnoreCase(BUNDLE_VENDOR)) { } else if (key.equalsIgnoreCase(BUNDLE_VERSION)) { 
@@ -785,19 +785,19 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { dependency.addEvidence(EvidenceType.VERSION, source, key, value, Confidence.MEDIUM); } else if (key.contains("title")) { dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM); - addMatchingValues(classInformation, value, dependency,EvidenceType.PRODUCT); + addMatchingValues(classInformation, value, dependency, EvidenceType.PRODUCT); } else if (key.contains("vendor")) { if (key.contains("specification")) { dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.LOW); } else { dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM); - addMatchingValues(classInformation, value, dependency,EvidenceType.VENDOR); + addMatchingValues(classInformation, value, dependency, EvidenceType.VENDOR); } } else if (key.contains("name")) { dependency.addEvidence(EvidenceType.PRODUCT, source, key, value, Confidence.MEDIUM); dependency.addEvidence(EvidenceType.VENDOR, source, key, value, Confidence.MEDIUM); - addMatchingValues(classInformation, value, dependency,EvidenceType.VENDOR); - addMatchingValues(classInformation, value, dependency,EvidenceType.PRODUCT); + addMatchingValues(classInformation, value, dependency, EvidenceType.VENDOR); + addMatchingValues(classInformation, value, dependency, EvidenceType.PRODUCT); } else if (key.contains("license")) { addLicense(dependency, value); } else if (key.contains("description")) { @@ -1080,6 +1080,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { * @param classes a collection of class name information * @param value the value to check to see if it contains a package name * @param dep the dependency to add new entries too + * @param type the type of evidence (vendor, product, or version) */ private static void addMatchingValues(List classes, String value, Dependency dep, EvidenceType type) { if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) { 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index f318269d4..f9b83008d 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java @@ -57,7 +57,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { private static final Logger LOGGER = LoggerFactory.getLogger(NodePackageAnalyzer.class); /** * A descriptor for the type of dependencies processed or added by this - * analyzer + * analyzer. */ public static final String DEPENDENCY_ECOSYSTEM = "npm"; /** diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java index 30c3834f3..17a11dec5 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java @@ -47,7 +47,7 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer { /** * A descriptor for the type of dependencies processed or added by this - * analyzer + * analyzer. */ public static final String DEPENDENCY_ECOSYSTEM = "NuGet"; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java index 1bf8f1d7a..ef2ed97d7 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java 
@@ -61,7 +61,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { /** * A descriptor for the type of dependencies processed or added by this - * analyzer + * analyzer. */ public static final String DEPENDENCY_ECOSYSTEM = "Python.Dist"; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java index 4a237b55e..ebfde0dd4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java @@ -50,7 +50,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { /** * A descriptor for the type of dependencies processed or added by this - * analyzer + * analyzer. */ public static final String DEPENDENCY_ECOSYSTEM = "Python.Pkg"; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java index c22335cdf..83108747a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java @@ -52,10 +52,11 @@ import org.owasp.dependencycheck.dependency.Dependency; public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer { /** - * A descriptor for the type of dependencies processed or added by this analyzer + * A descriptor for the type of dependencies processed or added by this + * analyzer. */ public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; - + /** * The name of the analyzer. */ 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index 436360eda..082d557ea 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java @@ -52,7 +52,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { /** * A descriptor for the type of dependencies processed or added by this - * analyzer + * analyzer. */ public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; /** diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java index 73953f535..90a3cddee 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java @@ -47,7 +47,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { /** * A descriptor for the type of dependencies processed or added by this - * analyzer + * analyzer. */ public static final String DEPENDENCY_ECOSYSTEM = "Swift.PM"; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java index 0db54763b..6b648eabf 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java 
@@ -73,8 +73,7 @@ public class CentralSearch { * Creates a NexusSearch for the given repository URL. * * @param settings the configured settings - * @throws MalformedURLException thrown if the configured URL is - * invalid + * @throws MalformedURLException thrown if the configured URL is invalid */ public CentralSearch(Settings settings) throws MalformedURLException { this.settings = settings; @@ -102,8 +101,7 @@ public class CentralSearch { * @param sha1 the SHA-1 hash string for which to search * @return the populated Maven GAV. * @throws FileNotFoundException if the specified artifact is not found - * @throws IOException if it's unable to connect to the specified - * repository + * @throws IOException if it's unable to connect to the specified repository */ public List searchSha1(String sha1) throws IOException { if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) { @@ -179,7 +177,7 @@ public class CentralSearch { throw new FileNotFoundException("Artifact not found in Central"); } } else { - String errorMessage = "Could not connect to MavenCentral (" + conn.getResponseCode() + "): " + conn.getResponseMessage(); + final String errorMessage = "Could not connect to MavenCentral (" + conn.getResponseCode() + "): " + conn.getResponseMessage(); throw new IOException(errorMessage); } return result; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java index 3075ea142..7c45b6fae 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java 
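Review bot: On the new `final String errorMessage` line, `conn.getResponseMessage()` is text supplied by the remote endpoint and is embedded verbatim into the IOException message, which the retry loop in `CentralAnalyzer` then wraps as a cause and which is likely to reach logs and reports; a misbehaving server or intermediary can put line breaks or misleading text into those records. Consider neutralising it before concatenation, e.g. `final String reason = String.valueOf(conn.getResponseMessage()).replaceAll("[\\r\\n]", " ");`, and treating the numeric status code as the authoritative part of the message. The `sha1` format check earlier in this file section is the right kind of boundary validation; this is the matching check on the response side.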
@@ -195,22 +195,23 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp /** * Method that split versions for '.', '|' and '-". Then if a token start * with a number and then contains letters, it will split it too. For - * example "12a" is splitted in ["12", "a"]. This is done to support correct + * example "12a" is split into ["12", "a"]. This is done to support correct * comparison of "5.0.3a", "5.0.9" and "5.0.30". * + * @param s the string to split * @return an Array of String containing the tokens to be compared */ private String[] split(String s) { - String[] splitted = s.split("(\\.|-)"); + final Pattern pattern = Pattern.compile("^([\\d]+?)(.*)$"); + final String[] splitted = s.split("(\\.|-)"); - ArrayList res = new ArrayList<>(); + final ArrayList res = new ArrayList<>(); for (String token : splitted) { if (token.matches("^[\\d]+?[A-z]+")) { - Pattern pattern = Pattern.compile("^([\\d]+?)(.*)$"); - Matcher matcher = pattern.matcher(token); + final Matcher matcher = pattern.matcher(token); matcher.find(); - String g1 = matcher.group(1); - String g2 = matcher.group(2); + final String g1 = matcher.group(1); + final String g2 = matcher.group(2); res.add(g1); res.add(g2); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/InitializationException.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/InitializationException.java index 866ccf3d9..23fd9293b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/InitializationException.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/InitializationException.java @@ -37,7 +37,7 @@ public class InitializationException extends Exception { private boolean fatal = true; /** - * Get the value of fatal + * Get the value of fatal. * * @return the value of fatal */ 
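Review bot: The hoisted `Pattern.compile("^([\\d]+?)(.*)$")` is still compiled on every call to `split`, which runs during version comparisons; the pattern has no per-call state, so it belongs in a `private static final Pattern` constant at class level rather than a local. `res` is declared as `final ArrayList` where `List` would do, in line with the program-to-interfaces convention used elsewhere in this module. Separately, the unchanged guard `token.matches("^[\\d]+?[A-z]+")` uses the range `[A-z]`, which also admits `[`, `\\`, `]`, `^`, `_` and backtick between `Z` and `a`; `[A-Za-z]` is almost certainly what was meant, though that predates this commit. `split` continues past the end of the hunk.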
@@ -46,7 +46,7 @@ public class InitializationException extends Exception { } /** - * Set the value of fatal + * Set the value of fatal. * * @param fatal new value of fatal */ diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/EvidenceMatcher.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/EvidenceMatcher.java index 05a59d5a5..c869b761a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/EvidenceMatcher.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/EvidenceMatcher.java @@ -22,11 +22,11 @@ import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Evidence; /** - * EvidenceMatcher can match one or more {@link Evidence}s. - * By using regular expressions for some fields and allowing omission of - * Evidence fields it can be used to match more than one occurrence of evidence - * to enable hints that work for a range of similar false positives/false negatives. - * + * EvidenceMatcher can match one or more {@link Evidence}s. By using regular + * expressions for some fields and allowing omission of Evidence fields it can + * be used to match more than one occurrence of evidence to enable hints that + * work for a range of similar false positives/false negatives. + * * The EvidenceMatcher is used for processing Evidences of a project's * dependencies in conjuction with the {@code } and {@code } * clauses of the hints file. @@ -41,8 +41,8 @@ public class EvidenceMatcher { private String name; /** - * The source that the {@link Evidence} should have for a match. - * A {@code null}-value is allowed and functions as a wildcard. + * The source that the {@link Evidence} should have for a match. A + * {@code null}-value is allowed and functions as a wildcard. */ private String source; 
@@ -55,23 +55,24 @@ public class EvidenceMatcher { * Whether the {@link EvidenceMatcher#value} should be interpreted as a * regular expression. */ - private boolean regex=false; + private boolean regex = false; - /** - * The confidence that the {@link Evidence} should have for a match. - * A {@code null}-value is allowed and functions as a wildcard. + * The confidence that the {@link Evidence} should have for a match. A + * {@code null}-value is allowed and functions as a wildcard. */ private Confidence confidence; /** * Creates a new EvidenceMatcher objects. * - * @param source the source of the evidence, a source that is {@code null} indicates any source should match. + * @param source the source of the evidence, a source that is {@code null} + * indicates any source should match. * @param name the non-{@code null} name of the evidence. * @param value the non-{@code null} value of the evidence. * @param regex whether value is a regex. - * @param confidence the confidence of the evidence, a confidence that is {@code null} indicates any confidence should match. + * @param confidence the confidence of the evidence, a confidence that is + * {@code null} indicates any confidence should match. */ public EvidenceMatcher(String source, String name, String value, boolean regex, Confidence confidence) { this.source = source; @@ -83,11 +84,12 @@ public class EvidenceMatcher { /** * Tests whether the given Evidence matches this EvidenceMatcher. - * @param evidence - * @return whehter the evidence matches this matcher. + * + * @param evidence the evidence to match + * @return whether the evidence matches this matcher */ public boolean matches(Evidence evidence) { - return sourceMatches(evidence) + return sourceMatches(evidence) && confidenceMatches(evidence) && name.equalsIgnoreCase(evidence.getName()) && valueMatches(evidence); 
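Review bot: The reflowed constructor Javadoc states that `name` and `value` are non-null, but the constructor body (which continues past the hunk) only assigns the fields, so a `null` name fails later in `matches` with a NullPointerException from `name.equalsIgnoreCase(...)` rather than at construction. Enforcing the documented contract at the boundary, `this.name = Objects.requireNonNull(name, "name");` and `this.value = Objects.requireNonNull(value, "value");`, gives a clear failure when the hints input is malformed; this assumes the values originate from the hints parser, which is not shown here, and needs `java.util.Objects` imported if it is not already. Add `@throws NullPointerException if name or value is null` to the Javadoc alongside.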
@@ -100,11 +102,13 @@ public class EvidenceMatcher { */ @Override public String toString() { - return "HintEvidenceMatcher{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence + ", regex=" + regex +'}'; + return "HintEvidenceMatcher{" + "name=" + name + ", source=" + source + ", value=" + value + + ", confidence=" + confidence + ", regex=" + regex + '}'; } /** * package-private getter to allow testability of the parser without mocking + * * @return The name property */ String getName() { @@ -113,6 +117,7 @@ public class EvidenceMatcher { /** * package-private getter to allow testability of the parser without mocking + * * @return The source property */ String getSource() { @@ -121,6 +126,7 @@ public class EvidenceMatcher { /** * package-private getter to allow testability of the parser without mocking + * * @return The value property */ String getValue() { @@ -129,6 +135,7 @@ public class EvidenceMatcher { /** * package-private getter to allow testability of the parser without mocking + * * @return The regex property */ boolean isRegex() { @@ -137,6 +144,7 @@ public class EvidenceMatcher { /** * package-private getter to allow testability of the parser without mocking + * * @return The confidence property */ Confidence getConfidence() { 
@@ -144,13 +152,17 @@ public class EvidenceMatcher { } /** - * Checks whether the value of the evidence matches this matcher. - * When {@link #isRegEx()} is {@code true} value is used as a - * {@link java.util.regex.Pattern} that it should match. Otherwise the - * value must be case-insensitive equal to the evidence's value. - * + * Checks whether the value of the evidence matches this matcher. When + * {@link #isRegEx()} is {@code true} value is used as a + * {@link java.util.regex.Pattern} that it should match. Otherwise the value + * must be case-insensitive equal to the evidence's value. + * * Uses {@link Evidence#getValue(java.lang.Boolean) to avoid setting * evidences to used while just checking for a match. + * + * @param evidence the evidence to match + * @return true if the evidence matches; otherwise + * false */ private boolean valueMatches(Evidence evidence) { boolean result; 
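Review bot: The reflowed Javadoc for `valueMatches` still references `{@link #isRegEx()}`, but the accessor defined in this class is `isRegex()`, so the link will not resolve; and the unchanged line `Uses {@link Evidence#getValue(java.lang.Boolean) to avoid` never closes the `{@link ...}` tag, which javadoc reports as an error in the same comment block. Change the reference to `{@link #isRegex()}` and close the tag as `{@link Evidence#getValue(java.lang.Boolean)} to avoid`. The body of `valueMatches` continues outside the hunk, so the regex path the comment describes cannot be checked here.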
@@ -163,30 +175,30 @@ public class EvidenceMatcher { } /** - * Checks whether the source of the evidence matches this matcher. - * If our source is {@code null} any source in the evidence matches. - * Otherwise the source in the evidence must be case-insensitive equal to - * our source. + * Checks whether the source of the evidence matches this matcher. If our + * source is {@code null} any source in the evidence matches. Otherwise the + * source in the evidence must be case-insensitive equal to our source. * * @param evidence The evidence to inspect - * @return {@code true} is the source of the evidence matches, false otherwise. + * @return {@code true} is the source of the evidence matches, false + * otherwise. */ private boolean sourceMatches(Evidence evidence) { return this.source == null || source.equalsIgnoreCase(evidence.getSource()); } - + /** - * Checks whether the confidence of the evidence matches this matcher. - * If our confidence is {@code null} any confidence in the evidence matches. + * Checks whether the confidence of the evidence matches this matcher. If + * our confidence is {@code null} any confidence in the evidence matches. * Otherwise the confidence in the evidence must be exactly equal to our * confidence. * * @param evidence The evidence to inspect - * @return {@code true} is the confidence of the evidence matches, false otherwise. + * @return {@code true} is the confidence of the evidence matches, false + * otherwise. */ private boolean confidenceMatches(Evidence evidence) { return this.confidence == null || confidence.equals(evidence.getConfidence()); } - - + } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java index 3a52a769b..6dd34a6dc 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java 
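Review bot: Both reflowed `@return` tags still read `{@code true} is the source of the evidence matches` and `{@code true} is the confidence of the evidence matches`; the wording should be `{@code true} if the source of the evidence matches, false otherwise.` and likewise for confidence. Otherwise `sourceMatches` and `confidenceMatches` are straightforward null-as-wildcard comparisons and read correctly as documented.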
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java @@ -50,18 +50,20 @@ public class CentralAnalyzerTest { @Test @SuppressWarnings("PMD.NonStaticInitializer") public void testFetchMavenArtifactsWithoutException(@Mocked final CentralSearch centralSearch, - @Mocked final Dependency dependency) + @Mocked final Dependency dependency) throws IOException { CentralAnalyzer instance = new CentralAnalyzer(); - instance.searcher = centralSearch; + instance.setCentralSearch(centralSearch); specifySha1SumFor(dependency); final List expectedMavenArtifacts = Collections.emptyList(); - new Expectations() {{ - centralSearch.searchSha1(SHA1_SUM); - returns(expectedMavenArtifacts); - }}; + new Expectations() { + { + centralSearch.searchSha1(SHA1_SUM); + returns(expectedMavenArtifacts); + } + }; final List actualMavenArtifacts = instance.fetchMavenArtifacts(dependency); 
@@ -71,20 +73,22 @@ public class CentralAnalyzerTest { @Test @SuppressWarnings("PMD.NonStaticInitializer") public void testFetchMavenArtifactsWithSporadicIOException(@Mocked final CentralSearch centralSearch, - @Mocked final Dependency dependency) + @Mocked final Dependency dependency) throws IOException { CentralAnalyzer instance = new CentralAnalyzer(); - instance.searcher = centralSearch; + instance.setCentralSearch(centralSearch); specifySha1SumFor(dependency); final List expectedMavenArtifacts = Collections.emptyList(); - new Expectations() {{ - centralSearch.searchSha1(SHA1_SUM); - result = new IOException("Could not connect to MavenCentral (500): Internal Server Error"); - result = new IOException("Could not connect to MavenCentral (500): Internal Server Error"); - result = expectedMavenArtifacts; - }}; + new Expectations() { + { + centralSearch.searchSha1(SHA1_SUM); + result = new IOException("Could not connect to MavenCentral (500): Internal Server Error"); + result = new IOException("Could not connect to MavenCentral (500): Internal Server Error"); + result = expectedMavenArtifacts; + } + }; final List actualMavenArtifacts = instance.fetchMavenArtifacts(dependency); 
@@ -94,17 +98,19 @@ public class CentralAnalyzerTest { @Test(expected = FileNotFoundException.class) @SuppressWarnings("PMD.NonStaticInitializer") public void testFetchMavenArtifactsRethrowsFileNotFoundException(@Mocked final CentralSearch centralSearch, - @Mocked final Dependency dependency) + @Mocked final Dependency dependency) throws IOException { CentralAnalyzer instance = new CentralAnalyzer(); - instance.searcher = centralSearch; + instance.setCentralSearch(centralSearch); specifySha1SumFor(dependency); - new Expectations() {{ - centralSearch.searchSha1(SHA1_SUM); - result = new FileNotFoundException("Artifact not found in Central"); - }}; + new Expectations() { + { + centralSearch.searchSha1(SHA1_SUM); + result = new FileNotFoundException("Artifact not found in Central"); + } + }; instance.fetchMavenArtifacts(dependency); } 
@@ -112,35 +118,39 @@ public class CentralAnalyzerTest { @Test(expected = IOException.class) @SuppressWarnings("PMD.NonStaticInitializer") public void testFetchMavenArtifactsAlwaysThrowsIOException(@Mocked final CentralSearch centralSearch, - @Mocked final Dependency dependency) + @Mocked final Dependency dependency) throws IOException { CentralAnalyzer instance = new CentralAnalyzer(); - instance.searcher = centralSearch; + instance.setCentralSearch(centralSearch); specifySha1SumFor(dependency); - new Expectations() {{ - centralSearch.searchSha1(SHA1_SUM); - result = new IOException("no internet connection"); - }}; + new Expectations() { + { + centralSearch.searchSha1(SHA1_SUM); + result = new IOException("no internet connection"); + } + }; instance.fetchMavenArtifacts(dependency); } @Test(expected = AnalysisException.class) @SuppressWarnings("PMD.NonStaticInitializer") - public void testFetchMavenArtifactsAlwaysThrowsIOExceptionLetsTheAnalysisFail(@Mocked final CentralSearch centralSearch, - @Mocked final Dependency dependency) + public void testFetchMavenArtifactsAlwaysThrowsIOExceptionLetsTheAnalysisFail( + @Mocked final CentralSearch centralSearch, @Mocked final Dependency dependency) throws AnalysisException, IOException { CentralAnalyzer instance = new CentralAnalyzer(); - instance.searcher = centralSearch; + instance.setCentralSearch(centralSearch); specifySha1SumFor(dependency); - new Expectations() {{ - centralSearch.searchSha1(SHA1_SUM); - result = new IOException("no internet connection"); - }}; + new Expectations() { + { + centralSearch.searchSha1(SHA1_SUM); + result = new IOException("no internet connection"); + } + }; instance.analyze(dependency, null); } 
@@ -164,9 +174,11 @@ public class CentralAnalyzerTest {
 */
 @SuppressWarnings("PMD.NonStaticInitializer")
 private void specifySha1SumFor(final Dependency dependency) {
- new Expectations() {{
- dependency.getSha1sum();
- returns(SHA1_SUM);
- }};
+ new Expectations() {
+ {
+ dependency.getSha1sum();
+ returns(SHA1_SUM);
+ }
+ };
 }
 }
diff --git a/src/main/config/checkstyle-header.txt b/src/main/config/checkstyle-header.txt
index 8d34b1ad4..a7c174a1b 100644
--- a/src/main/config/checkstyle-header.txt
+++ b/src/main/config/checkstyle-header.txt
@@ -13,6 +13,6 @@
 ^ \* See the License for the specific language governing permissions and\s*$
 ^ \* limitations under the License\.\s*$
 ^ \*\s*$
-^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|Josh Cain|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
+^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|Josh Cain|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses|Hans Aikema)\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package
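Review bot: The rewritten copyright line keeps the year pattern `201[0-9]`, so the header check will start rejecting otherwise valid headers from 2020 onward while this list of holders keeps growing. If the intent is to accept any plausible year, a wider pattern such as `20[0-9][0-9]` avoids a future breakage that would block every new file. Adding the new holder name itself looks correct.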