diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/PropertyType.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/PropertyType.java
index eb3b52050..23046ef78 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/PropertyType.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/PropertyType.java
@@ -80,7 +80,7 @@ public class PropertyType {
     /**
      * Indicates case sensitivity.
      */
-    protected boolean caseSensitive = false;
+    private boolean caseSensitive = false;
     /**
      * Gets the value of the caseSensitive property.
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionErrorHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionErrorHandler.java
index cfc2710b8..38c10b08d 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionErrorHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionErrorHandler.java
@@ -1,6 +1,20 @@
 /*
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
 
 package org.owasp.dependencycheck.suppression;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
index 2acab08f7..5c17859b9 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
@@ -65,7 +65,7 @@ public class SuppressionHandler extends DefaultHandler {
     private List supressionRules = new ArrayList();
 
     /**
-     * Get the value of supressionRules
+     * Get the value of supressionRules.
      *
      * @return the value of supressionRules
      */
@@ -120,19 +120,19 @@ public class SuppressionHandler extends DefaultHandler {
             supressionRules.add(rule);
             rule = null;
         } else if (FILE_PATH.equals(qName)) {
-            PropertyType pt = processPropertyType();
+            final PropertyType pt = processPropertyType();
             rule.setFilePath(pt);
         } else if (SHA1.equals(qName)) {
             rule.setSha1(currentText.toString());
         } else if (CPE.equals(qName)) {
-            PropertyType pt = processPropertyType();
+            final PropertyType pt = processPropertyType();
             rule.addCpe(pt);
         } else if (CWE.equals(qName)) {
             rule.addCwe(currentText.toString());
         } else if (CVE.equals(qName)) {
             rule.addCve(currentText.toString());
         } else if (CVSS_BELOW.equals(qName)) {
-            float cvss = Float.parseFloat(currentText.toString());
+            final float cvss = Float.parseFloat(currentText.toString());
         }
     }
 
@@ -156,7 +156,7 @@ public class SuppressionHandler extends DefaultHandler {
      * @return a PropertyType object
      */
     private PropertyType processPropertyType() {
-        PropertyType pt = new PropertyType();
+        final PropertyType pt = new PropertyType();
         pt.setValue(currentText.toString());
         if (currentAttributes != null && currentAttributes.getLength() > 0) {
             final String regex = currentAttributes.getValue("regex");
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
index 464039869..0bfc0756f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
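Review bot: In the CVSS_BELOW branch the parsed value is never stored — `final float cvss = Float.parseFloat(currentText.toString());` is assigned and then discarded, so a cvssBelow element in the suppression file never reaches the rule being built, even though SuppressionRule carries a `cvssBelow` list with a setter. Presumably the intent is a call on `rule` analogous to the `rule.addCve(...)` branch above it, e.g. `rule.addCvssBelow(cvss);` (constructed name — use whatever SuppressionRule actually exposes, or accumulate into the list passed to `setCvssBelow`). A non-numeric element body also escapes this SAX callback as an unchecked NumberFormatException rather than the SuppressionParseException the parser's callers handle; wrapping it would give a clearer failure. endElement starts before this hunk.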
@@ -43,17 +43,17 @@ import org.xml.sax.XMLReader;
 public class SuppressionParser {
 
     /**
-     * JAXP Schema Language, source:
+     * JAXP Schema Language. Source:
      * http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
      */
     public static final String JAXP_SCHEMA_LANGUAGE = "http://java.sun.com/xml/jaxp/properties/schemaLanguage";
     /**
-     * W3C XML Schema, source:
+     * W3C XML Schema. Source:
      * http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
      */
     public static final String W3C_XML_SCHEMA = "http://www.w3.org/2001/XMLSchema";
     /**
-     * JAXP Schema Source, source:
+     * JAXP Schema Source. Source:
      * http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
      */
     public static final String JAXP_SCHEMA_SOURCE = "http://java.sun.com/xml/jaxp/properties/schemaSource";
@@ -68,22 +68,22 @@ public class SuppressionParser {
      */
     public List parseSuppressionRules(File file) throws SuppressionParseException {
         try {
-            File schema = new File(this.getClass().getClassLoader().getResource("schema/suppression.xsd").getPath());
-            SuppressionHandler handler = new SuppressionHandler();
+            final File schema = new File(this.getClass().getClassLoader().getResource("schema/suppression.xsd").getPath());
+            final SuppressionHandler handler = new SuppressionHandler();
 
-            SAXParserFactory factory = SAXParserFactory.newInstance();
+            final SAXParserFactory factory = SAXParserFactory.newInstance();
             factory.setNamespaceAware(true);
             factory.setValidating(true);
-            SAXParser saxParser = factory.newSAXParser();
+            final SAXParser saxParser = factory.newSAXParser();
             saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_LANGUAGE, SuppressionParser.W3C_XML_SCHEMA);
             saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_SOURCE, schema);
 
-            XMLReader xmlReader = saxParser.getXMLReader();
+            final XMLReader xmlReader = saxParser.getXMLReader();
             xmlReader.setErrorHandler(new SuppressionErrorHandler());
             xmlReader.setContentHandler(handler);
 
-            InputStream inputStream = new FileInputStream(file);
-            Reader reader = new InputStreamReader(inputStream); //, "UTF-8");
-            InputSource in = new InputSource(reader);
+            final InputStream inputStream = new FileInputStream(file);
+            final Reader reader = new InputStreamReader(inputStream); //, "UTF-8");
+            final InputSource in = new InputSource(reader);
             //in.setEncoding("UTF-8");
             xmlReader.parse(in);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
index e8ce2b061..56d427066 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
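Review bot: The SAX parser is built with factory defaults, so DTD processing and external entity resolution stay enabled for a suppression file that comes from outside the program (a file shared through a build or a repository); the validation configured here is XSD-based and does not need a DTD, so entity expansion should be switched off. After `factory.setValidating(true);` add `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);` (and, since no DTD is needed, `"http://apache.org/xml/features/disallow-doctype-decl"` set to true); `setFeature` throws checked exceptions that the surrounding try must cover, and `javax.xml.XMLConstants` needs importing. The `FileInputStream` opened for `in` is never closed on any path visible in the hunk, and wrapping it in an `InputStreamReader` with the platform default charset overrides the encoding the XML declaration would otherwise supply — passing the stream directly as `new InputSource(inputStream)` and closing it in a finally block addresses both. `new File(getResource(...).getPath())` also only works while the schema is on the filesystem; when the class is loaded from a jar that path is not a file, so passing the resource stream or URL as the schema source is more robust.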
@@ -121,7 +121,7 @@ public class SuppressionRule {
     private List cvssBelow = new ArrayList();
 
     /**
-     * Get the value of cvssBelow
+     * Get the value of cvssBelow.
      *
      * @return the value of cvssBelow
      */
@@ -130,7 +130,7 @@ public class SuppressionRule {
     }
 
     /**
-     * Set the value of cvssBelow
+     * Set the value of cvssBelow.
      *
      * @param cvssBelow new value of cvssBelow
      */
@@ -236,6 +236,13 @@ public class SuppressionRule {
         return cve.size() > 0;
     }
 
+    /**
+     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS
+     * scores should be suppressed. If any should be, they are removed from the
+     * dependency.
+     *
+     * @param dependency a project dependency to analyze
+     */
     public void process(Dependency dependency) {
         if (filePath != null && !filePath.matches(dependency.getFilePath())) {
             return;
@@ -244,9 +251,9 @@ public class SuppressionRule {
             return;
         }
         if (this.hasCpe()) {
-            Iterator itr = dependency.getIdentifiers().iterator();
+            final Iterator itr = dependency.getIdentifiers().iterator();
             while (itr.hasNext()) {
-                Identifier i = itr.next();
+                final Identifier i = itr.next();
                 for (PropertyType c : this.cpe) {
                     if (cpeMatches(c, i)) {
                         itr.remove();
@@ -256,10 +263,10 @@ public class SuppressionRule {
             }
         }
         if (hasCve() || hasCwe() || hasCvssBelow()) {
-            Iterator itr = dependency.getVulnerabilities().iterator();
+            final Iterator itr = dependency.getVulnerabilities().iterator();
             boolean remove = false;
             while (!remove && itr.hasNext()) {
-                Vulnerability v = itr.next();
+                final Vulnerability v = itr.next();
                 for (String entry : this.cve) {
                     if (entry.equalsIgnoreCase(v.getName())) {
                         remove = true;
@@ -293,6 +300,14 @@ public class SuppressionRule {
         }
     }
 
+    /**
+     * Identifies if the cpe specified by the cpe suppression rule does not
+     * specify a version.
+     *
+     * @param c a suppression rule identifier
+     * @return true if the property type does not specify a version; otherwise
+     * false
+     */
     boolean cpeHasNoVersion(PropertyType c) {
         if (c.isRegex()) {
             return false;
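Review bot: In the vulnerability loop of process(), the guard `while (!remove && itr.hasNext())` stops iterating after the first match, so a rule listing several CVEs (or a cvssBelow threshold that several vulnerabilities fall under) can suppress at most one vulnerability per call; unless the code after the hunk iterates again, the removal belongs inside the loop with the flag reset per element, e.g. `if (remove) { itr.remove(); remove = false; }` at the end of the while body, and the `!remove` condition dropped. In the CPE loop above it, `itr.remove()` runs inside `for (PropertyType c : this.cpe)`, so if a second entry also matches the same identifier the second `itr.remove()` throws IllegalStateException — a `break` after the remove is needed if one is not already present in the lines following the hunk. Both `Iterator itr` declarations are raw types; `Iterator<Identifier>` and `Iterator<Vulnerability>` would remove the implicit casts on `itr.next()`, assuming `getIdentifiers()` and `getVulnerabilities()` return typed collections. process() continues past the end of the hunk.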
@@ -303,6 +318,14 @@ public class SuppressionRule {
         return false;
     }
 
+    /**
+     * Counts the number of occurrences of the character found within the
+     * string.
+     *
+     * @param str the string to check
+     * @param c the character to count
+     * @return the number of times the character is found in the string
+     */
     int countCharacter(String str, char c) {
         int count = 0;
         int pos = str.indexOf(c) + 1;
@@ -313,6 +336,14 @@ public class SuppressionRule {
         return count;
     }
 
+    /**
+     * Determines if the cpeEntry specified as a PropertyType matches the given
+     * Identifier.
+     *
+     * @param cpeEntry a suppression rule entry
+     * @param identifier a CPE identifier to check
+     * @return true if the entry matches; otherwise false
+     */
     boolean cpeMatches(PropertyType cpeEntry, Identifier identifier) {
         if (cpeEntry.matches(identifier.getValue())) {
             return true;
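Review bot: `countCharacter` reads no instance state in the lines shown, so it can be declared `static int countCharacter(String str, char c)`; it and `cpeMatches` are package-private, and if that is only so unit tests can reach them a comment such as `// package-private for testing` on each would make the intent explicit. The new Javadoc on `countCharacter` does not mention that a null `str` fails at `str.indexOf(c)`; either add `@throws NullPointerException if str is null` or guard for it. The bodies of countCharacter and cpeMatches continue past the hunk.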