From e58fc13fdb7a2c2c14ebbc3f9023c3a2d06f41ff Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sat, 6 Sep 2014 19:09:38 -0400
Subject: [PATCH] additional looping corrections in determineCPE() to break early if an identifier is found

Former-commit-id: 4ec4ffe598d9870a793da8980bb863633c1967d7
---
 .../dependencycheck/analyzer/CPEAnalyzer.java | 34 +++++++------------
 1 file changed, 12 insertions(+), 22 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
index 9bd2ff972..a9f069ca2 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -170,11 +170,10 @@ public class CPEAnalyzer implements Analyzer {
 * @throws ParseException is thrown when the Lucene query cannot be parsed.
 */
 protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
- Confidence confidence = Confidence.HIGHEST;
-
+ //TODO test dojo-war against this. we shold get dojo-toolkit:dojo-toolkit AND dojo-toolkit:toolkit
 String vendors = "";
 String products = "";
- for (Confidence l : Confidence.values()) {
+ for (Confidence confidence : Confidence.values()) {
 if (dependency.getVendorEvidence().contains(confidence)) {
 vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
 }
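Review bot: The comment `//TODO test dojo-war against this. we shold get dojo-toolkit:dojo-toolkit AND dojo-toolkit:toolkit` added at the top of determineCPE is a test reminder left in production code and carries a typo ("shold"); either track it in an issue or reword it so the next reader knows what is expected, e.g. `// TODO: verify against dojo-war; expected identifiers are dojo-toolkit:dojo-toolkit and dojo-toolkit:toolkit`. Renaming the loop variable from `l` to `confidence` does make the body use the iterated level directly, which is clearer than the old counter it replaces. determineCPE continues past the end of this hunk.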
@@ -190,15 +189,18 @@ public class CPEAnalyzer implements Analyzer {
 final List entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(), dependency.getVendorEvidence().getWeighting());
+ boolean identifierAdded = false;
 for (IndexEntry e : entries) {
 if (verifyEntry(e, dependency)) {
 final String vendor = e.getVendor();
 final String product = e.getProduct();
- determineIdentifiers(dependency, vendor, product);
+ identifierAdded |= determineIdentifiers(dependency, vendor, product);
 }
 }
+ if (identifierAdded) {
+ break;
+ }
 }
- confidence = reduceConfidence(confidence);
 }
 }
@@ -234,22 +236,6 @@ public class CPEAnalyzer implements Analyzer {
 return sb.toString().trim();
 }
- /**
- * Reduces the given confidence by one level. This returns LOW if the confidence passed in is not HIGH.
- *
- * @param c the confidence to reduce.
- * @return One less then the confidence passed in.
- */
- private Confidence reduceConfidence(final Confidence c) {
- if (c == Confidence.HIGHEST) {
- return Confidence.HIGH;
- } else if (c == Confidence.HIGH) {
- return Confidence.MEDIUM;
- } else {
- return Confidence.LOW;
- }
- }
-
 /** *
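Review bot: The new `break` after the inner loop makes the result depend on `Confidence.values()` being declared from HIGHEST downward (the order the removed reduceConfidence walked): the first level that yields an identifier wins and every lower level is skipped, so reordering the enum constants would silently change which evidence tier is used, and nothing in the hunk records that assumption. A comment on the `if (identifierAdded)` line would pin it down, e.g. `// Confidence.values() is iterated HIGHEST..LOW; stop at the first tier that yields an identifier so weaker evidence cannot add competing CPEs`. It is also worth stating there that the early exit intentionally trades possible misses at lower-confidence tiers for fewer spurious matches, because in a vulnerable-dependency scanner a skipped CPE is a silent false negative. determineCPE starts before this hunk.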

 * Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and
@@ -503,9 +489,10 @@ public class CPEAnalyzer implements Analyzer {
 * @param dependency the Dependency being analyzed
 * @param vendor the vendor for the CPE being analyzed
 * @param product the product for the CPE being analyzed
+ * @return true if an identifier was added to the dependency; otherwise false
 * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
 */
- private void determineIdentifiers(Dependency dependency, String vendor, String product) throws UnsupportedEncodingException {
+ private boolean determineIdentifiers(Dependency dependency, String vendor, String product) throws UnsupportedEncodingException {
 final Set cpes = cve.getCPEs(vendor, product);
 DependencyVersion bestGuess = new DependencyVersion("-");
 Confidence bestGuessConf = null;
@@ -561,6 +548,7 @@ public class CPEAnalyzer implements Analyzer {
 Collections.sort(collected);
 final IdentifierConfidence bestIdentifierQuality = collected.get(0).getConfidence();
 final Confidence bestEvidenceQuality = collected.get(0).getEvidenceConfidence();
+ boolean identifierAdded = false;
 for (IdentifierMatch m : collected) {
 if (bestIdentifierQuality.equals(m.getConfidence()) && bestEvidenceQuality.equals(m.getEvidenceConfidence())) {
@@ -571,8 +559,10 @@ public class CPEAnalyzer implements Analyzer {
 i.setConfidence(bestEvidenceQuality);
 }
 dependency.addIdentifier(i);
+ identifierAdded = true;
 }
 }
+ return identifierAdded;
 }
 /**
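Review bot: In the `@@ -561,6 +548,7 @@` hunk, `boolean identifierAdded = false;` is declared after the two `collected.get(0)` reads, so if `collected` can be empty at this point the method throws before the flag exists instead of returning `false`; whatever guards that case sits above the hunk, outside this view, and now needs to `return false` explicitly so determineCPE sees a clean negative rather than an exception. The flag is then set on every `dependency.addIdentifier(i)` in the following hunk and returned after the loop, which is consistent with the `@return` added to the Javadoc. determineIdentifiers begins and continues outside these hunks.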