additional looping corrections in determineCPE() to break early if an identifier is found

Former-commit-id: 4ec4ffe598d9870a793da8980bb863633c1967d7
Jeremy Long
2014-09-06 19:09:38 -04:00
parent 922d53d2e4
commit e58fc13fdb


@@ -170,11 +170,10 @@ public class CPEAnalyzer implements Analyzer {
* @throws ParseException is thrown when the Lucene query cannot be parsed. * @throws ParseException is thrown when the Lucene query cannot be parsed.
*/ */
protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException { protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
Confidence confidence = Confidence.HIGHEST; //TODO test dojo-war against this. we shold get dojo-toolkit:dojo-toolkit AND dojo-toolkit:toolkit
String vendors = ""; String vendors = "";
String products = ""; String products = "";
for (Confidence l : Confidence.values()) { for (Confidence confidence : Confidence.values()) {
if (dependency.getVendorEvidence().contains(confidence)) { if (dependency.getVendorEvidence().contains(confidence)) {
vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence); vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
} }
@@ -190,15 +189,18 @@ public class CPEAnalyzer implements Analyzer {
final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(), final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
dependency.getVendorEvidence().getWeighting()); dependency.getVendorEvidence().getWeighting());
boolean identifierAdded = false;
for (IndexEntry e : entries) { for (IndexEntry e : entries) {
if (verifyEntry(e, dependency)) { if (verifyEntry(e, dependency)) {
final String vendor = e.getVendor(); final String vendor = e.getVendor();
final String product = e.getProduct(); final String product = e.getProduct();
determineIdentifiers(dependency, vendor, product); identifierAdded |= determineIdentifiers(dependency, vendor, product);
} }
} }
if (identifierAdded) {
break;
}
} }
confidence = reduceConfidence(confidence);
} }
} }
@@ -234,22 +236,6 @@ public class CPEAnalyzer implements Analyzer {
return sb.toString().trim(); return sb.toString().trim();
} }
/**
* Reduces the given confidence by one level. This returns LOW if the confidence passed in is not HIGH.
*
* @param c the confidence to reduce.
* @return One less then the confidence passed in.
*/
private Confidence reduceConfidence(final Confidence c) {
if (c == Confidence.HIGHEST) {
return Confidence.HIGH;
} else if (c == Confidence.HIGH) {
return Confidence.MEDIUM;
} else {
return Confidence.LOW;
}
}
/** /**
* <p> * <p>
* Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and * Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and
@@ -503,9 +489,10 @@ public class CPEAnalyzer implements Analyzer {
* @param dependency the Dependency being analyzed * @param dependency the Dependency being analyzed
* @param vendor the vendor for the CPE being analyzed * @param vendor the vendor for the CPE being analyzed
* @param product the product for the CPE being analyzed * @param product the product for the CPE being analyzed
* @return <code>true</code> if an identifier was added to the dependency; otherwise <code>false</code>
* @throws UnsupportedEncodingException is thrown if UTF-8 is not supported * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
*/ */
private void determineIdentifiers(Dependency dependency, String vendor, String product) throws UnsupportedEncodingException { private boolean determineIdentifiers(Dependency dependency, String vendor, String product) throws UnsupportedEncodingException {
final Set<VulnerableSoftware> cpes = cve.getCPEs(vendor, product); final Set<VulnerableSoftware> cpes = cve.getCPEs(vendor, product);
DependencyVersion bestGuess = new DependencyVersion("-"); DependencyVersion bestGuess = new DependencyVersion("-");
Confidence bestGuessConf = null; Confidence bestGuessConf = null;
@@ -561,6 +548,7 @@ public class CPEAnalyzer implements Analyzer {
Collections.sort(collected); Collections.sort(collected);
final IdentifierConfidence bestIdentifierQuality = collected.get(0).getConfidence(); final IdentifierConfidence bestIdentifierQuality = collected.get(0).getConfidence();
final Confidence bestEvidenceQuality = collected.get(0).getEvidenceConfidence(); final Confidence bestEvidenceQuality = collected.get(0).getEvidenceConfidence();
boolean identifierAdded = false;
for (IdentifierMatch m : collected) { for (IdentifierMatch m : collected) {
if (bestIdentifierQuality.equals(m.getConfidence()) if (bestIdentifierQuality.equals(m.getConfidence())
&& bestEvidenceQuality.equals(m.getEvidenceConfidence())) { && bestEvidenceQuality.equals(m.getEvidenceConfidence())) {
@@ -571,8 +559,10 @@ public class CPEAnalyzer implements Analyzer {
i.setConfidence(bestEvidenceQuality); i.setConfidence(bestEvidenceQuality);
} }
dependency.addIdentifier(i); dependency.addIdentifier(i);
identifierAdded = true;
} }
} }
return identifierAdded;
} }
/** /**
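Review bot: The new `if (identifierAdded) { break; }` in determineCPE() stops descending through confidence levels as soon as the highest level that yields a verified entry adds one identifier, so vendor/product terms from lower-confidence evidence are never appended to `vendors`/`products` and never searched; a dependency that legitimately maps to more than one CPE (the removed TODO on the `Confidence confidence = Confidence.HIGHEST;` line expects both dojo-toolkit:dojo-toolkit and dojo-toolkit:toolkit for dojo-war) can now end up with only one, and vulnerabilities recorded under the other CPE would be missed, which is a recall-reducing change for a vulnerability scanner. The trade-off should at least be stated at the break, e.g. `// stop at the first confidence level that yields an identifier; lower-confidence terms only widen the query and mainly add false positives`, and a unit test on the dojo-war case from that TODO would pin whether losing the second CPE is accepted. Note that `identifierAdded |= determineIdentifiers(...)` correctly keeps processing every verified entry at the successful level because `|=` does not short-circuit, so the change only affects lower levels. The enclosing loop and the braces that close it extend outside the hunk, so which loop the `break` exits is inferred from indentation only.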