general cleanup/enhancement

Former-commit-id: 0a3daf5bd7149a02716bfd9af7e6536687184352
This commit is contained in:
jeremylong
2012-09-29 14:15:37 -04:00
parent ff3be5ccf5
commit e80408d4c2
8 changed files with 93 additions and 76 deletions

17
pom.xml

@@ -157,22 +157,21 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses/>.
<packageLineRate>85</packageLineRate>
<packageBranchRate>85</packageBranchRate>
<regexes>
<regex>
<pattern>org.codesecure.dependencycheck.cpe.CPEEntry</pattern>
<branchRate>60</branchRate>
<lineRate>60</lineRate>
</regex>
<regex>
<pattern>.*\$.*</pattern>
<branchRate>0</branchRate>
<lineRate>0</lineRate>
</regex>
<regex>
<pattern>org.codesecure.dependencycheck.store.CPEFields</pattern>
<pattern>org.codesecure.dependencycheck.data.cpe.Fields</pattern>
<branchRate>0</branchRate>
<lineRate>0</lineRate>
</regex>
<regex>
<pattern>org.codesecure.dependencycheck.App</pattern>
<branchRate>0</branchRate>
<lineRate>0</lineRate>
</regex>
<regex>
<pattern>org.codesecure.dependencycheck.utils.SSDeep</pattern>
<branchRate>0</branchRate>
@@ -203,11 +202,11 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses/>.
</property>
<property>
<name>cve</name>
<value>${project.build.directory}/store/cve</value>
<value>${project.build.directory}/data/cve</value>
</property>
<property>
<name>cpe</name>
<value>${project.build.directory}/store/cpe</value>
<value>${project.build.directory}/data/cpe</value>
</property>
</systemProperties>
</configuration>


@@ -18,8 +18,8 @@ package org.codesecure.dependencycheck.analyzer;
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
import org.codesecure.dependencycheck.dependency.Dependency;
import java.util.Set;
import org.codesecure.dependencycheck.dependency.Dependency;
/**
* An interface that defines an Analyzer that is used to identify Dependencies.
@@ -33,8 +33,8 @@ public interface Analyzer {
/**
* Analyzes the given dependency. The analysis could be anything from identifying
* an Idenifier for the dependency, to finding vulnerabilities, etc. Additionally,
* if the analyzer collects enough information to add a description for the dependency
* one should be added.
* if the analyzer collects enough information to add a description or license
* information for the dependency it should be added.
*
* @param dependency a dependency to analyze.
* @throws AnalysisException is thrown if there is an error analyzing the dependency file
@@ -43,7 +43,7 @@ public interface Analyzer {
/**
* <p>Returns a list of supported file extensions. An example would be an analyzer
* that inpected java jar files. The getSupportedExtensions function would return
* that inspected java jar files. The getSupportedExtensions function would return
* a set with a single element "jar".</p>
*
* <p><b>Note:</b> when implementing this the extensions returned MUST be lowercase.</p>


@@ -32,12 +32,17 @@ import java.util.jar.Manifest;
/**
*
* Used to load a JAR file and collect information that can be used to determine the associated CPE.
* Used to load a JAR file and collect information that can be used to determine
* the associated CPE.
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class JarAnalyzer extends AbstractAnalyzer {
/**
* The system independent newline character.
*/
private static final String NEWLINE = System.getProperty("line.separator");
/**
* The name of the analyzer.
*/
@@ -52,7 +57,7 @@ public class JarAnalyzer extends AbstractAnalyzer {
private static final Set<String> IGNORE_LIST = newHashSet(
"built-by",
"created-by",
"license",
//"license",
"build-jdk",
"ant-version",
"import-package",
@@ -61,6 +66,7 @@ public class JarAnalyzer extends AbstractAnalyzer {
"manifest-version",
"archiver-version",
"classpath",
"tool",
"bundle-manifestversion");
/**
* The set of file extensions supported by this analyzer.
@@ -85,6 +91,7 @@ public class JarAnalyzer extends AbstractAnalyzer {
/**
* Returns a list of file EXTENSIONS supported by this analyzer.
*
* @return a list of file EXTENSIONS supported by this analyzer.
*/
public Set<String> getSupportedExtensions() {
@@ -93,6 +100,7 @@ public class JarAnalyzer extends AbstractAnalyzer {
/**
* Returns the name of the analyzer.
*
* @return the name of the analyzer.
*/
public String getName() {
@@ -101,8 +109,10 @@ public class JarAnalyzer extends AbstractAnalyzer {
/**
* Returns whether or not this analyzer can process the given extension.
*
* @param extension the file extension to test for support.
* @return whether or not the specified file extension is supported by tihs analyzer.
* @return whether or not the specified file extension is supported by tihs
* analyzer.
*/
public boolean supportsExtension(String extension) {
return EXTENSIONS.contains(extension);
@@ -110,47 +120,20 @@ public class JarAnalyzer extends AbstractAnalyzer {
/**
* Returns the phase that the analyzer is intended to run in.
*
* @return the phase that the analyzer is intended to run in.
*/
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
/**
* An enumeration to keep track of the characters in a string as it is being
* read in one character at a time.
*/
private enum STRING_STATE {
ALPHA,
NUMBER,
PERIOD,
OTHER
}
/**
* Determines type of the character passed in.
* @param c a character
* @return a STRING_STATE representing whether the character is number, alpha, or other.
*/
private STRING_STATE determineState(char c) {
if (c >= '0' && c <= '9') {
return STRING_STATE.NUMBER;
} else if (c == '.') {
return STRING_STATE.PERIOD;
} else if (c >= 'a' && c <= 'z') {
return STRING_STATE.ALPHA;
} else {
return STRING_STATE.OTHER;
}
}
/**
* Loads a specified JAR file and collects information from the manifest and
* checksums to identify the correct CPE information.
*
* @param dependency the dependency to analyze.
* @throws AnalysisException is thrown if there is an error reading the JAR file.
* @throws AnalysisException is thrown if there is an error reading the JAR
* file.
*/
public void analyze(Dependency dependency) throws AnalysisException {
try {
@@ -163,9 +146,10 @@ public class JarAnalyzer extends AbstractAnalyzer {
}
/**
* Analyzes the path information of the classes contained within the JarAnalyzer
* to try and determine possible vendor or product names. If any are found they are
* stored in the packageVendor and packageProduct hashSets.
* Analyzes the path information of the classes contained within the
* JarAnalyzer to try and determine possible vendor or product names. If any
* are found they are stored in the packageVendor and packageProduct
* hashSets.
*
* @param dependency A reference to the dependency.
* @throws IOException is thrown if there is an error reading the JAR file.
@@ -314,17 +298,11 @@ public class JarAnalyzer extends AbstractAnalyzer {
}
/**
* <p>Reads the manifest from the JAR file and collects the entries. Some key entries are:</p>
* <ul><li>Implementation Title</li>
* <li>Implementation Version</li>
* <li>Implementation Vendor</li>
* <li>Implementation VendorId</li>
* <li>Bundle Name</li>
* <li>Bundle Version</li>
* <li>Bundle Vendor</li>
* <li>Bundle Description</li>
* <li>Main Class</li>
* </ul>
* <p>Reads the manifest from the JAR file and collects the entries. Some
* key entries are:</p> <ul><li>Implementation Title</li> <li>Implementation
* Version</li> <li>Implementation Vendor</li> <li>Implementation
* VendorId</li> <li>Bundle Name</li> <li>Bundle Version</li> <li>Bundle
* Vendor</li> <li>Bundle Description</li> <li>Main Class</li> </ul>
* However, all but a handful of specific entries are read in.
*
* @param dependency A reference to the dependency.
@@ -367,7 +345,7 @@ public class JarAnalyzer extends AbstractAnalyzer {
} else {
key = key.toLowerCase();
if (!IGNORE_LIST.contains(key) && !key.contains("license") && !key.endsWith("jdk")
if (!IGNORE_LIST.contains(key) && !key.endsWith("jdk")
&& !key.contains("lastmodified") && !key.endsWith("package")) {
if (key.contains("version")) {
@@ -379,9 +357,11 @@ public class JarAnalyzer extends AbstractAnalyzer {
} else if (key.contains("name")) {
productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM);
} else if (key.contains("license")) {
addLicense(dependency, value);
} else {
if (key.contains("description")) {
dependency.setDescription(value);
addDescription(dependency, value);
}
productEvidence.addEvidence(source, key, value, Evidence.Confidence.LOW);
vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.LOW);
@@ -407,6 +387,14 @@ public class JarAnalyzer extends AbstractAnalyzer {
}
}
private void addLicense(Dependency d, String license) {
if (d.getLicense() == null) {
d.setLicense(license);
} else if (!d.getLicense().contains(license)) {
d.setLicense(d.getLicense() + NEWLINE + license);
}
}
/**
* The initialize method does nothing for this Analyzer
*/
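Review bot: `addLicense`, the new method closing this hunk, is the only method in this file without a Javadoc comment, and its dedup test `d.getLicense().contains(license)` is a substring match rather than an entry comparison: a manifest value that is a prefix of an already-collected license (the same name without a version, say) is silently dropped, while the same text differing only in case or surrounding whitespace is appended a second time. A blank manifest value is also stored as-is when it is the first one seen. I would guard blank input, compare against the collected entries one line at a time, and document the method; the rewritten method is below (the rest of the hunk, the manifest-key dispatch above it, is unchanged).
```java
    /**
     * Records a license value taken from the manifest on the dependency.
     * Values are kept one per line; a value equal to one already collected
     * (ignoring case and surrounding whitespace) is not added again.
     *
     * @param d the dependency being analyzed.
     * @param license a license value read from the manifest; null or blank is ignored.
     */
    private void addLicense(Dependency d, String license) {
        if (license == null || license.trim().isEmpty()) {
            return;
        }
        final String current = d.getLicense();
        if (current == null) {
            d.setLicense(license);
            return;
        }
        // entries were joined with NEWLINE; accept either line-ending form when splitting
        for (String existing : current.split("\\r?\\n")) {
            if (existing.trim().equalsIgnoreCase(license.trim())) {
                return;
            }
        }
        d.setLicense(current + NEWLINE + license);
    }
```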


@@ -337,6 +337,28 @@ public class Dependency {
public void setDescription(String description) {
this.description = description;
}
/**
* The license that this dependency uses.
*/
private String license;
/**
* Get the value of license
*
* @return the value of license
*/
public String getLicense() {
return license;
}
/**
* Set the value of license
*
* @param license new value of license
*/
public void setLicense(String license) {
this.license = license;
}
/**
* Determines if the specified string was used when searching.
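Review bot: The Javadoc on the new `license` field (`The license that this dependency uses.`) describes a single value, but the setter is fed a multi-line string by `JarAnalyzer.addLicense` in this same commit, which appends further manifest entries on new lines, so the field can hold several licenses and consumers such as the report must expect line breaks. I would state that contract on the field, e.g. `/** The license(s) declared by this dependency; when several are collected they are separated by line breaks. */`, and add `@return the collected license text, or null if no license was found` to the getter, since the null case is what the report template tests for. The field is declared between `setDescription` and its own accessors; moving it up with the other fields would match the rest of the class.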


@@ -1,7 +1,7 @@
application.name=${pom.name}
application.version=${pom.version}
cpe=store/cpe
cpe=data/cpe
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta
cve=store/cve
cve=data/cve


@@ -261,8 +261,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
table {
border: 0px;
}
table tr:nth-child(even) {
background-color: #eeeeee;
table.lined tr:nth-child(even) {
background-color: #fbfbfb;
}
.fullwidth {
width:100%;
}
body {
font: 13px "Droid Sans",Arial,"Helvetica Neue","Lucida Grande",sans-serif
@@ -291,22 +294,27 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<h3 class="subsectionheader standardsubsection"><a name="$esc.html($dependency.FilePath)"></a>$esc.html($dependency.FileName)</h3>
<div class="subsectioncontent">
#if ($dependency.description)
<p><b>Description:&nbsp;</b>$esc.html($dependency.description)</p>
<p><b>Description:</b>&nbsp;$esc.html($dependency.description)<br/></p>
#end
<p><b>File&nbsp;Path:</b>&nbsp;$esc.html($dependency.FilePath)<br/>
<b>MD5:</b>&nbsp;$esc.html($dependency.Md5sum)<br/>
<b>SHA1:</b>&nbsp;$esc.html($dependency.Sha1sum)</p>
<p>
#if ($dependency.license)
<b>License:</b><pre class="indent">$esc.html($dependency.license)</pre>
#end
<b>File&nbsp;Path:</b>&nbsp;$esc.html($dependency.FilePath)<br/>
<b>MD5:</b>&nbsp;$esc.html($dependency.Md5sum)<br/>
<b>SHA1:</b>&nbsp;$esc.html($dependency.Sha1sum)
</p>
#if ( $dependency.analysisExceptions.size() != 0 )
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader red">Analysis Exceptions</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection">
<ul>
#foreach($ex in $dependency.analysisExceptions)
<li>$esc.html($ex.message)<br/><br/>$esc.html($ex.stackTrace)
<li>$esc.html($ex.message)<br/><br/><pre class="indent">$esc.html($ex.stackTrace)</pre>
#if ( $ex.cause )
<br/><b>Caused by:</b> $esc.html($ex.cause.message)
<br/><br/>$esc.html($ex.cause.stackTrace)
<br/><br/><pre class="indent">$esc.html($ex.cause.stackTrace)</pre>
#end
</li>
#end
@@ -316,7 +324,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandablesubsection white">Evidence</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<table border="0" style="width:100%">
<table class="lined fullwidth" border="0">
<tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
#foreach($evidence in $dependency.getEvidenceUsed())
<tr><td>$esc.html($evidence.getSource())</td><td>$esc.html($evidence.getName())</td><td>$esc.html($evidence.getValue())</td></tr>
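Review bot: The license block at the `#if ($dependency.license)` line places a `<pre>` inside the `<p>` opened on the line before it; `<pre>` is a block-level element, so an HTML parser implicitly closes the paragraph when it reaches the `<pre>`, leaving the File Path/MD5/SHA1 lines outside that paragraph and the closing `</p>` stray. Move the license block above the paragraph or change the wrapper to a `<div>`, e.g. `#if ($dependency.license)<b>License:</b><pre class="indent">$esc.html($dependency.license)</pre>#end` followed by `<p><b>File&nbsp;Path:</b>&nbsp;$esc.html($dependency.FilePath)<br/>`. Keep the `$esc.html` around the license value: it is text read from the scanned JAR's manifest, so it must stay escaped before landing in the report.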


@@ -69,7 +69,7 @@ public class IndexTest extends BaseIndexTestCase {
Index index = new Index();
Directory result = index.getDirectory();
String exp = File.separatorChar + "target" + File.separatorChar + "store" + File.separatorChar + "cpe";
String exp = File.separatorChar + "target" + File.separatorChar + "data" + File.separatorChar + "cpe";
// TODO review the generated test code and remove the default call to fail.
assertTrue(result.toString().contains(exp));
}


@@ -38,7 +38,7 @@ public class SettingsTest extends TestCase {
public void testGetString() {
System.out.println("getString");
String key = Settings.KEYS.CPE_INDEX;
String expResult = "target/store/cpe";
String expResult = "target/data/cpe";
String result = Settings.getString(key);
assertTrue(result.endsWith(expResult));
}