diff --git a/pom.xml b/pom.xml index da8edf6aa..6249a0aa7 100644 --- a/pom.xml +++ b/pom.xml @@ -157,22 +157,21 @@ along with DependencyCheck. If not, see . 85 85 - - org.codesecure.dependencycheck.cpe.CPEEntry - 60 - 60 - .*\$.* 0 0 - org.codesecure.dependencycheck.store.CPEFields + org.codesecure.dependencycheck.data.cpe.Fields + 0 + 0 + + + org.codesecure.dependencycheck.App 0 0 - org.codesecure.dependencycheck.utils.SSDeep 0 @@ -203,11 +202,11 @@ along with DependencyCheck. If not, see . cve - ${project.build.directory}/store/cve + ${project.build.directory}/data/cve cpe - ${project.build.directory}/store/cpe + ${project.build.directory}/data/cpe diff --git a/src/main/java/org/codesecure/dependencycheck/analyzer/Analyzer.java b/src/main/java/org/codesecure/dependencycheck/analyzer/Analyzer.java index 646c0d496..6a2e41c8f 100644 --- a/src/main/java/org/codesecure/dependencycheck/analyzer/Analyzer.java +++ b/src/main/java/org/codesecure/dependencycheck/analyzer/Analyzer.java @@ -18,8 +18,8 @@ package org.codesecure.dependencycheck.analyzer; * Copyright (c) 2012 Jeremy Long. All Rights Reserved. */ -import org.codesecure.dependencycheck.dependency.Dependency; import java.util.Set; +import org.codesecure.dependencycheck.dependency.Dependency; /** * An interface that defines an Analyzer that is used to identify Dependencies. @@ -33,8 +33,8 @@ public interface Analyzer { /** * Analyzes the given dependency. The analysis could be anything from identifying * an Idenifier for the dependency, to finding vulnerabilities, etc. Additionally, - * if the analyzer collects enough information to add a description for the dependency - * one should be added. + * if the analyzer collects enough information to add a description or license + * information for the dependency it should be added. * * @param dependency a dependency to analyze. * @throws AnalysisException is thrown if there is an error analyzing the dependency file @@ -43,7 +43,7 @@ public interface Analyzer { /** *

Returns a list of supported file extensions. An example would be an analyzer - * that inpected java jar files. The getSupportedExtensions function would return + * that inspected java jar files. The getSupportedExtensions function would return * a set with a single element "jar".

* *

Note: when implementing this the extensions returned MUST be lowercase.

diff --git a/src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java b/src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java index 11061f1d9..f44d20907 100644 --- a/src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java +++ b/src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java @@ -32,12 +32,17 @@ import java.util.jar.Manifest; /** * - * Used to load a JAR file and collect information that can be used to determine the associated CPE. + * Used to load a JAR file and collect information that can be used to determine + * the associated CPE. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class JarAnalyzer extends AbstractAnalyzer { + /** + * The system independent newline character. + */ + private static final String NEWLINE = System.getProperty("line.separator"); /** * The name of the analyzer. */ @@ -52,7 +57,7 @@ public class JarAnalyzer extends AbstractAnalyzer { private static final Set IGNORE_LIST = newHashSet( "built-by", "created-by", - "license", + //"license", "build-jdk", "ant-version", "import-package", @@ -61,6 +66,7 @@ public class JarAnalyzer extends AbstractAnalyzer { "manifest-version", "archiver-version", "classpath", + "tool", "bundle-manifestversion"); /** * The set of file extensions supported by this analyzer. @@ -85,6 +91,7 @@ public class JarAnalyzer extends AbstractAnalyzer { /** * Returns a list of file EXTENSIONS supported by this analyzer. + * * @return a list of file EXTENSIONS supported by this analyzer. */ public Set getSupportedExtensions() { @@ -93,6 +100,7 @@ public class JarAnalyzer extends AbstractAnalyzer { /** * Returns the name of the analyzer. + * * @return the name of the analyzer. */ public String getName() { 
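Review bot: In the IGNORE_LIST initializer the entry is commented out (`//"license",`) rather than deleted, which leaves the next reader guessing whether it is meant to come back; since the manifest loop further down now routes license headers to `addLicense` deliberately, delete the line and state the intent next to the code that depends on it, e.g. above the `else if (key.contains("license"))` branch: `// license headers are not ignored: they are accumulated into Dependency.license`. The added `"tool"` entry is fine but, like the rest of the list, undocumented; a one-line comment on IGNORE_LIST saying these headers are skipped because they never identify a vendor or product would help. The IGNORE_LIST initializer starts in the first of these hunks and ends in the second.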
@@ -101,8 +109,10 @@ public class JarAnalyzer extends AbstractAnalyzer { /** * Returns whether or not this analyzer can process the given extension. + * * @param extension the file extension to test for support. - * @return whether or not the specified file extension is supported by tihs analyzer. + * @return whether or not the specified file extension is supported by tihs + * analyzer. */ public boolean supportsExtension(String extension) { return EXTENSIONS.contains(extension); @@ -110,47 +120,20 @@ public class JarAnalyzer extends AbstractAnalyzer { /** * Returns the phase that the analyzer is intended to run in. + * * @return the phase that the analyzer is intended to run in. */ public AnalysisPhase getAnalysisPhase() { return ANALYSIS_PHASE; } - /** - * An enumeration to keep track of the characters in a string as it is being - * read in one character at a time. - */ - private enum STRING_STATE { - - ALPHA, - NUMBER, - PERIOD, - OTHER - } - - /** - * Determines type of the character passed in. - * @param c a character - * @return a STRING_STATE representing whether the character is number, alpha, or other. - */ - private STRING_STATE determineState(char c) { - if (c >= '0' && c <= '9') { - return STRING_STATE.NUMBER; - } else if (c == '.') { - return STRING_STATE.PERIOD; - } else if (c >= 'a' && c <= 'z') { - return STRING_STATE.ALPHA; - } else { - return STRING_STATE.OTHER; - } - } - /** * Loads a specified JAR file and collects information from the manifest and * checksums to identify the correct CPE information. * * @param dependency the dependency to analyze. - * @throws AnalysisException is thrown if there is an error reading the JAR file. + * @throws AnalysisException is thrown if there is an error reading the JAR + * file. */ public void analyze(Dependency dependency) throws AnalysisException { try { 
@@ -163,9 +146,10 @@ public class JarAnalyzer extends AbstractAnalyzer { } /** - * Analyzes the path information of the classes contained within the JarAnalyzer - * to try and determine possible vendor or product names. If any are found they are - * stored in the packageVendor and packageProduct hashSets. + * Analyzes the path information of the classes contained within the + * JarAnalyzer to try and determine possible vendor or product names. If any + * are found they are stored in the packageVendor and packageProduct + * hashSets. * * @param dependency A reference to the dependency. * @throws IOException is thrown if there is an error reading the JAR file. @@ -314,17 +298,11 @@ public class JarAnalyzer extends AbstractAnalyzer { } /** - *

Reads the manifest from the JAR file and collects the entries. Some key entries are:

- *
  • Implementation Title
  • - *
  • Implementation Version
  • - *
  • Implementation Vendor
  • - *
  • Implementation VendorId
  • - *
  • Bundle Name
  • - *
  • Bundle Version
  • - *
  • Bundle Vendor
  • - *
  • Bundle Description
  • - *
  • Main Class
  • - *
+ *

Reads the manifest from the JAR file and collects the entries. Some + * key entries are:

  • Implementation Title
  • Implementation + * Version
  • Implementation Vendor
  • Implementation + * VendorId
  • Bundle Name
  • Bundle Version
  • Bundle + * Vendor
  • Bundle Description
  • Main Class
* However, all but a handful of specific entries are read in. * * @param dependency A reference to the dependency. @@ -367,7 +345,7 @@ public class JarAnalyzer extends AbstractAnalyzer { } else { key = key.toLowerCase(); - if (!IGNORE_LIST.contains(key) && !key.contains("license") && !key.endsWith("jdk") + if (!IGNORE_LIST.contains(key) && !key.endsWith("jdk") && !key.contains("lastmodified") && !key.endsWith("package")) { if (key.contains("version")) { @@ -379,9 +357,11 @@ public class JarAnalyzer extends AbstractAnalyzer { } else if (key.contains("name")) { productEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM); vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.MEDIUM); + } else if (key.contains("license")) { + addLicense(dependency, value); } else { if (key.contains("description")) { - dependency.setDescription(value); + addDescription(dependency, value); } productEvidence.addEvidence(source, key, value, Evidence.Confidence.LOW); vendorEvidence.addEvidence(source, key, value, Evidence.Confidence.LOW); @@ -407,6 +387,14 @@ public class JarAnalyzer extends AbstractAnalyzer { } } + private void addLicense(Dependency d, String license) { + if (d.getLicense() == null) { + d.setLicense(license); + } else if (!d.getLicense().contains(license)) { + d.setLicense(d.getLicense() + NEWLINE + license); + } + } + /** * The initialize method does nothing for this Analyzer */ diff --git a/src/main/java/org/codesecure/dependencycheck/dependency/Dependency.java b/src/main/java/org/codesecure/dependencycheck/dependency/Dependency.java index 82deb26c8..6df8792ed 100644 --- a/src/main/java/org/codesecure/dependencycheck/dependency/Dependency.java +++ b/src/main/java/org/codesecure/dependencycheck/dependency/Dependency.java 
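Review bot: `addLicense` is the one member of JarAnalyzer without a Javadoc comment, and its deduplication is a substring test: `d.getLicense().contains(license)` skips a new value that merely occurs inside the accumulated string, while a longer value that contains an earlier one is appended as a near-duplicate. Compare against the individual NEWLINE-separated entries instead, e.g. `Arrays.asList(d.getLicense().split(Pattern.quote(NEWLINE))).contains(license)` (needs `java.util.Arrays` and `java.util.regex.Pattern`), or collect the values in a Set on the Dependency. The value is raw text from the scanned jar's manifest, i.e. untrusted input that later reaches the report, so the Javadoc I would add should give the purpose (accumulate distinct license headers, separated by NEWLINE), say the string is unmodified manifest text, and carry @param entries for d and license. The same file's call to `addDescription(dependency, value)` has no definition in any hunk shown here; presumably it exists elsewhere in the class.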
@@ -337,6 +337,28 @@ public class Dependency { public void setDescription(String description) { this.description = description; } + /** + * The license that this dependency uses. + */ + private String license; + + /** + * Get the value of license + * + * @return the value of license + */ + public String getLicense() { + return license; + } + + /** + * Set the value of license + * + * @param license new value of license + */ + public void setLicense(String license) { + this.license = license; + } /** * Determines if the specified string was used when searching. diff --git a/src/main/resources/configuration/dependencycheck.properties b/src/main/resources/configuration/dependencycheck.properties index 2076f7d95..b5803d44e 100644 --- a/src/main/resources/configuration/dependencycheck.properties +++ b/src/main/resources/configuration/dependencycheck.properties @@ -1,7 +1,7 @@ application.name=${pom.name} application.version=${pom.version} -cpe=store/cpe +cpe=data/cpe cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta -cve=store/cve +cve=data/cve diff --git a/src/main/resources/templates/HtmlReport.vsl b/src/main/resources/templates/HtmlReport.vsl index 2f8a63d6b..6950e54ec 100644 --- a/src/main/resources/templates/HtmlReport.vsl +++ b/src/main/resources/templates/HtmlReport.vsl @@ -261,8 +261,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. table { border: 0px; } - table tr:nth-child(even) { - background-color: #eeeeee; + table.lined tr:nth-child(even) { + background-color: #fbfbfb; + } + .fullwidth { + width:100%; } body { font: 13px "Droid Sans",Arial,"Helvetica Neue","Lucida Grande",sans-serif @@ -291,22 +294,27 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
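Review bot: The new `license` field is declared in the middle of the class, between `setDescription` and `getLicense`, rather than with the other fields (presumably near the top of the class); moving `private String license;` there keeps the layout predictable. The accessor Javadoc only says "Get/Set the value of license", but JarAnalyzer now fills this with newline-joined manifest headers, so the field comment should record that: `The license(s) declared in the dependency's manifest; multiple values are separated by the platform line separator.` The setter stores the value unchanged, which is consistent with `setDescription` in the context above.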

$esc.html($dependency.FileName)

#if ($dependency.description) -

Description: $esc.html($dependency.description)

+

Description: $esc.html($dependency.description)

#end -

File Path: $esc.html($dependency.FilePath)
- MD5: $esc.html($dependency.Md5sum)
- SHA1: $esc.html($dependency.Sha1sum)

- +

+ #if ($dependency.license) + License:

$esc.html($dependency.license)
+ #end + File Path: $esc.html($dependency.FilePath)
+ MD5: $esc.html($dependency.Md5sum)
+ SHA1: $esc.html($dependency.Sha1sum) +

+ #if ( $dependency.analysisExceptions.size() != 0 ) #set($cnt=$cnt+1)

Analysis Exceptions

    #foreach($ex in $dependency.analysisExceptions) -
  • $esc.html($ex.message)

    $esc.html($ex.stackTrace) +
  • $esc.html($ex.message)

    $esc.html($ex.stackTrace)
    #if ( $ex.cause )
    Caused by: $esc.html($ex.cause.message) -

    $esc.html($ex.cause.stackTrace) +

    $esc.html($ex.cause.stackTrace)
    #end
  • #end @@ -316,7 +324,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #set($cnt=$cnt+1)
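Review bot: The new `#if ($dependency.license)` guard only excludes a null license; depending on the Velocity version an empty string is still truthy, which would render a `License:` label with nothing after it (the Velocity version is not visible here). JarAnalyzer joins multiple license headers with the platform line separator, which collapses to whitespace in HTML, so several licenses will print as one run-on line unless the template turns the separator into `<br/>` after escaping or renders the value in a preformatted block. Keep `$esc.html($dependency.license)` exactly as written: the value is raw manifest text from the scanned jar and must stay escaped in the report. The following Evidence hunk continues past the end of the page.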

    Evidence