Merge remote-tracking branch 'upstream/master'

2026-05-04 22:25:23 +02:00 · 2017-11-30 14:04:26 -03:00
parent 38499898aa 4862811600
commit ebff547b6f
19 changed files with 81 additions and 26 deletions
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>3.0.2</version>
+        <version>3.0.3-SNAPSHOT</version>
    </parent>

    <artifactId>dependency-check-core</artifactId>
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -471,6 +471,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                boolean stillLooking = true;
                int chr;
                int nxtChr;
+                //CSOFF: InnerAssignment
+                //CSOFF: NestedIfDepth
                while (stillLooking && (chr = in.read()) != -1) {
                    if (chr == '\n' || chr == '\r') {
                        in.mark(4);
@@ -488,6 +490,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                        }
                    }
                }
+                //CSON: InnerAssignment
+                //CSON: NestedIfDepth
            } else {
                in.reset();
            }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
@@ -90,6 +90,7 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz
    @Override
    protected boolean evaluateDependencies(final Dependency dependency, final Dependency nextDependency, final Set<Dependency> dependenciesToRemove) {
        Dependency main;
+        //CSOFF: InnerAssignment
        if ((main = getMainGemspecDependency(dependency, nextDependency)) != null) {
            if (main == dependency) {
                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
@@ -105,6 +106,7 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz
                return true; //since we merged into the next dependency - skip forward to the next in mainIterator
            }
        }
+        //CSON: InnerAssignment
        return false;
    }

--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
@@ -396,6 +396,7 @@ public final class ConnectionFactory {
            final int c0 = Integer.parseInt(currentDbVersion.getVersionParts().get(0));
            final int e1 = Integer.parseInt(appExpectedVersion.getVersionParts().get(1));
            final int c1 = Integer.parseInt(currentDbVersion.getVersionParts().get(1));
+            //CSOFF: EmptyBlock
            if (e0 == c0 && e1 < c1) {
                LOGGER.warn("A new version of dependency-check is available; consider upgrading");
                settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
@@ -406,6 +407,7 @@ public final class ConnectionFactory {
                        UPGRADE_HELP_URL);
                throw new DatabaseException("Database schema is out of date");
            }
+            //CSON: EmptyBlock
        }
    }

--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/H2DBLock.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/H2DBLock.java
@@ -145,8 +145,8 @@ public class H2DBLock {
                if (lock == null || !lock.isValid()) {
                    try {
                        final Timestamp timestamp = new Timestamp(System.currentTimeMillis());
-                        LOGGER.debug("Sleeping thread {} ({}) for 10 seconds because an exclusive lock on the database could not be obtained ({})",
-                                Thread.currentThread().getName(), magic, timestamp.toString());
+                        LOGGER.debug("Sleeping thread {} ({}) for {} seconds because an exclusive lock on the database could not be obtained ({})",
+                                Thread.currentThread().getName(), magic, SLEEP_DURATION / 1000, timestamp.toString());
                        Thread.sleep(SLEEP_DURATION);
                    } catch (InterruptedException ex) {
                        LOGGER.debug("sleep was interrupted.", ex);
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -855,4 +855,19 @@
        <gav regex="true">^com\.unboundid:unboundid-ldapsdk:.*$</gav>
        <cpe>cpe:/a:id:id-software</cpe>
    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        jaxb-xerces and jaxb-xerces2 are completely different dependencies.
+        ]]></notes>
+        <gav regex="true">^activesoap:jaxb-xercesImpl:[01].*$</gav>
+        <cpe>cpe:/a:apache:xerces2_java</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        jaxb-xerces and jaxb-xerces2 are completely different dependencies - the sha1
+            is primarily for testing.
+        ]]></notes>
+        <sha1>73a51faadb407dccdbd77234e0d5a0a648665692</sha1>
+        <cpe>cpe:/a:apache:xerces2_java</cpe>
+    </suppress>
 </suppressions>
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
@@ -103,13 +103,17 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
            fp.initialize(getSettings());
            fp.prepare(e);

-            callDetermineCPE_full("hazelcast-2.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
-            callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
-            callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
-            callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
-            callDetermineCPE_full("ehcache-core-2.2.0.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
-            callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
-            callDetermineCPE_full("xstream-1.4.8.jar", "cpe:/a:x-stream:xstream:1.4.8", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+            CpeSuppressionAnalyzer cpeSuppression = new CpeSuppressionAnalyzer();
+            cpeSuppression.initialize(getSettings());
+            cpeSuppression.prepare(e);
+
+            callDetermineCPE_full("hazelcast-2.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+            callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+            callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+            callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+            callDetermineCPE_full("ehcache-core-2.2.0.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+            callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+            callDetermineCPE_full("xstream-1.4.8.jar", "cpe:/a:x-stream:xstream:1.4.8", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
        } finally {
            cpeAnalyzer.close();
        }
@@ -121,7 +125,7 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
     * @throws Exception is thrown when an exception occurs
     */
    public void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer cpeAnalyzer, FileNameAnalyzer fnAnalyzer,
-            JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp) throws Exception {
+            JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp, CpeSuppressionAnalyzer cpeSuppression) throws Exception {

        //File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
        File file = BaseTest.getResourceAsFile(this, depName);
@@ -133,6 +137,7 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
        hAnalyzer.analyze(dep, null);
        cpeAnalyzer.analyze(dep, null);
        fp.analyze(dep, null);
+        cpeSuppression.analyze(dep, null);

        if (expResult != null) {
            boolean found = false;
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java
@@ -84,8 +84,7 @@ public class CentralAnalyzerTest {
        new Expectations() {
            {
                centralSearch.searchSha1(SHA1_SUM);
-                result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
-                result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
+                //result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
                result = expectedMavenArtifacts;
            }
        };