github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-20 08:14:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

checkstyle fixes (javadoc, final variables, etc)

Browse Source 
Former-commit-id: 1f8649c19d845cf3eb80730fb91b33c089e86aae
This commit is contained in:
Jeremy Long
2013-06-03 20:23:23 -04:00
parent 2eca1f9702
commit f06f1d1c42
3 changed files with 24 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
View File

@@ -215,6 +215,12 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
return cpe; return cpe;
} }
/**
* Removes bad CPE matches for a dependency. Unfortunately, right now
* these are hard-coded patches for specific problems identified when
* testing this ona LARGE volume of jar files.
* @param dependency the dependency to analyze
*/
private void removeBadMatches(Dependency dependency) { private void removeBadMatches(Dependency dependency) {
final Set<Identifier> identifiers = dependency.getIdentifiers(); final Set<Identifier> identifiers = dependency.getIdentifiers();
final Iterator<Identifier> itr = identifiers.iterator(); final Iterator<Identifier> itr = identifiers.iterator();

15
src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -19,7 +19,6 @@
package org.owasp.dependencycheck.analyzer; package org.owasp.dependencycheck.analyzer;
import java.io.File; import java.io.File;
import java.io.FileInputStream;
import java.util.Enumeration; import java.util.Enumeration;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.logging.Logger; import java.util.logging.Logger;
@@ -44,7 +43,6 @@ import java.util.jar.JarFile;
import java.util.jar.Manifest; import java.util.jar.Manifest;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import java.util.zip.ZipEntry; import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement; import javax.xml.bind.JAXBElement;
import javax.xml.bind.Unmarshaller; import javax.xml.bind.Unmarshaller;
@@ -213,7 +211,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
/** /**
* A pattern to detect HTML within text. * A pattern to detect HTML within text.
*/ */
final Pattern htmlDetection = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE); final private Pattern htmlDetection = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE);
/** /**
* Attempts to find a pom.xml within the JAR file. If found it extracts * Attempts to find a pom.xml within the JAR file. If found it extracts
@@ -284,10 +282,10 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
justification = "The reader is closed by closing the zipEntry") justification = "The reader is closed by closing the zipEntry")
private Properties retrievePomProperties(String path, final JarFile jar) throws IOException { private Properties retrievePomProperties(String path, final JarFile jar) throws IOException {
Properties pomProperties = null; Properties pomProperties = null;
String propPath = path.substring(0, path.length() - 7) + "pom.properies"; final String propPath = path.substring(0, path.length() - 7) + "pom.properies";
ZipEntry propEntry = jar.getEntry(propPath); final ZipEntry propEntry = jar.getEntry(propPath);
if (propEntry != null) { if (propEntry != null) {
Reader reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8"); final Reader reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
pomProperties = new Properties(); pomProperties = new Properties();
pomProperties.load(reader); pomProperties.load(reader);
} }
@@ -300,7 +298,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
* @throws IOException thrown if there is an exception reading a JarEntry * @throws IOException thrown if there is an exception reading a JarEntry
*/ */
private List<String> retrievePomListing(final JarFile jar) throws IOException { private List<String> retrievePomListing(final JarFile jar) throws IOException {
List<String> pomEntries = new ArrayList<String>(); final List<String> pomEntries = new ArrayList<String>();
JarEntry entry = jar.entries().nextElement(); JarEntry entry = jar.entries().nextElement();
while (entry != null) { while (entry != null) {
final String entryName = (new File(entry.getName())).getName().toLowerCase(); final String entryName = (new File(entry.getName())).getName().toLowerCase();
@@ -322,8 +320,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
private Model retrievePom(String path, JarFile jar) throws JAXBException, IOException { private Model retrievePom(String path, JarFile jar) throws JAXBException, IOException {
ZipEntry entry = jar.getEntry(path); ZipEntry entry = jar.getEntry(path);
if (entry != null) { //should never be null if (entry != null) { //should never be null
NonClosingStream stream = new NonClosingStream(jar.getInputStream(entry)); final NonClosingStream stream = new NonClosingStream(jar.getInputStream(entry));
Model p = null;
final JAXBElement obj = (JAXBElement) pomUnmarshaller.unmarshal(stream); final JAXBElement obj = (JAXBElement) pomUnmarshaller.unmarshal(stream);
return (Model) obj.getValue(); return (Model) obj.getValue();
} }

11
src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
View File

@@ -164,6 +164,15 @@ public class NvdCveAnalyzer implements Analyzer {
this.open(); this.open();
} }
/**
* <p>Determines if this is a valid vulnerability match for the given dependency.
* Specifically, this is concerned with ensuring the version numbers are correct.</p>
* <p>Currently, this is focused on the issues with the versions for Struts 1 and Struts 2.
* In the future this will due better matching on more version numbers.</p>
* @param dependency
* @param v
* @return
*/
private boolean isValidMatch(final Dependency dependency, final Vulnerability v) { private boolean isValidMatch(final Dependency dependency, final Vulnerability v) {
//right now I only know of the issue with Struts1/2 //right now I only know of the issue with Struts1/2
// start with fixing this problem. // start with fixing this problem.
@@ -173,7 +182,7 @@ public class NvdCveAnalyzer implements Analyzer {
boolean struts2 = false; boolean struts2 = false;
for (Identifier i : dependency.getIdentifiers()) { for (Identifier i : dependency.getIdentifiers()) {
if (i.getValue().startsWith("cpe:/a:apache:struts:")) { if (i.getValue().startsWith("cpe:/a:apache:struts:")) {
char version = i.getValue().charAt(21); final char version = i.getValue().charAt(21);
if (version == '1') { if (version == '1') {
struts1 = true; struts1 = true;
} }