diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java index 3733809c9..e076bb6ba 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java @@ -550,7 +550,7 @@ public class CPEAnalyzer implements Analyzer { final List collected = new ArrayList(); //TODO the following algorithm incorrectly identifies things as a lower version - // if there lower confidence evidence when the current (highest) version number + // if there lower confidence evidence when the current (highest) version number // is newer then anything in the NVD. for (Confidence conf : Confidence.values()) { for (Evidence evidence : dependency.getVersionEvidence().iterator(conf)) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java index 4d05e6505..d23ec72ea 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java @@ -35,7 +35,8 @@ import org.owasp.dependencycheck.utils.Settings; /** * This analyzer is used to analyze SWIFT and Objective-C packages by collecting - * information from .podspec files. CocoaPods dependency manager see https://cocoapods.org/. + * information from .podspec files. CocoaPods dependency manager see + * https://cocoapods.org/. * * @author Bianca Jiang (https://twitter.com/biancajiang) */ @@ -46,7 +47,6 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { * The logger. */ // private static final Logger LOGGER = LoggerFactory.getLogger(CocoaPodsAnalyzer.class); - /** * The name of the analyzer. */ 
@@ -66,15 +66,12 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { */ private static final FileFilter PODSPEC_FILTER = FileFilterBuilder.newInstance().addExtensions(PODSPEC).build(); - /** - * The capture group #1 is the block variable. - * e.g. "Pod::Spec.new do |spec|" + * The capture group #1 is the block variable. e.g. "Pod::Spec.new do + * |spec|" */ - private static final Pattern PODSPEC_BLOCK_PATTERN - = Pattern.compile("Pod::Spec\\.new\\s+?do\\s+?\\|(.+?)\\|"); - - + private static final Pattern PODSPEC_BLOCK_PATTERN = Pattern.compile("Pod::Spec\\.new\\s+?do\\s+?\\|(.+?)\\|"); + /** * Returns the FileFilter * @@ -111,7 +108,8 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { } /** - * Returns the key used in the properties file to reference the analyzer's enabled property. + * Returns the key used in the properties file to reference the analyzer's + * enabled property. * * @return the analyzer's enabled property setting key */ @@ -123,8 +121,8 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException { - - String contents; + + String contents; try { contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset()); } catch (IOException e) { @@ -135,11 +133,11 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { if (matcher.find()) { contents = contents.substring(matcher.end()); final String blockVariable = matcher.group(1); - + final EvidenceCollection vendor = dependency.getVendorEvidence(); final EvidenceCollection product = dependency.getProductEvidence(); final EvidenceCollection version = dependency.getVersionEvidence(); - + final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST); if (!name.isEmpty()) { vendor.addEvidence(PODSPEC, "name_project", name, Confidence.HIGHEST); 
@@ -149,41 +147,41 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { addStringEvidence(vendor, contents, blockVariable, "author", "authors?", Confidence.HIGHEST); addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST); addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST); - + addStringEvidence(version, contents, blockVariable, "version", "version", Confidence.HIGHEST); } - + setPackagePath(dependency); } - + private String addStringEvidence(EvidenceCollection evidences, String contents, String blockVariable, String field, String fieldPattern, Confidence confidence) { String value = ""; - - //capture array value between [ ] - final Matcher arrayMatcher = Pattern.compile( + + //capture array value between [ ] + final Matcher arrayMatcher = Pattern.compile( String.format("\\s*?%s\\.%s\\s*?=\\s*?\\{\\s*?(.*?)\\s*?\\}", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents); - if(arrayMatcher.find()) { - value = arrayMatcher.group(1); - } - //capture single value between quotes - else { - final Matcher matcher = Pattern.compile( - String.format("\\s*?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents); - if (matcher.find()) { - value = matcher.group(2); - } - } - if(value.length() > 0) - evidences.addEvidence(PODSPEC, field, value, confidence); - + if (arrayMatcher.find()) { + value = arrayMatcher.group(1); + } //capture single value between quotes + else { + final Matcher matcher = Pattern.compile( + String.format("\\s*?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents); + if (matcher.find()) { + value = matcher.group(2); + } + } + if (value.length() > 0) { + evidences.addEvidence(PODSPEC, field, value, confidence); + } return value; } private void setPackagePath(Dependency dep) { - File file = new File(dep.getFilePath()); - String 
parent = file.getParent(); - if(parent != null) - dep.setPackagePath(parent); + File file = new File(dep.getFilePath()); + String parent = file.getParent(); + if (parent != null) { + dep.setPackagePath(parent); + } } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java index 42b322e65..3e4507379 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java 
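Review bot: In `addStringEvidence`, `blockVariable` is dropped into both `String.format(...)` regexes unescaped, yet it is whatever `PODSPEC_BLOCK_PATTERN` captured between the `|` delimiters of the podspec being scanned, so a crafted or merely unusual podspec controls part of a compiled `Pattern`: an unbalanced `(` yields a `PatternSyntaxException` that leaves `analyzeFileType` unchecked and aborts the scan, and since `contents` is the same untrusted text, a nested-quantifier variable could make the match pathologically slow. Escape it in both places, e.g. `String.format("\\s*?%s\\.%s\\s*?=\\s*?\\{\\s*?(.*?)\\s*?\\}", Pattern.quote(blockVariable), fieldPattern)`. The comment `//capture array value between [ ]` does not describe the regex, which captures between `{` and `}`; reword it to `//capture array value between { }`. `if (value.length() > 0)` reads better as `if (!value.isEmpty())`.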
@@ -144,17 +144,17 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
 break; //since we merged into the next dependency - skip forward to the next in mainIterator
 }
- } else if ( (main = getMainGemspecDependency(dependency, nextDependency)) != null ) {
- if (main == dependency) {
- mergeDependencies(dependency, nextDependency, dependenciesToRemove);
- } else {
+ } else if ((main = getMainGemspecDependency(dependency, nextDependency)) != null) {
+ if (main == dependency) {
+ mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+ } else {
 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
 break; //since we merged into the next dependency - skip forward to the next in mainIterator
 }
- } else if ( (main = getMainSwiftDependency(dependency, nextDependency)) != null) {
- if (main == dependency) {
- mergeDependencies(dependency, nextDependency, dependenciesToRemove);
- } else {
+ } else if ((main = getMainSwiftDependency(dependency, nextDependency)) != null) {
+ if (main == dependency) {
+ mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+ } else {
 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
 break; //since we merged into the next dependency - skip forward to the next in mainIterator
 }
@@ -382,29 +382,37 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal } return null; } - + /** - * Bundling same swift dependencies with the same packagePath but identified by different analyzers. + * Bundling same swift dependencies with the same packagePath but identified + * by different analyzers. + * + * @param dependency1 dependency to test + * @param dependency2 dependency to test + * @return true if the dependencies appear to be the same; + * otherwise false */ private boolean isSameSwiftPackage(Dependency dependency1, Dependency dependency2) { - if (dependency1 == null || dependency2 == null || - (!dependency1.getFileName().endsWith(".podspec") && - !dependency1.getFileName().equals("Package.swift")) || - (!dependency2.getFileName().endsWith(".podspec") && - !dependency2.getFileName().equals("Package.swift")) || - dependency1.getPackagePath() == null || - dependency2.getPackagePath() == null) { + if (dependency1 == null || dependency2 == null + || (!dependency1.getFileName().endsWith(".podspec") + && !dependency1.getFileName().equals("Package.swift")) + || (!dependency2.getFileName().endsWith(".podspec") + && !dependency2.getFileName().equals("Package.swift")) + || dependency1.getPackagePath() == null + || dependency2.getPackagePath() == null) { return false; } - if (dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath())) - return true; - - return false; + if (dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath())) { + return true; + } + return false; } + private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) { - if (isSameSwiftPackage(dependency1, dependency2)) { - if(dependency1.getFileName().endsWith(".podspec")) - return dependency1; + if (isSameSwiftPackage(dependency1, dependency2)) { + if (dependency1.getFileName().endsWith(".podspec")) { + return dependency1; + } return dependency2; } return null; 
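Review bot: `isSameSwiftPackage` considers two `.podspec`/`Package.swift` files the same package whenever their `packagePath` values match, and for podspecs that path is just the parent directory (`CocoaPodsAnalyzer.setPackagePath` stores `file.getParent()`), so two distinct pods sitting in one directory, say `Foo.podspec` and `Bar.podspec`, are declared identical and `getMainSwiftDependency` hands one of them to the bundling loop, which presumably drops the other via `dependenciesToRemove`. Require the two file names to differ (one podspec plus one `Package.swift`), or compare the extracted product name as well, before treating them as one package. `equalsIgnoreCase` on the path also merges directories that differ only by case on case-sensitive filesystems; `equals` or a canonical-path comparison is the safer choice. The trailing `if (...) { return true; } return false;` can simply be `return dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath());`.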
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java index 5e6dee5b8..75f417ebf 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java @@ -73,8 +73,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer { private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[]{ "__init__.py", "__init__.pyc", - "__init__.pyo", - }); + "__init__.pyo",}); /** * Collects information about the file name. @@ -111,9 +110,9 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer { if (!IGNORED_FILES.accept(f)) { dependency.getProductEvidence().addEvidence("file", "name", - packageName, Confidence.HIGH); + packageName, Confidence.HIGH); dependency.getVendorEvidence().addEvidence("file", "name", - packageName, Confidence.HIGH); + packageName, Confidence.HIGH); } } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index aad0cb036..33d57e690 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java 
@@ -704,17 +704,12 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { addMatchingValues(classInformation, value, productEvidence); // //the following caused false positives. // } else if (key.equalsIgnoreCase(BUNDLE_VENDOR)) { -// foundSomething = true; -// vendorEvidence.addEvidence(source, key, value, Confidence.HIGH); -// addMatchingValues(classInformation, value, vendorEvidence); } else if (key.equalsIgnoreCase(BUNDLE_VERSION)) { foundSomething = true; versionEvidence.addEvidence(source, key, value, Confidence.HIGH); } else if (key.equalsIgnoreCase(Attributes.Name.MAIN_CLASS.toString())) { continue; - //skipping main class as if this has important information to add - // it will be added during class name analysis... if other fields - // have the information from the class name then they will get added... + //skipping main class as if this has important information to add it will be added during class name analysis... } else { key = key.toLowerCase(); if (!IGNORE_KEYS.contains(key) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java index f28feecae..9daee5428 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java @@ -70,8 +70,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { * name: "Gloss" * )" */ - private static final Pattern SPM_BLOCK_PATTERN - = Pattern.compile("let[^=]+=\\s*Package\\s*\\(\\s*([^)]*)\\s*\\)", Pattern.DOTALL); + private static final Pattern SPM_BLOCK_PATTERN = Pattern.compile("let[^=]+=\\s*Package\\s*\\(\\s*([^)]*)\\s*\\)", Pattern.DOTALL); /** * Returns the FileFilter 
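Review bot: Deleting the three `-// ...` body lines leaves `// } else if (key.equalsIgnoreCase(BUNDLE_VENDOR)) {` and `// //the following caused false positives.` behind as a half-removed commented-out branch, which is harder to read than either the full block or none of it; drop those two lines as well and keep the reason as a plain comment such as `// Bundle-Vendor is deliberately not used as vendor evidence; it caused false positives.`. The rewritten note after `continue;` is now a single line well over the column limit and sits after the jump where readers skip it; place it before `continue;` and wrap it. The enclosing loop that `continue;` belongs to starts and ends outside this hunk.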
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
index c9ffb9ac8..a5918ca47 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
@@ -95,7 +95,7 @@ public final class ConnectionFactory {
 * @throws DatabaseException thrown if we are unable to connect to the
 * database
 */
- public static synchronized void initialize() throws DatabaseException {
+ public static void initialize() throws DatabaseException {
 //this only needs to be called once.
 if (connectionString != null) {
 return;
@@ -196,7 +196,7 @@ public final class ConnectionFactory {
 * finalize method being called as during shutdown the class loader used to
 * load the driver may be unloaded prior to the driver being de-registered.
 */
- public static synchronized void cleanup() {
+ public static void cleanup() {
 if (driver != null) {
 try {
 DriverManager.deregisterDriver(driver);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
index b91510b1e..61e88a820 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
@@ -24,7 +24,8 @@ import java.util.regex.Pattern;
 /**
 *
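Review bot: Removing `synchronized` from `initialize()` turns the `if (connectionString != null) { return; }` guard into an unsynchronized check-then-act on static state, so two threads that call `initialize()` concurrently can both pass the guard and run the initialization twice; the commit gives no reason for the change and nothing visible here serializes callers instead. Unless every caller is provably single-threaded, keep the method `synchronized` (or guard it with a private static lock object) and state the contract in the Javadoc, e.g. `* Callers must ensure this is invoked once, or externally synchronized, before connections are requested.` The body of `initialize()` after the guard is outside this hunk, so the concrete side effects of a double run cannot be confirmed from here.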
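Review bot: `cleanup()` now tests `driver != null` and calls `DriverManager.deregisterDriver(driver)` with no lock, so it can race with a concurrent `initialize()` or with a thread still obtaining a connection; one thread may deregister (and, presumably, null out) the driver while another is mid-use, turning an orderly shutdown into a failed connection or a `NullPointerException`. If the lock was removed to avoid contention during shutdown, take the same private static lock as `initialize()` around this block rather than none, e.g. `synchronized (LOCK) { if (driver != null) { ... } }`. The rest of `cleanup()`, including whatever happens to `driver` afterwards, is outside this hunk.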

- * A utility class to extract version numbers from file names (or other strings containing version numbers.

+ * A utility class to extract version numbers from file names (or other strings + * containing version numbers.

* * @author Jeremy Long */ @@ -35,13 +36,16 @@ public final class DependencyVersionUtil { */ private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d{1,6})+(\\.?([_-](release|beta|alpha|\\d+)|[a-zA-Z_-]{1,3}\\d{0,8}))?"); /** - * Regular expression to extract a single version number without periods. This is a last ditch effort just to check in case we - * are missing a version number using the previous regex. + * Regular expression to extract a single version number without periods. + * This is a last ditch effort just to check in case we are missing a + * version number using the previous regex. */ private static final Pattern RX_SINGLE_VERSION = Pattern.compile("\\d+(\\.?([_-](release|beta|alpha)|[a-zA-Z_-]{1,3}\\d{1,8}))?"); - + /** - * Regular expression to extract the part before the version numbers if there are any based on RX_VERSION. In most cases, this part represents a more accurate name. + * Regular expression to extract the part before the version numbers if + * there are any based on RX_VERSION. In most cases, this part represents a + * more accurate name. */ private static final Pattern RX_PRE_VERSION = Pattern.compile("^(.+)[_-](\\d+\\.\\d{1,6})+"); @@ -53,7 +57,8 @@ public final class DependencyVersionUtil { /** *

- * A utility class to extract version numbers from file names (or other strings containing version numbers.

+ * A utility class to extract version numbers from file names (or other + * strings containing version numbers.

*
      * Example:
      * Give the file name: library-name-1.4.1r2-release.jar
@@ -103,21 +108,24 @@ public final class DependencyVersionUtil {
 
     /**
      * 

- * A utility class to extract the part before version numbers from file names (or other strings containing version numbers. - * In most cases, this part represents a more accurate name than the full file name.

+ * A utility class to extract the part before version numbers from file + * names (or other strings containing version numbers. In most cases, this + * part represents a more accurate name than the full file name.

*
      * Example:
      * Give the file name: library-name-1.4.1r2-release.jar
      * This function would return: library-name
 *
 * @param text the text being analyzed
- * @return the part before the version numbers if any, otherwise return the text itself.
+ * @return the part before the version numbers if any, otherwise return the
+ text itself.
 */
 public static String parsePreVersion(String text) {
- if(parseVersion(text) == null)
- return text;
-
- Matcher matcher = RX_PRE_VERSION.matcher(text);
+ if (parseVersion(text) == null) {
+ return text;
+ }
+
+ final Matcher matcher = RX_PRE_VERSION.matcher(text);
 if (matcher.find()) {
 return matcher.group(1);
 }
diff --git a/src/main/config/checkstyle-header.txt b/src/main/config/checkstyle-header.txt
index 2e87cd304..aef133a42 100644
--- a/src/main/config/checkstyle-header.txt
+++ b/src/main/config/checkstyle-header.txt
@@ -13,6 +13,6 @@
 ^ \* See the License for the specific language governing permissions and\s*$
 ^ \* limitations under the License\.\s*$
 ^ \*\s*$
-^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Bianca Jiang|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
+^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Bianca Jiang|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package
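Review bot: `parsePreVersion` still calls `parseVersion(text)` only as a yes/no gate and then runs `RX_PRE_VERSION` anyway, so every call pays for two regex passes while only the second one produces the result; if the gate is intentional (to stay consistent with whatever `parseVersion` accepts), say so in a comment, otherwise drop it and rely on `matcher.find()` alone. `RX_PRE_VERSION` is `^(.+)[_-](\\d+\\.\\d{1,6})+` with a greedy `(.+)`, so a name carrying two version-like segments, e.g. `foo-1.0-bar-2.0`, yields `foo-1.0-bar` as the "name"; that deserves a Javadoc sentence or a test if it is the intended behaviour. The `@return` wording can be tightened to `@return the text before the version number, or the unmodified text when no version is found`.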