diff --git a/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
index 2b0aed19c..5c0e7336d 100644
--- a/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -215,6 +215,12 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 return cpe;
 }
+ /**
+ * Removes bad CPE matches for a dependency. Unfortunately, right now
+ * these are hard-coded patches for specific problems identified when
+ * testing this ona LARGE volume of jar files.
+ * @param dependency the dependency to analyze
+ */
 private void removeBadMatches(Dependency dependency) {
 final Set identifiers = dependency.getIdentifiers();
 final Iterator itr = identifiers.iterator();
diff --git a/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index 9fffbd282..e41d88d55 100644
--- a/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -19,7 +19,6 @@ package org.owasp.dependencycheck.analyzer;
 import java.io.File;
-import java.io.FileInputStream;
 import java.util.Enumeration;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -44,7 +43,6 @@ import java.util.jar.JarFile;
 import java.util.jar.Manifest;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
-import java.util.zip.ZipInputStream;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBElement;
 import javax.xml.bind.Unmarshaller;
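Review bot: The new Javadoc on removeBadMatches has a typo in its third line, `testing this ona LARGE volume` should read `testing this on a large volume`, and the summary sentence would serve a maintainer better if it said what "bad" means here, e.g. `Removes CPE identifiers that are known false positives for a dependency; the rules are hard-coded patches for specific mismatches found while testing against a large set of jar files.`. The hunk shows only the first two statements of the method, so its body continues outside the hunk.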
@@ -213,7 +211,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 /**
 * A pattern to detect HTML within text.
 */
- final Pattern htmlDetection = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE);
+ final private Pattern htmlDetection = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE);
 /**
 * Attempts to find a pom.xml within the JAR file. If found it extracts
@@ -284,10 +282,10 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 justification = "The reader is closed by closing the zipEntry")
 private Properties retrievePomProperties(String path, final JarFile jar) throws IOException {
 Properties pomProperties = null;
- String propPath = path.substring(0, path.length() - 7) + "pom.properies";
- ZipEntry propEntry = jar.getEntry(propPath);
+ final String propPath = path.substring(0, path.length() - 7) + "pom.properies";
+ final ZipEntry propEntry = jar.getEntry(propPath);
 if (propEntry != null) {
- Reader reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
+ final Reader reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
 pomProperties = new Properties();
 pomProperties.load(reader);
 }
@@ -300,7 +298,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 * @throws IOException thrown if there is an exception reading a JarEntry
 */
 private List retrievePomListing(final JarFile jar) throws IOException {
- List pomEntries = new ArrayList();
+ final List pomEntries = new ArrayList();
 JarEntry entry = jar.entries().nextElement();
 while (entry != null) {
 final String entryName = (new File(entry.getName())).getName().toLowerCase();
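Review bot: The added field declaration uses the modifier order `final private Pattern htmlDetection`, which compiles but departs from the order the JLS recommends and from the `private final` order used elsewhere in this codebase; write it as `private final Pattern htmlDetection = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE);`. The `\\<` and `\\>` escapes in the pattern are also unnecessary, since angle brackets are not regex metacharacters, but dropping them is cosmetic and can wait.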
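Review bot: The path built on the new `final String propPath` line ends in `"pom.properies"`, which is not the name Maven writes into jars (`pom.properties`), so `jar.getEntry(propPath)` presumably never finds the entry and retrievePomProperties returns null even when the jar carries the file; the commit touches this line to add `final` but keeps the typo. Change it to `final String propPath = path.substring(0, path.length() - 7) + "pom.properties";`. The `path.length() - 7` arithmetic silently assumes `path` ends in `pom.xml`; writing it as `path.substring(0, path.length() - "pom.xml".length())` or adding `// strip the trailing "pom.xml"` makes that assumption visible to the next reader.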
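Review bot: The new `final List pomEntries = new ArrayList();` line keeps the raw type, so the element type is invisible at the declaration and nothing stops the wrong kind of object being added; judging by the `entryName` local that follows, the list presumably holds entry-name strings, in which case `final List<String> pomEntries = new ArrayList<String>();` (with `List<String>` on the signature) states that intent — please confirm against the loop body, which runs past the hunk. The same applies to the raw `JAXBElement` on the new side of the retrievePom hunk below, where `JAXBElement<Model>` would also remove the `(Model)` cast.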
@@ -322,10 +320,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 private Model retrievePom(String path, JarFile jar) throws JAXBException, IOException {
 ZipEntry entry = jar.getEntry(path);
 if (entry != null) { //should never be null
- NonClosingStream stream = new NonClosingStream(jar.getInputStream(entry));
- Model p = null;
- final JAXBElement obj = (JAXBElement) pomUnmarshaller.unmarshal(stream);
- return (Model) obj.getValue();
+ final NonClosingStream stream = new NonClosingStream(jar.getInputStream(entry));
+ final JAXBElement obj = (JAXBElement) pomUnmarshaller.unmarshal(stream);
+ return (Model) obj.getValue();
 }
 return null;
 }
diff --git a/src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java b/src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
index 31d81a18c..cf75d98f8 100644
--- a/src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
+++ b/src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
@@ -164,6 +164,15 @@ public class NvdCveAnalyzer implements Analyzer {
 this.open();
 }
+ /**
+ *
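Review bot: The pom.xml handed to `pomUnmarshaller.unmarshal(stream)` on the new side is read out of the jar being scanned, i.e. it is untrusted XML, and `Unmarshaller.unmarshal(InputStream)` leaves DTD and external-entity handling to whatever parser the JAXB provider picks, so whether external entities are resolved depends on the provider and JDK in use rather than on anything this code sets. The commit only makes the locals `final` and drops the unused `Model p`; a safer shape is to build an `XMLStreamReader` from an `XMLInputFactory` with `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` set to false and unmarshal from that, which adds `XMLStreamException` to the method's throws clause. The whole of retrievePom is visible in the hunk; only the two unmarshal lines change.
```java
if (entry != null) { //should never be null
    final NonClosingStream stream = new NonClosingStream(jar.getInputStream(entry));
    // pom.xml comes from the scanned jar, so treat it as untrusted XML:
    // refuse DTDs and external entities before handing it to JAXB.
    final XMLInputFactory xif = XMLInputFactory.newFactory();
    xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
    xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    final XMLStreamReader xsr = xif.createXMLStreamReader(stream);
    final JAXBElement obj = (JAXBElement) pomUnmarshaller.unmarshal(xsr);
    return (Model) obj.getValue();
    // … unchanged: closing brace of the if and the `return null;` fallback …
```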

Determines if this is a valid vulnerability match for the given dependency. + * Specifically, this is concerned with ensuring the version numbers are correct.

+ *

Currently, this is focused on the issues with the versions for Struts 1 and Struts 2. + * In the future this will due better matching on more version numbers.

+ * @param dependency
+ * @param v
+ * @return
+ */
 private boolean isValidMatch(final Dependency dependency, final Vulnerability v) {
 //right now I only know of the issue with Struts1/2
 // start with fixing this problem.
@@ -173,7 +182,7 @@ public class NvdCveAnalyzer implements Analyzer {
 boolean struts2 = false;
 for (Identifier i : dependency.getIdentifiers()) {
 if (i.getValue().startsWith("cpe:/a:apache:struts:")) {
- char version = i.getValue().charAt(21);
+ final char version = i.getValue().charAt(21);
 if (version == '1') {
 struts1 = true;
 }
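Review bot: The new Javadoc on isValidMatch leaves `@param dependency`, `@param v` and `@return` without descriptions, so the tags add nothing for a reader and Javadoc lint will warn on them; fill them in, e.g. `@param dependency the dependency whose identifiers are checked`, `@param v the vulnerability candidate being matched`, `@return true if the vulnerability is a valid match for the dependency`. The sentence `In the future this will due better matching` should read `will do better matching`. The prose already says the check is limited to Struts 1 and Struts 2, which matches the `//right now I only know of the issue with Struts1/2` comment kept below it.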
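Review bot: `final char version = i.getValue().charAt(21);` still indexes the identifier with a magic number and without a length check: `startsWith("cpe:/a:apache:struts:")` is also true for a value that is exactly that 21-character prefix, and `charAt(21)` then throws StringIndexOutOfBoundsException out of the analyzer for a single malformed identifier. Guard and name the offset, for example `final String cpe = i.getValue();` / `if (cpe.startsWith(STRUTS_PREFIX) && cpe.length() > STRUTS_PREFIX.length()) {` / `final char version = cpe.charAt(STRUTS_PREFIX.length());`, with `STRUTS_PREFIX` a constant holding `"cpe:/a:apache:struts:"` (name is a suggestion). The enclosing for loop and the isValidMatch method start before this hunk and continue after it.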