github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-19 07:44:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

added false positive checks for axis vs axis2

Browse Source 
Former-commit-id: 4548c6d0e8ba036756721460d0d439ff90279dd4
This commit is contained in:
Jeremy Long
2013-10-26 17:21:14 -04:00
parent 58cfdd6d05
commit f903d91dca
1 changed files with 35 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
View File

@@ -109,6 +109,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
public void analyze(Dependency dependency, Engine engine) throws AnalysisException { public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
removeJreEntries(dependency); removeJreEntries(dependency);
removeBadMatches(dependency); removeBadMatches(dependency);
removeWrongVersionMatches(dependency);
removeSpuriousCPE(dependency); removeSpuriousCPE(dependency);
addFalseNegativeCPEs(dependency); addFalseNegativeCPEs(dependency);
} }
@@ -291,6 +292,40 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
} }
} }
/**
* Removes CPE matches for the wrong version of a dependency. Currently,
* this only covers Axis 1 & 2.
*
* @param dependency the dependency to analyze
*/
private void removeWrongVersionMatches(Dependency dependency) {
final Set<Identifier> identifiers = dependency.getIdentifiers();
final Iterator<Identifier> itr = identifiers.iterator();
final String fileName = dependency.getFileName();
if (fileName != null && fileName.contains("axis2")) {
while (itr.hasNext()) {
final Identifier i = itr.next();
if ("cpe".equals(i.getType())) {
final String cpe = i.getValue();
if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis:") || "cpe:/a:apache:axis".equals(cpe))) {
itr.remove();
}
}
}
} else if (fileName != null && fileName.contains("axis")) {
while (itr.hasNext()) {
final Identifier i = itr.next();
if ("cpe".equals(i.getType())) {
final String cpe = i.getValue();
if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis2:") || "cpe:/a:apache:axis2".equals(cpe))) {
itr.remove();
}
}
}
}
}
/** /**
* There are some known CPE entries, specifically regarding sun and oracle * There are some known CPE entries, specifically regarding sun and oracle
* products due to the acquisition and changes in product names, that based * products due to the acquisition and changes in product names, that based