From fdb0d07ab82b8e7caf16e1e45797a8b475e83d28 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Tue, 4 Jun 2013 23:27:14 -0400
Subject: [PATCH] fixed bug where dependencies would get bundled even if they were different versions
Former-commit-id: 23eb0cb89d4372611d552e3691727ac8477b245c
---
 .../analyzer/DependencyBundlingAnalyzer.java | 43 ++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
index 38c5216fb..83bc1b012 100644
--- a/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -23,8 +23,12 @@ import java.util.HashSet;
 import java.util.Iterator;
 import java.util.ListIterator;
 import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 /**
 *

This analyzer ensures dependencies that should be grouped together, to
@@ -52,6 +56,11 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 */
 private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
+ /**
+ * A pattern for obtaining the first part of a filename.
+ */
+ private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
+ /** + * Returns a list of file EXTENSIONS supported by this analyzer. + *
@@ -118,7 +127,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 final Dependency nextDependency = subIterator.next();
 if (identifiersMatch(dependency, nextDependency)
- && hasSameBasePath(dependency, nextDependency)) {
+ && hasSameBasePath(dependency, nextDependency)
+ && fileNameMatch(dependency, nextDependency)) {
 if (isCore(dependency, nextDependency)) {
 dependency.addRelatedDependency(nextDependency);
@@ -179,6 +189,37 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 return path.substring(0, pos);
 }
+ /**
+ * Returns true if the file names (and version if it exists) of the two
+ * dependencies are sufficiently similiar.
+ * @param dependency1 a dependency2 to compare
+ * @param dependency2 a dependency2 to compare
+ * @return true if the identifiers in the two supplied dependencies are equal
+ */
+ private boolean fileNameMatch(Dependency dependency1, Dependency dependency2) {
+ if (dependency1 == null || dependency1.getFileName() == null
+ || dependency2 == null || dependency2.getFileName() == null) {
+ return false;
+ }
+ String fileName1 = dependency1.getFileName();
+ String fileName2 = dependency2.getFileName();
+ //version check
+ DependencyVersion version1 = DependencyVersionUtil.parseVersionFromFileName(fileName1);
+ DependencyVersion version2 = DependencyVersionUtil.parseVersionFromFileName(fileName2);
+ if (version1 != null && version2 != null) {
+ if (!version1.equals(version2)) {
+ return false;
+ }
+ }
+ Matcher match1 = STARTING_TEXT_PATTERN.matcher(fileName1);
+ Matcher match2 = STARTING_TEXT_PATTERN.matcher(fileName2);
+ if (match1.find() && match2.find()) {
+ return match1.group().equals(match2.group());
+ }
+
+ return false;
+ }
+
 /**
 * Returns true if the identifiers in the two supplied dependencies are equal.
 * @param dependency1 a dependency2 to compare
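Review bot: `STARTING_TEXT_PATTERN` (`^[a-zA-Z]*`, declared in the earlier hunk) matches the empty string, so on the `if (match1.find() && match2.find())` line both `find()` calls always succeed and two file names that do not begin with a letter compare equal on an empty prefix, while the trailing `return false` is unreachable as written. Changing the pattern to `Pattern.compile("^[a-zA-Z]+")`, or adding `&& !match1.group().isEmpty()` to that condition, makes a missing letter prefix a non-match rather than a wildcard. The version guard only applies when both names yield a version, so a versioned and an unversioned file of the same library still fall through to the prefix comparison — presumably intended, but worth a one-line comment given that keeping different versions apart is the point of this commit. The `@return` text was copied from `identifiersMatch`; it should read `@return true if the file names (and versions, when both are present) of the two dependencies match`, and "similiar" should be "similar".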