diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java index 701897b7c..fd6911e6f 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java @@ -311,6 +311,10 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal return false; } + /** + * Bundling Ruby gems that are identified from different .gemspec files but denote the same package path. + * This happens when Ruby bundler installs an app's dependencies by running "bundle install". + */ private boolean isSameRubyGem(Dependency dependency1, Dependency dependency2) { if (dependency1 == null || dependency2 == null || !dependency1.getFileName().endsWith(".gemspec") || @@ -326,8 +330,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal } /** - * A gem install may have zero or more *.gemspec files, all of which have the same packagePath and should be grouped. - * If one of these gemspec is from /specifications/*.gemspec, which is a stub with fully resolved gem meta-data + * Ruby gems installed by "bundle install" can have zero or more *.gemspec files, all of which have the same packagePath and should be grouped. + * If one of these gemspec is from /specifications/*.gemspec, because it is a stub with fully resolved gem meta-data * created by Ruby bundler, this dependency should be the main one. Otherwise, use dependency2 as main. * * This method returns null if any dependency is not from *.gemspec, or the two do not have the same packagePath. 
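Review bot: The new Javadoc on `isSameRubyGem` explains when the situation arises but never states what the method returns, so a reader still has to open the body (which continues past the hunk) to learn that it is a predicate. The summary sentence should be a verb phrase naming the contract, e.g. `Returns true when both dependencies are *.gemspec files that resolve to the same package path, i.e. the same gem installed by "bundle install".`, followed by `@param dependency1`, `@param dependency2` and `@return`. The visible guard rejects a null argument or a file name not ending in `.gemspec`, presumably by returning false, and that is worth stating as well.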
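Review bot: The rewritten second sentence of the Javadoc reads awkwardly: `If one of these gemspec is from /specifications/*.gemspec, because it is a stub with fully resolved gem meta-data created by Ruby bundler, this dependency should be the main one` puts the reason before the subject and drops the plural. A clearer version is `If one of these gemspecs comes from /specifications/*.gemspec, that dependency should be the main one, because it is a stub with fully resolved gem metadata created by Bundler; otherwise dependency2 is the main one.` The narrowing from "A gem install" to gems installed by "bundle install" is not something the hunk supports either way, so it may be worth confirming that plain `gem install` layouts are still covered before committing to that wording.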
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java index 9d0d6596d..770c49cb5 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java @@ -17,10 +17,22 @@ */ package org.owasp.dependencycheck.analyzer; +import java.io.BufferedReader; +import java.io.File; +import java.io.FileFilter; +import java.io.IOException; +import java.io.InputStreamReader; +import java.nio.charset.Charset; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + import org.apache.commons.io.FileUtils; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.data.nvdcve.CveDB; +import org.owasp.dependencycheck.data.nvdcve.DatabaseException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Reference; @@ -30,12 +42,6 @@ import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.io.*; -import java.nio.charset.Charset; -import java.util.*; -import java.util.logging.Level; -import org.owasp.dependencycheck.data.nvdcve.DatabaseException; - /** * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party * bundle-audit tool. 
@@ -364,6 +370,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { final File gemFile = new File(Settings.getTempDirectory(), gem + "_Gemfile.lock"); gemFile.createNewFile(); final String displayFileName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem); + FileUtils.write(gemFile, displayFileName, Charset.defaultCharset()); // unique contents to avoid dependency bundling final Dependency dependency = new Dependency(gemFile); dependency.getProductEvidence().addEvidence("bundler-audit", "Name", gem, Confidence.HIGHEST);
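Review bot: The new `FileUtils.write` call makes the file contents unique per lock file and gem, but the path it writes to is still derived from the gem name alone (`gem + "_Gemfile.lock"` under `Settings.getTempDirectory()`), so two Gemfile.lock files in one scan that share a gem name write different contents to the same path and the second write replaces the file behind the first Dependency; whether that reintroduces the bundling this is meant to avoid depends on when Dependency hashes the file, which is outside the hunk. The preceding `gemFile.createNewFile()` also discards its result, so a stale file or, if the temp directory is shared, a symlink planted by another local user would be written through silently. Both are addressed by letting the JDK create a fresh, uniquely named file, e.g. `final File gemFile = File.createTempFile(gem + "_", "_Gemfile.lock", Settings.getTempDirectory());` in place of the first two lines, provided nothing downstream depends on the exact temp file name. Independently, `Charset.defaultCharset()` makes the written bytes platform dependent; `StandardCharsets.UTF_8` (with the matching import) is the usual choice. The enclosing method continues past the hunk.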