1 /*
2 * This file is part of dependency-check-core.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17 */
18 package org.owasp.dependencycheck.analyzer;
19
20 import java.io.File;
21 import org.owasp.dependencycheck.Engine;
22 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
23 import org.owasp.dependencycheck.dependency.Confidence;
24 import org.owasp.dependencycheck.dependency.Dependency;
25 import org.owasp.dependencycheck.utils.DependencyVersion;
26 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
27
28 /**
29 *
30 * Takes a dependency and analyzes the filename and determines the hashes.
31 *
32 * @author Jeremy Long
33 */
34 public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
35
36 //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
37 /**
38 * The name of the analyzer.
39 */
40 private static final String ANALYZER_NAME = "File Name Analyzer";
41 /**
42 * The phase that this analyzer is intended to run in.
43 */
44 private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
45
46 /**
47 * Returns the name of the analyzer.
48 *
49 * @return the name of the analyzer.
50 */
51 @Override
52 public String getName() {
53 return ANALYZER_NAME;
54 }
55
56 /**
57 * Returns the phase that the analyzer is intended to run in.
58 *
59 * @return the phase that the analyzer is intended to run in.
60 */
61 @Override
62 public AnalysisPhase getAnalysisPhase() {
63 return ANALYSIS_PHASE;
64 }
65 //</editor-fold>
66
67 /**
68 * Collects information about the file name.
69 *
70 * @param dependency the dependency to analyze.
71 * @param engine the engine that is scanning the dependencies
72 * @throws AnalysisException is thrown if there is an error reading the JAR file.
73 */
74 @Override
75 public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
76
77 //strip any path information that may get added by ArchiveAnalyzer, etc.
78 final File f = dependency.getActualFile();
79 String fileName = f.getName();
80
81 //remove file extension
82 final int pos = fileName.lastIndexOf(".");
83 if (pos > 0) {
84 fileName = fileName.substring(0, pos);
85 }
86
87 //add version evidence
88 final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);
89 if (version != null) {
90 // If the version number is just a number like 2 or 23, reduce the confidence
91 // a shade. This should hopefully correct for cases like log4j.jar or
92 // struts2-core.jar
93 if (version.getVersionParts() == null || version.getVersionParts().size() < 2) {
94 dependency.getVersionEvidence().addEvidence("file", "name",
95 version.toString(), Confidence.MEDIUM);
96 } else {
97 dependency.getVersionEvidence().addEvidence("file", "name",
98 version.toString(), Confidence.HIGHEST);
99 }
100 dependency.getVersionEvidence().addEvidence("file", "name",
101 fileName, Confidence.MEDIUM);
102 }
103
104 //add as vendor and product evidence
105 if (fileName.contains("-")) {
106 dependency.getProductEvidence().addEvidence("file", "name",
107 fileName, Confidence.HIGHEST);
108 dependency.getVendorEvidence().addEvidence("file", "name",
109 fileName, Confidence.HIGHEST);
110 } else {
111 dependency.getProductEvidence().addEvidence("file", "name",
112 fileName, Confidence.HIGH);
113 dependency.getVendorEvidence().addEvidence("file", "name",
114 fileName, Confidence.HIGH);
115 }
116 }
117 }