Coverage Report - org.owasp.dependencycheck.analyzer.RubyBundlerAnalyzer
 
Classes in this File Line Coverage Branch Coverage Complexity
RubyBundlerAnalyzer
66%
20/30
43%
13/30
4.5
RubyBundlerAnalyzer$1
100%
2/2
N/A
4.5
 
 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2016 Bianca Jiang. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
 import java.io.FilenameFilter;
 
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 
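 /**
  * This analyzer accepts the fully resolved .gemspec created by the Ruby bundler
  * (http://bundler.io) for better evidence results. It also tries to resolve the
  * dependency packagePath to where the gem is actually installed. Then during {@link org.owasp.dependencycheck.analyzer.AnalysisPhase#PRE_FINDING_ANALYSIS}
  * {@link DependencyBundlingAnalyzer} will merge two .gemspec dependencies
  * together if <code>Dependency.getPackagePath()</code> are the same.
  *
  * Ruby bundler creates new .gemspec files under a folder called
  * "specifications" at deploy time, in addition to the original .gemspec files
  * from source. The bundler generated .gemspec files always contain fully
  * resolved attributes thus provide more accurate evidences, whereas the
  * original .gemspec from source often contain variables for attributes that
  * can't be used for evidences.
  *
  * Note this analyzer shares the same
  * {@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_RUBY_GEMSPEC_ENABLED} as
  * {@link RubyGemspecAnalyzer}, so it will be enabled/disabled together with
  * {@link RubyGemspecAnalyzer}.
  *
  * @author Bianca Jiang (biancajiang@gmail.com)
  */
 @Experimental
 public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {

     /**
      * The name of the analyzer.
      */
     private static final String ANALYZER_NAME = "Ruby Bundler Analyzer";

     /**
      * Folder name that contains .gemspec files created by "bundle install".
      */
     private static final String SPECIFICATIONS = "specifications";

     /**
      * Folder name that contains the gems installed by "bundle install".
      */
     private static final String GEMS = "gems";

     /**
      * File extension of the gemspec stubs this analyzer resolves; the gem name
      * is the file name with this suffix removed.
      */
     private static final String GEMSPEC_EXTENSION = ".gemspec";

     /**
      * Returns the name of the analyzer.
      *
      * @return the name of the analyzer.
      */
     @Override
     public String getName() {
         return ANALYZER_NAME;
     }

     /**
      * Only accept *.gemspec files generated by "bundle install --deployment"
      * under the "specifications" folder. The extension check itself is
      * delegated to {@link RubyGemspecAnalyzer#accept(File)}; this override only
      * adds the parent-folder constraint.
      *
      * @param pathname the path name to test
      * @return true if the analyzer can process the given file; otherwise false
      */
     @Override
     public boolean accept(File pathname) {
         if (!super.accept(pathname)) {
             return false;
         }
         final File parentDir = pathname.getParentFile();
         return parentDir != null && SPECIFICATIONS.equals(parentDir.getName());
     }

     /**
      * Runs the regular gemspec analysis and then tries to point the dependency's
      * packagePath at the installed gem folder (<code>../gems/&lt;name&gt;</code>
      * relative to the "specifications" folder holding the stub).
      *
      * @param dependency the dependency to analyze
      * @param engine the engine that is scanning the dependencies
      * @throws AnalysisException if the parent analysis fails
      */
     @Override
     protected void analyzeFileType(Dependency dependency, Engine engine)
             throws AnalysisException {
         super.analyzeFileType(dependency, engine);

         final File gemspecFile = dependency.getActualFile();
         final String gemName = gemNameOf(gemspecFile.getName());
         if (gemName == null) {
             // Not a .gemspec stub (accept() normally rules this out); there is no
             // gem folder to resolve, and substring() must not be fed a -1 index.
             return;
         }

         // find the corresponding gem folder for this .gemspec stub created by "bundle install --deployment"
         final File gemDir = findInstalledGemDir(gemspecFile, gemName);
         if (gemDir == null) {
             return;
         }

         if (dependency.getActualFilePath().equals(dependency.getFilePath())) {
             dependency.setPackagePath(gemDir.getAbsolutePath());
         } else {
             // .gemspec's actualFilePath and filePath are different when it's from a compressed file,
             // in which case actualFilePath is the temp directory used by decompression.
             // packagePath should use the filePath of the identified gem file in the "gems" folder.
             final File gemspecStub = new File(dependency.getFilePath());
             final File specDir = gemspecStub.getParentFile();
             if (specDir != null && SPECIFICATIONS.equals(specDir.getName())) {
                 final File gemsDir = new File(specDir.getParentFile(), GEMS);
                 final File packageDir = new File(gemsDir, gemName);
                 dependency.setPackagePath(packageDir.getAbsolutePath());
             }
         }
     }

     /**
      * Strips the ".gemspec" suffix from a stub file name.
      *
      * @param gemspecFileName the file name of the gemspec stub
      * @return the gem name, or null when the name carries no ".gemspec" suffix
      */
     private static String gemNameOf(String gemspecFileName) {
         final int suffixIndex = gemspecFileName.lastIndexOf(GEMSPEC_EXTENSION);
         if (suffixIndex < 0) {
             return null;
         }
         return gemspecFileName.substring(0, suffixIndex);
     }

     /**
      * Locates the installed gem folder that belongs to a gemspec stub, i.e. the
      * entry named {@code gemName} inside the "gems" folder that is a sibling of
      * the stub's "specifications" folder.
      *
      * @param gemspecFile the gemspec stub on disk
      * @param gemName the gem name derived from the stub's file name
      * @return the matching entry in the "gems" folder, or null when any part of
      * the expected layout is missing
      */
     private static File findInstalledGemDir(File gemspecFile, final String gemName) {
         final File specificationsDir = gemspecFile.getParentFile();
         if (specificationsDir == null || !SPECIFICATIONS.equals(specificationsDir.getName())
                 || !specificationsDir.exists()) {
             return null;
         }
         final File bundleDir = specificationsDir.getParentFile();
         if (bundleDir == null || !bundleDir.exists()) {
             return null;
         }
         final File gemsDir = new File(bundleDir, GEMS);
         if (!gemsDir.exists()) {
             return null;
         }
         // exact-name match only; listFiles returns null on I/O error or non-directory
         final File[] matchingFiles = gemsDir.listFiles(new FilenameFilter() {
             @Override
             public boolean accept(File dir, String name) {
                 return name.equals(gemName);
             }
         });
         if (matchingFiles == null || matchingFiles.length == 0) {
             return null;
         }
         return matchingFiles[0];
     }
 }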