Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

DependencyBundlingAnalyzer

40%

72/178

30%

57/184

7.688

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.ListIterator;
 import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
  * <p>
  * This analyzer ensures dependencies that should be grouped together, to remove
  * excess noise from the report, are grouped. An example would be Spring, Spring
  * Beans, Spring MVC, etc. If they are all for the same version and have the
  * same relative path then these should be grouped into a single dependency
  * under the core/main library.</p>
  * <p>
  * Note, this grouping only works on dependencies with identified CVE
  * entries</p>
  *
  * @author Jeremy Long
  */
 public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     /**
      * The Logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(DependencyBundlingAnalyzer.class);
 
     //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
     /**
      * A pattern for obtaining the first part of a filename.
      */
     private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z0-9]*");
     /**
      * a flag indicating if this analyzer has run. This analyzer only runs once.
      */
     private boolean analyzed = false;
     //</editor-fold>
     //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
     /**
      * The name of the analyzer.
      */
     private static final String ANALYZER_NAME = "Dependency Bundling Analyzer";
     /**
      * The phase that this analyzer is intended to run in.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
 
     /**
      * Returns the name of the analyzer.
      *
      * @return the name of the analyzer.
      */
     @Override
     public String getName() {
         return ANALYZER_NAME;
     }
 
     /**
      * Returns the phase that the analyzer is intended to run in.
      *
      * @return the phase that the analyzer is intended to run in.
      */
     @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
     //</editor-fold>
 
     /**
      * Analyzes a set of dependencies. If they have been found to have the same
      * base path and the same set of identifiers they are likely related. The
      * related dependencies are bundled into a single reportable item.
      *
      * @param ignore this analyzer ignores the dependency being analyzed
      * @param engine the engine that is scanning the dependencies
      * @throws AnalysisException is thrown if there is an error reading the JAR
      * file.
      */
     @Override
     public void analyze(Dependency ignore, Engine engine) throws AnalysisException {
         if (!analyzed) {
             analyzed = true;
             final Set<Dependency> dependenciesToRemove = new HashSet<Dependency>();
             final ListIterator<Dependency> mainIterator = engine.getDependencies().listIterator();
             //for (Dependency nextDependency : engine.getDependencies()) {
             while (mainIterator.hasNext()) {
                 final Dependency dependency = mainIterator.next();
                 if (mainIterator.hasNext() && !dependenciesToRemove.contains(dependency)) {
                     final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
                     while (subIterator.hasNext()) {
                         final Dependency nextDependency = subIterator.next();
                         if (hashesMatch(dependency, nextDependency) && !containedInWar(dependency.getFilePath())
                                 && !containedInWar(nextDependency.getFilePath())) {
                             if (firstPathIsShortest(dependency.getFilePath(), nextDependency.getFilePath())) {
                                 mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                             } else {
                                 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                 break; //since we merged into the next dependency - skip forward to the next in mainIterator
                             }
                         } else if (isShadedJar(dependency, nextDependency)) {
                             if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
                                 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                 nextDependency.getRelatedDependencies().remove(dependency);
                                 break;
                             } else {
                                 mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                                 dependency.getRelatedDependencies().remove(nextDependency);
                             }
                         } else if (cpeIdentifiersMatch(dependency, nextDependency)
                                 && hasSameBasePath(dependency, nextDependency)
                                 && fileNameMatch(dependency, nextDependency)) {
                             if (isCore(dependency, nextDependency)) {
                                 mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                             } else {
                                 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                 break; //since we merged into the next dependency - skip forward to the next in mainIterator
                             }
                         } else if (isSameRubyGem(dependency, nextDependency)) {
                             final Dependency main = getMainGemspecDependency(dependency, nextDependency);
                             if (main == dependency) {
                                 mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                             } else {
                                 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                 break; //since we merged into the next dependency - skip forward to the next in mainIterator
                             }
                         }
                     }
                 }
             }
             //removing dependencies here as ensuring correctness and avoiding ConcurrentUpdateExceptions
             // was difficult because of the inner iterator.
             engine.getDependencies().removeAll(dependenciesToRemove);
         }
     }
 
     /**
      * Adds the relatedDependency to the dependency's related dependencies.
      *
      * @param dependency the main dependency
      * @param relatedDependency a collection of dependencies to be removed from
      * the main analysis loop, this is the source of dependencies to remove
      * @param dependenciesToRemove a collection of dependencies that will be
      * removed from the main analysis loop, this function adds to this
      * collection
      */
     private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
         dependency.addRelatedDependency(relatedDependency);
         final Iterator<Dependency> i = relatedDependency.getRelatedDependencies().iterator();
         while (i.hasNext()) {
             dependency.addRelatedDependency(i.next());
             i.remove();
         }
         if (dependency.getSha1sum().equals(relatedDependency.getSha1sum())) {
             dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
         }
         dependenciesToRemove.add(relatedDependency);
     }
 
     /**
      * Attempts to trim a maven repo to a common base path. This is typically
      * [drive]\[repo_location]\repository\[path1]\[path2].
      *
      * @param path the path to trim
      * @return a string representing the base path.
      */
     private String getBaseRepoPath(final String path) {
         int pos = path.indexOf("repository" + File.separator) + 11;
         if (pos < 0) {
             return path;
         }
         int tmp = path.indexOf(File.separator, pos);
         if (tmp <= 0) {
             return path;
         }
         if (tmp > 0) {
             pos = tmp + 1;
         }
         tmp = path.indexOf(File.separator, pos);
         if (tmp > 0) {
             pos = tmp + 1;
         }
         return path.substring(0, pos);
     }
 
     /**
      * Returns true if the file names (and version if it exists) of the two
      * dependencies are sufficiently similar.
      *
      * @param dependency1 a dependency2 to compare
      * @param dependency2 a dependency2 to compare
      * @return true if the identifiers in the two supplied dependencies are
      * equal
      */
     private boolean fileNameMatch(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency1.getFileName() == null
                 || dependency2 == null || dependency2.getFileName() == null) {
             return false;
         }
         final String fileName1 = dependency1.getActualFile().getName();
         final String fileName2 = dependency2.getActualFile().getName();
 
         //version check
         final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
         final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
         if (version1 != null && version2 != null && !version1.equals(version2)) {
             return false;
         }
 
         //filename check
         final Matcher match1 = STARTING_TEXT_PATTERN.matcher(fileName1);
         final Matcher match2 = STARTING_TEXT_PATTERN.matcher(fileName2);
         if (match1.find() && match2.find()) {
             return match1.group().equals(match2.group());
         }
 
         return false;
     }
 
     /**
      * Returns true if the CPE identifiers in the two supplied dependencies are
      * equal.
      *
      * @param dependency1 a dependency2 to compare
      * @param dependency2 a dependency2 to compare
      * @return true if the identifiers in the two supplied dependencies are
      * equal
      */
     private boolean cpeIdentifiersMatch(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency1.getIdentifiers() == null
                 || dependency2 == null || dependency2.getIdentifiers() == null) {
             return false;
         }
         boolean matches = false;
         int cpeCount1 = 0;
         int cpeCount2 = 0;
         for (Identifier i : dependency1.getIdentifiers()) {
             if ("cpe".equals(i.getType())) {
                 cpeCount1 += 1;
             }
         }
         for (Identifier i : dependency2.getIdentifiers()) {
             if ("cpe".equals(i.getType())) {
                 cpeCount2 += 1;
             }
         }
         if (cpeCount1 > 0 && cpeCount1 == cpeCount2) {
             for (Identifier i : dependency1.getIdentifiers()) {
                 if ("cpe".equals(i.getType())) {
                     matches |= dependency2.getIdentifiers().contains(i);
                     if (!matches) {
                         break;
                     }
                 }
             }
         }
         LOGGER.debug("IdentifiersMatch={} ({}, {})", matches, dependency1.getFileName(), dependency2.getFileName());
         return matches;
     }
 
     /**
      * Determines if the two dependencies have the same base path.
      *
      * @param dependency1 a Dependency object
      * @param dependency2 a Dependency object
      * @return true if the base paths of the dependencies are identical
      */
     private boolean hasSameBasePath(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency2 == null) {
             return false;
         }
         final File lFile = new File(dependency1.getFilePath());
         String left = lFile.getParent();
         final File rFile = new File(dependency2.getFilePath());
         String right = rFile.getParent();
         if (left == null) {
             return right == null;
         }
         if (left.equalsIgnoreCase(right)) {
             return true;
         }
         if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
             left = getBaseRepoPath(left);
             right = getBaseRepoPath(right);
         }
         if (left.equalsIgnoreCase(right)) {
             return true;
         }
         //new code
         for (Dependency child : dependency2.getRelatedDependencies()) {
             if (hasSameBasePath(dependency1, child)) {
                 return true;
             }
         }
         return false;
     }
 
     /**
      * Bundling Ruby gems that are identified from different .gemspec files but
      * denote the same package path. This happens when Ruby bundler installs an
      * application's dependencies by running "bundle install".
      *
      * @param dependency1 dependency to compare
      * @param dependency2 dependency to compare
      * @return true if the the dependencies being analyzed appear to be the
      * same; otherwise false
      */
     private boolean isSameRubyGem(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency2 == null
                 || !dependency1.getFileName().endsWith(".gemspec")
                 || !dependency2.getFileName().endsWith(".gemspec")
                 || dependency1.getPackagePath() == null
                 || dependency2.getPackagePath() == null) {
             return false;
         }
         if (dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath())) {
             return true;
         }
 
         return false;
     }
 
     /**
      * Ruby gems installed by "bundle install" can have zero or more *.gemspec
      * files, all of which have the same packagePath and should be grouped. If
      * one of these gemspec is from <parent>/specifications/*.gemspec, because
      * it is a stub with fully resolved gem meta-data created by Ruby bundler,
      * this dependency should be the main one. Otherwise, use dependency2 as
      * main.
      *
      * This method returns null if any dependency is not from *.gemspec, or the
      * two do not have the same packagePath. In this case, they should not be
      * grouped.
      *
      * @param dependency1 dependency to compare
      * @param dependency2 dependency to compare
      * @return the main dependency; or null if a gemspec is not included in the
      * analysis
      */
     private Dependency getMainGemspecDependency(Dependency dependency1, Dependency dependency2) {
         if (isSameRubyGem(dependency1, dependency2)) {
             final File lFile = dependency1.getActualFile();
             final File left = lFile.getParentFile();
             if (left != null && left.getName().equalsIgnoreCase("specifications")) {
                 return dependency1;
             }
             return dependency2;
         }
         return null;
     }
 
     /**
      * This is likely a very broken attempt at determining if the 'left'
      * dependency is the 'core' library in comparison to the 'right' library.
      *
      * @param left the dependency to test
      * @param right the dependency to test against
      * @return a boolean indicating whether or not the left dependency should be
      * considered the "core" version.
      */
     boolean isCore(Dependency left, Dependency right) {
         final String leftName = left.getFileName().toLowerCase();
         final String rightName = right.getFileName().toLowerCase();
 
         final boolean returnVal;
         if (!rightName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+") && leftName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+")
                 || rightName.contains("core") && !leftName.contains("core")
                 || rightName.contains("kernel") && !leftName.contains("kernel")) {
             returnVal = false;
         } else if (rightName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+") && !leftName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+")
                 || !rightName.contains("core") && leftName.contains("core")
                 || !rightName.contains("kernel") && leftName.contains("kernel")) {
             returnVal = true;
 //        } else if (leftName.matches(".*struts2\\-core.*") && rightName.matches(".*xwork\\-core.*")) {
 //            returnVal = true;
 //        } else if (rightName.matches(".*struts2\\-core.*") && leftName.matches(".*xwork\\-core.*")) {
 //            returnVal = false;
         } else {
             /*
              * considered splitting the names up and comparing the components,
              * but decided that the file name length should be sufficient as the
              * "core" component, if this follows a normal naming protocol should
              * be shorter:
              * axis2-saaj-1.4.1.jar
              * axis2-1.4.1.jar       <-----
              * axis2-kernel-1.4.1.jar
              */
             returnVal = leftName.length() <= rightName.length();
         }
         LOGGER.debug("IsCore={} ({}, {})", returnVal, left.getFileName(), right.getFileName());
         return returnVal;
     }
 
     /**
      * Compares the SHA1 hashes of two dependencies to determine if they are
      * equal.
      *
      * @param dependency1 a dependency object to compare
      * @param dependency2 a dependency object to compare
      * @return true if the sha1 hashes of the two dependencies match; otherwise
      * false
      */
     private boolean hashesMatch(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency2 == null || dependency1.getSha1sum() == null || dependency2.getSha1sum() == null) {
             return false;
         }
         return dependency1.getSha1sum().equals(dependency2.getSha1sum());
     }
 
     /**
      * Determines if the jar is shaded and the created pom.xml identified the
      * same CPE as the jar - if so, the pom.xml dependency should be removed.
      *
      * @param dependency a dependency to check
      * @param nextDependency another dependency to check
      * @return true if on of the dependencies is a pom.xml and the identifiers
      * between the two collections match; otherwise false
      */
     private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
         final String mainName = dependency.getFileName().toLowerCase();
         final String nextName = nextDependency.getFileName().toLowerCase();
         if (mainName.endsWith(".jar") && nextName.endsWith("pom.xml")) {
             return dependency.getIdentifiers().containsAll(nextDependency.getIdentifiers());
         } else if (nextName.endsWith(".jar") && mainName.endsWith("pom.xml")) {
             return nextDependency.getIdentifiers().containsAll(dependency.getIdentifiers());
         }
         return false;
     }
 
     /**
      * Determines which path is shortest; if path lengths are equal then we use
      * compareTo of the string method to determine if the first path is smaller.
      *
      * @param left the first path to compare
      * @param right the second path to compare
      * @return <code>true</code> if the leftPath is the shortest; otherwise
      * <code>false</code>
      */
     protected boolean firstPathIsShortest(String left, String right) {
         final String leftPath = left.replace('\\', '/');
         final String rightPath = right.replace('\\', '/');
 
         final int leftCount = countChar(leftPath, '/');
         final int rightCount = countChar(rightPath, '/');
         if (leftCount == rightCount) {
             return leftPath.compareTo(rightPath) <= 0;
         } else {
             return leftCount < rightCount;
         }
     }
 
     /**
      * Counts the number of times the character is present in the string.
      *
      * @param string the string to count the characters in
      * @param c the character to count
      * @return the number of times the character is present in the string
      */
     private int countChar(String string, char c) {
         int count = 0;
         final int max = string.length();
         for (int i = 0; i < max; i++) {
             if (c == string.charAt(i)) {
                 count++;
             }
         }
         return count;
     }
 
     /**
      * Checks if the given file path is contained within a war or ear file.
      *
      * @param filePath the file path to check
      * @return true if the path contains '.war\' or '.ear\'.
      */
     private boolean containedInWar(String filePath) {
         return filePath == null ? false : filePath.matches(".*\\.(ear|war)[\\\\/].*");
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import java.io.File;
21		import java.util.HashSet;
22		import java.util.Iterator;
23		import java.util.ListIterator;
24		import java.util.Set;
25		import java.util.regex.Matcher;
26		import java.util.regex.Pattern;
27		import org.owasp.dependencycheck.Engine;
28		import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
29		import org.owasp.dependencycheck.dependency.Dependency;
30		import org.owasp.dependencycheck.dependency.Identifier;
31		import org.owasp.dependencycheck.utils.DependencyVersion;
32		import org.owasp.dependencycheck.utils.DependencyVersionUtil;
33		import org.slf4j.Logger;
34		import org.slf4j.LoggerFactory;
35
36		/**
37		* <p>
38		* This analyzer ensures dependencies that should be grouped together, to remove
39		* excess noise from the report, are grouped. An example would be Spring, Spring
40		* Beans, Spring MVC, etc. If they are all for the same version and have the
41		* same relative path then these should be grouped into a single dependency
42		* under the core/main library.</p>
43		* <p>
44		* Note, this grouping only works on dependencies with identified CVE
45		* entries</p>
46		*
47		* @author Jeremy Long
48		*/
49	10	public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
50
51		/**
52		* The Logger.
53		*/
54	1	private static final Logger LOGGER = LoggerFactory.getLogger(DependencyBundlingAnalyzer.class);
55
56		//<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
57		/**
58		* A pattern for obtaining the first part of a filename.
59		*/
60	1	private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z0-9]*");
61		/**
62		* a flag indicating if this analyzer has run. This analyzer only runs once.
63		*/
64	10	private boolean analyzed = false;
65		//</editor-fold>
66		//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
67		/**
68		* The name of the analyzer.
69		*/
70		private static final String ANALYZER_NAME = "Dependency Bundling Analyzer";
71		/**
72		* The phase that this analyzer is intended to run in.
73		*/
74	1	private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
75
76		/**
77		* Returns the name of the analyzer.
78		*
79		* @return the name of the analyzer.
80		*/
81		@Override
82		public String getName() {
83	17	return ANALYZER_NAME;
84		}
85
86		/**
87		* Returns the phase that the analyzer is intended to run in.
88		*
89		* @return the phase that the analyzer is intended to run in.
90		*/
91		@Override
92		public AnalysisPhase getAnalysisPhase() {
93	5	return ANALYSIS_PHASE;
94		}
95		//</editor-fold>
96
97		/**
98		* Analyzes a set of dependencies. If they have been found to have the same
99		* base path and the same set of identifiers they are likely related. The
100		* related dependencies are bundled into a single reportable item.
101		*
102		* @param ignore this analyzer ignores the dependency being analyzed
103		* @param engine the engine that is scanning the dependencies
104		* @throws AnalysisException is thrown if there is an error reading the JAR
105		* file.
106		*/
107		@Override
108		public void analyze(Dependency ignore, Engine engine) throws AnalysisException {
109	4	if (!analyzed) {
110	2	analyzed = true;
111	2	final Set<Dependency> dependenciesToRemove = new HashSet<Dependency>();
112	2	final ListIterator<Dependency> mainIterator = engine.getDependencies().listIterator();
113		//for (Dependency nextDependency : engine.getDependencies()) {
114	6	while (mainIterator.hasNext()) {
115	4	final Dependency dependency = mainIterator.next();
116	4	if (mainIterator.hasNext() && !dependenciesToRemove.contains(dependency)) {
117	2	final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
118	4	while (subIterator.hasNext()) {
119	2	final Dependency nextDependency = subIterator.next();
120	2	if (hashesMatch(dependency, nextDependency) && !containedInWar(dependency.getFilePath())
121	0	&& !containedInWar(nextDependency.getFilePath())) {
122	0	if (firstPathIsShortest(dependency.getFilePath(), nextDependency.getFilePath())) {
123	0	mergeDependencies(dependency, nextDependency, dependenciesToRemove);
124		} else {
125	0	mergeDependencies(nextDependency, dependency, dependenciesToRemove);
126	0	break; //since we merged into the next dependency - skip forward to the next in mainIterator
127		}
128	2	} else if (isShadedJar(dependency, nextDependency)) {
129	0	if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
130	0	mergeDependencies(nextDependency, dependency, dependenciesToRemove);
131	0	nextDependency.getRelatedDependencies().remove(dependency);
132	0	break;
133		} else {
134	0	mergeDependencies(dependency, nextDependency, dependenciesToRemove);
135	0	dependency.getRelatedDependencies().remove(nextDependency);
136		}
137	2	} else if (cpeIdentifiersMatch(dependency, nextDependency)
138	0	&& hasSameBasePath(dependency, nextDependency)
139	0	&& fileNameMatch(dependency, nextDependency)) {
140	0	if (isCore(dependency, nextDependency)) {
141	0	mergeDependencies(dependency, nextDependency, dependenciesToRemove);
142		} else {
143	0	mergeDependencies(nextDependency, dependency, dependenciesToRemove);
144	0	break; //since we merged into the next dependency - skip forward to the next in mainIterator
145		}
146	2	} else if (isSameRubyGem(dependency, nextDependency)) {
147	0	final Dependency main = getMainGemspecDependency(dependency, nextDependency);
148	0	if (main == dependency) {
149	0	mergeDependencies(dependency, nextDependency, dependenciesToRemove);
150		} else {
151	0	mergeDependencies(nextDependency, dependency, dependenciesToRemove);
152	0	break; //since we merged into the next dependency - skip forward to the next in mainIterator
153		}
154		}
155	2	}
156		}
157	4	}
158		//removing dependencies here as ensuring correctness and avoiding ConcurrentUpdateExceptions
159		// was difficult because of the inner iterator.
160	2	engine.getDependencies().removeAll(dependenciesToRemove);
161		}
162	4	}
163
164		/**
165		* Adds the relatedDependency to the dependency's related dependencies.
166		*
167		* @param dependency the main dependency
168		* @param relatedDependency a collection of dependencies to be removed from
169		* the main analysis loop, this is the source of dependencies to remove
170		* @param dependenciesToRemove a collection of dependencies that will be
171		* removed from the main analysis loop, this function adds to this
172		* collection
173		*/
174		private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
175	0	dependency.addRelatedDependency(relatedDependency);
176	0	final Iterator<Dependency> i = relatedDependency.getRelatedDependencies().iterator();
177	0	while (i.hasNext()) {
178	0	dependency.addRelatedDependency(i.next());
179	0	i.remove();
180		}
181	0	if (dependency.getSha1sum().equals(relatedDependency.getSha1sum())) {
182	0	dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
183		}
184	0	dependenciesToRemove.add(relatedDependency);
185	0	}
186
187		/**
188		* Attempts to trim a maven repo to a common base path. This is typically
189		* [drive]\[repo_location]\repository\[path1]\[path2].
190		*
191		* @param path the path to trim
192		* @return a string representing the base path.
193		*/
194		private String getBaseRepoPath(final String path) {
195	0	int pos = path.indexOf("repository" + File.separator) + 11;
196	0	if (pos < 0) {
197	0	return path;
198		}
199	0	int tmp = path.indexOf(File.separator, pos);
200	0	if (tmp <= 0) {
201	0	return path;
202		}
203	0	if (tmp > 0) {
204	0	pos = tmp + 1;
205		}
206	0	tmp = path.indexOf(File.separator, pos);
207	0	if (tmp > 0) {
208	0	pos = tmp + 1;
209		}
210	0	return path.substring(0, pos);
211		}
212
213		/**
214		* Returns true if the file names (and version if it exists) of the two
215		* dependencies are sufficiently similar.
216		*
217		* @param dependency1 a dependency2 to compare
218		* @param dependency2 a dependency2 to compare
219		* @return true if the identifiers in the two supplied dependencies are
220		* equal
221		*/
222		private boolean fileNameMatch(Dependency dependency1, Dependency dependency2) {
223	0	if (dependency1 == null \|\| dependency1.getFileName() == null
224	0	\|\| dependency2 == null \|\| dependency2.getFileName() == null) {
225	0	return false;
226		}
227	0	final String fileName1 = dependency1.getActualFile().getName();
228	0	final String fileName2 = dependency2.getActualFile().getName();
229
230		//version check
231	0	final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
232	0	final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
233	0	if (version1 != null && version2 != null && !version1.equals(version2)) {
234	0	return false;
235		}
236
237		//filename check
238	0	final Matcher match1 = STARTING_TEXT_PATTERN.matcher(fileName1);
239	0	final Matcher match2 = STARTING_TEXT_PATTERN.matcher(fileName2);
240	0	if (match1.find() && match2.find()) {
241	0	return match1.group().equals(match2.group());
242		}
243
244	0	return false;
245		}
246
247		/**
248		* Returns true if the CPE identifiers in the two supplied dependencies are
249		* equal.
250		*
251		* @param dependency1 a dependency2 to compare
252		* @param dependency2 a dependency2 to compare
253		* @return true if the identifiers in the two supplied dependencies are
254		* equal
255		*/
256		private boolean cpeIdentifiersMatch(Dependency dependency1, Dependency dependency2) {
257	2	if (dependency1 == null \|\| dependency1.getIdentifiers() == null
258	2	\|\| dependency2 == null \|\| dependency2.getIdentifiers() == null) {
259	0	return false;
260		}
261	2	boolean matches = false;
262	2	int cpeCount1 = 0;
263	2	int cpeCount2 = 0;
264	2	for (Identifier i : dependency1.getIdentifiers()) {
265	0	if ("cpe".equals(i.getType())) {
266	0	cpeCount1 += 1;
267		}
268	0	}
269	2	for (Identifier i : dependency2.getIdentifiers()) {
270	3	if ("cpe".equals(i.getType())) {
271	3	cpeCount2 += 1;
272		}
273	3	}
274	2	if (cpeCount1 > 0 && cpeCount1 == cpeCount2) {
275	0	for (Identifier i : dependency1.getIdentifiers()) {
276	0	if ("cpe".equals(i.getType())) {
277	0	matches \|= dependency2.getIdentifiers().contains(i);
278	0	if (!matches) {
279	0	break;
280		}
281		}
282	0	}
283		}
284	2	LOGGER.debug("IdentifiersMatch={} ({}, {})", matches, dependency1.getFileName(), dependency2.getFileName());
285	2	return matches;
286		}
287
288		/**
289		* Determines if the two dependencies have the same base path.
290		*
291		* @param dependency1 a Dependency object
292		* @param dependency2 a Dependency object
293		* @return true if the base paths of the dependencies are identical
294		*/
295		private boolean hasSameBasePath(Dependency dependency1, Dependency dependency2) {
296	0	if (dependency1 == null \|\| dependency2 == null) {
297	0	return false;
298		}
299	0	final File lFile = new File(dependency1.getFilePath());
300	0	String left = lFile.getParent();
301	0	final File rFile = new File(dependency2.getFilePath());
302	0	String right = rFile.getParent();
303	0	if (left == null) {
304	0	return right == null;
305		}
306	0	if (left.equalsIgnoreCase(right)) {
307	0	return true;
308		}
309	0	if (left.matches(".[/\\\\]repository[/\\\\].") && right.matches(".[/\\\\]repository[/\\\\].")) {
310	0	left = getBaseRepoPath(left);
311	0	right = getBaseRepoPath(right);
312		}
313	0	if (left.equalsIgnoreCase(right)) {
314	0	return true;
315		}
316		//new code
317	0	for (Dependency child : dependency2.getRelatedDependencies()) {
318	0	if (hasSameBasePath(dependency1, child)) {
319	0	return true;
320		}
321	0	}
322	0	return false;
323		}
324
325		/**
326		* Bundling Ruby gems that are identified from different .gemspec files but
327		* denote the same package path. This happens when Ruby bundler installs an
328		* application's dependencies by running "bundle install".
329		*
330		* @param dependency1 dependency to compare
331		* @param dependency2 dependency to compare
332		* @return true if the the dependencies being analyzed appear to be the
333		* same; otherwise false
334		*/
335		private boolean isSameRubyGem(Dependency dependency1, Dependency dependency2) {
336	2	if (dependency1 == null \|\| dependency2 == null
337	2	\|\| !dependency1.getFileName().endsWith(".gemspec")
338	0	\|\| !dependency2.getFileName().endsWith(".gemspec")
339	0	\|\| dependency1.getPackagePath() == null
340	0	\|\| dependency2.getPackagePath() == null) {
341	2	return false;
342		}
343	0	if (dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath())) {
344	0	return true;
345		}
346
347	0	return false;
348		}
349
350		/**
351		* Ruby gems installed by "bundle install" can have zero or more *.gemspec
352		* files, all of which have the same packagePath and should be grouped. If
353		* one of these gemspec is from <parent>/specifications/*.gemspec, because
354		* it is a stub with fully resolved gem meta-data created by Ruby bundler,
355		* this dependency should be the main one. Otherwise, use dependency2 as
356		* main.
357		*
358		* This method returns null if any dependency is not from *.gemspec, or the
359		* two do not have the same packagePath. In this case, they should not be
360		* grouped.
361		*
362		* @param dependency1 dependency to compare
363		* @param dependency2 dependency to compare
364		* @return the main dependency; or null if a gemspec is not included in the
365		* analysis
366		*/
367		private Dependency getMainGemspecDependency(Dependency dependency1, Dependency dependency2) {
368	0	if (isSameRubyGem(dependency1, dependency2)) {
369	0	final File lFile = dependency1.getActualFile();
370	0	final File left = lFile.getParentFile();
371	0	if (left != null && left.getName().equalsIgnoreCase("specifications")) {
372	0	return dependency1;
373		}
374	0	return dependency2;
375		}
376	0	return null;
377		}
378
379		/**
380		* This is likely a very broken attempt at determining if the 'left'
381		* dependency is the 'core' library in comparison to the 'right' library.
382		*
383		* @param left the dependency to test
384		* @param right the dependency to test against
385		* @return a boolean indicating whether or not the left dependency should be
386		* considered the "core" version.
387		*/
388		boolean isCore(Dependency left, Dependency right) {
389	2	final String leftName = left.getFileName().toLowerCase();
390	2	final String rightName = right.getFileName().toLowerCase();
391
392		final boolean returnVal;
393	2	if (!rightName.matches(".\\.(tar\|tgz\|gz\|zip\|ear\|war).+") && leftName.matches(".\\.(tar\|tgz\|gz\|zip\|ear\|war).+")
394	2	\|\| rightName.contains("core") && !leftName.contains("core")
395	2	\|\| rightName.contains("kernel") && !leftName.contains("kernel")) {
396	0	returnVal = false;
397	2	} else if (rightName.matches(".\\.(tar\|tgz\|gz\|zip\|ear\|war).+") && !leftName.matches(".\\.(tar\|tgz\|gz\|zip\|ear\|war).+")
398	1	\|\| !rightName.contains("core") && leftName.contains("core")
399	1	\|\| !rightName.contains("kernel") && leftName.contains("kernel")) {
400	2	returnVal = true;
401		// } else if (leftName.matches(".struts2\\-core.") && rightName.matches(".xwork\\-core.")) {
402		// returnVal = true;
403		// } else if (rightName.matches(".struts2\\-core.") && leftName.matches(".xwork\\-core.")) {
404		// returnVal = false;
405		} else {
406		/*
407		* considered splitting the names up and comparing the components,
408		* but decided that the file name length should be sufficient as the
409		* "core" component, if this follows a normal naming protocol should
410		* be shorter:
411		* axis2-saaj-1.4.1.jar
412		* axis2-1.4.1.jar <-----
413		* axis2-kernel-1.4.1.jar
414		*/
415	0	returnVal = leftName.length() <= rightName.length();
416		}
417	2	LOGGER.debug("IsCore={} ({}, {})", returnVal, left.getFileName(), right.getFileName());
418	2	return returnVal;
419		}
420
421		/**
422		* Compares the SHA1 hashes of two dependencies to determine if they are
423		* equal.
424		*
425		* @param dependency1 a dependency object to compare
426		* @param dependency2 a dependency object to compare
427		* @return true if the sha1 hashes of the two dependencies match; otherwise
428		* false
429		*/
430		private boolean hashesMatch(Dependency dependency1, Dependency dependency2) {
431	2	if (dependency1 == null \|\| dependency2 == null \|\| dependency1.getSha1sum() == null \|\| dependency2.getSha1sum() == null) {
432	0	return false;
433		}
434	2	return dependency1.getSha1sum().equals(dependency2.getSha1sum());
435		}
436
437		/**
438		* Determines if the jar is shaded and the created pom.xml identified the
439		* same CPE as the jar - if so, the pom.xml dependency should be removed.
440		*
441		* @param dependency a dependency to check
442		* @param nextDependency another dependency to check
443		* @return true if on of the dependencies is a pom.xml and the identifiers
444		* between the two collections match; otherwise false
445		*/
446		private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
447	2	final String mainName = dependency.getFileName().toLowerCase();
448	2	final String nextName = nextDependency.getFileName().toLowerCase();
449	2	if (mainName.endsWith(".jar") && nextName.endsWith("pom.xml")) {
450	0	return dependency.getIdentifiers().containsAll(nextDependency.getIdentifiers());
451	2	} else if (nextName.endsWith(".jar") && mainName.endsWith("pom.xml")) {
452	0	return nextDependency.getIdentifiers().containsAll(dependency.getIdentifiers());
453		}
454	2	return false;
455		}
456
457		/**
458		* Determines which path is shortest; if path lengths are equal then we use
459		* compareTo of the string method to determine if the first path is smaller.
460		*
461		* @param left the first path to compare
462		* @param right the second path to compare
463		* @return <code>true</code> if the leftPath is the shortest; otherwise
464		* <code>false</code>
465		*/
466		protected boolean firstPathIsShortest(String left, String right) {
467	5	final String leftPath = left.replace('\\', '/');
468	5	final String rightPath = right.replace('\\', '/');
469
470	5	final int leftCount = countChar(leftPath, '/');
471	5	final int rightCount = countChar(rightPath, '/');
472	5	if (leftCount == rightCount) {
473	3	return leftPath.compareTo(rightPath) <= 0;
474		} else {
475	2	return leftCount < rightCount;
476		}
477		}
478
479		/**
480		* Counts the number of times the character is present in the string.
481		*
482		* @param string the string to count the characters in
483		* @param c the character to count
484		* @return the number of times the character is present in the string
485		*/
486		private int countChar(String string, char c) {
487	10	int count = 0;
488	10	final int max = string.length();
489	116	for (int i = 0; i < max; i++) {
490	106	if (c == string.charAt(i)) {
491	28	count++;
492		}
493		}
494	10	return count;
495		}
496
497		/**
498		* Checks if the given file path is contained within a war or ear file.
499		*
500		* @param filePath the file path to check
501		* @return true if the path contains '.war\' or '.ear\'.
502		*/
503		private boolean containedInWar(String filePath) {
504	0	return filePath == null ? false : filePath.matches(".\\.(ear\|war)[\\\\/].");
505		}
506		}