Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.FalsePositiveAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

FalsePositiveAnalyzer

73%

84/115

52%

60/114

6.545

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
 import java.util.ListIterator;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 
 /**
  * This analyzer attempts to remove some well known false positives - specifically regarding the java runtime.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 
     //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
     /**
      * The set of file extensions supported by this analyzer.
      */
     private static final Set<String> EXTENSIONS = null;
     /**
      * The name of the analyzer.
      */
     private static final String ANALYZER_NAME = "False Positive Analyzer";
     /**
      * The phase that this analyzer is intended to run in.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
 
     /**
      * Returns a list of file EXTENSIONS supported by this analyzer.
      *
      * @return a list of file EXTENSIONS supported by this analyzer.
      */
     public Set<String> getSupportedExtensions() {
         return EXTENSIONS;
     }
 
     /**
      * Returns the name of the analyzer.
      *
      * @return the name of the analyzer.
      */
     public String getName() {
         return ANALYZER_NAME;
     }
 
     /**
      * Returns whether or not this analyzer can process the given extension.
      *
      * @param extension the file extension to test for support
      * @return whether or not the specified file extension is supported by this analyzer.
      */
     public boolean supportsExtension(String extension) {
         return true;
     }
 
     /**
      * Returns the phase that the analyzer is intended to run in.
      *
      * @return the phase that the analyzer is intended to run in.
      */
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
     //</editor-fold>
 
     /**
      * Analyzes the dependencies and removes bad/incorrect CPE associations based on various heuristics.
      *
      * @param dependency the dependency to analyze.
      * @param engine the engine that is scanning the dependencies
      * @throws AnalysisException is thrown if there is an error reading the JAR file.
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         removeJreEntries(dependency);
         removeBadMatches(dependency);
         removeWrongVersionMatches(dependency);
         removeSpuriousCPE(dependency);
         addFalseNegativeCPEs(dependency);
     }
 
     /**
      * <p>
      * Intended to remove spurious CPE entries. By spurious we mean duplicate, less specific CPE entries.</p>
      * <p>
      * Example:</p>
      * <code>
      * cpe:/a:some-vendor:some-product
      * cpe:/a:some-vendor:some-product:1.5
      * cpe:/a:some-vendor:some-product:1.5.2
      * </code>
      * <p>
      * Should be trimmed to:</p>
      * <code>
      * cpe:/a:some-vendor:some-product:1.5.2
      * </code>
      *
      * @param dependency the dependency being analyzed
      */
     @SuppressWarnings("null")
     private void removeSpuriousCPE(Dependency dependency) {
         final List<Identifier> ids = new ArrayList<Identifier>();
         ids.addAll(dependency.getIdentifiers());
         Collections.sort(ids);
         final ListIterator<Identifier> mainItr = ids.listIterator();
         while (mainItr.hasNext()) {
             final Identifier currentId = mainItr.next();
             final VulnerableSoftware currentCpe = parseCpe(currentId.getType(), currentId.getValue());
             if (currentCpe == null) {
                 continue;
             }
             final ListIterator<Identifier> subItr = ids.listIterator(mainItr.nextIndex());
             while (subItr.hasNext()) {
                 final Identifier nextId = subItr.next();
                 final VulnerableSoftware nextCpe = parseCpe(nextId.getType(), nextId.getValue());
                 if (nextCpe == null) {
                     continue;
                 }
                 //TODO fix the version problem below
                 if (currentCpe.getVendor().equals(nextCpe.getVendor())) {
                     if (currentCpe.getProduct().equals(nextCpe.getProduct())) {
                         // see if one is contained in the other.. remove the contained one from dependency.getIdentifier
                         final String currentVersion = currentCpe.getVersion();
                         final String nextVersion = nextCpe.getVersion();
                         if (currentVersion == null && nextVersion == null) {
                             //how did we get here?
                             Logger.getLogger(FalsePositiveAnalyzer.class
                                     .getName()).log(Level.FINE, "currentVersion and nextVersion are both null?");
                         } else if (currentVersion == null && nextVersion != null) {
                             dependency.getIdentifiers().remove(currentId);
                         } else if (nextVersion == null && currentVersion != null) {
                             dependency.getIdentifiers().remove(nextId);
                         } else if (currentVersion.length() < nextVersion.length()) {
                             if (nextVersion.startsWith(currentVersion) || "-".equals(currentVersion)) {
                                 dependency.getIdentifiers().remove(currentId);
                             }
                         } else {
                             if (currentVersion.startsWith(nextVersion) || "-".equals(nextVersion)) {
                                 dependency.getIdentifiers().remove(nextId);
                             }
                         }
                     }
                 }
             }
         }
     }
     /**
      * Regex to identify core java libraries and a few other commonly misidentified ones.
      */
     public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
             + "java(_platfrom_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
             + "jdk|jre|jsf|jsse)($|:.*)");
     /**
      * Regex to identify core java library files. This is currently incomplete.
      */
     public static final Pattern CORE_FILES = Pattern.compile("^((alt[-])?rt|jsf[-].*|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
 
     /**
      * Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
      *
      * @param dependency the dependency to remove JRE CPEs from
      */
     private void removeJreEntries(Dependency dependency) {
         final Set<Identifier> identifiers = dependency.getIdentifiers();
         final Iterator<Identifier> itr = identifiers.iterator();
         while (itr.hasNext()) {
             final Identifier i = itr.next();
             final Matcher coreCPE = CORE_JAVA.matcher(i.getValue());
             final Matcher coreFiles = CORE_FILES.matcher(dependency.getFileName());
             if (coreCPE.matches() && !coreFiles.matches()) {
                 itr.remove();
             }
 
             //replacecd with the regex above.
             //            if (("cpe:/a:sun:java".equals(i.getValue())
             //                    || "cpe:/a:oracle:java".equals(i.getValue())
             //                    || "cpe:/a:ibm:java".equals(i.getValue())
             //                    || "cpe:/a:sun:j2se".equals(i.getValue())
             //                    || "cpe:/a:oracle:j2se".equals(i.getValue())
             //                    || i.getValue().startsWith("cpe:/a:sun:java:")
             //                    || i.getValue().startsWith("cpe:/a:sun:j2se:")
             //                    || i.getValue().startsWith("cpe:/a:sun:java:jre")
             //                    || i.getValue().startsWith("cpe:/a:sun:java:jdk")
             //                    || i.getValue().startsWith("cpe:/a:sun:java_se")
             //                    || i.getValue().startsWith("cpe:/a:oracle:java_se")
             //                    || i.getValue().startsWith("cpe:/a:oracle:java:")
             //                    || i.getValue().startsWith("cpe:/a:oracle:j2se:")
             //                    || i.getValue().startsWith("cpe:/a:oracle:jre")
             //                    || i.getValue().startsWith("cpe:/a:oracle:jdk")
             //                    || i.getValue().startsWith("cpe:/a:ibm:java:"))
             //                    && !dependency.getFileName().toLowerCase().endsWith("rt.jar")) {
             //                itr.remove();
             //            }
         }
     }
 
     /**
      * Parses a CPE string into an IndexEntry.
      *
      * @param type the type of identifier
      * @param value the cpe identifier to parse
      * @return an VulnerableSoftware object constructed from the identifier
      */
     private VulnerableSoftware parseCpe(String type, String value) {
         if (!"cpe".equals(type)) {
             return null;
         }
         final VulnerableSoftware cpe = new VulnerableSoftware();
         try {
             cpe.parseName(value);
         } catch (UnsupportedEncodingException ex) {
             Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
             return null;
         }
         return cpe;
     }
 
     /**
      * Removes bad CPE matches for a dependency. Unfortunately, right now these are hard-coded patches for specific
      * problems identified when testing this on a LARGE volume of jar files.
      *
      * @param dependency the dependency to analyze
      */
     private void removeBadMatches(Dependency dependency) {
         final Set<Identifier> identifiers = dependency.getIdentifiers();
         final Iterator<Identifier> itr = identifiers.iterator();
 
         /* TODO - can we utilize the pom's groupid and artifactId to filter??? most of
          * these are due to low quality data.  Other idea would be to say any CPE
          * found based on LOW confidence evidence should have a different CPE type? (this
          * might be a better solution then just removing the URL for "best-guess" matches).
          */
         //Set<Evidence> groupId = dependency.getVendorEvidence().getEvidence("pom", "groupid");
         //Set<Evidence> artifactId = dependency.getVendorEvidence().getEvidence("pom", "artifactid");
         while (itr.hasNext()) {
             final Identifier i = itr.next();
             //TODO move this startswith expression to a configuration file?
             if ("cpe".equals(i.getType())) {
                 if ((i.getValue().matches(".*c\\+\\+.*")
                         || i.getValue().startsWith("cpe:/a:jquery:jquery")
                         || i.getValue().startsWith("cpe:/a:prototypejs:prototype")
                         || i.getValue().startsWith("cpe:/a:yahoo:yui")
                         || i.getValue().startsWith("cpe:/a:file:file")
                         || i.getValue().startsWith("cpe:/a:mozilla:mozilla")
                         || i.getValue().startsWith("cpe:/a:cvs:cvs")
                         || i.getValue().startsWith("cpe:/a:ftp:ftp")
                         || i.getValue().startsWith("cpe:/a:ssh:ssh"))
                         && (dependency.getFileName().toLowerCase().endsWith(".jar")
                         || dependency.getFileName().toLowerCase().endsWith("pom.xml"))) {
                     itr.remove();
                 } else if (i.getValue().startsWith("cpe:/a:apache:maven")
                         && !dependency.getFileName().toLowerCase().matches("maven-core-[\\d\\.]+\\.jar")) {
                     itr.remove();
                 }
             }
         }
     }
 
     /**
      * Removes CPE matches for the wrong version of a dependency. Currently, this only covers Axis 1 & 2.
      *
      * @param dependency the dependency to analyze
      */
     private void removeWrongVersionMatches(Dependency dependency) {
         final Set<Identifier> identifiers = dependency.getIdentifiers();
         final Iterator<Identifier> itr = identifiers.iterator();
 
         final String fileName = dependency.getFileName();
         if (fileName != null && fileName.contains("axis2")) {
             while (itr.hasNext()) {
                 final Identifier i = itr.next();
                 if ("cpe".equals(i.getType())) {
                     final String cpe = i.getValue();
                     if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis:") || "cpe:/a:apache:axis".equals(cpe))) {
                         itr.remove();
                     }
                 }
             }
         } else if (fileName != null && fileName.contains("axis")) {
             while (itr.hasNext()) {
                 final Identifier i = itr.next();
                 if ("cpe".equals(i.getType())) {
                     final String cpe = i.getValue();
                     if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis2:") || "cpe:/a:apache:axis2".equals(cpe))) {
                         itr.remove();
                     }
                 }
             }
         }
     }
 
     /**
      * There are some known CPE entries, specifically regarding sun and oracle products due to the acquisition and
      * changes in product names, that based on given evidence we can add the related CPE entries to ensure a complete
      * list of CVE entries.
      *
      * @param dependency the dependency being analyzed
      */
     private void addFalseNegativeCPEs(Dependency dependency) {
         final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
         while (itr.hasNext()) {
             final Identifier i = itr.next();
             if ("cpe".equals(i.getType()) && i.getValue() != null
                     && (i.getValue().startsWith("cpe:/a:oracle:opensso:")
                     || i.getValue().startsWith("cpe:/a:oracle:opensso_enterprise:")
                     || i.getValue().startsWith("cpe:/a:sun:opensso_enterprise:")
                     || i.getValue().startsWith("cpe:/a:sun:opensso:"))) {
                 final String newCpe = String.format("cpe:/a:sun:opensso_enterprise:%s", i.getValue().substring(22));
                 final String newCpe2 = String.format("cpe:/a:oracle:opensso_enterprise:%s", i.getValue().substring(22));
                 final String newCpe3 = String.format("cpe:/a:sun:opensso:%s", i.getValue().substring(22));
                 final String newCpe4 = String.format("cpe:/a:oracle:opensso:%s", i.getValue().substring(22));
                 try {
                     dependency.addIdentifier("cpe",
                             newCpe,
                             String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe, "UTF-8")));
                     dependency.addIdentifier("cpe",
                             newCpe2,
                             String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe2, "UTF-8")));
                     dependency.addIdentifier("cpe",
                             newCpe3,
                             String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe3, "UTF-8")));
                     dependency.addIdentifier("cpe",
                             newCpe4,
                             String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe4, "UTF-8")));
                 } catch (UnsupportedEncodingException ex) {
                     Logger.getLogger(FalsePositiveAnalyzer.class
                             .getName()).log(Level.FINE, null, ex);
                 }
             }
         }
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import java.io.UnsupportedEncodingException;
21		import java.net.URLEncoder;
22		import java.util.ArrayList;
23		import java.util.Collections;
24		import java.util.Iterator;
25		import java.util.List;
26		import java.util.ListIterator;
27		import java.util.Set;
28		import java.util.logging.Level;
29		import java.util.logging.Logger;
30		import java.util.regex.Matcher;
31		import java.util.regex.Pattern;
32		import org.owasp.dependencycheck.Engine;
33		import org.owasp.dependencycheck.dependency.Dependency;
34		import org.owasp.dependencycheck.dependency.Identifier;
35		import org.owasp.dependencycheck.dependency.VulnerableSoftware;
36
37		/**
38		* This analyzer attempts to remove some well known false positives - specifically regarding the java runtime.
39		*
40		* @author Jeremy Long <jeremy.long@owasp.org>
41		*/
42	24	public class FalsePositiveAnalyzer extends AbstractAnalyzer {
43
44		//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
45		/**
46		* The set of file extensions supported by this analyzer.
47		*/
48	2	private static final Set<String> EXTENSIONS = null;
49		/**
50		* The name of the analyzer.
51		*/
52		private static final String ANALYZER_NAME = "False Positive Analyzer";
53		/**
54		* The phase that this analyzer is intended to run in.
55		*/
56	2	private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
57
58		/**
59		* Returns a list of file EXTENSIONS supported by this analyzer.
60		*
61		* @return a list of file EXTENSIONS supported by this analyzer.
62		*/
63		public Set<String> getSupportedExtensions() {
64	266	return EXTENSIONS;
65		}
66
67		/**
68		* Returns the name of the analyzer.
69		*
70		* @return the name of the analyzer.
71		*/
72		public String getName() {
73	20	return ANALYZER_NAME;
74		}
75
76		/**
77		* Returns whether or not this analyzer can process the given extension.
78		*
79		* @param extension the file extension to test for support
80		* @return whether or not the specified file extension is supported by this analyzer.
81		*/
82		public boolean supportsExtension(String extension) {
83	20	return true;
84		}
85
86		/**
87		* Returns the phase that the analyzer is intended to run in.
88		*
89		* @return the phase that the analyzer is intended to run in.
90		*/
91		public AnalysisPhase getAnalysisPhase() {
92	14	return ANALYSIS_PHASE;
93		}
94		//</editor-fold>
95
96		/**
97		* Analyzes the dependencies and removes bad/incorrect CPE associations based on various heuristics.
98		*
99		* @param dependency the dependency to analyze.
100		* @param engine the engine that is scanning the dependencies
101		* @throws AnalysisException is thrown if there is an error reading the JAR file.
102		*/
103		@Override
104		public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
105	32	removeJreEntries(dependency);
106	32	removeBadMatches(dependency);
107	32	removeWrongVersionMatches(dependency);
108	32	removeSpuriousCPE(dependency);
109	32	addFalseNegativeCPEs(dependency);
110	32	}
111
112		/**
113		* <p>
114		* Intended to remove spurious CPE entries. By spurious we mean duplicate, less specific CPE entries.</p>
115		* <p>
116		* Example:</p>
117		* <code>
118		* cpe:/a:some-vendor:some-product
119		* cpe:/a:some-vendor:some-product:1.5
120		* cpe:/a:some-vendor:some-product:1.5.2
121		* </code>
122		* <p>
123		* Should be trimmed to:</p>
124		* <code>
125		* cpe:/a:some-vendor:some-product:1.5.2
126		* </code>
127		*
128		* @param dependency the dependency being analyzed
129		*/
130		@SuppressWarnings("null")
131		private void removeSpuriousCPE(Dependency dependency) {
132	32	final List<Identifier> ids = new ArrayList<Identifier>();
133	32	ids.addAll(dependency.getIdentifiers());
134	32	Collections.sort(ids);
135	32	final ListIterator<Identifier> mainItr = ids.listIterator();
136	84	while (mainItr.hasNext()) {
137	52	final Identifier currentId = mainItr.next();
138	52	final VulnerableSoftware currentCpe = parseCpe(currentId.getType(), currentId.getValue());
139	52	if (currentCpe == null) {
140	10	continue;
141		}
142	42	final ListIterator<Identifier> subItr = ids.listIterator(mainItr.nextIndex());
143	84	while (subItr.hasNext()) {
144	42	final Identifier nextId = subItr.next();
145	42	final VulnerableSoftware nextCpe = parseCpe(nextId.getType(), nextId.getValue());
146	42	if (nextCpe == null) {
147	20	continue;
148		}
149		//TODO fix the version problem below
150	22	if (currentCpe.getVendor().equals(nextCpe.getVendor())) {
151	6	if (currentCpe.getProduct().equals(nextCpe.getProduct())) {
152		// see if one is contained in the other.. remove the contained one from dependency.getIdentifier
153	6	final String currentVersion = currentCpe.getVersion();
154	6	final String nextVersion = nextCpe.getVersion();
155	6	if (currentVersion == null && nextVersion == null) {
156		//how did we get here?
157	0	Logger.getLogger(FalsePositiveAnalyzer.class
158		.getName()).log(Level.FINE, "currentVersion and nextVersion are both null?");
159	6	} else if (currentVersion == null && nextVersion != null) {
160	6	dependency.getIdentifiers().remove(currentId);
161	0	} else if (nextVersion == null && currentVersion != null) {
162	0	dependency.getIdentifiers().remove(nextId);
163	0	} else if (currentVersion.length() < nextVersion.length()) {
164	0	if (nextVersion.startsWith(currentVersion) \|\| "-".equals(currentVersion)) {
165	0	dependency.getIdentifiers().remove(currentId);
166		}
167		} else {
168	0	if (currentVersion.startsWith(nextVersion) \|\| "-".equals(nextVersion)) {
169	0	dependency.getIdentifiers().remove(nextId);
170		}
171		}
172		}
173		}
174	22	}
175	42	}
176	32	}
177		/**
178		* Regex to identify core java libraries and a few other commonly misidentified ones.
179		*/
180	2	public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun\|oracle\|ibm):(j2[ems]e\|"
181		+ "java(_platfrom_micro_edition\|_runtime_environment\|_se\|virtual_machine\|se_development_kit\|fx)?\|"
182		+ "jdk\|jre\|jsf\|jsse)($\|:.*)");
183		/**
184		* Regex to identify core java library files. This is currently incomplete.
185		*/
186	2	public static final Pattern CORE_FILES = Pattern.compile("^((alt[-])?rt\|jsf[-].*\|jsse\|jfxrt\|jfr\|jce\|javaws\|deploy\|charsets)\\.jar$");
187
188		/**
189		* Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
190		*
191		* @param dependency the dependency to remove JRE CPEs from
192		*/
193		private void removeJreEntries(Dependency dependency) {
194	32	final Set<Identifier> identifiers = dependency.getIdentifiers();
195	32	final Iterator<Identifier> itr = identifiers.iterator();
196	88	while (itr.hasNext()) {
197	56	final Identifier i = itr.next();
198	56	final Matcher coreCPE = CORE_JAVA.matcher(i.getValue());
199	56	final Matcher coreFiles = CORE_FILES.matcher(dependency.getFileName());
200	56	if (coreCPE.matches() && !coreFiles.matches()) {
201	0	itr.remove();
202		}
203
204		//replacecd with the regex above.
205		// if (("cpe:/a:sun:java".equals(i.getValue())
206		// \|\| "cpe:/a:oracle:java".equals(i.getValue())
207		// \|\| "cpe:/a:ibm:java".equals(i.getValue())
208		// \|\| "cpe:/a:sun:j2se".equals(i.getValue())
209		// \|\| "cpe:/a:oracle:j2se".equals(i.getValue())
210		// \|\| i.getValue().startsWith("cpe:/a:sun:java:")
211		// \|\| i.getValue().startsWith("cpe:/a:sun:j2se:")
212		// \|\| i.getValue().startsWith("cpe:/a:sun:java:jre")
213		// \|\| i.getValue().startsWith("cpe:/a:sun:java:jdk")
214		// \|\| i.getValue().startsWith("cpe:/a:sun:java_se")
215		// \|\| i.getValue().startsWith("cpe:/a:oracle:java_se")
216		// \|\| i.getValue().startsWith("cpe:/a:oracle:java:")
217		// \|\| i.getValue().startsWith("cpe:/a:oracle:j2se:")
218		// \|\| i.getValue().startsWith("cpe:/a:oracle:jre")
219		// \|\| i.getValue().startsWith("cpe:/a:oracle:jdk")
220		// \|\| i.getValue().startsWith("cpe:/a:ibm:java:"))
221		// && !dependency.getFileName().toLowerCase().endsWith("rt.jar")) {
222		// itr.remove();
223		// }
224	56	}
225	32	}
226
227		/**
228		* Parses a CPE string into an IndexEntry.
229		*
230		* @param type the type of identifier
231		* @param value the cpe identifier to parse
232		* @return an VulnerableSoftware object constructed from the identifier
233		*/
234		private VulnerableSoftware parseCpe(String type, String value) {
235	94	if (!"cpe".equals(type)) {
236	30	return null;
237		}
238	64	final VulnerableSoftware cpe = new VulnerableSoftware();
239		try {
240	64	cpe.parseName(value);
241	0	} catch (UnsupportedEncodingException ex) {
242	0	Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
243	0	return null;
244	64	}
245	64	return cpe;
246		}
247
248		/**
249		* Removes bad CPE matches for a dependency. Unfortunately, right now these are hard-coded patches for specific
250		* problems identified when testing this on a LARGE volume of jar files.
251		*
252		* @param dependency the dependency to analyze
253		*/
254		private void removeBadMatches(Dependency dependency) {
255	32	final Set<Identifier> identifiers = dependency.getIdentifiers();
256	32	final Iterator<Identifier> itr = identifiers.iterator();
257
258		/* TODO - can we utilize the pom's groupid and artifactId to filter??? most of
259		* these are due to low quality data. Other idea would be to say any CPE
260		* found based on LOW confidence evidence should have a different CPE type? (this
261		* might be a better solution then just removing the URL for "best-guess" matches).
262		*/
263		//Set<Evidence> groupId = dependency.getVendorEvidence().getEvidence("pom", "groupid");
264		//Set<Evidence> artifactId = dependency.getVendorEvidence().getEvidence("pom", "artifactid");
265	88	while (itr.hasNext()) {
266	56	final Identifier i = itr.next();
267		//TODO move this startswith expression to a configuration file?
268	56	if ("cpe".equals(i.getType())) {
269	46	if ((i.getValue().matches(".c\\+\\+.")
270		\|\| i.getValue().startsWith("cpe:/a:jquery:jquery")
271		\|\| i.getValue().startsWith("cpe:/a:prototypejs:prototype")
272		\|\| i.getValue().startsWith("cpe:/a:yahoo:yui")
273		\|\| i.getValue().startsWith("cpe:/a:file:file")
274		\|\| i.getValue().startsWith("cpe:/a:mozilla:mozilla")
275		\|\| i.getValue().startsWith("cpe:/a:cvs:cvs")
276		\|\| i.getValue().startsWith("cpe:/a:ftp:ftp")
277		\|\| i.getValue().startsWith("cpe:/a:ssh:ssh"))
278		&& (dependency.getFileName().toLowerCase().endsWith(".jar")
279		\|\| dependency.getFileName().toLowerCase().endsWith("pom.xml"))) {
280	2	itr.remove();
281	44	} else if (i.getValue().startsWith("cpe:/a:apache:maven")
282		&& !dependency.getFileName().toLowerCase().matches("maven-core-[\\d\\.]+\\.jar")) {
283	0	itr.remove();
284		}
285		}
286	56	}
287	32	}
288
289		/**
290		* Removes CPE matches for the wrong version of a dependency. Currently, this only covers Axis 1 & 2.
291		*
292		* @param dependency the dependency to analyze
293		*/
294		private void removeWrongVersionMatches(Dependency dependency) {
295	32	final Set<Identifier> identifiers = dependency.getIdentifiers();
296	32	final Iterator<Identifier> itr = identifiers.iterator();
297
298	32	final String fileName = dependency.getFileName();
299	32	if (fileName != null && fileName.contains("axis2")) {
300	8	while (itr.hasNext()) {
301	6	final Identifier i = itr.next();
302	6	if ("cpe".equals(i.getType())) {
303	4	final String cpe = i.getValue();
304	4	if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis:") \|\| "cpe:/a:apache:axis".equals(cpe))) {
305	2	itr.remove();
306		}
307		}
308	6	}
309	30	} else if (fileName != null && fileName.contains("axis")) {
310	0	while (itr.hasNext()) {
311	0	final Identifier i = itr.next();
312	0	if ("cpe".equals(i.getType())) {
313	0	final String cpe = i.getValue();
314	0	if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis2:") \|\| "cpe:/a:apache:axis2".equals(cpe))) {
315	0	itr.remove();
316		}
317		}
318	0	}
319		}
320	32	}
321
322		/**
323		* There are some known CPE entries, specifically regarding sun and oracle products due to the acquisition and
324		* changes in product names, that based on given evidence we can add the related CPE entries to ensure a complete
325		* list of CVE entries.
326		*
327		* @param dependency the dependency being analyzed
328		*/
329		private void addFalseNegativeCPEs(Dependency dependency) {
330	32	final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
331	78	while (itr.hasNext()) {
332	46	final Identifier i = itr.next();
333	46	if ("cpe".equals(i.getType()) && i.getValue() != null
334		&& (i.getValue().startsWith("cpe:/a:oracle:opensso:")
335		\|\| i.getValue().startsWith("cpe:/a:oracle:opensso_enterprise:")
336		\|\| i.getValue().startsWith("cpe:/a:sun:opensso_enterprise:")
337		\|\| i.getValue().startsWith("cpe:/a:sun:opensso:"))) {
338	0	final String newCpe = String.format("cpe:/a:sun:opensso_enterprise:%s", i.getValue().substring(22));
339	0	final String newCpe2 = String.format("cpe:/a:oracle:opensso_enterprise:%s", i.getValue().substring(22));
340	0	final String newCpe3 = String.format("cpe:/a:sun:opensso:%s", i.getValue().substring(22));
341	0	final String newCpe4 = String.format("cpe:/a:oracle:opensso:%s", i.getValue().substring(22));
342		try {
343	0	dependency.addIdentifier("cpe",
344		newCpe,
345		String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe, "UTF-8")));
346	0	dependency.addIdentifier("cpe",
347		newCpe2,
348		String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe2, "UTF-8")));
349	0	dependency.addIdentifier("cpe",
350		newCpe3,
351		String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe3, "UTF-8")));
352	0	dependency.addIdentifier("cpe",
353		newCpe4,
354		String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe4, "UTF-8")));
355	0	} catch (UnsupportedEncodingException ex) {
356	0	Logger.getLogger(FalsePositiveAnalyzer.class
357		.getName()).log(Level.FINE, null, ex);
358	0	}
359		}
360	46	}
361	32	}
362		}