Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

DependencyBundlingAnalyzer

48%

69/143

39%

59/150

7.846

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.io.File;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.ListIterator;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 import org.owasp.dependencycheck.utils.LogUtils;
 
 /**
  * <p>
  * This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are
  * grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the
  * same relative path then these should be grouped into a single dependency under the core/main library.</p>
  * <p>
  * Note, this grouping only works on dependencies with identified CVE entries</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
     /**
      * A pattern for obtaining the first part of a filename.
      */
     private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
     /**
      * a flag indicating if this analyzer has run. This analyzer only runs once.
      */
     private boolean analyzed = false;
     //</editor-fold>
     //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
     /**
      * The set of file extensions supported by this analyzer.
      */
     private static final Set<String> EXTENSIONS = null;
     /**
      * The name of the analyzer.
      */
     private static final String ANALYZER_NAME = "Dependency Bundling Analyzer";
     /**
      * The phase that this analyzer is intended to run in.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
 
     /**
      * Returns a list of file EXTENSIONS supported by this analyzer.
      *
      * @return a list of file EXTENSIONS supported by this analyzer.
      */
     public Set<String> getSupportedExtensions() {
         return EXTENSIONS;
     }
 
     /**
      * Returns the name of the analyzer.
      *
      * @return the name of the analyzer.
      */
     public String getName() {
         return ANALYZER_NAME;
     }
 
     /**
      * Returns whether or not this analyzer can process the given extension.
      *
      * @param extension the file extension to test for support
      * @return whether or not the specified file extension is supported by this analyzer.
      */
     public boolean supportsExtension(String extension) {
         return true;
     }
 
     /**
      * Returns the phase that the analyzer is intended to run in.
      *
      * @return the phase that the analyzer is intended to run in.
      */
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
     //</editor-fold>
 
     /**
      * Analyzes a set of dependencies. If they have been found to have the same base path and the same set of
      * identifiers they are likely related. The related dependencies are bundled into a single reportable item.
      *
      * @param ignore this analyzer ignores the dependency being analyzed
      * @param engine the engine that is scanning the dependencies
      * @throws AnalysisException is thrown if there is an error reading the JAR file.
      */
     @Override
     public void analyze(Dependency ignore, Engine engine) throws AnalysisException {
         if (!analyzed) {
             analyzed = true;
             final Set<Dependency> dependenciesToRemove = new HashSet<Dependency>();
             final ListIterator<Dependency> mainIterator = engine.getDependencies().listIterator();
             //for (Dependency nextDependency : engine.getDependencies()) {
             while (mainIterator.hasNext()) {
                 final Dependency dependency = mainIterator.next();
                 if (mainIterator.hasNext()) {
                     final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
                     while (subIterator.hasNext()) {
                         final Dependency nextDependency = subIterator.next();
                         if (isShadedJar(dependency, nextDependency)) {
                             if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
                                 dependenciesToRemove.add(dependency);
                             } else {
                                 dependenciesToRemove.add(nextDependency);
                             }
                         } else if (hashesMatch(dependency, nextDependency)) {
                             if (isCore(dependency, nextDependency)) {
                                 mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                             } else {
                                 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                             }
                         } else if (cpeIdentifiersMatch(dependency, nextDependency)
                                 && hasSameBasePath(dependency, nextDependency)
                                 && fileNameMatch(dependency, nextDependency)) {
 
                             if (isCore(dependency, nextDependency)) {
                                 mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                             } else {
                                 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                             }
                         }
                     }
                 }
             }
             //removing dependencies here as ensuring correctness and avoiding ConcurrentUpdateExceptions
             // was difficult because of the inner iterator.
             for (Dependency d : dependenciesToRemove) {
                 engine.getDependencies().remove(d);
             }
         }
     }
 
     /**
      * Adds the relatedDependency to the dependency's related dependencies.
      *
      * @param dependency the main dependency
      * @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the
      * source of dependencies to remove
      * @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this
      * function adds to this collection
      */
     private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
         dependency.addRelatedDependency(relatedDependency);
         final Iterator<Dependency> i = relatedDependency.getRelatedDependencies().iterator();
         while (i.hasNext()) {
             dependency.addRelatedDependency(i.next());
             i.remove();
         }
         dependenciesToRemove.add(relatedDependency);
     }
 
     /**
      * Attempts to trim a maven repo to a common base path. This is typically
      * [drive]\[repo_location]\repository\[path1]\[path2].
      *
      * @param path the path to trim
      * @return a string representing the base path.
      */
     private String getBaseRepoPath(final String path) {
         int pos = path.indexOf("repository" + File.separator) + 11;
         if (pos < 0) {
             return path;
         }
         int tmp = path.indexOf(File.separator, pos);
         if (tmp <= 0) {
             return path;
         }
         if (tmp > 0) {
             pos = tmp + 1;
         }
         tmp = path.indexOf(File.separator, pos);
         if (tmp > 0) {
             pos = tmp + 1;
         }
         return path.substring(0, pos);
     }
 
     /**
      * Returns true if the file names (and version if it exists) of the two dependencies are sufficiently similar.
      *
      * @param dependency1 a dependency2 to compare
      * @param dependency2 a dependency2 to compare
      * @return true if the identifiers in the two supplied dependencies are equal
      */
     private boolean fileNameMatch(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency1.getFileName() == null
                 || dependency2 == null || dependency2.getFileName() == null) {
             return false;
         }
         String fileName1 = dependency1.getFileName();
         String fileName2 = dependency2.getFileName();
 
         //update to deal with archive analyzer, the starting name maybe the same
         // as this is incorrectly looking at the starting path
         final File one = new File(fileName1);
         final File two = new File(fileName2);
         final String oneParent = one.getParent();
         final String twoParent = two.getParent();
         if (oneParent != null) {
             if (oneParent.equals(twoParent)) {
                 fileName1 = one.getName();
                 fileName2 = two.getName();
             } else {
                 return false;
             }
         } else if (twoParent != null) {
             return false;
         }
 
         //version check
         final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
         final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
         if (version1 != null && version2 != null) {
             if (!version1.equals(version2)) {
                 return false;
             }
         }
 
         //filename check
         final Matcher match1 = STARTING_TEXT_PATTERN.matcher(fileName1);
         final Matcher match2 = STARTING_TEXT_PATTERN.matcher(fileName2);
         if (match1.find() && match2.find()) {
             return match1.group().equals(match2.group());
         }
 
         return false;
     }
 
     /**
      * Returns true if the CPE identifiers in the two supplied dependencies are equal.
      *
      * @param dependency1 a dependency2 to compare
      * @param dependency2 a dependency2 to compare
      * @return true if the identifiers in the two supplied dependencies are equal
      */
     private boolean cpeIdentifiersMatch(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency1.getIdentifiers() == null
                 || dependency2 == null || dependency2.getIdentifiers() == null) {
             return false;
         }
         boolean matches = false;
         int cpeCount1 = 0;
         int cpeCount2 = 0;
         for (Identifier i : dependency1.getIdentifiers()) {
             if ("cpe".equals(i.getType())) {
                 cpeCount1 += 1;
             }
         }
         for (Identifier i : dependency2.getIdentifiers()) {
             if ("cpe".equals(i.getType())) {
                 cpeCount2 += 1;
             }
         }
         if (cpeCount1 > 0 && cpeCount1 == cpeCount2) {
             for (Identifier i : dependency1.getIdentifiers()) {
                 matches |= dependency2.getIdentifiers().contains(i);
                 if (!matches) {
                     break;
                 }
             }
         }
         if (LogUtils.isVerboseLoggingEnabled()) {
             final String msg = String.format("IdentifiersMatch=%s (%s, %s)", matches, dependency1.getFileName(), dependency2.getFileName());
             Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
         }
         return matches;
     }
 
     /**
      * Determines if the two dependencies have the same base path.
      *
      * @param dependency1 a Dependency object
      * @param dependency2 a Dependency object
      * @return true if the base paths of the dependencies are identical
      */
     private boolean hasSameBasePath(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency2 == null) {
             return false;
         }
         final File lFile = new File(dependency1.getFilePath());
         String left = lFile.getParent();
         final File rFile = new File(dependency2.getFilePath());
         String right = rFile.getParent();
         if (left == null) {
             return right == null;
         }
         if (left.equalsIgnoreCase(right)) {
             return true;
         }
         if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
             left = getBaseRepoPath(left);
             right = getBaseRepoPath(right);
         }
         if (left.equalsIgnoreCase(right)) {
             return true;
         }
         //new code
         for (Dependency child : dependency2.getRelatedDependencies()) {
             if (hasSameBasePath(dependency1, child)) {
                 return true;
             }
         }
         return false;
     }
 
     /**
      * This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison
      * to the 'right' library.
      *
      * @param left the dependency to test
      * @param right the dependency to test against
      * @return a boolean indicating whether or not the left dependency should be considered the "core" version.
      */
     boolean isCore(Dependency left, Dependency right) {
         final String leftName = left.getFileName().toLowerCase();
         final String rightName = right.getFileName().toLowerCase();
 
         final boolean returnVal;
         if (!rightName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+") && leftName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+")
                 || rightName.contains("core") && !leftName.contains("core")
                 || rightName.contains("kernel") && !leftName.contains("kernel")) {
             returnVal = false;
         } else if (rightName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+") && !leftName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+")
                 || !rightName.contains("core") && leftName.contains("core")
                 || !rightName.contains("kernel") && leftName.contains("kernel")) {
             returnVal = true;
         } else {
             /*
              * considered splitting the names up and comparing the components,
              * but decided that the file name length should be sufficient as the
              * "core" component, if this follows a normal naming protocol should
              * be shorter:
              * axis2-saaj-1.4.1.jar
              * axis2-1.4.1.jar       <-----
              * axis2-kernal-1.4.1.jar
              */
             returnVal = leftName.length() <= rightName.length();
         }
         if (LogUtils.isVerboseLoggingEnabled()) {
             final String msg = String.format("IsCore=%s (%s, %s)", returnVal, left.getFileName(), right.getFileName());
             Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
         }
         return returnVal;
     }
 
     /**
      * Compares the SHA1 hashes of two dependencies to determine if they are equal.
      *
      * @param dependency1 a dependency object to compare
      * @param dependency2 a dependency object to compare
      * @return true if the sha1 hashes of the two dependencies match; otherwise false
      */
     private boolean hashesMatch(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency2 == null || dependency1.getSha1sum() == null || dependency2.getSha1sum() == null) {
             return false;
         }
         return dependency1.getSha1sum().equals(dependency2.getSha1sum());
     }
 
     /**
      * Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml
      * dependency should be removed.
      *
      * @param dependency a dependency to check
      * @param nextDependency another dependency to check
      * @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match;
      * otherwise false
      */
     private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
         final String mainName = dependency.getFileName().toLowerCase();
         final String nextName = nextDependency.getFileName().toLowerCase();
         if (mainName.endsWith(".jar") && nextName.endsWith("pom.xml")) {
             return dependency.getIdentifiers().containsAll(nextDependency.getIdentifiers());
         } else if (nextName.endsWith(".jar") && mainName.endsWith("pom.xml")) {
             return nextDependency.getIdentifiers().containsAll(dependency.getIdentifiers());
         }
         return false;
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
21		import java.io.File;
22		import java.util.HashSet;
23		import java.util.Iterator;
24		import java.util.ListIterator;
25		import java.util.Set;
26		import java.util.logging.Level;
27		import java.util.logging.Logger;
28		import java.util.regex.Matcher;
29		import java.util.regex.Pattern;
30		import org.owasp.dependencycheck.Engine;
31		import org.owasp.dependencycheck.dependency.Dependency;
32		import org.owasp.dependencycheck.dependency.Identifier;
33		import org.owasp.dependencycheck.utils.DependencyVersion;
34		import org.owasp.dependencycheck.utils.DependencyVersionUtil;
35		import org.owasp.dependencycheck.utils.LogUtils;
36
37		/**
38		* <p>
39		* This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are
40		* grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the
41		* same relative path then these should be grouped into a single dependency under the core/main library.</p>
42		* <p>
43		* Note, this grouping only works on dependencies with identified CVE entries</p>
44		*
45		* @author Jeremy Long <jeremy.long@owasp.org>
46		*/
47		public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
48
49		//<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
50		/**
51		* A pattern for obtaining the first part of a filename.
52		*/
53	1	private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
54		/**
55		* a flag indicating if this analyzer has run. This analyzer only runs once.
56		*/
57		private boolean analyzed = false;
58		//</editor-fold>
59		//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
60		/**
61		* The set of file extensions supported by this analyzer.
62		*/
63	1	private static final Set<String> EXTENSIONS = null;
64		/**
65		* The name of the analyzer.
66		*/
67		private static final String ANALYZER_NAME = "Dependency Bundling Analyzer";
68		/**
69		* The phase that this analyzer is intended to run in.
70		*/
71	1	private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
72
73		/**
74		* Returns a list of file EXTENSIONS supported by this analyzer.
75		*
76		* @return a list of file EXTENSIONS supported by this analyzer.
77		*/
78		public Set<String> getSupportedExtensions() {
79	133	return EXTENSIONS;
80		}
81
82		/**
83		* Returns the name of the analyzer.
84		*
85		* @return the name of the analyzer.
86		*/
87		public String getName() {
88	10	return ANALYZER_NAME;
89		}
90
91		/**
92		* Returns whether or not this analyzer can process the given extension.
93		*
94		* @param extension the file extension to test for support
95		* @return whether or not the specified file extension is supported by this analyzer.
96		*/
97		public boolean supportsExtension(String extension) {
98	10	return true;
99		}
100
101		/**
102		* Returns the phase that the analyzer is intended to run in.
103		*
104		* @return the phase that the analyzer is intended to run in.
105		*/
106		public AnalysisPhase getAnalysisPhase() {
107	7	return ANALYSIS_PHASE;
108		}
109		//</editor-fold>
110
111		/**
112		* Analyzes a set of dependencies. If they have been found to have the same base path and the same set of
113		* identifiers they are likely related. The related dependencies are bundled into a single reportable item.
114		*
115		* @param ignore this analyzer ignores the dependency being analyzed
116		* @param engine the engine that is scanning the dependencies
117		* @throws AnalysisException is thrown if there is an error reading the JAR file.
118		*/
119		@Override
120		public void analyze(Dependency ignore, Engine engine) throws AnalysisException {
121	9	if (!analyzed) {
122	1	analyzed = true;
123	1	final Set<Dependency> dependenciesToRemove = new HashSet<Dependency>();
124	1	final ListIterator<Dependency> mainIterator = engine.getDependencies().listIterator();
125		//for (Dependency nextDependency : engine.getDependencies()) {
126	4	while (mainIterator.hasNext()) {
127	3	final Dependency dependency = mainIterator.next();
128	3	if (mainIterator.hasNext()) {
129	2	final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
130	5	while (subIterator.hasNext()) {
131	3	final Dependency nextDependency = subIterator.next();
132	3	if (isShadedJar(dependency, nextDependency)) {
133	0	if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
134	0	dependenciesToRemove.add(dependency);
135		} else {
136	0	dependenciesToRemove.add(nextDependency);
137		}
138	3	} else if (hashesMatch(dependency, nextDependency)) {
139	0	if (isCore(dependency, nextDependency)) {
140	0	mergeDependencies(dependency, nextDependency, dependenciesToRemove);
141		} else {
142	0	mergeDependencies(nextDependency, dependency, dependenciesToRemove);
143		}
144	3	} else if (cpeIdentifiersMatch(dependency, nextDependency)
145		&& hasSameBasePath(dependency, nextDependency)
146		&& fileNameMatch(dependency, nextDependency)) {
147
148	0	if (isCore(dependency, nextDependency)) {
149	0	mergeDependencies(dependency, nextDependency, dependenciesToRemove);
150		} else {
151	0	mergeDependencies(nextDependency, dependency, dependenciesToRemove);
152		}
153		}
154	3	}
155		}
156	3	}
157		//removing dependencies here as ensuring correctness and avoiding ConcurrentUpdateExceptions
158		// was difficult because of the inner iterator.
159	1	for (Dependency d : dependenciesToRemove) {
160	0	engine.getDependencies().remove(d);
161	0	}
162		}
163	9	}
164
165		/**
166		* Adds the relatedDependency to the dependency's related dependencies.
167		*
168		* @param dependency the main dependency
169		* @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the
170		* source of dependencies to remove
171		* @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this
172		* function adds to this collection
173		*/
174		private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
175	0	dependency.addRelatedDependency(relatedDependency);
176	0	final Iterator<Dependency> i = relatedDependency.getRelatedDependencies().iterator();
177	0	while (i.hasNext()) {
178	0	dependency.addRelatedDependency(i.next());
179	0	i.remove();
180		}
181	0	dependenciesToRemove.add(relatedDependency);
182	0	}
183
184		/**
185		* Attempts to trim a maven repo to a common base path. This is typically
186		* [drive]\[repo_location]\repository\[path1]\[path2].
187		*
188		* @param path the path to trim
189		* @return a string representing the base path.
190		*/
191		private String getBaseRepoPath(final String path) {
192	0	int pos = path.indexOf("repository" + File.separator) + 11;
193	0	if (pos < 0) {
194	0	return path;
195		}
196	0	int tmp = path.indexOf(File.separator, pos);
197	0	if (tmp <= 0) {
198	0	return path;
199		}
200	0	if (tmp > 0) {
201	0	pos = tmp + 1;
202		}
203	0	tmp = path.indexOf(File.separator, pos);
204	0	if (tmp > 0) {
205	0	pos = tmp + 1;
206		}
207	0	return path.substring(0, pos);
208		}
209
210		/**
211		* Returns true if the file names (and version if it exists) of the two dependencies are sufficiently similar.
212		*
213		* @param dependency1 a dependency2 to compare
214		* @param dependency2 a dependency2 to compare
215		* @return true if the identifiers in the two supplied dependencies are equal
216		*/
217		private boolean fileNameMatch(Dependency dependency1, Dependency dependency2) {
218	0	if (dependency1 == null \|\| dependency1.getFileName() == null
219		\|\| dependency2 == null \|\| dependency2.getFileName() == null) {
220	0	return false;
221		}
222	0	String fileName1 = dependency1.getFileName();
223	0	String fileName2 = dependency2.getFileName();
224
225		//update to deal with archive analyzer, the starting name maybe the same
226		// as this is incorrectly looking at the starting path
227	0	final File one = new File(fileName1);
228	0	final File two = new File(fileName2);
229	0	final String oneParent = one.getParent();
230	0	final String twoParent = two.getParent();
231	0	if (oneParent != null) {
232	0	if (oneParent.equals(twoParent)) {
233	0	fileName1 = one.getName();
234	0	fileName2 = two.getName();
235		} else {
236	0	return false;
237		}
238	0	} else if (twoParent != null) {
239	0	return false;
240		}
241
242		//version check
243	0	final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
244	0	final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
245	0	if (version1 != null && version2 != null) {
246	0	if (!version1.equals(version2)) {
247	0	return false;
248		}
249		}
250
251		//filename check
252	0	final Matcher match1 = STARTING_TEXT_PATTERN.matcher(fileName1);
253	0	final Matcher match2 = STARTING_TEXT_PATTERN.matcher(fileName2);
254	0	if (match1.find() && match2.find()) {
255	0	return match1.group().equals(match2.group());
256		}
257
258	0	return false;
259		}
260
261		/**
262		* Returns true if the CPE identifiers in the two supplied dependencies are equal.
263		*
264		* @param dependency1 a dependency2 to compare
265		* @param dependency2 a dependency2 to compare
266		* @return true if the identifiers in the two supplied dependencies are equal
267		*/
268		private boolean cpeIdentifiersMatch(Dependency dependency1, Dependency dependency2) {
269	3	if (dependency1 == null \|\| dependency1.getIdentifiers() == null
270		\|\| dependency2 == null \|\| dependency2.getIdentifiers() == null) {
271	0	return false;
272		}
273	3	boolean matches = false;
274	3	int cpeCount1 = 0;
275	3	int cpeCount2 = 0;
276	3	for (Identifier i : dependency1.getIdentifiers()) {
277	3	if ("cpe".equals(i.getType())) {
278	3	cpeCount1 += 1;
279		}
280	3	}
281	3	for (Identifier i : dependency2.getIdentifiers()) {
282	3	if ("cpe".equals(i.getType())) {
283	3	cpeCount2 += 1;
284		}
285	3	}
286	3	if (cpeCount1 > 0 && cpeCount1 == cpeCount2) {
287	3	for (Identifier i : dependency1.getIdentifiers()) {
288	3	matches \|= dependency2.getIdentifiers().contains(i);
289	3	if (!matches) {
290	2	break;
291		}
292	1	}
293		}
294	3	if (LogUtils.isVerboseLoggingEnabled()) {
295	0	final String msg = String.format("IdentifiersMatch=%s (%s, %s)", matches, dependency1.getFileName(), dependency2.getFileName());
296	0	Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
297		}
298	3	return matches;
299		}
300
301		/**
302		* Determines if the two dependencies have the same base path.
303		*
304		* @param dependency1 a Dependency object
305		* @param dependency2 a Dependency object
306		* @return true if the base paths of the dependencies are identical
307		*/
308		private boolean hasSameBasePath(Dependency dependency1, Dependency dependency2) {
309	1	if (dependency1 == null \|\| dependency2 == null) {
310	0	return false;
311		}
312	1	final File lFile = new File(dependency1.getFilePath());
313	1	String left = lFile.getParent();
314	1	final File rFile = new File(dependency2.getFilePath());
315	1	String right = rFile.getParent();
316	1	if (left == null) {
317	0	return right == null;
318		}
319	1	if (left.equalsIgnoreCase(right)) {
320	0	return true;
321		}
322	1	if (left.matches(".[/\\\\]repository[/\\\\].") && right.matches(".[/\\\\]repository[/\\\\].")) {
323	0	left = getBaseRepoPath(left);
324	0	right = getBaseRepoPath(right);
325		}
326	1	if (left.equalsIgnoreCase(right)) {
327	0	return true;
328		}
329		//new code
330	1	for (Dependency child : dependency2.getRelatedDependencies()) {
331	0	if (hasSameBasePath(dependency1, child)) {
332	0	return true;
333		}
334	0	}
335	1	return false;
336		}
337
338		/**
339		* This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison
340		* to the 'right' library.
341		*
342		* @param left the dependency to test
343		* @param right the dependency to test against
344		* @return a boolean indicating whether or not the left dependency should be considered the "core" version.
345		*/
346		boolean isCore(Dependency left, Dependency right) {
347	2	final String leftName = left.getFileName().toLowerCase();
348	2	final String rightName = right.getFileName().toLowerCase();
349
350		final boolean returnVal;
351	2	if (!rightName.matches(".\\.(tar\|tgz\|gz\|zip\|ear\|war).+") && leftName.matches(".\\.(tar\|tgz\|gz\|zip\|ear\|war).+")
352		\|\| rightName.contains("core") && !leftName.contains("core")
353		\|\| rightName.contains("kernel") && !leftName.contains("kernel")) {
354	0	returnVal = false;
355	2	} else if (rightName.matches(".\\.(tar\|tgz\|gz\|zip\|ear\|war).+") && !leftName.matches(".\\.(tar\|tgz\|gz\|zip\|ear\|war).+")
356		\|\| !rightName.contains("core") && leftName.contains("core")
357		\|\| !rightName.contains("kernel") && leftName.contains("kernel")) {
358	2	returnVal = true;
359		} else {
360		/*
361		* considered splitting the names up and comparing the components,
362		* but decided that the file name length should be sufficient as the
363		* "core" component, if this follows a normal naming protocol should
364		* be shorter:
365		* axis2-saaj-1.4.1.jar
366		* axis2-1.4.1.jar <-----
367		* axis2-kernal-1.4.1.jar
368		*/
369	0	returnVal = leftName.length() <= rightName.length();
370		}
371	2	if (LogUtils.isVerboseLoggingEnabled()) {
372	0	final String msg = String.format("IsCore=%s (%s, %s)", returnVal, left.getFileName(), right.getFileName());
373	0	Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
374		}
375	2	return returnVal;
376		}
377
378		/**
379		* Compares the SHA1 hashes of two dependencies to determine if they are equal.
380		*
381		* @param dependency1 a dependency object to compare
382		* @param dependency2 a dependency object to compare
383		* @return true if the sha1 hashes of the two dependencies match; otherwise false
384		*/
385		private boolean hashesMatch(Dependency dependency1, Dependency dependency2) {
386	3	if (dependency1 == null \|\| dependency2 == null \|\| dependency1.getSha1sum() == null \|\| dependency2.getSha1sum() == null) {
387	0	return false;
388		}
389	3	return dependency1.getSha1sum().equals(dependency2.getSha1sum());
390		}
391
392		/**
393		* Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml
394		* dependency should be removed.
395		*
396		* @param dependency a dependency to check
397		* @param nextDependency another dependency to check
398		* @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match;
399		* otherwise false
400		*/
401		private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
402	3	final String mainName = dependency.getFileName().toLowerCase();
403	3	final String nextName = nextDependency.getFileName().toLowerCase();
404	3	if (mainName.endsWith(".jar") && nextName.endsWith("pom.xml")) {
405	0	return dependency.getIdentifiers().containsAll(nextDependency.getIdentifiers());
406	3	} else if (nextName.endsWith(".jar") && mainName.endsWith("pom.xml")) {
407	0	return nextDependency.getIdentifiers().containsAll(dependency.getIdentifiers());
408		}
409	3	return false;
410		}
411		}