Coverage Report

Coverage Report - org.owasp.dependencycheck.dependency.VulnerableSoftware

Classes in this File

Line Coverage

Branch Coverage

Complexity

VulnerableSoftware

73%

65/89

77%

56/72

3.278

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.dependency;
 
 import java.io.Serializable;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
 
 /**
  * A record containing information about vulnerable software. This is referenced from a vulnerability.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class VulnerableSoftware extends IndexEntry implements Serializable, Comparable<VulnerableSoftware> {
 
     /**
      * The serial version UID.
      */
     private static final long serialVersionUID = 307319490326651052L;
 
     /**
      * Parse a CPE entry from the cpe string representation.
      *
      * @param cpe a cpe entry (e.g. cpe:/a:vendor:software:version)
      */
     public void setCpe(String cpe) {
         try {
             parseName(cpe);
         } catch (UnsupportedEncodingException ex) {
             final String msg = String.format("Character encoding is unsupported for CPE '%s'.", cpe);
             Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.WARNING, msg);
             Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.FINE, null, ex);
             setName(cpe);
         }
     }
 
     /**
      * <p>
      * Parses a name attribute value, from the cpe.xml, into its corresponding parts: vendor, product, version,
      * revision.</p>
      * <p>
      * Example:</p>
      * <code>&nbsp;&nbsp;&nbsp;cpe:/a:apache:struts:1.1:rc2</code>
      *
      * <p>
      * Results in:</p> <ul> <li>Vendor: apache</li> <li>Product: struts</li>
      * <li>Version: 1.1</li> <li>Revision: rc2</li> </ul>
      *
      * @param cpeName the cpe name
      * @throws UnsupportedEncodingException should never be thrown...
      */
     @Override
     public void parseName(String cpeName) throws UnsupportedEncodingException {
         this.name = cpeName;
         if (cpeName != null && cpeName.length() > 7) {
             final String[] data = cpeName.substring(7).split(":");
             if (data.length >= 1) {
                 this.setVendor(URLDecoder.decode(data[0].replace("+", "%2B"), "UTF-8"));
             }
             if (data.length >= 2) {
                 this.setProduct(URLDecoder.decode(data[1].replace("+", "%2B"), "UTF-8"));
             }
             if (data.length >= 3) {
                 version = URLDecoder.decode(data[2].replace("+", "%2B"), "UTF-8");
             }
             if (data.length >= 4) {
                 revision = URLDecoder.decode(data[3].replace("+", "%2B"), "UTF-8");
             }
             if (data.length >= 5) {
                 edition = URLDecoder.decode(data[4].replace("+", "%2B"), "UTF-8");
             }
         }
     }
     /**
      * If present, indicates that previous version are vulnerable.
      */
     private String previousVersion;
 
     /**
      * Indicates if previous versions of this software are vulnerable.
      *
      * @return if previous versions of this software are vulnerable
      */
     public boolean hasPreviousVersion() {
         return previousVersion != null;
     }
 
     /**
      * Get the value of previousVersion.
      *
      * @return the value of previousVersion
      */
     public String getPreviousVersion() {
         return previousVersion;
     }
 
     /**
      * Set the value of previousVersion.
      *
      * @param previousVersion new value of previousVersion
      */
     public void setPreviousVersion(String previousVersion) {
         this.previousVersion = previousVersion;
     }
 
     /**
      * Standard equals implementation to compare this VulnerableSoftware to another object.
      *
      * @param obj the object to compare
      * @return whether or not the objects are equal
      */
     @Override
     public boolean equals(Object obj) {
         if (obj == null) {
             return false;
         }
         if (getClass() != obj.getClass()) {
             return false;
         }
         final VulnerableSoftware other = (VulnerableSoftware) obj;
         if ((this.getName() == null) ? (other.getName() != null) : !this.getName().equals(other.getName())) {
             return false;
         }
         return true;
     }
 
     /**
      * Standard implementation of hashCode.
      *
      * @return the hashCode for the object
      */
     @Override
     public int hashCode() {
         int hash = 7;
         hash = 83 * hash + (this.getName() != null ? this.getName().hashCode() : 0);
         return hash;
     }
 
     /**
      * Standard toString() implementation display the name and whether or not previous versions are also affected.
      *
      * @return a string representation of the object
      */
     @Override
     public String toString() {
         return "VulnerableSoftware{ name=" + name + ", previousVersion=" + previousVersion + '}';
     }
 
     /**
      * Implementation of the comparable interface.
      *
      * @param vs the VulnerableSoftware to compare
      * @return an integer indicating the ordering of the two objects
      */
     @Override
     public int compareTo(VulnerableSoftware vs) {
         int result = 0;
         final String[] left = this.getName().split(":");
         final String[] right = vs.getName().split(":");
         final int max = (left.length <= right.length) ? left.length : right.length;
         if (max > 0) {
             for (int i = 0; result == 0 && i < max; i++) {
                 final String[] subLeft = left[i].split("\\.");
                 final String[] subRight = right[i].split("\\.");
                 final int subMax = (subLeft.length <= subRight.length) ? subLeft.length : subRight.length;
                 if (subMax > 0) {
                     for (int x = 0; result == 0 && x < subMax; x++) {
                         if (isPositiveInteger(subLeft[x]) && isPositiveInteger(subRight[x])) {
                             try {
                                 result = Long.valueOf(subLeft[x]).compareTo(Long.valueOf(subRight[x]));
 //                                final long iLeft = Long.parseLong(subLeft[x]);
 //                                final long iRight = Long.parseLong(subRight[x]);
 //                                if (iLeft != iRight) {
 //                                    if (iLeft > iRight) {
 //                                        result = 2;
 //                                    } else {
 //                                        result = -2;
 //                                    }
 //                                }
                             } catch (NumberFormatException ex) {
                                 //ignore the exception - they obviously aren't numbers
                                 if (!subLeft[x].equalsIgnoreCase(subRight[x])) {
                                     result = subLeft[x].compareToIgnoreCase(subRight[x]);
                                 }
                             }
                         } else {
                             result = subLeft[x].compareToIgnoreCase(subRight[x]);
                         }
                     }
                     if (result == 0) {
                         if (subLeft.length > subRight.length) {
                             result = 2;
                         }
                         if (subRight.length > subLeft.length) {
                             result = -2;
                         }
                     }
                 } else {
                     result = left[i].compareToIgnoreCase(right[i]);
                 }
             }
             if (result == 0) {
                 if (left.length > right.length) {
                     result = 2;
                 }
                 if (right.length > left.length) {
                     result = -2;
                 }
             }
         } else {
             result = this.getName().compareToIgnoreCase(vs.getName());
         }
         return result;
     }
 
     /**
      * Determines if the string passed in is a positive integer.
      *
      * @param str the string to test
      * @return true if the string only contains 0-9, otherwise false.
      */
     private static boolean isPositiveInteger(final String str) {
         if (str == null || str.isEmpty()) {
             return false;
         }
         for (int i = 0; i < str.length(); i++) {
             final char c = str.charAt(i);
             if (c < '0' || c > '9') {
                 return false;
             }
         }
         return true;
     }
     /**
      * The name of the cpe.
      */
     private String name;
 
     /**
      * Get the value of name.
      *
      * @return the value of name
      */
     public String getName() {
         return name;
     }
 
     /**
      * Set the value of name.
      *
      * @param name new value of name
      */
     public void setName(String name) {
         this.name = name;
     }
     /**
      * The product version number.
      */
     private String version;
 
     /**
      * Get the value of version.
      *
      * @return the value of version
      */
     public String getVersion() {
         return version;
     }
 
     /**
      * Set the value of version.
      *
      * @param version new value of version
      */
     public void setVersion(String version) {
         this.version = version;
     }
     /**
      * The product revision version.
      */
     private String revision;
 
     /**
      * Get the value of revision.
      *
      * @return the value of revision
      */
     public String getRevision() {
         return revision;
     }
 
     /**
      * Set the value of revision.
      *
      * @param revision new value of revision
      */
     public void setRevision(String revision) {
         this.revision = revision;
     }
     /**
      * The product edition.
      */
     private String edition;
 
     /**
      * Get the value of edition.
      *
      * @return the value of edition
      */
     public String getEdition() {
         return edition;
     }
 
     /**
      * Set the value of edition.
      *
      * @param edition new value of edition
      */
     public void setEdition(String edition) {
         this.edition = edition;
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.dependency;
19
20		import java.io.Serializable;
21		import java.io.UnsupportedEncodingException;
22		import java.net.URLDecoder;
23		import java.util.logging.Level;
24		import java.util.logging.Logger;
25		import org.owasp.dependencycheck.data.cpe.IndexEntry;
26
27		/**
28		* A record containing information about vulnerable software. This is referenced from a vulnerability.
29		*
30		* @author Jeremy Long <jeremy.long@owasp.org>
31		*/
32	62313	public class VulnerableSoftware extends IndexEntry implements Serializable, Comparable<VulnerableSoftware> {
33
34		/**
35		* The serial version UID.
36		*/
37		private static final long serialVersionUID = 307319490326651052L;
38
39		/**
40		* Parse a CPE entry from the cpe string representation.
41		*
42		* @param cpe a cpe entry (e.g. cpe:/a:vendor:software:version)
43		*/
44		public void setCpe(String cpe) {
45		try {
46	7716	parseName(cpe);
47	0	} catch (UnsupportedEncodingException ex) {
48	0	final String msg = String.format("Character encoding is unsupported for CPE '%s'.", cpe);
49	0	Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.WARNING, msg);
50	0	Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.FINE, null, ex);
51	0	setName(cpe);
52	7716	}
53	7716	}
54
55		/**
56		* <p>
57		* Parses a name attribute value, from the cpe.xml, into its corresponding parts: vendor, product, version,
58		* revision.</p>
59		* <p>
60		* Example:</p>
61		* <code>   cpe:/a:apache:struts:1.1:rc2</code>
62		*
63		* <p>
64		* Results in:</p> <ul> <li>Vendor: apache</li> <li>Product: struts</li>
65		* <li>Version: 1.1</li> <li>Revision: rc2</li> </ul>
66		*
67		* @param cpeName the cpe name
68		* @throws UnsupportedEncodingException should never be thrown...
69		*/
70		@Override
71		public void parseName(String cpeName) throws UnsupportedEncodingException {
72	11292	this.name = cpeName;
73	11292	if (cpeName != null && cpeName.length() > 7) {
74	11292	final String[] data = cpeName.substring(7).split(":");
75	11292	if (data.length >= 1) {
76	11292	this.setVendor(URLDecoder.decode(data[0].replace("+", "%2B"), "UTF-8"));
77		}
78	11292	if (data.length >= 2) {
79	11292	this.setProduct(URLDecoder.decode(data[1].replace("+", "%2B"), "UTF-8"));
80		}
81	11292	if (data.length >= 3) {
82	11264	version = URLDecoder.decode(data[2].replace("+", "%2B"), "UTF-8");
83		}
84	11292	if (data.length >= 4) {
85	2318	revision = URLDecoder.decode(data[3].replace("+", "%2B"), "UTF-8");
86		}
87	11292	if (data.length >= 5) {
88	1	edition = URLDecoder.decode(data[4].replace("+", "%2B"), "UTF-8");
89		}
90		}
91	11292	}
92		/**
93		* If present, indicates that previous version are vulnerable.
94		*/
95		private String previousVersion;
96
97		/**
98		* Indicates if previous versions of this software are vulnerable.
99		*
100		* @return if previous versions of this software are vulnerable
101		*/
102		public boolean hasPreviousVersion() {
103	1985	return previousVersion != null;
104		}
105
106		/**
107		* Get the value of previousVersion.
108		*
109		* @return the value of previousVersion
110		*/
111		public String getPreviousVersion() {
112	0	return previousVersion;
113		}
114
115		/**
116		* Set the value of previousVersion.
117		*
118		* @param previousVersion new value of previousVersion
119		*/
120		public void setPreviousVersion(String previousVersion) {
121	43	this.previousVersion = previousVersion;
122	43	}
123
124		/**
125		* Standard equals implementation to compare this VulnerableSoftware to another object.
126		*
127		* @param obj the object to compare
128		* @return whether or not the objects are equal
129		*/
130		@Override
131		public boolean equals(Object obj) {
132	1	if (obj == null) {
133	0	return false;
134		}
135	1	if (getClass() != obj.getClass()) {
136	0	return false;
137		}
138	1	final VulnerableSoftware other = (VulnerableSoftware) obj;
139	1	if ((this.getName() == null) ? (other.getName() != null) : !this.getName().equals(other.getName())) {
140	1	return false;
141		}
142	0	return true;
143		}
144
145		/**
146		* Standard implementation of hashCode.
147		*
148		* @return the hashCode for the object
149		*/
150		@Override
151		public int hashCode() {
152	4516	int hash = 7;
153	4516	hash = 83 * hash + (this.getName() != null ? this.getName().hashCode() : 0);
154	4516	return hash;
155		}
156
157		/**
158		* Standard toString() implementation display the name and whether or not previous versions are also affected.
159		*
160		* @return a string representation of the object
161		*/
162		@Override
163		public String toString() {
164	0	return "VulnerableSoftware{ name=" + name + ", previousVersion=" + previousVersion + '}';
165		}
166
167		/**
168		* Implementation of the comparable interface.
169		*
170		* @param vs the VulnerableSoftware to compare
171		* @return an integer indicating the ordering of the two objects
172		*/
173		@Override
174		public int compareTo(VulnerableSoftware vs) {
175	51023	int result = 0;
176	51023	final String[] left = this.getName().split(":");
177	51023	final String[] right = vs.getName().split(":");
178	51023	final int max = (left.length <= right.length) ? left.length : right.length;
179	51023	if (max > 0) {
180	308355	for (int i = 0; result == 0 && i < max; i++) {
181	257332	final String[] subLeft = left[i].split("\\.");
182	257332	final String[] subRight = right[i].split("\\.");
183	257332	final int subMax = (subLeft.length <= subRight.length) ? subLeft.length : subRight.length;
184	257332	if (subMax > 0) {
185	578427	for (int x = 0; result == 0 && x < subMax; x++) {
186	321095	if (isPositiveInteger(subLeft[x]) && isPositiveInteger(subRight[x])) {
187		try {
188	111835	result = Long.valueOf(subLeft[x]).compareTo(Long.valueOf(subRight[x]));
189		// final long iLeft = Long.parseLong(subLeft[x]);
190		// final long iRight = Long.parseLong(subRight[x]);
191		// if (iLeft != iRight) {
192		// if (iLeft > iRight) {
193		// result = 2;
194		// } else {
195		// result = -2;
196		// }
197		// }
198	0	} catch (NumberFormatException ex) {
199		//ignore the exception - they obviously aren't numbers
200	0	if (!subLeft[x].equalsIgnoreCase(subRight[x])) {
201	0	result = subLeft[x].compareToIgnoreCase(subRight[x]);
202		}
203	111835	}
204		} else {
205	209260	result = subLeft[x].compareToIgnoreCase(subRight[x]);
206		}
207		}
208	257332	if (result == 0) {
209	208461	if (subLeft.length > subRight.length) {
210	1478	result = 2;
211		}
212	208461	if (subRight.length > subLeft.length) {
213	7	result = -2;
214		}
215		}
216		} else {
217	0	result = left[i].compareToIgnoreCase(right[i]);
218		}
219		}
220	51023	if (result == 0) {
221	667	if (left.length > right.length) {
222	578	result = 2;
223		}
224	667	if (right.length > left.length) {
225	10	result = -2;
226		}
227		}
228		} else {
229	0	result = this.getName().compareToIgnoreCase(vs.getName());
230		}
231	51023	return result;
232		}
233
234		/**
235		* Determines if the string passed in is a positive integer.
236		*
237		* @param str the string to test
238		* @return true if the string only contains 0-9, otherwise false.
239		*/
240		private static boolean isPositiveInteger(final String str) {
241	433024	if (str == null \|\| str.isEmpty()) {
242	14	return false;
243		}
244	674390	for (int i = 0; i < str.length(); i++) {
245	450626	final char c = str.charAt(i);
246	450626	if (c < '0' \|\| c > '9') {
247	209246	return false;
248		}
249		}
250	223764	return true;
251		}
252		/**
253		* The name of the cpe.
254		*/
255		private String name;
256
257		/**
258		* Get the value of name.
259		*
260		* @return the value of name
261		*/
262		public String getName() {
263	113404	return name;
264		}
265
266		/**
267		* Set the value of name.
268		*
269		* @param name new value of name
270		*/
271		public void setName(String name) {
272	0	this.name = name;
273	0	}
274		/**
275		* The product version number.
276		*/
277		private String version;
278
279		/**
280		* Get the value of version.
281		*
282		* @return the value of version
283		*/
284		public String getVersion() {
285	19734	return version;
286		}
287
288		/**
289		* Set the value of version.
290		*
291		* @param version new value of version
292		*/
293		public void setVersion(String version) {
294	0	this.version = version;
295	0	}
296		/**
297		* The product revision version.
298		*/
299		private String revision;
300
301		/**
302		* Get the value of revision.
303		*
304		* @return the value of revision
305		*/
306		public String getRevision() {
307	19236	return revision;
308		}
309
310		/**
311		* Set the value of revision.
312		*
313		* @param revision new value of revision
314		*/
315		public void setRevision(String revision) {
316	0	this.revision = revision;
317	0	}
318		/**
319		* The product edition.
320		*/
321		private String edition;
322
323		/**
324		* Get the value of edition.
325		*
326		* @return the value of edition
327		*/
328		public String getEdition() {
329	0	return edition;
330		}
331
332		/**
333		* Set the value of edition.
334		*
335		* @param edition new value of edition
336		*/
337		public void setEdition(String edition) {
338	0	this.edition = edition;
339	0	}
340		}