1 /*
2 * This file is part of dependency-check-core.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17 */
18 package org.owasp.dependencycheck.analyzer;
19
20 import java.io.File;
21 import org.apache.commons.io.FilenameUtils;
22 import org.owasp.dependencycheck.Engine;
23 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
24 import org.owasp.dependencycheck.dependency.Confidence;
25 import org.owasp.dependencycheck.dependency.Dependency;
26 import org.owasp.dependencycheck.utils.DependencyVersion;
27 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
28
29 /**
30 *
31 * Takes a dependency and analyzes the filename and determines the hashes.
32 *
33 * @author Jeremy Long
34 */
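public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {

    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "File Name Analyzer";
    /**
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;

    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    //</editor-fold>

    /**
     * The evidence source recorded for every piece of evidence this analyzer adds.
     */
    private static final String EVIDENCE_SOURCE = "file";
    /**
     * The evidence name recorded for every piece of evidence this analyzer adds.
     */
    private static final String EVIDENCE_NAME = "name";

    /**
     * Collects version, vendor, and product evidence from the dependency's file name.
     * <p>
     * Only the file name is inspected; the file's contents are never read here. The name
     * is whatever the producer of the artifact chose, so all evidence added by this
     * analyzer is heuristic and is recorded with a confidence rather than as fact.
     *
     * @param dependency the dependency to analyze.
     * @param engine the engine that is scanning the dependencies (not used by this analyzer).
     * @throws AnalysisException declared by the overridden method; this implementation does
     * not throw it itself.
     */
    @Override
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        // Work from the actual file so that any path information added by
        // ArchiveAnalyzer, etc. is stripped; only the base name without its
        // extension is used as evidence.
        final File actualFile = dependency.getActualFile();
        final String fileName = FilenameUtils.removeExtension(actualFile.getName());

        addVersionEvidence(dependency, fileName);
        addVendorAndProductEvidence(dependency, fileName);
    }

    /**
     * Adds version evidence parsed from the file name, if any version can be parsed.
     *
     * @param dependency the dependency receiving the evidence.
     * @param fileName the file name with path and extension removed.
     */
    private static void addVersionEvidence(Dependency dependency, String fileName) {
        final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);
        if (version == null) {
            return;
        }
        // If the version number is just a single number like 2 or 23, reduce the
        // confidence a shade: for names like log4j.jar or struts2-core.jar the digit
        // is part of the product name rather than a real version.
        final boolean singlePart = version.getVersionParts() == null
                || version.getVersionParts().size() < 2;
        final Confidence versionConfidence = singlePart ? Confidence.MEDIUM : Confidence.HIGHEST;
        dependency.getVersionEvidence().addEvidence(EVIDENCE_SOURCE, EVIDENCE_NAME,
                version.toString(), versionConfidence);
        // The whole file name is also recorded as lower-confidence version evidence.
        dependency.getVersionEvidence().addEvidence(EVIDENCE_SOURCE, EVIDENCE_NAME,
                fileName, Confidence.MEDIUM);
    }

    /**
     * Adds the file name as vendor and product evidence.
     *
     * @param dependency the dependency receiving the evidence.
     * @param fileName the file name with path and extension removed.
     */
    private static void addVendorAndProductEvidence(Dependency dependency, String fileName) {
        // A name containing '-' gets HIGHEST confidence, any other name HIGH; the
        // original intent is not documented — presumably hyphenated names more often
        // carry a vendor/product split (e.g. struts2-core).
        final Confidence nameConfidence = fileName.contains("-") ? Confidence.HIGHEST : Confidence.HIGH;
        dependency.getProductEvidence().addEvidence(EVIDENCE_SOURCE, EVIDENCE_NAME,
                fileName, nameConfidence);
        dependency.getVendorEvidence().addEvidence(EVIDENCE_SOURCE, EVIDENCE_NAME,
                fileName, nameConfidence);
    }
}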