1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import java.util.ArrayList;
21  import java.util.Iterator;
22  import java.util.List;
23  import java.util.Set;
24  import org.owasp.dependencycheck.Engine;
25  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
26  import org.owasp.dependencycheck.dependency.Confidence;
27  import org.owasp.dependencycheck.dependency.Dependency;
28  import org.owasp.dependencycheck.dependency.Evidence;
29  
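/**
 * Adds "hint" evidence to a dependency when its existing evidence matches a well-known
 * naming pattern whose vendor/product wording differs from what identifier matching
 * expects (Spring Framework / Spring Security -> springsource, vmware, pivotal; symfony
 * -> sensiolabs; zendframework -> zend; and the sun &lt;-&gt; oracle vendor alias).
 * <p>
 * The analyzer runs in the {@link AnalysisPhase#PRE_IDENTIFIER_ANALYSIS} phase so the
 * added evidence is available to the identifier analysis that follows. It never removes
 * evidence; it only adds entries whose source is marked as coming from this analyzer.
 *
 * @author Jeremy Long
 */
public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {

    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Hint Analyzer";
    /**
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
    /**
     * The evidence source recorded on every hint this analyzer adds, so that hint
     * evidence can be told apart from evidence extracted from the artifact itself.
     */
    private static final String HINT_SOURCE = "hint analyzer";

    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    //</editor-fold>

    /**
     * The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of identifiers
     * or vulnerabilities.
     * <p>
     * The hints are applied in three independent groups, in this order: Spring family hints,
     * PHP framework (symfony / zendframework) hints, and the sun/oracle vendor alias.
     *
     * @param dependency The dependency being analyzed
     * @param engine The scanning engine (not used by this analyzer)
     * @throws AnalysisException is thrown if there is an exception analyzing the dependency.
     */
    @Override
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        addSpringHints(dependency);
        addPhpFrameworkHints(dependency);
        addSunOracleHints(dependency);
    }

    /**
     * Adds springsource / vmware / pivotal vendor hints and a normalized product hint when the
     * dependency's evidence identifies it as the Spring Framework or Spring Security
     * (the "springsource/vmware problem").
     *
     * @param dependency the dependency being analyzed
     */
    private void addSpringHints(Dependency dependency) {
        final Evidence springTest1 = new Evidence("Manifest",
                "Implementation-Title",
                "Spring Framework",
                Confidence.HIGH);

        final Evidence springTest2 = new Evidence("Manifest",
                "Implementation-Title",
                "org.springframework.core",
                Confidence.HIGH);

        final Evidence springTest3 = new Evidence("Manifest",
                "Implementation-Title",
                "spring-core",
                Confidence.HIGH);

        final Evidence springTest4 = new Evidence("jar",
                "package name",
                "springframework",
                Confidence.LOW);

        final Evidence springSecurityTest1 = new Evidence("Manifest",
                "Bundle-Name",
                "Spring Security Core",
                Confidence.MEDIUM);

        final Evidence springSecurityTest2 = new Evidence("pom",
                "artifactid",
                "spring-security-core",
                Confidence.HIGH);

        final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
        final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();

        // The package-name evidence alone is weak (LOW confidence), so it is only trusted when the
        // file name also mentions spring. A null file name is treated as "no match" rather than
        // letting an NPE abort the analysis of this dependency.
        final String fileName = dependency.getFileName();
        final boolean springFileName = fileName != null && fileName.contains("spring");

        if (product.contains(springTest1) || product.contains(springTest2) || product.contains(springTest3)
                || (springFileName && product.contains(springTest4))) {
            dependency.getProductEvidence().addEvidence(HINT_SOURCE, "product", "springsource spring framework", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence(HINT_SOURCE, "vendor", "SpringSource", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence(HINT_SOURCE, "vendor", "vmware", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence(HINT_SOURCE, "vendor", "pivotal", Confidence.HIGH);
        }

        if (vendor.contains(springTest4)) {
            dependency.getProductEvidence().addEvidence(HINT_SOURCE, "product", "springsource_spring_framework", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence(HINT_SOURCE, "vendor", "vmware", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence(HINT_SOURCE, "vendor", "pivotal", Confidence.HIGH);
        }

        if (product.contains(springSecurityTest1) || product.contains(springSecurityTest2)) {
            dependency.getProductEvidence().addEvidence(HINT_SOURCE, "product", "springsource_spring_security", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence(HINT_SOURCE, "vendor", "SpringSource", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence(HINT_SOURCE, "vendor", "vmware", Confidence.HIGH);
        }
    }

    /**
     * Adds vendor/product hints for PHP frameworks identified from composer.lock evidence:
     * symfony -> sensiolabs (vendor) and zendframework -> zend (vendor) / zend_framework (product).
     *
     * @param dependency the dependency being analyzed
     */
    private void addPhpFrameworkHints(Dependency dependency) {
        final Evidence symfony = new Evidence("composer.lock",
                "vendor",
                "symfony",
                Confidence.HIGHEST);

        final Evidence zendframeworkVendor = new Evidence("composer.lock",
                "vendor",
                "zendframework",
                Confidence.HIGHEST);

        final Evidence zendframeworkProduct = new Evidence("composer.lock",
                "product",
                "zendframework",
                Confidence.HIGHEST);

        final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
        final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();

        if (vendor.contains(symfony)) {
            dependency.getVendorEvidence().addEvidence(HINT_SOURCE, "vendor", "sensiolabs", Confidence.HIGHEST);
        }

        if (vendor.contains(zendframeworkVendor)) {
            dependency.getVendorEvidence().addEvidence(HINT_SOURCE, "vendor", "zend", Confidence.HIGHEST);
        }

        if (product.contains(zendframeworkProduct)) {
            // NOTE(review): this hint is added to the product evidence but carries the name "vendor";
            // every other product hint in this class uses "product" — confirm whether that is intended.
            dependency.getProductEvidence().addEvidence(HINT_SOURCE, "vendor", "zend_framework", Confidence.HIGHEST);
        }
    }

    /**
     * Mirrors every "sun" vendor evidence entry as "oracle" and vice versa (the "sun/oracle problem"),
     * keeping the original entry's name and confidence and tagging the source with " (hint)".
     *
     * @param dependency the dependency being analyzed
     */
    private void addSunOracleHints(Dependency dependency) {
        final List<Evidence> mirrored = new ArrayList<Evidence>();
        final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
        while (itr.hasNext()) {
            final Evidence e = itr.next();
            final String alias = vendorAlias(e.getValue(false));
            if (alias != null) {
                mirrored.add(new Evidence(e.getSource() + " (hint)", e.getName(), alias, e.getConfidence()));
            }
        }
        // Collected first and added afterwards so the vendor evidence is not modified while iterating it.
        for (Evidence e : mirrored) {
            dependency.getVendorEvidence().addEvidence(e);
        }
    }

    /**
     * Returns the alias vendor name for a sun/oracle vendor value.
     *
     * @param value the vendor evidence value; may be null
     * @return "oracle" for "sun", "sun" for "oracle" (case-insensitive), otherwise null
     */
    private static String vendorAlias(String value) {
        if ("sun".equalsIgnoreCase(value)) {
            return "oracle";
        }
        if ("oracle".equalsIgnoreCase(value)) {
            return "sun";
        }
        return null;
    }
}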