View Javadoc
1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import java.io.File;
21  
22  import org.apache.commons.io.FilenameUtils;
23  import org.apache.commons.io.filefilter.NameFileFilter;
24  import org.owasp.dependencycheck.Engine;
25  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
26  import org.owasp.dependencycheck.dependency.Confidence;
27  import org.owasp.dependencycheck.dependency.Dependency;
28  import org.owasp.dependencycheck.utils.DependencyVersion;
29  import org.owasp.dependencycheck.utils.DependencyVersionUtil;
30  
31  /**
32   *
33   * Takes a dependency and analyzes the filename and determines the hashes.
34   *
35   * @author Jeremy Long
36   */
37  public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
38  
39      //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
40      /**
41       * The name of the analyzer.
42       */
43      private static final String ANALYZER_NAME = "File Name Analyzer";
44      /**
45       * The phase that this analyzer is intended to run in.
46       */
47      private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
48  
49      /**
50       * Returns the name of the analyzer.
51       *
52       * @return the name of the analyzer.
53       */
54      @Override
55      public String getName() {
56          return ANALYZER_NAME;
57      }
58  
59      /**
60       * Returns the phase that the analyzer is intended to run in.
61       *
62       * @return the phase that the analyzer is intended to run in.
63       */
64      @Override
65      public AnalysisPhase getAnalysisPhase() {
66          return ANALYSIS_PHASE;
67      }
68      //</editor-fold>
69  
70      /**
71       * Python init files
72       */
73      //CSOFF: WhitespaceAfter
74      private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[]{
75          "__init__.py",
76          "__init__.pyc",
77          "__init__.pyo",});
78      //CSON: WhitespaceAfter
79  
80      /**
81       * Collects information about the file name.
82       *
83       * @param dependency the dependency to analyze.
84       * @param engine the engine that is scanning the dependencies
85       * @throws AnalysisException is thrown if there is an error reading the JAR
86       * file.
87       */
88      @Override
89      public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
90  
91          //strip any path information that may get added by ArchiveAnalyzer, etc.
92          final File f = dependency.getActualFile();
93          final String fileName = FilenameUtils.removeExtension(f.getName());
94  
95          //add version evidence
96          final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);
97          final String packageName = DependencyVersionUtil.parsePreVersion(fileName);
98          if (version != null) {
99              // If the version number is just a number like 2 or 23, reduce the confidence
100             // a shade. This should hopefully correct for cases like log4j.jar or
101             // struts2-core.jar
102             if (version.getVersionParts() == null || version.getVersionParts().size() < 2) {
103                 dependency.getVersionEvidence().addEvidence("file", "version",
104                         version.toString(), Confidence.MEDIUM);
105             } else {
106                 dependency.getVersionEvidence().addEvidence("file", "version",
107                         version.toString(), Confidence.HIGHEST);
108             }
109             dependency.getVersionEvidence().addEvidence("file", "name",
110                     packageName, Confidence.MEDIUM);
111         }
112 
113         if (!IGNORED_FILES.accept(f)) {
114             dependency.getProductEvidence().addEvidence("file", "name",
115                     packageName, Confidence.HIGH);
116             dependency.getVendorEvidence().addEvidence("file", "name",
117                     packageName, Confidence.HIGH);
118         }
119     }
120 }