Package org.owasp.dependencycheck.dependency

Examples of org.owasp.dependencycheck.dependency.EvidenceCollection


        final HashMap<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
        final HashMap<String, Integer> productIdentifiers = new HashMap<String, Integer>();
        analyzeFullyQualifiedClassNames(classNames, vendorIdentifiers, productIdentifiers);

        final int classCount = classNames.size();
        final EvidenceCollection vendor = dependency.getVendorEvidence();
        final EvidenceCollection product = dependency.getProductEvidence();

        for (Map.Entry<String, Integer> entry : vendorIdentifiers.entrySet()) {
            final float ratio = entry.getValue() / (float) classCount;
            if (ratio > 0.5) {
                //TODO remove weighting
                vendor.addWeighting(entry.getKey());
                if (addPackagesAsEvidence && entry.getKey().length() > 1) {
                    vendor.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
                }
            }
        }
        for (Map.Entry<String, Integer> entry : productIdentifiers.entrySet()) {
            final float ratio = entry.getValue() / (float) classCount;
            if (ratio > 0.5) {
                product.addWeighting(entry.getKey());
                if (addPackagesAsEvidence && entry.getKey().length() > 1) {
                    product.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
                }
            }
        }
    }


                }
                return false;
            }
            final Attributes atts = manifest.getMainAttributes();

            final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
            final EvidenceCollection productEvidence = dependency.getProductEvidence();
            final EvidenceCollection versionEvidence = dependency.getVersionEvidence();

            final String source = "Manifest";

            for (Entry<Object, Object> entry : atts.entrySet()) {
                String key = entry.getKey().toString();
                String value = atts.getValue(key);
                if (HTML_DETECTION_PATTERN.matcher(value).find()) {
                    value = Jsoup.parse(value).text();
                }
                if (IGNORE_VALUES.contains(value)) {
                    continue;
                } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
                    foundSomething = true;
                    productEvidence.addEvidence(source, key, value, Confidence.HIGH);
                    addMatchingValues(classInformation, value, productEvidence);
                } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
                    foundSomething = true;
                    versionEvidence.addEvidence(source, key, value, Confidence.HIGH);
                } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
                    foundSomething = true;
                    vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
                    addMatchingValues(classInformation, value, vendorEvidence);
                } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR_ID.toString())) {
                    foundSomething = true;
                    vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                    addMatchingValues(classInformation, value, vendorEvidence);
                } else if (key.equalsIgnoreCase(BUNDLE_DESCRIPTION)) {
                    foundSomething = true;
                    addDescription(dependency, value, "manifest", key);
                    //productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                    addMatchingValues(classInformation, value, productEvidence);
                } else if (key.equalsIgnoreCase(BUNDLE_NAME)) {
                    foundSomething = true;
                    productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                    addMatchingValues(classInformation, value, productEvidence);
                } else if (key.equalsIgnoreCase(BUNDLE_VENDOR)) {
                    foundSomething = true;
                    vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
                    addMatchingValues(classInformation, value, vendorEvidence);
                } else if (key.equalsIgnoreCase(BUNDLE_VERSION)) {
                    foundSomething = true;
                    versionEvidence.addEvidence(source, key, value, Confidence.HIGH);
                } else if (key.equalsIgnoreCase(Attributes.Name.MAIN_CLASS.toString())) {
                    continue;
                    //skipping main class as if this has important information to add
                    // it will be added during class name analysis...  if other fields
                    // have the information from the class name then they will get added...
//                    foundSomething = true;
//                    productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
//                    vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
//                    addMatchingValues(classInformation, value, vendorEvidence);
//                    addMatchingValues(classInformation, value, productEvidence);
                } else {
                    key = key.toLowerCase();

                    if (!IGNORE_KEYS.contains(key)
                            && !key.endsWith("jdk")
                            && !key.contains("lastmodified")
                            && !key.endsWith("package")
                            && !key.endsWith("classpath")
                            && !key.endsWith("class-path")
                            && !key.endsWith("-scm") //todo change this to a regex?
                            && !key.startsWith("scm-")
                            && !value.trim().startsWith("scm:")
                            && !isImportPackage(key, value)
                            && !isPackage(key, value)) {

                        foundSomething = true;
                        if (key.contains("version")) {
                            if (key.contains("specification")) {
                                versionEvidence.addEvidence(source, key, value, Confidence.LOW);
                            } else {
                                versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                            }
                        } else if ("build-id".equals(key)) {
                            int pos = value.indexOf('(');
                            if (pos >= 0) {
                                value = value.substring(0, pos - 1);
                            }
                            pos = value.indexOf('[');
                            if (pos >= 0) {
                                value = value.substring(0, pos - 1);
                            }
                            versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                        } else if (key.contains("title")) {
                            productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                            addMatchingValues(classInformation, value, productEvidence);
                        } else if (key.contains("vendor")) {
                            if (key.contains("specification")) {
                                vendorEvidence.addEvidence(source, key, value, Confidence.LOW);
                            } else {
                                vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                                addMatchingValues(classInformation, value, vendorEvidence);
                            }
                        } else if (key.contains("name")) {
                            productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                            vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                            addMatchingValues(classInformation, value, vendorEvidence);
                            addMatchingValues(classInformation, value, productEvidence);
                        } else if (key.contains("license")) {
                            addLicense(dependency, value);
                        } else {
                            if (key.contains("description")) {
                                addDescription(dependency, value, "manifest", key);
                            } else {
                                productEvidence.addEvidence(source, key, value, Confidence.LOW);
                                vendorEvidence.addEvidence(source, key, value, Confidence.LOW);
                                addMatchingValues(classInformation, value, vendorEvidence);
                                addMatchingValues(classInformation, value, productEvidence);
                                if (value.matches(".*\\d.*")) {
                                    final StringTokenizer tokenizer = new StringTokenizer(value, " ");
                                    while (tokenizer.hasMoreElements()) {
                                        final String s = tokenizer.nextToken();
                                        if (s.matches("^[0-9.]+$")) {
                                            versionEvidence.addEvidence(source, key, s, Confidence.LOW);
                                        }
                                    }
                                }
                            }
                        }


