moved owasp dep from idecli pom to security pom, mor work in Main

MattesMrzik · Nov 14, 2023 · 5f162e2 · 5f162e2
1 parent 59f6a1b
commit 5f162e2
Show file tree

Hide file tree

Showing 6 changed files with 111 additions and 56 deletions.
diff --git a/cli/pom.xml b/cli/pom.xml
@@ -20,12 +20,6 @@
   </properties>
 
   <dependencies>
-    <!-- Other configurations and properties -->
-    <dependency>
-      <groupId>org.owasp</groupId>
-      <artifactId>dependency-check-core</artifactId>
-      <version>8.4.2</version>
-    </dependency>
     <!-- unpack tar, gzip, bzip2 -->
     <dependency>
       <groupId>org.apache.commons</groupId>

diff --git a/cli/src/main/java/com/devonfw/tools/ide/tool/java/JavaUrlUpdater.java b/cli/src/main/java/com/devonfw/tools/ide/tool/java/JavaUrlUpdater.java
@@ -26,6 +26,18 @@ protected String mapVersion(String version) {
     return super.mapVersion(version);
   }
 
+  protected String getCPEVendor() {
+    return "eclipse";
+  }
+
+  protected String getCPEProduct() {
+    return "temurin";
+  }
+
+
+
+
+
   @Override
   protected void addVersion(UrlVersion urlVersion) {
 

diff --git a/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java b/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java
@@ -97,6 +97,18 @@ protected final String getToolWithEdition() {
     return tool + "/" + edition;
   }
 
+  protected String getCPEVendor() {
+    return "";
+  }
+
+  protected String getCPEProduct() {
+    return "";
+  }
+
+  protected String mapUrlVersionToCPEVersion(String version) {
+    return version;
+  }
+
   /**
    * Retrieves the response body from a given URL.
    *

diff --git a/cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java b/cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java
@@ -95,4 +95,10 @@ public void updateAll() {
     }
   }
 
+  public String getVendor(String tool) {
+    AbstractUrlUpdater  matchedUpdater = (AbstractUrlUpdater) updaters.stream().filter(updater -> updater.getTool().equals(tool)).toArray()[0];
+    return matchedUpdater.getCPEVendor();
+//    updaters.stream().filter(updater -> updater.getTool().equals(tool)).findFirst().ifPresent(AbstractUrlUpdater::getVendor);
+  }
+
 }
diff --git a/security/pom.xml b/security/pom.xml
@@ -18,6 +18,12 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
     <dependencies>
+        <!-- Other configurations and properties -->
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-core</artifactId>
+            <version>8.4.2</version>
+        </dependency>
         <dependency>
             <groupId>com.devonfw.tools.IDEasy</groupId>
             <artifactId>ide-cli</artifactId>

diff --git a/security/src/main/java/com/devonfw/tools/security/Main.java b/security/src/main/java/com/devonfw/tools/security/Main.java
@@ -1,12 +1,22 @@
 package com.devonfw.tools.security;
 
+import com.devonfw.tools.ide.context.IdeContext;
+import com.devonfw.tools.ide.context.IdeContextConsole;
+import com.devonfw.tools.ide.log.IdeLogLevel;
+import com.devonfw.tools.ide.tool.ToolCommandlet;
+import com.devonfw.tools.ide.url.model.folder.UrlVersion;
+import com.devonfw.tools.ide.url.updater.AbstractUrlUpdater;
+import com.devonfw.tools.ide.url.updater.UpdateManager;
+import com.devonfw.tools.ide.url.updater.UrlUpdater;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.AnalysisPhase;
 import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
 import org.owasp.dependencycheck.dependency.*;
 import org.owasp.dependencycheck.exception.ExceptionCollection;
 import org.owasp.dependencycheck.exception.ReportException;
 import org.owasp.dependencycheck.utils.Settings;
 
+
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -17,79 +27,94 @@
 import java.util.List;
 
 public class Main {
+  // TODO is owasp dependence i main pomxlm correc tor should i move it to security pomxml
+
   public static void main(String[] args) throws ReportException {
 
-    //TODO, wenn eine cve gefunden wird. dann in ide cli prompen und auch die cve sagen, damit der user selbst entschienden kann ob es vielleicht doch nicht eine false positive is. weil zb der vendor nicht so richtig gemached worden ist
+    // TODO edit depedency check properties file to switch off analysers, this file is currently read only
+    // TODO maybe this can be done in pom.xml
+
+    //TODO, wenn eine cve gefunden wird. dann in ide cli prompten und auch die cve sagen, damit der user selbst entschienden kann ob es vielleicht doch nicht eine false positive is. weil zb der vendor nicht so richtig gemached worden ist
 
     // TODO  ~/.m2/repository/org/owasp/dependency-check-utils/8.4.2/data/7.0/odc.update.lock
     // why is this not in projects dir but in user dir?
 
     Settings settings = new Settings();
-    Engine engine = new Engine(settings);
+    File dir;
 
-    // das brauche ich um die file endung zu akzeptieren
-    FileTypeAnalyzer myAnalyzer = new UrlAnalyzer();
-    // engine.getAnalyzers().add(myAnalyzer);
-    engine.getFileTypeAnalyzers().add(myAnalyzer);
-    List<Dependency> dependencyList = engine.scan("C:\\projects\\_ide\\myUrls");
-    System.out.println("size of dependencylist is " + dependencyList.size());
 
-    for (Dependency dependency : dependencyList) {
-      // TODO soll ich auch noch die ulr splitten und die zu evidence machen?
-      String filePath = dependency.getFilePath();
-      Path parent = Paths.get(filePath).getParent();
-      String tool = parent.getParent().getParent().getFileName().toString();
-      String edition = parent.getParent().getFileName().toString();
-      String version = parent.getFileName().toString();
+    settings.setBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, false);
 
-      String vendor = ""; // maybe split url and take domain or second and third after /
 
-      // TODO is versions od dependency updated when adding evidence?
+    try (Engine engine = new Engine(settings)) {
 
-      Evidence productEvidence = new Evidence("mysoure", "myname", tool, Confidence.HIGH);
-      dependency.addEvidence(EvidenceType.PRODUCT, productEvidence);
+      // das brauche ich um die file endung zu akzeptieren
+      FileTypeAnalyzer myAnalyzer = new UrlAnalyzer();
+      // engine.getAnalyzers().add(myAnalyzer);
+      engine.getFileTypeAnalyzers().add(myAnalyzer);
+//      engine.getAnalyzers(AnalysisPhase.INFORMATION_COLLECTION).add(new UrlAnalyzer());
+      List<Dependency> dependencyList = engine.scan("C:\\projects\\_ide\\myUrls");
+      System.out.println("size of dependencyList is " + dependencyList.size());
 
-      Evidence editionEvidence = new Evidence("mysoure", "myname", edition, Confidence.HIGH);
-      dependency.addEvidence(EvidenceType.PRODUCT, editionEvidence);
+      // add my infos to dependency
+      for (Dependency dependency : dependencyList) {
+        // TODO soll ich auch noch die ulr splitten und die zu evidence machen?
+        String filePath = dependency.getFilePath();
+        Path parent = Paths.get(filePath).getParent();
+        String tool = parent.getParent().getParent().getFileName().toString();
+        String edition = parent.getParent().getFileName().toString();
+        String version = parent.getFileName().toString();
 
-      Evidence versionEvidence = new Evidence("mysoure", "myname", version, Confidence.HIGH);
-      dependency.addEvidence(EvidenceType.VERSION, versionEvidence);
 
-      Evidence vendorEvidence = new Evidence("mysoure", "myname", "oracle", Confidence.HIGH);
-      dependency.addEvidence(EvidenceType.VENDOR, vendorEvidence);
+        // TODO is versions od dependency updated when adding evidence?
 
-      // Evidence vendorEvidence = new Evidence("mysoure", "myname", "oracle", Confidence.HIGH);
-      // dependency.addEvidence(EvidenceType.VENDOR, vendorEvidence);
-      // dependency.getAvailableVersions();
-    }
+        // from the context I want to get the JavaUrlUpdater
+        //        UpdateManager updateManager = new UpdateManager(ideContext.getUrlsPath(), null);
+        //        String vendor = updateManager.getVendor("java");
 
-    // TODO oder kann ich doch manche analyzer weg machen?
-    // welche sollen weg?
-    try {
-      engine.analyzeDependencies();// needed for db stuff which is private
-      for (Dependency dependency : engine.getDependencies()) {
-        engine.removeDependency(dependency);
-        for (EvidenceType type : EvidenceType.values()) {
-          for (Evidence evidence : dependency.getEvidence(type)) {
-            if (!evidence.getName().equals("myname")) {
-              dependency.removeEvidence(type, evidence);
+        Evidence productEvidence = new Evidence("mysoure", "myname", tool, Confidence.HIGH);
+        dependency.addEvidence(EvidenceType.PRODUCT, productEvidence);
+
+        Evidence editionEvidence = new Evidence("mysoure", "myname", edition, Confidence.HIGH);
+        dependency.addEvidence(EvidenceType.PRODUCT, editionEvidence);
+
+        Evidence versionEvidence = new Evidence("mysoure", "myname", version, Confidence.HIGH);
+        dependency.addEvidence(EvidenceType.VERSION, versionEvidence);
+
+        Evidence vendorEvidence = new Evidence("mysoure", "myname", "oracle", Confidence.HIGH);
+        dependency.addEvidence(EvidenceType.VENDOR, vendorEvidence);
+
+
+      }
+
+      // TODO oder kann ich doch manche analyzer weg machen?
+      // welche sollen weg?
+      try {
+        engine.analyzeDependencies();// needed for db stuff which is private
+        for (Dependency dependency : engine.getDependencies()) {
+          engine.removeDependency(dependency);
+          for (EvidenceType type : EvidenceType.values()) {
+            for (Evidence evidence : dependency.getEvidence(type)) {
+              if (!evidence.getName().equals("myname")) {
+                dependency.removeEvidence(type, evidence);
+              }
             }
           }
+          engine.addDependency(dependency);
         }
-        engine.addDependency(dependency);
-      }
 
-    } catch (ExceptionCollection e) {
-      throw new RuntimeException(e);
-    }
+      } catch (ExceptionCollection e) {
+        throw new RuntimeException(e);
+      }
 
-    // TODO dont do this with this method but try to do it by hand, since i cant seem to add my URL analyzer to the map of engine
-    // look at path and them extract name and version and vendor maybe from url
-    List<Throwable> exceptionsList = new ArrayList<>();
-    ExceptionCollection exceptions = new ExceptionCollection(exceptionsList);
+      // TODO dont do this with this method but try to do it by hand, since i cant seem to add my URL analyzer to the map of engine
+      // look at path and them extract name and version and vendor maybe from url
+      List<Throwable> exceptionsList = new ArrayList<>();
+      ExceptionCollection exceptions = new ExceptionCollection(exceptionsList);
 
-    File dir = new File("C:\\projects\\devonfw\\report");
-    engine.writeReports("applicationName", "groupId", "artifactId", "version", dir, "JSON", exceptions);
+      dir = new File("C:\\projects\\devonfw\\report");
+      engine.writeReports("applicationName", "groupId", "artifactId", "version", dir, "JSON", exceptions);
+    }
 
 
     String filename = dir.toString() + "\\dependency-check-report.json";