From c3b25419ffd167a0ead6385716842110a7788d42 Mon Sep 17 00:00:00 2001
From: Hans Aikema
Date: Sun, 27 Aug 2023 14:35:50 +0200
Subject: [PATCH 1/3] fix: Ensure evidences added by hints are not subsequently removed by filters
Fixes #5894
---
.../analyzer/HintAnalyzer.java | 2 +-
.../analyzer/VersionFilterAnalyzer.java | 5 ++-
.../dependencycheck/dependency/Evidence.java | 42 ++++++++++++++++++-
.../dependencycheck/xml/hints/HintRule.java | 6 +--
.../analyzer/HintAnalyzerTest.java | 10 ++---
5 files changed, 52 insertions(+), 13 deletions(-)
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
index 7b181d71be2..40857c20259 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -198,7 +198,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 for (VendorDuplicatingHintRule dhr : vendorHints) {
 if (dhr.getValue().equalsIgnoreCase(e.getValue())) {
 dependency.addEvidence(EvidenceType.VENDOR, new Evidence(e.getSource() + " (hint)",
- e.getName(), dhr.getDuplicate(), e.getConfidence()));
+ e.getName(), dhr.getDuplicate(), e.getConfidence(), true));
 }
 }
 }
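Review bot: The trailing positional `true` on the new Evidence call gives no indication of what it switches on; `e.getName(), dhr.getDuplicate(), e.getConfidence(), /* fromHint */ true));` reads at the call site, and the same applies to the three `addAdd*` calls in the HintRule hunks of this patch. Note that this evidence is added as VENDOR, while the filter exemption introduced in VersionFilterAnalyzer only walks `EvidenceType.VERSION`, so as far as this patch shows the flag here affects only equality, ordering and toString; a short comment saying the flag is recorded for provenance would stop the next reader from searching for a vendor filter that honours it. analyzeDependency starts and ends outside the hunk.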
@@ -136,7 +136,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 final Set remove;
 if (dependency.getVersion() != null) {
 remove = dependency.getEvidence(EvidenceType.VERSION).stream()
- .filter(e -> !dependency.getVersion().equals(e.getValue()))
+ .filter(e -> !e.isFromHint() && !dependency.getVersion().equals(e.getValue()))
 .collect(Collectors.toSet());
 } else {
 remove = new HashSet<>();
@@ -165,7 +165,8 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 LOGGER.debug("filtering evidence from {}", dependency.getFileName());
 for (Evidence e : dependency.getEvidence(EvidenceType.VERSION)) {
- if (!(pomMatch && VERSION.equals(e.getName())
+ if (!e.isFromHint() &&
+ !(pomMatch && VERSION.equals(e.getName())
 && (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource())))
 && !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource()))
 && !(manifestMatch && MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName()))) {
diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
index 82eb1ae1fbc..1aaff551ead 100644
--- a/core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
+++ b/core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
@@ -59,6 +59,11 @@ public class Evidence implements Serializable, Comparable {
 */
 private Confidence confidence;
+ /**
+ * Whether the evidence originates from a hint.
+ */
+ private boolean fromHint;
+
 /**
 * Creates a new Evidence object.
 */
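Review bot: The field Javadoc `Whether the evidence originates from a hint.` does not say what follows from that, and the class is `Serializable` per the hunk header, so the new non-transient field also changes the serialized form. I would expand it to `Whether the evidence was introduced by a hint rule; such evidence is kept by VersionFilterAnalyzer and takes part in equals and compareTo.` If Evidence declares a fixed serialVersionUID (not visible in this patch), previously serialized instances will deserialize with fromHint defaulting to false, which is the conservative value; if the UID is computed, older serialized data will stop loading, and that deserves a mention in the field comment or the changelog.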
@@ -74,10 +79,24 @@ public Evidence() {
 * @param confidence the confidence of the evidence.
 */
 public Evidence(String source, String name, String value, Confidence confidence) {
+ this(source, name, value, confidence, false);
+ }
+
+ /**
+ * Creates a new Evidence objects.
+ *
+ * @param source the source of the evidence.
+ * @param name the name of the evidence.
+ * @param value the value of the evidence.
+ * @param confidence the confidence of the evidence.
+ * @param fromHint whether the evidence was introduced by a hint.
+ */
+ public Evidence(String source, String name, String value, Confidence confidence, boolean fromHint) {
 this.source = source;
 this.name = name;
 this.value = value;
 this.confidence = confidence;
+ this.fromHint = fromHint;
 }
 /**
@@ -152,6 +171,24 @@ public void setConfidence(Confidence confidence) {
 this.confidence = confidence;
 }
+ /**
+ * Get the value of fromHint.
+ *
+ * @return the value of fromHint
+ */
+ public boolean isFromHint() {
+ return fromHint;
+ }
+
+ /**
+ * Set the value of fromHint.
+ *
+ * @param fromHint new value of fromHint
+ */
+ public void setFromHint(boolean fromHint) {
+ this.fromHint = fromHint;
+ }
+
 /**
 * Implements the hashCode for Evidence.
 *
@@ -187,6 +224,7 @@ public boolean equals(Object obj) {
 .append(this.name == null ? null : this.name.toLowerCase(), o.name == null ? null : o.name.toLowerCase())
 .append(this.value == null ? null : this.value.toLowerCase(), o.value == null ? null : o.value.toLowerCase())
 .append(this.confidence, o.getConfidence())
+ .append(this.fromHint, o.isFromHint())
 .build();
 }
@@ -196,7 +234,6 @@ public boolean equals(Object obj) {
 * @param o the evidence being compared
 * @return an integer indicating the ordering of the two objects
 */
- @SuppressWarnings("deprecation")
 @Override
 public int compareTo(@NotNull Evidence o) {
 return new CompareToBuilder()
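Review bot: The Javadoc of the new five-argument constructor reads `Creates a new Evidence objects.`; it should be `Creates a new Evidence object.`, and the four-argument constructor that now delegates to it should state its default, e.g. add `* The evidence is marked as not originating from a hint.` to that constructor's Javadoc, whose opening lines sit above this hunk.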
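Review bot: `Get the value of fromHint.` and `Set the value of fromHint.` are generated placeholder descriptions that tell a caller nothing about when the flag applies. I would write `@return true when this evidence was added by a hint rule and must not be discarded by evidence filters` on isFromHint, and on setFromHint say that it is intended for the hint machinery only, since any analyzer can otherwise flip the provenance of existing evidence and thereby exempt it from the version filter.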
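Review bot: Appending `fromHint` to the EqualsBuilder (and to the CompareToBuilder in the next hunk) makes two evidences with identical source, name, value and confidence unequal when only their provenance differs, so a lookup such as `dependency.contains(type, new Evidence(source, name, value, confidence))` no longer finds hint-added evidence — the HintAnalyzerTest change in this patch has to pass `true` for exactly that reason — and a dependency's evidence set can now hold both variants of the same evidence. If that is the intended contract it should be stated in the equals Javadoc, e.g. `Two evidences are only equal when their fromHint flags also match.`; if not, drop the two `.append(this.fromHint, o.isFromHint())` lines and keep the flag as filter metadata only. hashCode is not part of this patch; if it is still built from the original four fields the equals/hashCode contract holds either way, but it should be updated to match whichever choice is made.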
@@ -204,6 +241,7 @@ public int compareTo(@NotNull Evidence o) {
 .append(this.name == null ? null : this.name.toLowerCase(), o.name == null ? null : o.name.toLowerCase())
 .append(this.value == null ? null : this.value.toLowerCase(), o.value == null ? null : o.value.toLowerCase())
 .append(this.confidence, o.getConfidence())
+ .append(this.fromHint, o.isFromHint())
 .toComparison();
 }
@@ -214,6 +252,6 @@ public int compareTo(@NotNull Evidence o) {
 */
 @Override
 public String toString() {
- return "Evidence{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence + '}';
+ return "Evidence{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence + ", fromHint=" + fromHint + '}';
 }
 }
diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java b/core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
index a1ec3009b13..399196ea698 100644
--- a/core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
+++ b/core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
@@ -147,7 +147,7 @@ public List getGivenVendor() {
 * @param confidence the confidence of the evidence
 */
 public void addAddProduct(String source, String name, String value, Confidence confidence) {
- addProduct.add(new Evidence(source, name, value, confidence));
+ addProduct.add(new Evidence(source, name, value, confidence, true));
 }
 /**
@@ -168,7 +168,7 @@ public List getAddProduct() {
 * @param confidence the confidence of the evidence
 */
 public void addAddVersion(String source, String name, String value, Confidence confidence) {
- addVersion.add(new Evidence(source, name, value, confidence));
+ addVersion.add(new Evidence(source, name, value, confidence, true));
 }
 /**
@@ -189,7 +189,7 @@ public List getAddVersion() {
 * @param confidence the confidence of the evidence
 */
 public void addAddVendor(String source, String name, String value, Confidence confidence) {
- addVendor.add(new Evidence(source, name, value, confidence));
+ addVendor.add(new Evidence(source, name, value, confidence, true));
 }
 /**
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
index f5737ca7bf8..88c36b6de9f 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
@@ -86,11 +86,11 @@ public void testAnalyze() throws Exception {
 sdep = d;
 }
 }
- final Evidence springTest1 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGHEST);
- final Evidence springTest2 = new Evidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGHEST);
- final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGHEST);
- final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGHEST);
- final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGHEST);
+ final Evidence springTest1 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGHEST, true);
+ final Evidence springTest2 = new Evidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGHEST, true);
+ final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGHEST, true);
+ final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGHEST, true);
+ final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGHEST, true);
 assertFalse(gdep.contains(EvidenceType.PRODUCT, springTest1));
 assertFalse(gdep.contains(EvidenceType.VENDOR, springTest2));
From d1c57e9f6a428b87ccccfd4b71049f37a3d024d8 Mon Sep 17 00:00:00 2001
From: Hans Aikema
Date: Sun, 27 Aug 2023 14:56:18 +0200
Subject: [PATCH 2/3] chore: remove obsolete hint from the base-hints as #534 is properly resolved since the change to JSON NVD feeds as per #646
https://github.com/jeremylong/DependencyCheck/issues/646#issuecomment-500242331
---
.../resources/dependencycheck-base-hint.xml | 42 -------------------
1 file changed, 42 deletions(-)
diff --git a/core/src/main/resources/dependencycheck-base-hint.xml b/core/src/main/resources/dependencycheck-base-hint.xml
index 044a7b1432d..b85ad3b8f8c 100644
--- a/core/src/main/resources/dependencycheck-base-hint.xml
+++ b/core/src/main/resources/dependencycheck-base-hint.xml
@@ -148,48 +148,6 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
From 4a3a00b7a159869ec9c0b840828d43a10524921b Mon Sep 17 00:00:00 2001
From: Hans Aikema
Date: Sun, 27 Aug 2023 15:41:54 +0200
Subject: [PATCH 3/3] style: Process checkstyle review findings
---
.../owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java | 4 ++--
.../java/org/owasp/dependencycheck/dependency/Evidence.java | 3 ++-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java
index f295e036ecd..1cd1ad432f2 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java
@@ -165,8 +165,8 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 LOGGER.debug("filtering evidence from {}", dependency.getFileName());
 for (Evidence e : dependency.getEvidence(EvidenceType.VERSION)) {
- if (!e.isFromHint() &&
- !(pomMatch && VERSION.equals(e.getName())
+ if (!e.isFromHint()
+ && !(pomMatch && VERSION.equals(e.getName())
 && (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource())))
 && !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource()))
 && !(manifestMatch && MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName()))) {
diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
index 1aaff551ead..a726d613850 100644
--- a/core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
+++ b/core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
@@ -252,6 +252,7 @@ public int compareTo(@NotNull Evidence o) {
 */
 @Override
 public String toString() {
- return "Evidence{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence + ", fromHint=" + fromHint + '}';
+ return "Evidence{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence +
+ ", fromHint=" + fromHint + '}';
 }
 }