Skip to content

Commit

Permalink
fix: Do not filter out evidences added by hints (#5900)
Browse files Browse the repository at this point in the history
  • Loading branch information
@aikebah
aikebah committed Oct 5, 2023
1 parent 0112100 commit 19dd71b
Show file tree
Hide file tree
Showing 6 changed files with 53 additions and 55 deletions.
2 changes: 1 addition & 1 deletion core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -198,7 +198,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
for (VendorDuplicatingHintRule dhr : vendorHints) {
if (dhr.getValue().equalsIgnoreCase(e.getValue())) {
dependency.addEvidence(EvidenceType.VENDOR, new Evidence(e.getSource() + " (hint)",
e.getName(), dhr.getDuplicate(), e.getConfidence()));
e.getName(), dhr.getDuplicate(), e.getConfidence(), true));
}
}
}
Expand Down
5 changes: 3 additions & 2 deletions core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
final Set<Evidence> remove;
if (dependency.getVersion() != null) {
remove = dependency.getEvidence(EvidenceType.VERSION).stream()
.filter(e -> !dependency.getVersion().equals(e.getValue()))
.filter(e -> !e.isFromHint() && !dependency.getVersion().equals(e.getValue()))
.collect(Collectors.toSet());
} else {
remove = new HashSet<>();
Expand Down Expand Up @@ -165,7 +165,8 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
LOGGER.debug("filtering evidence from {}", dependency.getFileName());

for (Evidence e : dependency.getEvidence(EvidenceType.VERSION)) {
if (!(pomMatch && VERSION.equals(e.getName())
if (!e.isFromHint()
&& !(pomMatch && VERSION.equals(e.getName())
&& (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource())))
&& !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource()))
&& !(manifestMatch && MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName()))) {
Expand Down
43 changes: 41 additions & 2 deletions core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,11 @@ public class Evidence implements Serializable, Comparable<Evidence> {
*/
private Confidence confidence;

/**
* Whether the evidence originates from a hint.
*/
private boolean fromHint;

/**
* Creates a new Evidence object.
*/
Expand All @@ -74,10 +79,24 @@ public Evidence() {
* @param confidence the confidence of the evidence.
*/
public Evidence(String source, String name, String value, Confidence confidence) {
this(source, name, value, confidence, false);
}

/**
* Creates a new Evidence objects.
*
* @param source the source of the evidence.
* @param name the name of the evidence.
* @param value the value of the evidence.
* @param confidence the confidence of the evidence.
* @param fromHint whether the evidence was introduced by a hint.
*/
public Evidence(String source, String name, String value, Confidence confidence, boolean fromHint) {
this.source = source;
this.name = name;
this.value = value;
this.confidence = confidence;
this.fromHint = fromHint;
}

/**
Expand Down Expand Up @@ -152,6 +171,24 @@ public void setConfidence(Confidence confidence) {
this.confidence = confidence;
}

/**
* Get the value of fromHint.
*
* @return the value of fromHint
*/
public boolean isFromHint() {
return fromHint;
}

/**
* Set the value of fromHint.
*
* @param fromHint new value of fromHint
*/
public void setFromHint(boolean fromHint) {
this.fromHint = fromHint;
}

/**
* Implements the hashCode for Evidence.
*
Expand Down Expand Up @@ -187,6 +224,7 @@ public boolean equals(Object obj) {
.append(this.name == null ? null : this.name.toLowerCase(), o.name == null ? null : o.name.toLowerCase())
.append(this.value == null ? null : this.value.toLowerCase(), o.value == null ? null : o.value.toLowerCase())
.append(this.confidence, o.getConfidence())
.append(this.fromHint, o.isFromHint())
.build();
}

Expand All @@ -196,14 +234,14 @@ public boolean equals(Object obj) {
* @param o the evidence being compared
* @return an integer indicating the ordering of the two objects
*/
@SuppressWarnings("deprecation")
@Override
public int compareTo(@NotNull Evidence o) {
return new CompareToBuilder()
.append(this.source == null ? null : this.source.toLowerCase(), o.source == null ? null : o.source.toLowerCase())
.append(this.name == null ? null : this.name.toLowerCase(), o.name == null ? null : o.name.toLowerCase())
.append(this.value == null ? null : this.value.toLowerCase(), o.value == null ? null : o.value.toLowerCase())
.append(this.confidence, o.getConfidence())
.append(this.fromHint, o.isFromHint())
.toComparison();
}

Expand All @@ -214,6 +252,7 @@ public int compareTo(@NotNull Evidence o) {
*/
@Override
public String toString() {
return "Evidence{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence + '}';
return "Evidence{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence
+ ", fromHint=" + fromHint + '}';
}
}
6 changes: 3 additions & 3 deletions core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -147,7 +147,7 @@ public List<EvidenceMatcher> getGivenVendor() {
* @param confidence the confidence of the evidence
*/
public void addAddProduct(String source, String name, String value, Confidence confidence) {
addProduct.add(new Evidence(source, name, value, confidence));
addProduct.add(new Evidence(source, name, value, confidence, true));
}

/**
Expand All @@ -168,7 +168,7 @@ public List<Evidence> getAddProduct() {
* @param confidence the confidence of the evidence
*/
public void addAddVersion(String source, String name, String value, Confidence confidence) {
addVersion.add(new Evidence(source, name, value, confidence));
addVersion.add(new Evidence(source, name, value, confidence, true));
}

/**
Expand All @@ -189,7 +189,7 @@ public List<Evidence> getAddVersion() {
* @param confidence the confidence of the evidence
*/
public void addAddVendor(String source, String name, String value, Confidence confidence) {
addVendor.add(new Evidence(source, name, value, confidence));
addVendor.add(new Evidence(source, name, value, confidence, true));
}

/**
Expand Down
42 changes: 0 additions & 42 deletions core/src/main/resources/dependencycheck-base-hint.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -148,48 +148,6 @@
</add>
</hint>

<!-- begin hack for temporary patch of issue #534-->
<hint>
<given>
<fileName regex="true" contains=".*hibernate-validator-5\.0\..*"/>
</given>
<add>
<evidence type="version" source="hint" name="version" value="5.0" confidence="HIGHEST"/>
</add>
</hint>
<hint>
<given>
<fileName regex="true" contains=".*hibernate-validator-5\.1\.[01].*"/>
</given>
<add>
<evidence type="version" source="hint" name="version" value="5.1" confidence="HIGHEST"/>
</add>
</hint>
<hint>
<given>
<fileName regex="true" contains=".*hibernate-validator-4\.1\..*"/>
</given>
<add>
<evidence type="version" source="hint" name="version" value="4.1.0" confidence="HIGHEST"/>
</add>
</hint>
<hint>
<given>
<fileName regex="true" contains=".*hibernate-validator-4\.2\.0.*"/>
</given>
<add>
<evidence type="version" source="hint" name="version" value="4.2.0" confidence="HIGHEST"/>
</add>
</hint>
<hint>
<given>
<fileName regex="true" contains=".*hibernate-validator-4\.3\.[01]\..*"/>
</given>
<add>
<evidence type="version" source="hint" name="version" value="4.3.0" confidence="HIGHEST"/>
</add>
</hint>
<!-- end hack for temporary patch of issue #534-->
<!-- creating a spring boot starter project can cause your app to incorrectly be flagged as spring-->
<hint>
<given>
Expand Down
10 changes: 5 additions & 5 deletions core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -86,11 +86,11 @@ public void testAnalyze() throws Exception {
sdep = d;
}
}
final Evidence springTest1 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGHEST);
final Evidence springTest2 = new Evidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGHEST);
final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGHEST);
final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGHEST);
final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGHEST);
final Evidence springTest1 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGHEST, true);
final Evidence springTest2 = new Evidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGHEST, true);
final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGHEST, true);
final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGHEST, true);
final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGHEST, true);

assertFalse(gdep.contains(EvidenceType.PRODUCT, springTest1));
assertFalse(gdep.contains(EvidenceType.VENDOR, springTest2));
Expand Down

0 comments on commit 19dd71b

Please sign in to comment.