Tag List Report
The following document contains the listing of user tags found in the code. Below is the summary of the occurrences per tag.
| Tag Class | Total number of occurrences | Tag strings used by tag class |
|---|---|---|
| Todo Work | 69 | todo, FIXME |
Each tag is detailed below:
Todo Work
Number of occurrences found in the code: 69
| org.owasp.dependencycheck.Engine | Line |
|---|---|
| - is this actually necassary???? Collections.sort(dependencies); dependenciesExternalView = null; | 288 |
| org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer | Line |
| - we can likely create a valid CPE as a low confidence guess using cpe:2.3:a:[name]_project:[name]:[version] (and add a targetSw of npm/node) | 171 |
| - if we start doing CPE analysis on node - we need to exclude description as it creates too many FP | 327 |
| org.owasp.dependencycheck.analyzer.ArchiveAnalyzer | Line |
| - can we get more evidence from the parent? EAR contains module name, etc. analyze the dependency (i.e. extract files) if it is a supported type. | 314 |
| org.owasp.dependencycheck.analyzer.ArtifactoryAnalyzer | Line |
| add caching | 236 |
| org.owasp.dependencycheck.analyzer.AutoconfAnalyzerTest | Line |
| fix these | 91 |
| org.owasp.dependencycheck.analyzer.CPEAnalyzer | Line |
| - should the weighting be at a "word" level as opposed to phrase level? Or combined word and phrase? remember the reason we are counting the frequency of "phrases" as opposed to terms is that we need to keep the correct sequence of terms from the evidence so the term concatenating analyzer works correctly and will causes searches to take spring framework and produce: spring springframework framework | 564 |
| - does this nullify some of the fuzzy matching that happens in the lucene search? for instance CPE some-component and in the evidence we have SomeComponent. | 647 |
| - should this have a package manager only flag instead of just looking for NPM | 650 |
| - likely need to change the split... not sure if this will work for CPE with special chars | 703 |
| the following algorithm incorrectly identifies things as a lower version if there lower confidence evidence when the current (highest) version number is newer then anything in the NVD. | 837 |
| - review and update for new JSON data | 859 |
| - while this gets the job down it is slow; consider refactoring | 964 |
| - we need to filter this so that we only use this if something in the dependency.getName() matches the vendor/product in some way | 1046 |
| org.owasp.dependencycheck.analyzer.DartAnalyzer | Line |
| - add configuration to allow skipping dev dependencies. | 150 |
| org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer | Line |
| this null check was added for #1296 - but I believe this to be related to virtual dependencies we may want to merge project references on virtual dependencies... | 210 |
| - should we get rid of this merging? It removes a true BOM... | 389 |
| org.owasp.dependencycheck.analyzer.FalsePositiveAnalyzer | Line |
| fix the version problem below | 183 |
| - can we utilize the pom's groupid and artifactId to filter??? most of these are due to low quality data. Other idea would be to say any CPE found based on LOW confidence evidence should have a different CPE type? (this might be a better solution then just removing the URL for "best-guess" matches). | 244 |
| move this startsWith expression to the base suppression file | 252 |
| move this to the hint analyzer | 385 |
| org.owasp.dependencycheck.analyzer.JarAnalyzer | Line |
| add breakpoint on groov-all to find out why commons-cli is not added as a new dependency? | 430 |
| remove weighting? | 816 |
| remove weighting | 826 |
| change this to a regex? | 930 |
| add a hashSet and only analyze any given key once. | 1257 |
| org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer | Line |
| while we are supporting props - we still do not support Directory.Build.targets | 142 |
| org.owasp.dependencycheck.analyzer.NodePackageAnalyzer | Line |
| make this an error that gets logged | 291 |
| - we should use the integrity value instead of calculating the SHA1/MD5 | 424 |
| - we should use the integrity value instead of calculating the SHA1/MD5 | 441 |
| org.owasp.dependencycheck.analyzer.NpmCPEAnalyzer | Line |
| this is a hack because we use the same singleton CPE Index as the CPE Analyzer thus to filter to just node products we can't run in the same phase. possibly extenend the CPE Index to include an ecosystem and use that as a filter for node.. | 61 |
| org.owasp.dependencycheck.analyzer.OssIndexAnalyzer | Line |
| - can we enhance anything other than the references? | 273 |
| consider if we want/need to extract version-ranges to apply to vulnerable-software? | 393 |
| org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer | Line |
| - this seems broken as we are cycling over py files and could be grabbing versions from multiple? | 344 |
| org.owasp.dependencycheck.analyzer.RetireJsAnalyzer | Line |
| implement this | 121 |
| - can we refactor this to avoid russian doll syndrome (i.e. nesting)? CSOFF: NestedForDepth | 335 |
| - convert to map/collect | 361 |
| org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer | Line |
| support Rakefile = FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build(); | 84 |
| other checking? | 269 |
| org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzerTest | Line |
| place holder to test Rakefile support public void testAnalyzeRakefile() throws AnalysisException { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/gems/pg-0.18.4/Rakefile")); analyzer.analyze(result, null); assertTrue(result.size() > 0); assertEquals(RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getEcosystem()); assertEquals("pg", result.getName()); assertEquals("0.18.4", result.getVersion()); assertEquals("pg:0.18.4", result.getDisplayFileName()); } | 122 |
| org.owasp.dependencycheck.analyzer.SwiftAnalyzersTest | Line |
| when version processing is added, update the expected name. | 231 |
| org.owasp.dependencycheck.analyzer.SwiftPackageManagerAnalyzer | Line |
| SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies. Future interesting metadata: version, license, homepage, author, summary, etc. | 170 |
| org.owasp.dependencycheck.data.artifactory.ArtifactorySearch | Line |
| Investigate why sha256 parameter is not working API defined https://www.jfrog.com/confluence/display/RTF/Artifactory+REST+API#ArtifactoryRESTAPI-ChecksumSearch | 194 |
| org.owasp.dependencycheck.data.cache.DataCacheFactory | Line |
| we may want to instrument w/ jdiagnostics per #2509 | 138 |
| we may want to instrument w/ jdiagnostics per #2509 | 163 |
| we may want to instrument w/ jdiagnostics per #2509 | 188 |
| org.owasp.dependencycheck.data.nodeaudit.NpmPayloadBuilder | Line |
| I think the following is dead code and no real "dependencies" section in a lock file will look like this | 187 |
| org.owasp.dependencycheck.data.nvd.ecosystem.DescriptionEcosystemMapper | Line |
| could be checked afterwards | 236 |
| org.owasp.dependencycheck.data.nvdcve.CveDB | Line |
| this is may also be an issue for MS SQL, if an issue is created we'll just need | 1226 |
| this is may also be an issue for MS SQL, if an issue is created we'll just need | 2005 |
| org.owasp.dependencycheck.data.nvdcve.CveItemOperator | Line |
| the following was added to reduce the need for the slow UPDATE_ECOSYSTEM2 query the following should be analyzed to determine if an ecosystem should be returned. Note that these all have 'bindings' in the description of a vulnerability in more than one case these were related to language bindings; as such the list need to be reviewed and refined. | 77 |
| org.owasp.dependencycheck.data.nvdcve.DriverLoader | Line |
| add usage count so we don't de-register a driver that is in use. | 152 |
| org.owasp.dependencycheck.data.ossindex.ODCConnectionTransport | Line |
| consider to promote pre-emptive authentication by default to the Downloader and also load the OSSIndex credentials there. | 77 |
| org.owasp.dependencycheck.data.update.NvdApiDataSource | Line |
| get results per page from the API as it could adjust automatically | 369 |
| org.owasp.dependencycheck.data.update.NvdApiDataSourceTest | Line |
| review the generated test code and remove the default call to fail. fail("The test case is a prototype."); } | 74 |
| org.owasp.dependencycheck.dependency.Dependency | Line |
| the following assertion should be removed after initial testing and implementation | 495 |
| - should we check for type of identifier? I.e. could we see a Purl and GenericIdentifier with the same value | 501 |
| org.owasp.dependencycheck.dependency.VulnerableSoftware | Line |
| implement versionStart etc. | 197 |
| - if the vulnerablity has an update we are might not be collecting it correctly... as such, this check might cause FN if the CVE has an update in the data set | 200 |
| - if the vulnerablity has an update we are might not be collecting it correctly... as such, this check might cause FN if the CVE has an update in the data set | 341 |
| org.owasp.dependencycheck.dependency.naming.PurlIdentifier | Line |
| update package url implementation to implement compare.. | 219 |
| org.owasp.dependencycheck.processing.BundlerAuditProcessor | Line |
| add package URL - note, this may require parsing the gemfile.lock and getting the version for each entry | 322 |
| org.owasp.dependencycheck.utils.DependencyVersion | Line |
| steal better version of code from compareTo | 154 |
| org.owasp.dependencycheck.utils.DependencyVersionTest | Line |
| (code review): should this be here/do something? assertEquals("0", parts.get(2)); | 54 |
| org.owasp.dependencycheck.utils.PEParser | Line |
| - name table refer to data outside image directory for (int i = 0; i < id.size(); i++) { ImportDirectoryEntry e = id.getEntry(i); dr.jumpTo(e.getNameRVA() - baseAddress); String name = dr.readUtf(); dr.jumpTo(e.getImportLookupTableRVA() - baseAddress); ImportDirectoryTable nt = readImportDirectoryTable(dr, baseAddress); dr.jumpTo(e.getImportAddressTableRVA() - baseAddress); ImportDirectoryTable at = null; // readImportDirectoryTable(dr, // baseAddress); id.add(name, nt, at); } | 565 |
| this is an index into the export table | 608 |
| org.owasp.dependencycheck.utils.WriteLock | Line |
| - this 30 minute check needs to be configurable. | 255 |
| org.owasp.dependencycheck.xml.suppression.SuppressionRule | Line |
| validate this comparison | 529 |
| check for regex - not just type | 613 |