@ThreadSafe public class DependencyBundlingAnalyzer extends AbstractDependencyComparingAnalyzer
This analyzer ensures that dependencies which should be grouped together are grouped, to remove excess noise from the report. An example would be Spring, Spring Beans, Spring MVC, etc.: if they all have the same version and the same relative path, they are grouped into a single dependency under the core/main library.
Note: this grouping only works on dependencies with identified CVE entries.
| Constructor and Description |
|---|
| `DependencyBundlingAnalyzer()` |
| Modifier and Type | Method and Description |
|---|---|
| `protected boolean` | `evaluateDependencies(Dependency dependency, Dependency nextDependency, java.util.Set<Dependency> dependenciesToRemove)` Evaluates the dependencies. |
| `static boolean` | `firstPathIsShortest(java.lang.String left, java.lang.String right)` Determines which path is shortest; if path lengths are equal then the `compareTo` method of `String` is used to determine if the first path is smaller. |
| `AnalysisPhase` | `getAnalysisPhase()` Returns the phase that the analyzer is intended to run in. |
| `protected java.lang.String` | `getAnalyzerEnabledSettingKey()` Returns the setting key to determine if the analyzer is enabled. |
| `java.lang.String` | `getName()` Returns the name of the analyzer. |
| `protected boolean` | `isCore(Dependency left, Dependency right)` This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the 'right' library. |
| `protected boolean` | `isShadedJar(Dependency dependency, Dependency nextDependency)` Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar; if so, the pom.xml dependency should be removed. |
| `protected boolean` | `isWebJar(Dependency dependency, Dependency nextDependency)` Determines if a JS file is from a webjar dependency. |
| `static void` | `mergeDependencies(Dependency dependency, Dependency relatedDependency, java.util.Set<Dependency> dependenciesToRemove)` Adds the relatedDependency to the dependency's related dependencies. |
| `static void` | `mergeDependencies(Dependency dependency, Dependency relatedDependency, java.util.Set<Dependency> dependenciesToRemove, boolean copyVulnsAndIds)` Adds the relatedDependency to the dependency's related dependencies. |
| `static boolean` | `npmVersionsMatch(java.lang.String current, java.lang.String next)` Determines if the dependency version is equal in the given dependencies. |
Methods inherited from class AbstractDependencyComparingAnalyzer: analyzeDependency, getAnalyzed, supportsParallelProcessing
Methods inherited from class AbstractAnalyzer: analyze, close, closeAnalyzer, getSettings, initialize, isEnabled, prepare, prepareAnalyzer, setEnabled
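The following is an added example, not code from dependency-check: it models the bundling rule described above (same version, same relative path, only dependencies that carry CVE entries) with a constructed `Dep` class standing in for the project's `Dependency`. The `firstPathIsShortest` and `mergeDependencies` bodies follow the method descriptions on this page but are assumptions about the real implementation: path length is counted in `/`-separated segments, and merging also moves the merged dependency's own related entries up to the keeper. The real analyzer uses `isCore` to pick the keeper; here the path comparison alone decides. Sample file names and CVE ids are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Added example: illustrates the bundling decision; not dependency-check's own code. */
public class BundlingExample {

    /** Constructed stand-in for Dependency; only the fields this example needs. */
    static final class Dep {
        final String filePath;   // relative path inside the scanned project
        final String version;
        final Set<String> identifiers = new LinkedHashSet<>();
        final Set<String> vulnerabilities = new LinkedHashSet<>();
        final Set<Dep> relatedDependencies = new LinkedHashSet<>();

        Dep(String filePath, String version, String identifier, String... vulns) {
            this.filePath = filePath;
            this.version = version;
            this.identifiers.add(identifier);
            for (String v : vulns) {
                this.vulnerabilities.add(v);
            }
        }

        /** Directory part of the path, used as the "same relative path" test. */
        String directory() {
            int slash = filePath.lastIndexOf('/');
            return slash < 0 ? "" : filePath.substring(0, slash);
        }
    }

    /**
     * Shortest path wins; on a tie, String.compareTo decides whether the first
     * path is the smaller one. Length is counted in '/'-separated segments
     * (an assumption of this example; the project may count differently).
     */
    static boolean firstPathIsShortest(String left, String right) {
        int leftSegments = left.split("/").length;
        int rightSegments = right.split("/").length;
        if (leftSegments != rightSegments) {
            return leftSegments < rightSegments;
        }
        return left.compareTo(right) <= 0; // identical strings: treat the first as shortest
    }

    /** Records 'related' under 'dependency' and queues it for removal from the analysis loop. */
    static void mergeDependencies(Dep dependency, Dep related,
                                  Set<Dep> dependenciesToRemove, boolean copyVulnsAndIds) {
        dependency.relatedDependencies.add(related);
        // Assumption: anything already bundled under 'related' moves up to the keeper.
        dependency.relatedDependencies.addAll(related.relatedDependencies);
        related.relatedDependencies.clear();
        if (copyVulnsAndIds) {
            dependency.identifiers.addAll(related.identifiers);
            dependency.vulnerabilities.addAll(related.vulnerabilities);
        }
        dependenciesToRemove.add(related);
    }

    /** Pairwise pass: same version, same directory, and CVE entries on both sides. */
    static List<Dep> bundle(List<Dep> deps) {
        Set<Dep> toRemove = new LinkedHashSet<>();
        for (Dep a : deps) {
            if (toRemove.contains(a) || a.vulnerabilities.isEmpty()) continue;
            for (Dep b : deps) {
                if (a == b || toRemove.contains(b) || b.vulnerabilities.isEmpty()) continue;
                boolean sameGroup = a.version.equals(b.version)
                        && a.directory().equals(b.directory());
                if (sameGroup && firstPathIsShortest(a.filePath, b.filePath)) {
                    mergeDependencies(a, b, toRemove, true);
                }
            }
        }
        List<Dep> kept = new ArrayList<>(deps);
        kept.removeAll(toRemove);
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample; CVE ids are placeholders, not real advisories.
        List<Dep> scanned = List.of(
            new Dep("WEB-INF/lib/spring-webmvc-5.2.0.jar", "5.2.0", "cpe:spring-webmvc", "CVE-PLACEHOLDER-1"),
            new Dep("WEB-INF/lib/spring-beans-5.2.0.jar", "5.2.0", "cpe:spring-beans", "CVE-PLACEHOLDER-2"),
            new Dep("WEB-INF/lib/spring-5.2.0.jar", "5.2.0", "cpe:spring", "CVE-PLACEHOLDER-1"),
            new Dep("WEB-INF/lib/spring-aop-5.2.0.jar", "5.2.0", "cpe:spring-aop") // no CVE: never bundled
        );
        for (Dep d : bundle(scanned)) {
            System.out.println(d.filePath + " vulns=" + d.vulnerabilities
                    + " related=" + d.relatedDependencies.size());
        }
    }
}
```

With this input the three Spring jars collapse into one report entry under `spring-5.2.0.jar` (its path wins the `compareTo` tie-break against `spring-beans` and `spring-webmvc`), carrying the union of their vulnerabilities and two related dependencies; `spring-aop` has no CVE entries and therefore stays as a separate entry, which is the caveat noted at the top of this page.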
public java.lang.String getName()
Returns the name of the analyzer.

public AnalysisPhase getAnalysisPhase()
Returns the phase that the analyzer is intended to run in.

protected java.lang.String getAnalyzerEnabledSettingKey()
Returns the setting key to determine if the analyzer is enabled.
Specified by: getAnalyzerEnabledSettingKey in class AbstractAnalyzer

protected boolean evaluateDependencies(Dependency dependency, Dependency nextDependency, java.util.Set<Dependency> dependenciesToRemove)
Evaluates the dependencies.
Specified by: evaluateDependencies in class AbstractDependencyComparingAnalyzer
Parameters:
dependency - a dependency to compare
nextDependency - a dependency to compare
dependenciesToRemove - a set of dependencies that will be removed

public static void mergeDependencies(Dependency dependency, Dependency relatedDependency, java.util.Set<Dependency> dependenciesToRemove)
Adds the relatedDependency to the dependency's related dependencies.
Parameters:
dependency - the main dependency
relatedDependency - a collection of dependencies to be removed from the main analysis loop; this is the source of dependencies to remove
dependenciesToRemove - a collection of dependencies that will be removed from the main analysis loop; this function adds to this collection

public static void mergeDependencies(Dependency dependency, Dependency relatedDependency, java.util.Set<Dependency> dependenciesToRemove, boolean copyVulnsAndIds)
Adds the relatedDependency to the dependency's related dependencies.
Parameters:
dependency - the main dependency
relatedDependency - a collection of dependencies to be removed from the main analysis loop; this is the source of dependencies to remove
dependenciesToRemove - a collection of dependencies that will be removed from the main analysis loop; this function adds to this collection
copyVulnsAndIds - whether or not identifiers and vulnerabilities are copied

protected boolean isCore(Dependency left, Dependency right)
This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the 'right' library.
Parameters:
left - the dependency to test
right - the dependency to test against

protected boolean isWebJar(Dependency dependency, Dependency nextDependency)
Determines if a JS file is from a webjar dependency.
Parameters:
dependency - the first dependency to compare
nextDependency - the second dependency to compare
Returns:
true if the dependency is a web jar and the next dependency is a JS file from the web jar; otherwise false

protected boolean isShadedJar(Dependency dependency, Dependency nextDependency)
Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar; if so, the pom.xml dependency should be removed.
Parameters:
dependency - a dependency to check
nextDependency - another dependency to check

public static boolean firstPathIsShortest(java.lang.String left, java.lang.String right)
Determines which path is shortest; if path lengths are equal then the compareTo method of String is used to determine if the first path is smaller.
Parameters:
left - the first path to compare
right - the second path to compare
Returns:
true if the left path is the shortest; otherwise false

public static boolean npmVersionsMatch(java.lang.String current, java.lang.String next)
Determines if the dependency version is equal in the given dependencies.
Parameters:
current - a dependency version to compare
next - a dependency version to compare

Copyright © 2012-21 Jeremy Long. All Rights Reserved.