Package org.owasp.dependencycheck.analyzer

Class DependencyBundlingAnalyzer

  • All Implemented Interfaces:
    Analyzer
    @ThreadSafe
public class DependencyBundlingAnalyzer
extends AbstractDependencyComparingAnalyzer

    This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the same relative path then these should be grouped into a single dependency under the core/main library.

    Note, this grouping only works on dependencies with identified CVE entries

    Author:
    Jeremy Long

    • Constructor Detail

      • DependencyBundlingAnalyzer

        public DependencyBundlingAnalyzer()

    • Method Detail

      • getName

        public java.lang.String getName()
        Returns the name of the analyzer.
        Returns:
        the name of the analyzer.

      • getAnalysisPhase

        public AnalysisPhase getAnalysisPhase()
        Returns the phase that the analyzer is intended to run in.
        Returns:
        the phase that the analyzer is intended to run in.

      • getAnalyzerEnabledSettingKey

        protected java.lang.String getAnalyzerEnabledSettingKey()

        Returns the setting key to determine if the analyzer is enabled.

        Specified by:
        getAnalyzerEnabledSettingKey in class AbstractAnalyzer
        Returns:
        the key for the analyzer's enabled property

      • evaluateDependencies

        protected boolean evaluateDependencies​(Dependency dependency,
                                       Dependency nextDependency,
                                       java.util.Set<Dependency> dependenciesToRemove)
        Evaluates the dependencies
        Specified by:
        evaluateDependencies in class AbstractDependencyComparingAnalyzer
        Parameters:
        dependency - a dependency to compare
        nextDependency - a dependency to compare
        dependenciesToRemove - a set of dependencies that will be removed
        Returns:
        true if a dependency is removed; otherwise false

      • mergeDependencies

        public static void mergeDependencies​(Dependency dependency,
                                     Dependency relatedDependency,
                                     java.util.Set<Dependency> dependenciesToRemove)
        Adds the relatedDependency to the dependency's related dependencies.
        Parameters:
        dependency - the main dependency
        relatedDependency - a collection of dependencies to be removed from the main analysis loop, this is the source of dependencies to remove
        dependenciesToRemove - a collection of dependencies that will be removed from the main analysis loop, this function adds to this collection

      • mergeDependencies

        public static void mergeDependencies​(Dependency dependency,
                                     Dependency relatedDependency,
                                     java.util.Set<Dependency> dependenciesToRemove,
                                     boolean copyVulnsAndIds)
        Adds the relatedDependency to the dependency's related dependencies.
        Parameters:
        dependency - the main dependency
        relatedDependency - a collection of dependencies to be removed from the main analysis loop, this is the source of dependencies to remove
        dependenciesToRemove - a collection of dependencies that will be removed from the main analysis loop, this function adds to this collection
        copyVulnsAndIds - whether or not identifiers and vulnerabilities are copied

      • isCore

        protected boolean isCore​(Dependency left,
                         Dependency right)
        This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the 'right' library.
        Parameters:
        left - the dependency to test
        right - the dependency to test against
        Returns:
        a boolean indicating whether or not the left dependency should be considered the "core" version.

      • isWebJar

        protected boolean isWebJar​(Dependency dependency,
                           Dependency nextDependency)
        Determines if a JS file is from a webjar dependency.
        Parameters:
        dependency - the first dependency to compare
        nextDependency - the second dependency to compare
        Returns:
        true if the dependency is a web jar and the next dependency is a JS file from the web jar; otherwise false

      • isShadedJar

        protected boolean isShadedJar​(Dependency dependency,
                              Dependency nextDependency)
        Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml dependency should be removed.
        Parameters:
        dependency - a dependency to check
        nextDependency - another dependency to check
        Returns:
        true if on of the dependencies is a pom.xml and the identifiers between the two collections match; otherwise false

      • firstPathIsShortest

        public static boolean firstPathIsShortest​(java.lang.String left,
                                          java.lang.String right)
        Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to determine if the first path is smaller.
        Parameters:
        left - the first path to compare
        right - the second path to compare
        Returns:
        true if the leftPath is the shortest; otherwise false

      • npmVersionsMatch

        public static boolean npmVersionsMatch​(java.lang.String current,
                                       java.lang.String next)
        Determine if the dependency version is equal in the given dependencies. This method attempts to evaluate version range checks.
        Parameters:
        current - a dependency version to compare
        next - a dependency version to compare
        Returns:
        true if the version is equal in both dependencies; otherwise false