Package org.owasp.dependencycheck.analyzer

Class DependencyMergingAnalyzer

  • All Implemented Interfaces:
    Analyzer
    public class DependencyMergingAnalyzer
extends AbstractDependencyComparingAnalyzer

    This analyzer will merge dependencies, created from different source, into a single dependency.

    Author:
    Jeremy Long

    • Constructor Detail

      • DependencyMergingAnalyzer

        public DependencyMergingAnalyzer()

    • Method Detail

      • getName

        public java.lang.String getName()
        Returns the name of the analyzer.
        Returns:
        the name of the analyzer.

      • getAnalysisPhase

        public AnalysisPhase getAnalysisPhase()
        Returns the phase that the analyzer is intended to run in.
        Returns:
        the phase that the analyzer is intended to run in.

      • getAnalyzerEnabledSettingKey

        protected java.lang.String getAnalyzerEnabledSettingKey()

        Returns the setting key to determine if the analyzer is enabled.

        Specified by:
        getAnalyzerEnabledSettingKey in class AbstractAnalyzer
        Returns:
        the key for the analyzer's enabled property

      • evaluateDependencies

        protected boolean evaluateDependencies​(Dependency dependency,
                                       Dependency nextDependency,
                                       java.util.Set<Dependency> dependenciesToRemove)
        Evaluates the dependencies
        Specified by:
        evaluateDependencies in class AbstractDependencyComparingAnalyzer
        Parameters:
        dependency - a dependency to compare
        nextDependency - a dependency to compare
        dependenciesToRemove - a set of dependencies that will be removed
        Returns:
        true if a dependency is removed; otherwise false

      • mergeDependencies

        public static void mergeDependencies​(Dependency dependency,
                                     Dependency relatedDependency,
                                     java.util.Set<Dependency> dependenciesToRemove)
        Adds the relatedDependency to the dependency's related dependencies.
        Parameters:
        dependency - the main dependency
        relatedDependency - a collection of dependencies to be removed from the main analysis loop, this is the source of dependencies to remove
        dependenciesToRemove - a collection of dependencies that will be removed from the main analysis loop, this function adds to this collection

      • isSameRubyGem

        protected boolean isSameRubyGem​(Dependency dependency1,
                                Dependency dependency2)
        Bundling Ruby gems that are identified from different .gemspec files but denote the same package path. This happens when Ruby bundler installs an application's dependencies by running "bundle install".
        Parameters:
        dependency1 - dependency to compare
        dependency2 - dependency to compare
        Returns:
        true if the the dependencies being analyzed appear to be the same; otherwise false

      • getMainGemspecDependency

        protected Dependency getMainGemspecDependency​(Dependency dependency1,
                                              Dependency dependency2)
        Ruby gems installed by "bundle install" can have zero or more *.gemspec files, all of which have the same packagePath and should be grouped. If one of these gemspec is from <parent>/specifications/*.gemspec, because it is a stub with fully resolved gem meta-data created by Ruby bundler, this dependency should be the main one. Otherwise, use dependency2 as main. This method returns null if any dependency is not from *.gemspec, or the two do not have the same packagePath. In this case, they should not be grouped.
        Parameters:
        dependency1 - dependency to compare
        dependency2 - dependency to compare
        Returns:
        the main dependency; or null if a gemspec is not included in the analysis

      • isSameSwiftPackage

        protected boolean isSameSwiftPackage​(Dependency dependency1,
                                     Dependency dependency2)
        Bundling same swift dependencies with the same packagePath but identified by different file type analyzers.
        Parameters:
        dependency1 - dependency to test
        dependency2 - dependency to test
        Returns:
        true if the dependencies appear to be the same; otherwise false

      • getMainSwiftDependency

        protected Dependency getMainSwiftDependency​(Dependency dependency1,
                                            Dependency dependency2)
        Determines which of the swift dependencies should be considered the primary.
        Parameters:
        dependency1 - the first swift dependency to compare
        dependency2 - the second swift dependency to compare
        Returns:
        the primary swift dependency

      • getMainAndroidDependency

        protected Dependency getMainAndroidDependency​(Dependency dependency1,
                                              Dependency dependency2)
        Determines which of the android dependencies should be considered the primary.
        Parameters:
        dependency1 - the first android dependency to compare
        dependency2 - the second android dependency to compare
        Returns:
        the primary swift dependency

      • getMainDotnetDependency

        protected Dependency getMainDotnetDependency​(Dependency dependency1,
                                             Dependency dependency2)
        Determines which of the dotnet dependencies should be considered the primary.
        Parameters:
        dependency1 - the first dotnet dependency to compare
        dependency2 - the second dotnet dependency to compare
        Returns:
        the primary swift dependency

      • getMainVirtualDependency

        protected Dependency getMainVirtualDependency​(Dependency dependency1,
                                              Dependency dependency2)
        Determines which of the virtual dependencies should be considered the primary.
        Parameters:
        dependency1 - the first virtual dependency to compare
        dependency2 - the second virtual dependency to compare
        Returns:
        the first virtual dependency (or {code null} if they are not to be considered mergeable virtual dependencies)