Package org.owasp.dependencycheck.analyzer

Class FalsePositiveAnalyzer

java.lang.Object

org.owasp.dependencycheck.analyzer.AbstractAnalyzer

org.owasp.dependencycheck.analyzer.FalsePositiveAnalyzer

All Implemented Interfaces:

Analyzer

@ThreadSafe
public class FalsePositiveAnalyzer
extends AbstractAnalyzer

This analyzer attempts to remove some well known false positives - specifically regarding the java runtime.

Author:

Jeremy Long

Field Summary

Fields

Modifier and Type	Field	Description
static java.util.regex.Pattern	CORE_FILES	Regex to identify core java library files.
static java.util.regex.Pattern	CORE_JAVA	Regex to identify core java libraries and a few other commonly misidentified ones.
static java.util.regex.Pattern	CORE_JAVA_JSF	Regex to identify core jsf libraries.
static java.util.regex.Pattern	CORE_JSF_FILES	Regex to identify core jsf java library files.

Constructor Summary

Constructors

Constructor	Description
FalsePositiveAnalyzer()

Method Summary

Modifier and Type	Method	Description
protected void	analyzeDependency(Dependency dependency, Engine engine)	Analyzes the dependencies and removes bad/incorrect CPE associations based on various heuristics.
AnalysisPhase	getAnalysisPhase()	Returns the phase that the analyzer is intended to run in.
protected java.lang.String	getAnalyzerEnabledSettingKey()	Returns the setting key to determine if the analyzer is enabled.
java.lang.String	getName()	Returns the name of the analyzer.
protected void	removeBadMatches(Dependency dependency)	Removes bad CPE matches for a dependency.

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractAnalyzer

analyze, close, closeAnalyzer, getSettings, initialize, isEnabled, prepare, prepareAnalyzer, setEnabled, supportsParallelProcessing

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CORE_JAVA

public static final java.util.regex.Pattern CORE_JAVA

Regex to identify core java libraries and a few other commonly misidentified ones.

CORE_JAVA_JSF

public static final java.util.regex.Pattern CORE_JAVA_JSF

Regex to identify core jsf libraries.

CORE_FILES

public static final java.util.regex.Pattern CORE_FILES

Regex to identify core java library files. This is currently incomplete.

CORE_JSF_FILES

public static final java.util.regex.Pattern CORE_JSF_FILES

Regex to identify core jsf java library files. This is currently incomplete.

Constructor Detail

FalsePositiveAnalyzer

public FalsePositiveAnalyzer()

Method Detail

getName

public java.lang.String getName()

Returns the name of the analyzer.

Returns:

the name of the analyzer.

getAnalysisPhase

public AnalysisPhase getAnalysisPhase()

Returns the phase that the analyzer is intended to run in.

Returns:

the phase that the analyzer is intended to run in.

getAnalyzerEnabledSettingKey

protected java.lang.String getAnalyzerEnabledSettingKey()

Returns the setting key to determine if the analyzer is enabled.

Specified by:

getAnalyzerEnabledSettingKey in class AbstractAnalyzer

Returns:

the key for the analyzer's enabled property

analyzeDependency

protected void analyzeDependency(Dependency dependency,
                                 Engine engine)
                          throws AnalysisException

Analyzes the dependencies and removes bad/incorrect CPE associations based on various heuristics.

Specified by:

analyzeDependency in class AbstractAnalyzer

Parameters:

dependency - the dependency to analyze.

engine - the engine that is scanning the dependencies

Throws:

AnalysisException - is thrown if there is an error reading the JAR file.

removeBadMatches

protected void removeBadMatches(Dependency dependency)

Removes bad CPE matches for a dependency. Unfortunately, right now these are hard-coded patches for specific problems identified when testing this on a LARGE volume of jar files.

Parameters:

dependency - the dependency to analyze