Class Dependency

  • All Implemented Interfaces:
    java.io.Serializable

    @ThreadSafe
    public class Dependency
    extends java.lang.Object
    implements java.io.Serializable
    A program dependency. This object is one of the core components within DependencyCheck. It is used to collect information about the dependency in the form of evidence. The evidence is then used to determine whether there are any known, published vulnerabilities associated with the program dependency.
    Author:
    Jeremy Long
    See Also:
    Serialized Form
    • Field Detail

      • NAME_COMPARATOR

        public static final java.util.Comparator<Dependency> NAME_COMPARATOR
        Simple sorting by display file name and actual file path.
    • Constructor Detail

      • Dependency

        public Dependency()
        Constructs a new Dependency object.
      • Dependency

        public Dependency​(java.io.File file)
        Constructs a new Dependency object.
        Parameters:
        file - the File to create the dependency object from.
      • Dependency

        public Dependency​(java.io.File file,
                          boolean isVirtual)
        Constructs a new Dependency object.
        Parameters:
        file - the File to create the dependency object from.
        isVirtual - specifies whether the dependency is virtual, i.e. the file does not actually exist on disk.
      • Dependency

        public Dependency​(boolean isVirtual)
        Constructs a new Dependency object.
        Parameters:
        isVirtual - specifies whether the dependency is virtual, i.e. the file does not actually exist on disk.
    • Method Detail

      • getPackagePath

        public java.lang.String getPackagePath()
        Returns the package path.
        Returns:
        the package path
      • setPackagePath

        public void setPackagePath​(java.lang.String packagePath)
        Sets the package path.
        Parameters:
        packagePath - the package path
      • getFileName

        public java.lang.String getFileName()
        Returns the file name of the dependency.
        Returns:
        the file name of the dependency
      • setFileName

        public void setFileName​(java.lang.String fileName)
        Sets the file name of the dependency.
        Parameters:
        fileName - the file name of the dependency
      • getActualFilePath

        public java.lang.String getActualFilePath()
        Gets the file path of the dependency.
        Returns:
        the file path of the dependency
      • setActualFilePath

        public void setActualFilePath​(java.lang.String actualFilePath)
        Sets the actual file path of the dependency on disk.
        Parameters:
        actualFilePath - the file path of the dependency
      • getActualFile

        public java.io.File getActualFile()
        Gets a reference to the File object.
        Returns:
        the File object
      • getDisplayFileName

        public java.lang.String getDisplayFileName()
        Returns the file name to display in reports. If no display file name has been set, a name is constructed from the name and version fields; otherwise the actual file name is returned.
        Returns:
        the file name to display
      • setDisplayFileName

        public void setDisplayFileName​(java.lang.String displayName)
        Sets the file name to display in reports.
        Parameters:
        displayName - the name to display
      • getFilePath

        public java.lang.String getFilePath()

        Gets the file path of the dependency.

        NOTE: This may not be the actual path of the file on disk. The actual path of the file on disk can be obtained via getActualFilePath().

        Returns:
        the file path of the dependency
      • setFilePath

        public void setFilePath​(java.lang.String filePath)
        Sets the file path of the dependency.
        Parameters:
        filePath - the file path of the dependency
      • getMd5sum

        public java.lang.String getMd5sum()
        Returns the MD5 Checksum of the dependency file.
        Returns:
        the MD5 Checksum
      • setMd5sum

        public void setMd5sum​(java.lang.String md5sum)
        Sets the MD5 Checksum of the dependency.
        Parameters:
        md5sum - the MD5 Checksum
      • getSha1sum

        public java.lang.String getSha1sum()
        Returns the SHA1 Checksum of the dependency.
        Returns:
        the SHA1 Checksum
      • setSha1sum

        public void setSha1sum​(java.lang.String sha1sum)
        Sets the SHA1 Checksum of the dependency.
        Parameters:
        sha1sum - the SHA1 Checksum
      • getSha256sum

        public java.lang.String getSha256sum()
        Returns the SHA256 Checksum of the dependency.
        Returns:
        the SHA256 Checksum of the dependency
      • setSha256sum

        public void setSha256sum​(java.lang.String sha256sum)
        Sets the SHA256 Checksum of the dependency.
        Parameters:
        sha256sum - the SHA256 Checksum
      • getSoftwareIdentifiers

        public java.util.Set<Identifier> getSoftwareIdentifiers()
        Returns an unmodifiable set of software identifiers.
        Returns:
        an unmodifiable set of software identifiers
      • getVulnerableSoftwareIdentifiers

        public java.util.Set<Identifier> getVulnerableSoftwareIdentifiers()
        Returns an unmodifiable set of vulnerability identifiers.
        Returns:
        an unmodifiable set of vulnerability identifiers
      • getVulnerableSoftwareIdentifiersCount

        public int getVulnerableSoftwareIdentifiersCount()
        Returns the count of vulnerability identifiers.
        Returns:
        the count of vulnerability identifiers
      • hasKnownExploitedVulnerability

        public boolean hasKnownExploitedVulnerability()
        Returns true if the dependency has a known exploited vulnerability.
        Returns:
        true if the dependency has a known exploited vulnerability; otherwise false.
      • addSoftwareIdentifiers

        protected void addSoftwareIdentifiers​(java.util.Set<Identifier> identifiers)
        Adds a set of Identifiers to the current list of software identifiers. Only used for testing.
        Parameters:
        identifiers - A set of Identifiers
      • addVulnerableSoftwareIdentifiers

        protected void addVulnerableSoftwareIdentifiers​(java.util.Set<Identifier> identifiers)
        Adds a set of Identifiers to the current list of vulnerable software identifiers. Only used for testing.
        Parameters:
        identifiers - A set of Identifiers
      • addSoftwareIdentifier

        public void addSoftwareIdentifier​(Identifier identifier)
        Adds an entry to the list of detected Identifiers for the dependency file.
        Parameters:
        identifier - a reference to the identifier to add
      • addVulnerableSoftwareIdentifier

        public void addVulnerableSoftwareIdentifier​(Identifier identifier)
        Adds an entry to the list of detected vulnerable software identifiers for the dependency file.
        Parameters:
        identifier - a reference to the identifier to add
      • removeVulnerableSoftwareIdentifier

        public void removeVulnerableSoftwareIdentifier​(Identifier i)
        Removes a vulnerable software identifier from the set of identifiers.
        Parameters:
        i - the identifier to remove
      • addAsEvidence

        public void addAsEvidence​(java.lang.String source,
                                  MavenArtifact mavenArtifact,
                                  Confidence confidence)
        Adds the Maven artifact as evidence.
        Parameters:
        source - The source of the evidence
        mavenArtifact - The Maven artifact
        confidence - The confidence level of this evidence
      • getSuppressedIdentifiers

        public java.util.Set<Identifier> getSuppressedIdentifiers()
        Get the unmodifiable set of suppressedIdentifiers.
        Returns:
        the value of suppressedIdentifiers
      • addSuppressedIdentifier

        public void addSuppressedIdentifier​(Identifier identifier)
        Adds an identifier to the list of suppressed identifiers.
        Parameters:
        identifier - an identifier that was suppressed.
      • getVulnerabilities

        public java.util.Set<Vulnerability> getVulnerabilities()
        Get the unmodifiable sorted set of vulnerabilities.
        Returns:
        the unmodifiable sorted set of vulnerabilities
      • getVulnerabilities

        public java.util.Set<Vulnerability> getVulnerabilities​(boolean sorted)
        Get the unmodifiable set of vulnerabilities; optionally sorted.
        Parameters:
        sorted - if true the set will be sorted
        Returns:
        the unmodifiable set of vulnerabilities
      • getVulnerabilitiesCount

        public int getVulnerabilitiesCount()
        Get vulnerability count.
        Returns:
        the count of vulnerabilities
      • getSuppressedVulnerabilities

        public java.util.Set<Vulnerability> getSuppressedVulnerabilities()
        Get an unmodifiable set of suppressedVulnerabilities.
        Returns:
        the unmodifiable sorted set of suppressedVulnerabilities
      • getSuppressedVulnerabilities

        public java.util.Set<Vulnerability> getSuppressedVulnerabilities​(boolean sorted)
        Get an unmodifiable, optionally sorted, set of suppressedVulnerabilities.
        Parameters:
        sorted - whether or not the set is sorted
        Returns:
        the unmodifiable, optionally sorted set of suppressedVulnerabilities
      • addSuppressedVulnerability

        public void addSuppressedVulnerability​(Vulnerability vulnerability)
        Adds a vulnerability to the set of suppressed vulnerabilities.
        Parameters:
        vulnerability - the vulnerability that was suppressed
      • getDescription

        public java.lang.String getDescription()
        Get the value of description.
        Returns:
        the value of description
      • setDescription

        public void setDescription​(java.lang.String description)
        Set the value of description.
        Parameters:
        description - new value of description
      • getLicense

        public java.lang.String getLicense()
        Get the value of license.
        Returns:
        the value of license
      • setLicense

        public void setLicense​(java.lang.String license)
        Set the value of license.
        Parameters:
        license - new value of license
      • getName

        public java.lang.String getName()
        Returns:
        the name
      • setName

        public void setName​(java.lang.String name)
        Parameters:
        name - the name to set
      • addVulnerability

        public void addVulnerability​(Vulnerability vulnerability)
        Adds a vulnerability to the dependency.
        Parameters:
        vulnerability - a vulnerability
      • addVulnerabilities

        public void addVulnerabilities​(java.util.List<Vulnerability> vulnerabilities)
        Adds a list of vulnerabilities to the dependency.
        Parameters:
        vulnerabilities - a list of vulnerabilities
      • removeVulnerability

        public void removeVulnerability​(Vulnerability v)
        Removes the given vulnerability from the list.
        Parameters:
        v - the vulnerability to remove
      • getRelatedDependencies

        public java.util.Set<Dependency> getRelatedDependencies()
        Get the unmodifiable set of relatedDependencies. This field is used to collect other dependencies which really represent the same dependency, and may be presented as one item in reports.
        Returns:
        the unmodifiable set of relatedDependencies
      • clearRelatedDependencies

        public void clearRelatedDependencies()
        Clears the relatedDependencies.
      • getIncludedBy

        public java.util.Set<IncludedByReference> getIncludedBy()
        Get the unmodifiable set of includedBy (the list of parents of this transitive dependency).
        Returns:
        the unmodifiable set of includedBy
      • addIncludedBy

        public void addIncludedBy​(java.lang.String includedBy)
        Adds the parent or root of the transitive dependency chain (i.e., this was included by the parent dependency X).
        Parameters:
        includedBy - a project reference
      • addIncludedBy

        public void addIncludedBy​(java.lang.String includedBy,
                                  java.lang.String type)
        Adds the parent or root of the transitive dependency chain (i.e., this was included by the parent dependency X).
        Parameters:
        includedBy - a project reference
        type - the type of project reference (e.g. 'plugins', 'buildEnv')
      • addAllIncludedBy

        public void addAllIncludedBy​(java.util.Set<IncludedByReference> includedBy)
        Adds a set of project references.
        Parameters:
        includedBy - a set of project references
      • getProjectReferences

        public java.util.Set<java.lang.String> getProjectReferences()
        Get the unmodifiable set of projectReferences.
        Returns:
        the unmodifiable set of projectReferences
      • addProjectReference

        public void addProjectReference​(java.lang.String projectReference)
        Adds a project reference.
        Parameters:
        projectReference - a project reference
      • addAllProjectReferences

        public void addAllProjectReferences​(java.util.Set<java.lang.String> projectReferences)
        Adds a collection of project references.
        Parameters:
        projectReferences - a set of project references
      • addRelatedDependency

        public void addRelatedDependency​(Dependency dependency)
        Adds a related dependency.
        Parameters:
        dependency - a reference to the related dependency
      • removeRelatedDependencies

        public void removeRelatedDependencies​(Dependency dependency)
        Removes a related dependency.
        Parameters:
        dependency - the dependency to remove
      • getAvailableVersions

        public java.util.List<java.lang.String> getAvailableVersions()
        Get the value of availableVersions.
        Returns:
        the value of availableVersions
      • addAvailableVersion

        public void addAvailableVersion​(java.lang.String version)
        Adds a version to the available version list.
        Parameters:
        version - the version to add to the list
      • isVirtual

        public boolean isVirtual()
        Returns whether this dependency is virtual. Virtual dependencies are specified at construction time; there is no setter.
        Returns:
        true if Dependency is virtual, false if not
      • equals

        public boolean equals​(java.lang.Object obj)
        Implementation of the equals method.
        Parameters:
        obj - the object to compare
        Returns:
        true if the objects are equal, otherwise false
      • hashCode

        public int hashCode()
        Generates the HashCode.
        Returns:
        the HashCode
      • toString

        public java.lang.String toString()
        Standard toString() implementation showing the filename, actualFilePath, and filePath.
        Returns:
        the string representation of the file
      • addSuppressedVulnerabilities

        public void addSuppressedVulnerabilities​(java.util.List<Vulnerability> vulns)
        Add a list of suppressed vulnerabilities to the collection.
        Parameters:
        vulns - the list of suppressed vulnerabilities to add
      • getVersion

        public java.lang.String getVersion()
        Returns:
        the version
      • setVersion

        public void setVersion​(java.lang.String version)
        Parameters:
        version - the version to set
      • getEcosystem

        public java.lang.String getEcosystem()
        Returns:
        the ecosystem
      • setEcosystem

        public void setEcosystem​(java.lang.String ecosystem)
        Parameters:
        ecosystem - the ecosystem to set
      • getIterator

        public java.lang.Iterable<Evidence> getIterator​(EvidenceType type,
                                                        Confidence confidence)
        Used to iterate over evidence of the specified type and confidence.
        Parameters:
        type - the evidence type to iterate over
        confidence - the confidence level for the evidence to be iterated over.
        Returns:
        an iterable collection of evidence
      • addEvidence

        public void addEvidence​(EvidenceType type,
                                Evidence e)
        Adds evidence to the collection.
        Parameters:
        type - the type of evidence (vendor, product, version)
        e - the evidence to add
      • removeEvidence

        public void removeEvidence​(EvidenceType type,
                                   Evidence e)
        Removes evidence from the collection.
        Parameters:
        type - the type of evidence (vendor, product, version)
        e - the evidence to remove
      • addEvidence

        public void addEvidence​(EvidenceType type,
                                java.lang.String source,
                                java.lang.String name,
                                java.lang.String value,
                                Confidence confidence)
        Creates an Evidence object from the parameters and adds the resulting object to the evidence collection.
        Parameters:
        type - the type of evidence (vendor, product, version)
        source - the source of the Evidence.
        name - the name of the Evidence.
        value - the value of the Evidence.
        confidence - the confidence of the Evidence.
      • addVendorWeighting

        public void addVendorWeighting​(java.lang.String str)
        Adds a term to the vendor weighting collection. The terms added here are used later to boost the score of other terms. This is a way of combining evidence from multiple sources to boost the confidence of the given evidence. Example: the term 'Apache' is found in the manifest of a JAR and is added to the collection. When the package names within the JAR file are parsed, they may be added to the "weighted" strings collection to boost the score in the Lucene query. When the Lucene query is constructed, the term Apache is found both in the collection AND in the weighted strings; as such, the confidence of the term Apache is boosted.
        Parameters:
        str - to add to the weighting collection.
      • addProductWeighting

        public void addProductWeighting​(java.lang.String str)
        Adds a term to the product weighting collection. The terms added here are used later to boost the score of other terms. This is a way of combining evidence from multiple sources to boost the confidence of the given evidence. Example: the term 'Apache' is found in the manifest of a JAR and is added to the collection. When the package names within the JAR file are parsed, they may be added to the "weighted" strings collection to boost the score in the Lucene query. When the Lucene query is constructed, the term Apache is found both in the collection AND in the weighted strings; as such, the confidence of the term Apache is boosted.
        Parameters:
        str - to add to the weighting collection.
      • getVendorWeightings

        public java.util.Set<java.lang.String> getVendorWeightings()
        Returns an unmodifiable set of vendor weightings: a list of terms that are believed to be of higher confidence when also found in another location.
        Returns:
        an unmodifiable set of vendor weighting strings
      • getProductWeightings

        public java.util.Set<java.lang.String> getProductWeightings()
        Returns an unmodifiable set of product weightings: a list of terms that are believed to be of higher confidence when also found in another location.
        Returns:
        an unmodifiable set of product weighting strings
      • getEvidence

        public java.util.Set<Evidence> getEvidence​(EvidenceType type)
        Returns the unmodifiable set of evidence of the given type.
        Parameters:
        type - the type of evidence (vendor, product, version)
        Returns:
        the unmodifiable set of evidence
      • getEvidence

        public java.util.Set<Evidence> getEvidence()
        Returns the unmodifiable set of evidence.
        Returns:
        the unmodifiable set of evidence
      • contains

        public boolean contains​(EvidenceType type,
                                Evidence e)
        Tests if the evidence collection contains the given evidence.
        Parameters:
        type - the type of evidence (vendor, product, version)
        e - the evidence to search for
        Returns:
        true if the evidence is found; otherwise false
      • contains

        public boolean contains​(EvidenceType type,
                                Confidence confidence)
        Returns whether or not the collection contains evidence of a specified type and confidence.
        Parameters:
        type - the type of evidence (vendor, product, version)
        confidence - A Confidence value.
        Returns:
        true if evidence of the given type and confidence is present; otherwise false
      • size

        public int size()
        Returns the number of elements in the EvidenceCollection.
        Returns:
        the number of elements in the collection.
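An added usage example, not part of the DependencyCheck code base or of this documentation, tying together the constructors, addEvidence, the vendor/product weighting collections and the evidence queries described above. It assumes these classes live in org.owasp.dependencycheck.dependency, that EvidenceType has VENDOR, PRODUCT and VERSION constants and Confidence has HIGHEST, HIGH and LOW constants; every manifest value, file name and path is constructed.

```java
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.dependency.EvidenceType;

/**
 * Illustrates how an analyzer populates a Dependency with evidence and how
 * a consumer queries it. Not part of DependencyCheck; all values constructed.
 */
public class DependencyEvidenceExample {

    /** Builds a virtual dependency the way a manifest analyzer would populate one. */
    static Dependency buildFromManifest() {
        // Virtual: nothing is read from disk, so the path below is a label only (constructed).
        Dependency dep = new Dependency(true);
        dep.setFileName("example-lib-1.2.3.jar");
        dep.setFilePath("build/libs/example-lib-1.2.3.jar");

        // Evidence as a manifest analyzer records it: type, source, name, value, confidence.
        dep.addEvidence(EvidenceType.VENDOR, "Manifest", "Implementation-Vendor", "Apache", Confidence.HIGH);
        dep.addEvidence(EvidenceType.PRODUCT, "Manifest", "Implementation-Title", "example-lib", Confidence.HIGH);
        dep.addEvidence(EvidenceType.VERSION, "Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);

        // A second, independent source (a constructed package name) agreeing with the manifest.
        // Recording the agreement in the weighting collections lets the later Lucene query
        // boost "apache", which is the mechanism addVendorWeighting documents.
        dep.addEvidence(EvidenceType.VENDOR, "jar", "package name", "apache", Confidence.LOW);
        dep.addVendorWeighting("apache");
        dep.addProductWeighting("example-lib");
        return dep;
    }

    /** Counts evidence of one type at one confidence level via getIterator. */
    static int countEvidence(Dependency dep, EvidenceType type, Confidence confidence) {
        int n = 0;
        for (Evidence ignored : dep.getIterator(type, confidence)) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) {
        Dependency dep = buildFromManifest();

        // size() counts evidence of every type; the four entries above are all distinct.
        System.out.println("evidence entries: " + dep.size());

        // contains(type, confidence) answers "is there vendor evidence at this confidence?"
        System.out.println("HIGH vendor evidence: " + dep.contains(EvidenceType.VENDOR, Confidence.HIGH));
        System.out.println("HIGHEST vendor evidence: " + dep.contains(EvidenceType.VENDOR, Confidence.HIGHEST));
        System.out.println("LOW vendor evidence count: " + countEvidence(dep, EvidenceType.VENDOR, Confidence.LOW));

        // getEvidence(type) is documented as unmodifiable: a mutation attempt fails
        // instead of silently altering the state analyzers depend on.
        try {
            dep.getEvidence(EvidenceType.VENDOR).clear();
        } catch (UnsupportedOperationException ex) {
            System.out.println("vendor evidence set is unmodifiable, as documented");
        }

        System.out.println("vendor weightings: " + dep.getVendorWeightings());
        System.out.println("virtual: " + dep.isVirtual());
    }
}
```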