Tag List Report

The following document contains the listing of user tags found in the code. Below is the summary of the occurrences per tag.

Tag Class   Total number of occurrences   Tag strings used by tag class
Todo Work   68                            todo, FIXME

Each tag is detailed below:

Todo Work

Number of occurrences found in the code: 68

org.owasp.dependencycheck.Engine
  Line 288: - is this actually necessary???? Collections.sort(dependencies); dependenciesExternalView = null;

org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer
  Line 171: - we can likely create a valid CPE as a low confidence guess using cpe:2.3:a:[name]_project:[name]:[version] (and add a targetSw of npm/node)
  Line 327: - if we start doing CPE analysis on node - we need to exclude description as it creates too many FP

org.owasp.dependencycheck.analyzer.ArchiveAnalyzer
  Line 314: - can we get more evidence from the parent? EAR contains module name, etc. analyze the dependency (i.e. extract files) if it is a supported type.

org.owasp.dependencycheck.analyzer.ArtifactoryAnalyzer
  Line 236: add caching

org.owasp.dependencycheck.analyzer.AutoconfAnalyzerTest
  Line 91: fix these

org.owasp.dependencycheck.analyzer.CPEAnalyzer
  Line 564: - should the weighting be at a "word" level as opposed to phrase level? Or combined word and phrase? remember the reason we are counting the frequency of "phrases" as opposed to terms is that we need to keep the correct sequence of terms from the evidence so the term concatenating analyzer works correctly and will cause searches to take spring framework and produce: spring springframework framework
  Line 647: - does this nullify some of the fuzzy matching that happens in the lucene search? for instance CPE some-component and in the evidence we have SomeComponent.
  Line 650: - should this have a package manager only flag instead of just looking for NPM
  Line 703: - likely need to change the split... not sure if this will work for CPE with special chars
  Line 837: the following algorithm incorrectly identifies things as a lower version if there is lower confidence evidence when the current (highest) version number is newer than anything in the NVD.
  Line 859: - review and update for new JSON data
  Line 964: - while this gets the job done it is slow; consider refactoring
  Line 1046: - we need to filter this so that we only use this if something in the dependency.getName() matches the vendor/product in some way

org.owasp.dependencycheck.analyzer.DartAnalyzer
  Line 150: - add configuration to allow skipping dev dependencies.

org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer
  Line 210: this null check was added for #1296 - but I believe this to be related to virtual dependencies; we may want to merge project references on virtual dependencies...
  Line 389: - should we get rid of this merging? It removes a true BOM...

org.owasp.dependencycheck.analyzer.FalsePositiveAnalyzer
  Line 183: fix the version problem below
  Line 244: - can we utilize the pom's groupid and artifactId to filter??? most of these are due to low quality data. Other idea would be to say any CPE found based on LOW confidence evidence should have a different CPE type? (this might be a better solution than just removing the URL for "best-guess" matches).
  Line 252: move this startsWith expression to the base suppression file
  Line 385: move this to the hint analyzer

org.owasp.dependencycheck.analyzer.JarAnalyzer
  Line 430: add breakpoint on groov-all to find out why commons-cli is not added as a new dependency?
  Line 816: remove weighting?
  Line 826: remove weighting
  Line 930: change this to a regex?
  Line 1257: add a hashSet and only analyze any given key once.

org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer
  Line 142: while we are supporting props - we still do not support Directory.Build.targets

org.owasp.dependencycheck.analyzer.NodePackageAnalyzer
  Line 291: make this an error that gets logged
  Line 424: - we should use the integrity value instead of calculating the SHA1/MD5
  Line 441: - we should use the integrity value instead of calculating the SHA1/MD5

org.owasp.dependencycheck.analyzer.NpmCPEAnalyzer
  Line 61: this is a hack because we use the same singleton CPE Index as the CPE Analyzer; thus to filter to just node products we can't run in the same phase. possibly extend the CPE Index to include an ecosystem and use that as a filter for node..

org.owasp.dependencycheck.analyzer.OssIndexAnalyzer
  Line 273: - can we enhance anything other than the references?
  Line 393: consider if we want/need to extract version-ranges to apply to vulnerable-software?

org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer
  Line 344: - this seems broken as we are cycling over py files and could be grabbing versions from multiple?

org.owasp.dependencycheck.analyzer.RetireJsAnalyzer
  Line 121: implement this
  Line 335: - can we refactor this to avoid Russian doll syndrome (i.e. nesting)? CSOFF: NestedForDepth
  Line 361: - convert to map/collect

org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer
  Line 84: support Rakefile = FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
  Line 269: other checking?

org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzerTest
  Line 122: placeholder to test Rakefile support public void testAnalyzeRakefile() throws AnalysisException { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/gems/pg-0.18.4/Rakefile")); analyzer.analyze(result, null); assertTrue(result.size() > 0); assertEquals(RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getEcosystem()); assertEquals("pg", result.getName()); assertEquals("0.18.4", result.getVersion()); assertEquals("pg:0.18.4", result.getDisplayFileName()); }

org.owasp.dependencycheck.analyzer.SwiftAnalyzersTest
  Line 175: when version processing is added, update the expected name.

org.owasp.dependencycheck.analyzer.SwiftPackageManagerAnalyzer
  Line 170: SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies. Future interesting metadata: version, license, homepage, author, summary, etc.

org.owasp.dependencycheck.data.artifactory.ArtifactorySearch
  Line 194: Investigate why sha256 parameter is not working; API defined at https://www.jfrog.com/confluence/display/RTF/Artifactory+REST+API#ArtifactoryRESTAPI-ChecksumSearch

org.owasp.dependencycheck.data.cache.DataCacheFactory
  Line 138: we may want to instrument w/ jdiagnostics per #2509
  Line 163: we may want to instrument w/ jdiagnostics per #2509
  Line 188: we may want to instrument w/ jdiagnostics per #2509

org.owasp.dependencycheck.data.nodeaudit.NpmPayloadBuilder
  Line 177: I think the following is dead code and no real "dependencies" section in a lock file will look like this

org.owasp.dependencycheck.data.nvd.ecosystem.DescriptionEcosystemMapper
  Line 236: could be checked afterwards

org.owasp.dependencycheck.data.nvdcve.CveDB
  Line 981: this may also be an issue for MS SQL, if an issue is created we'll just need
  Line 1661: this may also be an issue for MS SQL, if an issue is created we'll just need

org.owasp.dependencycheck.data.nvdcve.CveItemOperator
  Line 77: the following was added to reduce the need for the slow UPDATE_ECOSYSTEM2 query; the following should be analyzed to determine if an ecosystem should be returned. Note that these all have 'bindings' in the description of a vulnerability; in more than one case these were related to language bindings; as such the list needs to be reviewed and refined.

org.owasp.dependencycheck.data.nvdcve.DriverLoader
  Line 152: add usage count so we don't de-register a driver that is in use.

org.owasp.dependencycheck.data.update.KnownExploitedDataSource
  Line 78: - add all the proxy config, likely use the same as configured for NVD

org.owasp.dependencycheck.data.update.NvdApiDataSourceTest
  Line 74: review the generated test code and remove the default call to fail. fail("The test case is a prototype."); }

org.owasp.dependencycheck.dependency.Dependency
  Line 495: the following assertion should be removed after initial testing and implementation
  Line 501: - should we check for type of identifier? I.e. could we see a Purl and GenericIdentifier with the same value

org.owasp.dependencycheck.dependency.VulnerableSoftware
  Line 197: implement versionStart etc.
  Line 200: - if the vulnerability has an update we might not be collecting it correctly... as such, this check might cause FN if the CVE has an update in the data set
  Line 341: - if the vulnerability has an update we might not be collecting it correctly... as such, this check might cause FN if the CVE has an update in the data set

org.owasp.dependencycheck.dependency.naming.PurlIdentifier
  Line 219: update package url implementation to implement compare..

org.owasp.dependencycheck.processing.BundlerAuditProcessor
  Line 320: add package URL - note, this may require parsing the gemfile.lock and getting the version for each entry

org.owasp.dependencycheck.utils.DependencyVersion
  Line 154: steal better version of code from compareTo

org.owasp.dependencycheck.utils.DependencyVersionTest
  Line 54: (code review): should this be here/do something? assertEquals("0", parts.get(2));

org.owasp.dependencycheck.utils.PEParser
  Line 565: - name table refers to data outside image directory for (int i = 0; i < id.size(); i++) { ImportDirectoryEntry e = id.getEntry(i); dr.jumpTo(e.getNameRVA() - baseAddress); String name = dr.readUtf(); dr.jumpTo(e.getImportLookupTableRVA() - baseAddress); ImportDirectoryTable nt = readImportDirectoryTable(dr, baseAddress); dr.jumpTo(e.getImportAddressTableRVA() - baseAddress); ImportDirectoryTable at = null; // readImportDirectoryTable(dr, // baseAddress); id.add(name, nt, at); }
  Line 608: this is an index into the export table

org.owasp.dependencycheck.utils.WriteLock
  Line 255: - this 30 minute check needs to be configurable.

org.owasp.dependencycheck.xml.suppression.SuppressionRule
  Line 529: validate this comparison
  Line 613: check for regex - not just type