org.owasp.dependencycheck.analyzer

Class DependencyBundlingAnalyzer

java.lang.Object

org.owasp.dependencycheck.analyzer.AbstractAnalyzer

org.owasp.dependencycheck.analyzer.AbstractDependencyComparingAnalyzer

org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer

All Implemented Interfaces:

Analyzer

@ThreadSafe
public class DependencyBundlingAnalyzer
extends AbstractDependencyComparingAnalyzer

This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the same relative path then these should be grouped into a single dependency under the core/main library.

Note, this grouping only works on dependencies with identified CVE entries

Author:

Jeremy Long

Constructor Summary

Constructors

Constructor and Description
DependencyBundlingAnalyzer()

Method Summary

Modifier and Type	Method and Description
protected boolean	evaluateDependencies(Dependency dependency, Dependency nextDependency, Set<Dependency> dependenciesToRemove) Evaluates the dependencies
protected boolean	firstPathIsShortest(String left, String right) Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to determine if the first path is smaller.
AnalysisPhase	getAnalysisPhase() Returns the phase that the analyzer is intended to run in.
protected String	getAnalyzerEnabledSettingKey() Returns the setting key to determine if the analyzer is enabled.
String	getName() Returns the name of the analyzer.
protected boolean	isCore(Dependency left, Dependency right) This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the 'right' library.
protected boolean	isShadedJar(Dependency dependency, Dependency nextDependency) Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml dependency should be removed.
protected boolean	isWebJar(Dependency dependency, Dependency nextDependency) Determines if a JS file is from a webjar dependency.
static void	mergeDependencies(Dependency dependency, Dependency relatedDependency, Set<Dependency> dependenciesToRemove) Adds the relatedDependency to the dependency's related dependencies.
static void	mergeDependencies(Dependency dependency, Dependency relatedDependency, Set<Dependency> dependenciesToRemove, boolean copyVulnsAndIds) Adds the relatedDependency to the dependency's related dependencies.
static boolean	npmVersionsMatch(String current, String next) Determine if the dependency version is equal in the given dependencies.

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractDependencyComparingAnalyzer

analyzeDependency, getAnalyzed, supportsParallelProcessing

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractAnalyzer

analyze, close, closeAnalyzer, getSettings, initialize, isEnabled, prepare, prepareAnalyzer, setEnabled

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DependencyBundlingAnalyzer

public DependencyBundlingAnalyzer()

Method Detail

getName

public String getName()

Returns the name of the analyzer.

Returns:

the name of the analyzer.

getAnalysisPhase

public AnalysisPhase getAnalysisPhase()

Returns the phase that the analyzer is intended to run in.

Returns:

the phase that the analyzer is intended to run in.

getAnalyzerEnabledSettingKey

protected String getAnalyzerEnabledSettingKey()

Returns the setting key to determine if the analyzer is enabled.

Specified by:

getAnalyzerEnabledSettingKey in class AbstractAnalyzer

Returns:

the key for the analyzer's enabled property

evaluateDependencies

protected boolean evaluateDependencies(Dependency dependency,
                                       Dependency nextDependency,
                                       Set<Dependency> dependenciesToRemove)

Evaluates the dependencies

Specified by:

evaluateDependencies in class AbstractDependencyComparingAnalyzer

Parameters:

dependency - a dependency to compare

nextDependency - a dependency to compare

dependenciesToRemove - a set of dependencies that will be removed

Returns:

true if a dependency is removed; otherwise false

mergeDependencies

public static void mergeDependencies(Dependency dependency,
                                     Dependency relatedDependency,
                                     Set<Dependency> dependenciesToRemove)

Adds the relatedDependency to the dependency's related dependencies.

Parameters:

dependency - the main dependency

relatedDependency - a collection of dependencies to be removed from the main analysis loop, this is the source of dependencies to remove

dependenciesToRemove - a collection of dependencies that will be removed from the main analysis loop, this function adds to this collection

mergeDependencies

public static void mergeDependencies(Dependency dependency,
                                     Dependency relatedDependency,
                                     Set<Dependency> dependenciesToRemove,
                                     boolean copyVulnsAndIds)

Adds the relatedDependency to the dependency's related dependencies.

Parameters:

dependency - the main dependency

relatedDependency - a collection of dependencies to be removed from the main analysis loop, this is the source of dependencies to remove

dependenciesToRemove - a collection of dependencies that will be removed from the main analysis loop, this function adds to this collection

copyVulnsAndIds - whether or not identifiers and vulnerabilities are copied

isCore

protected boolean isCore(Dependency left,
                         Dependency right)

This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the 'right' library.

Parameters:

left - the dependency to test

right - the dependency to test against

Returns:

a boolean indicating whether or not the left dependency should be considered the "core" version.

isWebJar

protected boolean isWebJar(Dependency dependency,
                           Dependency nextDependency)

Determines if a JS file is from a webjar dependency.

Parameters:

dependency - the first dependency to compare

nextDependency - the second dependency to compare

Returns:

true if the dependency is a web jar and the next dependency is a JS file from the web jar; otherwise false

isShadedJar

protected boolean isShadedJar(Dependency dependency,
                              Dependency nextDependency)

Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml dependency should be removed.

Parameters:

dependency - a dependency to check

nextDependency - another dependency to check

Returns:

true if on of the dependencies is a pom.xml and the identifiers between the two collections match; otherwise false

firstPathIsShortest

protected boolean firstPathIsShortest(String left,
                                      String right)

Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to determine if the first path is smaller.

Parameters:

left - the first path to compare

right - the second path to compare

Returns:

true if the leftPath is the shortest; otherwise false

npmVersionsMatch

public static boolean npmVersionsMatch(String current,
                                       String next)

Determine if the dependency version is equal in the given dependencies. This method attempts to evaluate version range checks.

Parameters:

current - a dependency version to compare

next - a dependency version to compare

Returns:

true if the version is equal in both dependencies; otherwise false