org.owasp.dependencycheck.analyzer

Class DependencyMergingAnalyzer

java.lang.Object

org.owasp.dependencycheck.analyzer.AbstractAnalyzer

org.owasp.dependencycheck.analyzer.AbstractDependencyComparingAnalyzer

org.owasp.dependencycheck.analyzer.DependencyMergingAnalyzer

All Implemented Interfaces:

Analyzer

public class DependencyMergingAnalyzer
extends AbstractDependencyComparingAnalyzer

This analyzer will merge dependencies, created from different source, into a single dependency.

Author:

Jeremy Long

Constructor Summary

Constructors

Constructor and Description
DependencyMergingAnalyzer()

Method Summary

Modifier and Type	Method and Description
protected boolean	evaluateDependencies(Dependency dependency, Dependency nextDependency, Set<Dependency> dependenciesToRemove) Evaluates the dependencies
AnalysisPhase	getAnalysisPhase() Returns the phase that the analyzer is intended to run in.
protected String	getAnalyzerEnabledSettingKey() Returns the setting key to determine if the analyzer is enabled.
protected Dependency	getMainAndroidDependency(Dependency dependency1, Dependency dependency2) Determines which of the android dependencies should be considered the primary.
protected Dependency	getMainDotnetDependency(Dependency dependency1, Dependency dependency2) Determines which of the dotnet dependencies should be considered the primary.
protected Dependency	getMainGemspecDependency(Dependency dependency1, Dependency dependency2) Ruby gems installed by "bundle install" can have zero or more *.gemspec files, all of which have the same packagePath and should be grouped.
protected Dependency	getMainSwiftDependency(Dependency dependency1, Dependency dependency2) Determines which of the swift dependencies should be considered the primary.
String	getName() Returns the name of the analyzer.
protected boolean	isSameRubyGem(Dependency dependency1, Dependency dependency2) Bundling Ruby gems that are identified from different .gemspec files but denote the same package path.
protected boolean	isSameSwiftPackage(Dependency dependency1, Dependency dependency2) Bundling same swift dependencies with the same packagePath but identified by different file type analyzers.
static void	mergeDependencies(Dependency dependency, Dependency relatedDependency, Set<Dependency> dependenciesToRemove) Adds the relatedDependency to the dependency's related dependencies.

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractDependencyComparingAnalyzer

analyzeDependency, getAnalyzed, supportsParallelProcessing

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractAnalyzer

analyze, close, closeAnalyzer, getSettings, initialize, isEnabled, prepare, prepareAnalyzer, setEnabled

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DependencyMergingAnalyzer

public DependencyMergingAnalyzer()

Method Detail

getName

public String getName()

Returns the name of the analyzer.

Returns:

the name of the analyzer.

getAnalysisPhase

public AnalysisPhase getAnalysisPhase()

Returns the phase that the analyzer is intended to run in.

Returns:

the phase that the analyzer is intended to run in.

getAnalyzerEnabledSettingKey

protected String getAnalyzerEnabledSettingKey()

Returns the setting key to determine if the analyzer is enabled.

Specified by:

getAnalyzerEnabledSettingKey in class AbstractAnalyzer

Returns:

the key for the analyzer's enabled property

evaluateDependencies

protected boolean evaluateDependencies(Dependency dependency,
                                       Dependency nextDependency,
                                       Set<Dependency> dependenciesToRemove)

Evaluates the dependencies

Specified by:

evaluateDependencies in class AbstractDependencyComparingAnalyzer

Parameters:

dependency - a dependency to compare

nextDependency - a dependency to compare

dependenciesToRemove - a set of dependencies that will be removed

Returns:

true if a dependency is removed; otherwise false

mergeDependencies

public static void mergeDependencies(Dependency dependency,
                                     Dependency relatedDependency,
                                     Set<Dependency> dependenciesToRemove)

Adds the relatedDependency to the dependency's related dependencies.

Parameters:

dependency - the main dependency

relatedDependency - a collection of dependencies to be removed from the main analysis loop, this is the source of dependencies to remove

dependenciesToRemove - a collection of dependencies that will be removed from the main analysis loop, this function adds to this collection

isSameRubyGem

protected boolean isSameRubyGem(Dependency dependency1,
                                Dependency dependency2)

Bundling Ruby gems that are identified from different .gemspec files but denote the same package path. This happens when Ruby bundler installs an application's dependencies by running "bundle install".

Parameters:

dependency1 - dependency to compare

dependency2 - dependency to compare

Returns:

true if the the dependencies being analyzed appear to be the same; otherwise false

getMainGemspecDependency

protected Dependency getMainGemspecDependency(Dependency dependency1,
                                              Dependency dependency2)

Ruby gems installed by "bundle install" can have zero or more *.gemspec files, all of which have the same packagePath and should be grouped. If one of these gemspec is from <parent>/specifications/*.gemspec, because it is a stub with fully resolved gem meta-data created by Ruby bundler, this dependency should be the main one. Otherwise, use dependency2 as main. This method returns null if any dependency is not from *.gemspec, or the two do not have the same packagePath. In this case, they should not be grouped.

Parameters:

dependency1 - dependency to compare

dependency2 - dependency to compare

Returns:

the main dependency; or null if a gemspec is not included in the analysis

isSameSwiftPackage

protected boolean isSameSwiftPackage(Dependency dependency1,
                                     Dependency dependency2)

Bundling same swift dependencies with the same packagePath but identified by different file type analyzers.

Parameters:

dependency1 - dependency to test

dependency2 - dependency to test

Returns:

true if the dependencies appear to be the same; otherwise false

getMainSwiftDependency

protected Dependency getMainSwiftDependency(Dependency dependency1,
                                            Dependency dependency2)

Determines which of the swift dependencies should be considered the primary.

Parameters:

dependency1 - the first swift dependency to compare

dependency2 - the second swift dependency to compare

Returns:

the primary swift dependency

getMainAndroidDependency

protected Dependency getMainAndroidDependency(Dependency dependency1,
                                              Dependency dependency2)

Determines which of the android dependencies should be considered the primary.

Parameters:

dependency1 - the first android dependency to compare

dependency2 - the second android dependency to compare

Returns:

the primary swift dependency

getMainDotnetDependency

protected Dependency getMainDotnetDependency(Dependency dependency1,
                                             Dependency dependency2)

Determines which of the dotnet dependencies should be considered the primary.

Parameters:

dependency1 - the first dotnet dependency to compare

dependency2 - the second dotnet dependency to compare

Returns:

the primary swift dependency