org.owasp.dependencycheck.dependency

Class Dependency

java.lang.Object

org.owasp.dependencycheck.dependency.Dependency

All Implemented Interfaces:

Serializable

@ThreadSafe
public class Dependency
extends Object
implements Serializable

A program dependency. This object is one of the core components within DependencyCheck. It is used to collect information about the dependency in the form of evidence. The Evidence is then used to determine if there are any known, published, vulnerabilities associated with the program dependency.

Author:

Jeremy Long

See Also:

Serialized Form

Constructor Summary

Constructors

Constructor and Description
Dependency() Constructs a new Dependency object.
Dependency(boolean isVirtual) Constructs a new Dependency object.
Dependency(File file) Constructs a new Dependency object.
Dependency(File file, boolean isVirtual) Constructs a new Dependency object.

Method Summary

Modifier and Type	Method and Description
void	addAllProjectReferences(Set<String> projectReferences) Add a collection of project reference.
void	addAsEvidence(String source, MavenArtifact mavenArtifact, Confidence confidence) Adds the Maven artifact as evidence.
void	addAvailableVersion(String version) Adds a version to the available version list.
void	addEvidence(EvidenceType type, Evidence e) Adds evidence to the collection.
void	addEvidence(EvidenceType type, String source, String name, String value, Confidence confidence) Creates an Evidence object from the parameters and adds the resulting object to the evidence collection.
void	addProductWeighting(String str) Adds term to the product weighting collection.
void	addProjectReference(String projectReference) Adds a project reference.
void	addRelatedDependency(Dependency dependency) Adds a related dependency.
void	addSoftwareIdentifier(Identifier identifier) Adds an entry to the list of detected Identifiers for the dependency file.
protected void	addSoftwareIdentifiers(Set<Identifier> identifiers) Adds a set of Identifiers to the current list of software identifiers.
void	addSuppressedIdentifier(Identifier identifier) Adds an identifier to the list of suppressed identifiers.
void	addSuppressedVulnerabilities(List<Vulnerability> vulns) Add a list of suppressed vulnerabilities to the collection.
void	addSuppressedVulnerability(Vulnerability vulnerability) Adds a vulnerability to the set of suppressed vulnerabilities.
void	addVendorWeighting(String str) Adds term to the vendor weighting collection.
void	addVulnerabilities(List<Vulnerability> vulnerabilities) Adds a list of vulnerabilities to the dependency.
void	addVulnerability(Vulnerability vulnerability) Adds a vulnerability to the dependency.
void	addVulnerableSoftwareIdentifier(Identifier identifier) Adds an entry to the list of detected vulnerable software identifiers for the dependency file.
protected void	addVulnerableSoftwareIdentifiers(Set<Identifier> identifiers) Adds a set of Identifiers to the current list of vulnerable software identifiers.
boolean	contains(EvidenceType type, Confidence confidence) Returns whether or not the collection contains evidence of a specified type and confidence.
boolean	contains(EvidenceType type, Evidence e) Tests if the evidence collection contains the given evidence.
boolean	equals(Object obj) Implementation of the equals method.
File	getActualFile() Gets a reference to the File object.
String	getActualFilePath() Gets the file path of the dependency.
List<String>	getAvailableVersions() Get the value of availableVersions.
String	getDescription() Get the value of description.
String	getDisplayFileName() Returns the file name to display in reports; if no display file name has been set it will default to constructing a name based on the name and version fields, otherwise it will return the actual file name.
String	getEcosystem()
Set<Evidence>	getEvidence() Returns the unmodifiable set of evidence.
Set<Evidence>	getEvidence(EvidenceType type) Returns the unmodifiable set of evidence of the given type.
String	getFileName() Returns the file name of the dependency.
String	getFilePath() Gets the file path of the dependency.
Iterable<Evidence>	getIterator(EvidenceType type, Confidence confidence) Used to iterate over evidence of the specified type and confidence.
String	getLicense() Get the value of license.
String	getMd5sum() Returns the MD5 Checksum of the dependency file.
String	getName()
String	getPackagePath() Returns the package path.
Set<String>	getProductWeightings() Returns an unmodifiable set of product Weightings - a list of terms that are believed to be of higher confidence when also found in another location.
Set<String>	getProjectReferences() Get the unmodifiable set of projectReferences.
Set<Dependency>	getRelatedDependencies() Get the unmodifiable set of relatedDependencies.
String	getSha1sum() Returns the SHA1 Checksum of the dependency.
String	getSha256sum() Returns the SHA256 Checksum of the dependency.
Set<Identifier>	getSoftwareIdentifiers() Returns an unmodifiable set of software identifiers.
Set<Identifier>	getSuppressedIdentifiers() Get the unmodifiable set of suppressedIdentifiers.
Set<Vulnerability>	getSuppressedVulnerabilities() Get an unmodifiable set of suppressedVulnerabilities.
Set<Vulnerability>	getSuppressedVulnerabilities(boolean sorted) Get an unmodifiable, optionally sorted.
Set<String>	getVendorWeightings() Returns an unmodifiable set of vendor Weightings - a list of terms that are believed to be of higher confidence when also found in another location.
String	getVersion()
Set<Vulnerability>	getVulnerabilities() Get the unmodifiable sorted set of vulnerabilities.
Set<Vulnerability>	getVulnerabilities(boolean sorted) Get the unmodifiable list of vulnerabilities; optionally sorted.
Set<Identifier>	getVulnerableSoftwareIdentifiers() Returns an unmodifiable set of vulnerability identifiers.
int	hashCode() Generates the HashCode.
boolean	isVirtual() Returns whether or not this dependency is virtual or not.
void	removeEvidence(EvidenceType type, Evidence e) Removes evidence from the collection.
void	removeRelatedDependencies(Dependency dependency) Removes a related dependency.
void	removeVulnerability(Vulnerability v) Removes the given vulnerability from the list.
void	removeVulnerableSoftwareIdentifier(Identifier i) Removes a vulnerable software identifier from the set of identifiers.
void	setActualFilePath(String actualFilePath) Sets the actual file path of the dependency on disk.
void	setDescription(String description) Set the value of description.
void	setDisplayFileName(String displayName) Sets the file name to display in reports.
void	setEcosystem(String ecosystem)
void	setFileName(String fileName) Sets the file name of the dependency.
void	setFilePath(String filePath) Sets the file path of the dependency.
void	setLicense(String license) Set the value of license.
void	setMd5sum(String md5sum) Sets the MD5 Checksum of the dependency.
void	setName(String name)
void	setPackagePath(String packagePath) Sets the package path.
void	setSha1sum(String sha1sum) Sets the SHA1 Checksum of the dependency.
void	setSha256sum(String sha256sum)
void	setVersion(String version)
int	size() Returns the number of elements in the EvidenceCollection.
String	toString() Standard toString() implementation showing the filename, actualFilePath, and filePath.

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

Dependency

public Dependency()

Constructs a new Dependency object.

Dependency

public Dependency(File file)

Constructs a new Dependency object.

Parameters:

file - the File to create the dependency object from.

Dependency

public Dependency(File file,
                  boolean isVirtual)

Constructs a new Dependency object.

Parameters:

file - the File to create the dependency object from.

isVirtual - specifies if the dependency is virtual indicating the file doesn't actually exist.

Dependency

public Dependency(boolean isVirtual)

Constructs a new Dependency object.

Parameters:

isVirtual - specifies if the dependency is virtual indicating the file doesn't actually exist.

Method Detail

getPackagePath

public String getPackagePath()

Returns the package path.

Returns:

the package path

setPackagePath

public void setPackagePath(String packagePath)

Sets the package path.

Parameters:

packagePath - the package path

getFileName

public String getFileName()

Returns the file name of the dependency.

Returns:

the file name of the dependency

setFileName

public void setFileName(String fileName)

Sets the file name of the dependency.

Parameters:

fileName - the file name of the dependency

getActualFilePath

public String getActualFilePath()

Gets the file path of the dependency.

Returns:

the file path of the dependency

setActualFilePath

public void setActualFilePath(String actualFilePath)

Sets the actual file path of the dependency on disk.

Parameters:

actualFilePath - the file path of the dependency

getActualFile

public File getActualFile()

Gets a reference to the File object.

Returns:

the File object

getDisplayFileName

public String getDisplayFileName()

Returns the file name to display in reports; if no display file name has been set it will default to constructing a name based on the name and version fields, otherwise it will return the actual file name.

Returns:

the file name to display

setDisplayFileName

public void setDisplayFileName(String displayName)

Sets the file name to display in reports.

Parameters:

displayName - the name to display

getFilePath

public String getFilePath()

Gets the file path of the dependency.

NOTE: This may not be the actual path of the file on disk. The actual path of the file on disk can be obtained via the getActualFilePath().

Returns:

the file path of the dependency

setFilePath

public void setFilePath(String filePath)

Sets the file path of the dependency.

Parameters:

filePath - the file path of the dependency

getMd5sum

public String getMd5sum()

Returns the MD5 Checksum of the dependency file.

Returns:

the MD5 Checksum

setMd5sum

public void setMd5sum(String md5sum)

Sets the MD5 Checksum of the dependency.

Parameters:

md5sum - the MD5 Checksum

getSha1sum

public String getSha1sum()

Returns the SHA1 Checksum of the dependency.

Returns:

the SHA1 Checksum

setSha1sum

public void setSha1sum(String sha1sum)

Sets the SHA1 Checksum of the dependency.

Parameters:

sha1sum - the SHA1 Checksum

getSha256sum

public String getSha256sum()

Returns the SHA256 Checksum of the dependency.

Returns:

the SHA256 Checksum of the dependency

setSha256sum

public void setSha256sum(String sha256sum)

getSoftwareIdentifiers

public Set<Identifier> getSoftwareIdentifiers()

Returns an unmodifiable set of software identifiers.

Returns:

an unmodifiable set of software identifiers

getVulnerableSoftwareIdentifiers

public Set<Identifier> getVulnerableSoftwareIdentifiers()

Returns an unmodifiable set of vulnerability identifiers.

Returns:

an unmodifiable set of vulnerability identifiers

addSoftwareIdentifiers

protected void addSoftwareIdentifiers(Set<Identifier> identifiers)

Adds a set of Identifiers to the current list of software identifiers. Only used for testing.

Parameters:

identifiers - A set of Identifiers

addVulnerableSoftwareIdentifiers

protected void addVulnerableSoftwareIdentifiers(Set<Identifier> identifiers)

Adds a set of Identifiers to the current list of vulnerable software identifiers. Only used for testing.

Parameters:

identifiers - A set of Identifiers

addSoftwareIdentifier

public void addSoftwareIdentifier(Identifier identifier)

Adds an entry to the list of detected Identifiers for the dependency file.

Parameters:

identifier - a reference to the identifier to add

addVulnerableSoftwareIdentifier

public void addVulnerableSoftwareIdentifier(Identifier identifier)

Adds an entry to the list of detected vulnerable software identifiers for the dependency file.

Parameters:

identifier - a reference to the identifier to add

removeVulnerableSoftwareIdentifier

public void removeVulnerableSoftwareIdentifier(Identifier i)

Removes a vulnerable software identifier from the set of identifiers.

Parameters:

i - the identifier to remove

addAsEvidence

public void addAsEvidence(String source,
                          MavenArtifact mavenArtifact,
                          Confidence confidence)

Adds the Maven artifact as evidence.

Parameters:

source - The source of the evidence

mavenArtifact - The Maven artifact

confidence - The confidence level of this evidence

getSuppressedIdentifiers

public Set<Identifier> getSuppressedIdentifiers()

Get the unmodifiable set of suppressedIdentifiers.

Returns:

the value of suppressedIdentifiers

addSuppressedIdentifier

public void addSuppressedIdentifier(Identifier identifier)

Adds an identifier to the list of suppressed identifiers.

Parameters:

identifier - an identifier that was suppressed.

getVulnerabilities

public Set<Vulnerability> getVulnerabilities()

Get the unmodifiable sorted set of vulnerabilities.

Returns:

the unmodifiable sorted set of vulnerabilities

getVulnerabilities

public Set<Vulnerability> getVulnerabilities(boolean sorted)

Get the unmodifiable list of vulnerabilities; optionally sorted.

Parameters:

sorted - if true the list will be sorted

Returns:

the unmodifiable list set of vulnerabilities

getSuppressedVulnerabilities

public Set<Vulnerability> getSuppressedVulnerabilities()

Get an unmodifiable set of suppressedVulnerabilities.

Returns:

the unmodifiable sorted set of suppressedVulnerabilities

getSuppressedVulnerabilities

public Set<Vulnerability> getSuppressedVulnerabilities(boolean sorted)

Get an unmodifiable, optionally sorted. set of suppressedVulnerabilities.

Parameters:

sorted - whether or not the set is sorted

Returns:

the unmodifiable sorted set of suppressedVulnerabilities

addSuppressedVulnerability

public void addSuppressedVulnerability(Vulnerability vulnerability)

Adds a vulnerability to the set of suppressed vulnerabilities.

Parameters:

vulnerability - the vulnerability that was suppressed

getDescription

public String getDescription()

Get the value of description.

Returns:

the value of description

setDescription

public void setDescription(String description)

Set the value of description.

Parameters:

description - new value of description

getLicense

public String getLicense()

Get the value of license.

Returns:

the value of license

setLicense

public void setLicense(String license)

Set the value of license.

Parameters:

license - new value of license

getName

public String getName()

Returns:

the name

setName

public void setName(String name)

Parameters:

name - the name to set

addVulnerability

public void addVulnerability(Vulnerability vulnerability)

Adds a vulnerability to the dependency.

Parameters:

vulnerability - a vulnerability

addVulnerabilities

public void addVulnerabilities(List<Vulnerability> vulnerabilities)

Adds a list of vulnerabilities to the dependency.

Parameters:

vulnerabilities - a list of vulnerabilities

removeVulnerability

public void removeVulnerability(Vulnerability v)

Removes the given vulnerability from the list.

Parameters:

v - the vulnerability to remove

getRelatedDependencies

public Set<Dependency> getRelatedDependencies()

Get the unmodifiable set of relatedDependencies. This field is used to collect other dependencies which really represent the same dependency, and may be presented as one item in reports.

Returns:

the unmodifiable set of relatedDependencies

getProjectReferences

public Set<String> getProjectReferences()

Get the unmodifiable set of projectReferences.

Returns:

the unmodifiable set of projectReferences

addProjectReference

public void addProjectReference(String projectReference)

Adds a project reference.

Parameters:

projectReference - a project reference

addAllProjectReferences

public void addAllProjectReferences(Set<String> projectReferences)

Add a collection of project reference.

Parameters:

projectReferences - a set of project references

addRelatedDependency

public void addRelatedDependency(Dependency dependency)

Adds a related dependency.

Parameters:

dependency - a reference to the related dependency

removeRelatedDependencies

public void removeRelatedDependencies(Dependency dependency)

Removes a related dependency.

Parameters:

dependency - the dependency to remove

getAvailableVersions

public List<String> getAvailableVersions()

Get the value of availableVersions.

Returns:

the value of availableVersions

addAvailableVersion

public void addAvailableVersion(String version)

Adds a version to the available version list.

Parameters:

version - the version to add to the list

isVirtual

public boolean isVirtual()

Returns whether or not this dependency is virtual or not. Virtual dependencies are specified during object constructor. No setter.

Returns:

true if Dependency is virtual, false if not

equals

public boolean equals(Object obj)

Implementation of the equals method.

Parameters:

obj - the object to compare

Returns:

true if the objects are equal, otherwise false

hashCode

public int hashCode()

Generates the HashCode.

Returns:

the HashCode

toString

public String toString()

Standard toString() implementation showing the filename, actualFilePath, and filePath.

Returns:

the string representation of the file

addSuppressedVulnerabilities

public void addSuppressedVulnerabilities(List<Vulnerability> vulns)

Add a list of suppressed vulnerabilities to the collection.

Parameters:

vulns - the list of suppressed vulnerabilities to add

getVersion

public String getVersion()

Returns:

the version

setVersion

public void setVersion(String version)

Parameters:

version - the version to set

getEcosystem

public String getEcosystem()

Returns:

the ecosystem

setEcosystem

public void setEcosystem(String ecosystem)

Parameters:

ecosystem - the ecosystem to set

getIterator

public Iterable<Evidence> getIterator(EvidenceType type,
                                      Confidence confidence)

Used to iterate over evidence of the specified type and confidence.

Parameters:

type - the evidence type to iterate over

confidence - the confidence level for the evidence to be iterated over.

Returns:

Iterable<Evidence> an iterable collection of evidence

addEvidence

public void addEvidence(EvidenceType type,
                        Evidence e)

Adds evidence to the collection.

Parameters:

type - the type of evidence (vendor, product, version)

e - Evidence

removeEvidence

public void removeEvidence(EvidenceType type,
                           Evidence e)

Removes evidence from the collection.

Parameters:

type - the type of evidence (vendor, product, version)

e - Evidence.

addEvidence

public void addEvidence(EvidenceType type,
                        String source,
                        String name,
                        String value,
                        Confidence confidence)

Creates an Evidence object from the parameters and adds the resulting object to the evidence collection.

Parameters:

type - the type of evidence (vendor, product, version)

source - the source of the Evidence.

name - the name of the Evidence.

value - the value of the Evidence.

confidence - the confidence of the Evidence.

addVendorWeighting

public void addVendorWeighting(String str)

Adds term to the vendor weighting collection. The terms added here are used later to boost the score of other terms. This is a way of combining evidence from multiple sources to boost the confidence of the given evidence. Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the package names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the Lucene query. That way when we construct the Lucene query we find the term Apache in the collection AND in the weighted strings; as such, we will boost the confidence of the term Apache.

Parameters:

str - to add to the weighting collection.

addProductWeighting

public void addProductWeighting(String str)

Adds term to the product weighting collection. The terms added here are used later to boost the score of other terms. This is a way of combining evidence from multiple sources to boost the confidence of the given evidence. Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the package names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the Lucene query. That way when we construct the Lucene query we find the term Apache in the collection AND in the weighted strings; as such, we will boost the confidence of the term Apache.

Parameters:

str - to add to the weighting collection.

getVendorWeightings

public Set<String> getVendorWeightings()

Returns an unmodifiable set of vendor Weightings - a list of terms that are believed to be of higher confidence when also found in another location.

Returns:

an unmodifiable set of vendor weighting strings

getProductWeightings

public Set<String> getProductWeightings()

Returns an unmodifiable set of product Weightings - a list of terms that are believed to be of higher confidence when also found in another location.

Returns:

an unmodifiable set of vendor weighting strings

getEvidence

public Set<Evidence> getEvidence(EvidenceType type)

Returns the unmodifiable set of evidence of the given type.

Parameters:

type - the type of evidence (vendor, product, version)

Returns:

the unmodifiable set of evidence

getEvidence

public Set<Evidence> getEvidence()

Returns the unmodifiable set of evidence.

Returns:

the unmodifiable set of evidence

contains

public boolean contains(EvidenceType type,
                        Evidence e)

Tests if the evidence collection contains the given evidence.

Parameters:

type - the type of evidence (vendor, product, version)

e - the evidence to search

Returns:

true if the evidence is found; otherwise false

contains

public boolean contains(EvidenceType type,
                        Confidence confidence)

Returns whether or not the collection contains evidence of a specified type and confidence.

Parameters:

type - the type of evidence (vendor, product, version)

confidence - A Confidence value.

Returns:

boolean.

size

public int size()

Returns the number of elements in the EvidenceCollection.

Returns:

the number of elements in the collection.