Merge branch 'jeremylong:main' into gitlab-dependency-scan

jeremylong · Oct 9, 2023 · 374b003 · 374b003
2 parents 831357c + 949661b
commit 374b003
Show file tree

Hide file tree

Showing 24 changed files with 140 additions and 103 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -22,7 +22,7 @@ jobs:
         run: |
           cat <(echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}") | gpg --batch --import
           gpg --list-secret-keys --keyid-format LONG
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v3
@@ -126,7 +126,7 @@ jobs:
       DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v3

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -33,7 +33,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -10,7 +10,7 @@ jobs:
   scan:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up JDK 1.8
         id: jdk-8
         uses: actions/setup-java@v3

diff --git a/.github/workflows/false-positive-approvals.yml b/.github/workflows/false-positive-approvals.yml
@@ -20,7 +20,7 @@ jobs:
       github.event.comment.user.login == 'nhumblot')  }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: generatedSuppressions
       - uses: actions/[email protected]

diff --git a/.github/workflows/false-positive-ops.yml b/.github/workflows/false-positive-ops.yml
@@ -32,7 +32,7 @@ jobs:
                 repo: context.repo.repo
               })
               )
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           path: odc
       - name: Parse False Positive Issue

diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
@@ -18,6 +18,6 @@ jobs:
       statuses: write
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5.2.0
+      - uses: amannn/action-semantic-pull-request@v5.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml
@@ -13,7 +13,7 @@ jobs:
       contents: read
     runs-on: ubuntu-latest 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v3
@@ -50,7 +50,7 @@ jobs:
       contents: read
     runs-on: ubuntu-latest 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v3
@@ -90,7 +90,7 @@ jobs:
       pull-requests: write
     name: Audit
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v3

diff --git a/.github/workflows/purge-cache.yml b/.github/workflows/purge-cache.yml
@@ -10,7 +10,7 @@ jobs:
     name: Purge GitHub Cache
     runs-on: ubuntu-latest 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v3

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
         run: |
           cat <(echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}") | gpg --batch --import
           gpg --list-secret-keys --keyid-format LONG
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v3
@@ -142,7 +142,7 @@ jobs:
           path: ~/OWASP-Dependency-Check
           key: docker-repo
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Download release build
         uses: actions/download-artifact@v3
         with:
@@ -164,7 +164,7 @@ jobs:
     needs: build
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Get version
         id: get-version
         run: |
@@ -256,7 +256,7 @@ jobs:
     needs: build
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Download Site
         uses: actions/download-artifact@v3
         with:

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -49,6 +49,7 @@
 import org.apache.lucene.search.ScoreDoc;
 import org.apache.lucene.search.TopDocs;
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
@@ -831,7 +832,7 @@ protected boolean determineIdentifiers(Dependency dependency, String vendor, Str
         String bestGuessURL = null;
         final Set<IdentifierMatch> collected = new HashSet<>();
 
-        considerDependencyVersion(dependency, vendor, product, currentConfidence, collected, bestGuess);
+        considerDependencyVersion(dependency, vendor, product, currentConfidence, collected);
 
         //TODO the following algorithm incorrectly identifies things as a lower version
         // if there lower confidence evidence when the current (highest) version number
@@ -1019,15 +1020,14 @@ private void addExactMatch(Cpe vs, String updateVersion, Confidence conf,
      * @param vendor the vendor name
      * @param confidence the current confidence level
      * @param collected a reference to the identifiers matched
-     * @param bestGuess the current best guess as to the dependency version
      * @throws AnalysisException thrown if aliens attacked and valid input could
      * not be used to construct a CPE
      * @throws UnsupportedEncodingException thrown if run on a system that
      * doesn't support UTF-8
      */
     private void considerDependencyVersion(Dependency dependency,
             String vendor, String product, Confidence confidence,
-            final Set<IdentifierMatch> collected, DependencyVersion bestGuess)
+            final Set<IdentifierMatch> collected)
             throws AnalysisException, UnsupportedEncodingException {
 
         if (dependency.getVersion() != null && !dependency.getVersion().isEmpty()) {
@@ -1037,7 +1037,8 @@ private void considerDependencyVersion(Dependency dependency,
             if (dependency.getName() != null && !dependency.getName().isEmpty()) {
                 final String name = dependency.getName();
                 for (String word : product.split("[^a-zA-Z0-9]")) {
-                    useDependencyVersion &= name.contains(word) || stopWords.contains(word);
+                    useDependencyVersion &= name.contains(word) || stopWords.contains(word)
+                            || wordMatchesEcosystem(dependency.getEcosystem(), word);
                 }
             }
 
@@ -1055,13 +1056,33 @@ private void considerDependencyVersion(Dependency dependency,
                         final IdentifierMatch match = new IdentifierMatch(depCpe, url, IdentifierConfidence.EXACT_MATCH, confidence);
                         collected.add(match);
                     } catch (CpeValidationException ex) {
-                        throw new AnalysisException(String.format("Unable to create a CPE for %s:%s:%s", vendor, product, bestGuess.toString()));
+                        throw new AnalysisException(String.format("Unable to create a CPE for %s:%s:%s", vendor, product, depVersion));
                     }
                 }
             }
         }
     }
 
+    /**
+     * If a CPE product word represents the ecosystem of a dependency it is not required
+     * to appear in the dependencyName to still consider the CPE product a match.
+     *
+     * @param ecosystem The ecosystem of the dependency
+     * @param word       The word from the CPE product to check
+     * @return {@code true} when the CPE product word is known to match the ecosystem of the dependency
+     * @implNote This method is not intended to cover every possible case where the ecosystem is represented by the word. It is a
+     * best-effort attempt to prevent {@link #considerDependencyVersion(Dependency, String, String, Confidence, Set)}
+     * from not taking an exact-match versioned CPE into account because the ecosystem-related word does not appear in
+     * the dependencyName. It helps prevent false-positive cases like https://github.com/jeremylong/DependencyCheck/issues/5545
+     * @see #considerDependencyVersion(Dependency, String, String, Confidence, Set)
+     */
+    private boolean wordMatchesEcosystem(@Nullable String ecosystem, String word) {
+        if (Ecosystem.JAVA.equalsIgnoreCase(word)) {
+            return Ecosystem.JAVA.equals(ecosystem);
+        }
+        return false;
+    }
+
     /**
      * <p>
      * Returns the setting key to determine if the analyzer is enabled.</p>

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -198,7 +198,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
             for (VendorDuplicatingHintRule dhr : vendorHints) {
                 if (dhr.getValue().equalsIgnoreCase(e.getValue())) {
                     dependency.addEvidence(EvidenceType.VENDOR, new Evidence(e.getSource() + " (hint)",
-                            e.getName(), dhr.getDuplicate(), e.getConfidence()));
+                            e.getName(), dhr.getDuplicate(), e.getConfidence(), true));
                 }
             }
         }

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PipAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PipAnalyzer.java
@@ -74,7 +74,7 @@ public class PipAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * o * Matches AC_INIT variables in the output configure script.
      */
-    private static final Pattern PACKAGE_VERSION = Pattern.compile("^([^#].*?)(?:[=>]=([\\.\\*0-9]+?))?$", Pattern.MULTILINE);
+    private static final Pattern PACKAGE_VERSION = Pattern.compile("^([^#].*?)(?:[=~>]=([\\.\\*0-9]+?))?$", Pattern.MULTILINE);
 
     /**
      * The file filter used to determine which files this analyzer supports.

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzer.java
@@ -81,7 +81,7 @@ public class PipfileAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * o * Matches AC_INIT variables in the output configure script.
      */
-    private static final Pattern PACKAGE_VERSION = Pattern.compile("^([^#].*?) = \"(?:[=>]=([\\.\\*0-9]+?))?\"$", Pattern.MULTILINE);
+    private static final Pattern PACKAGE_VERSION = Pattern.compile("^([^#].*?) = \"(?:[=~>]=([\\.\\*0-9]+?))?\"$", Pattern.MULTILINE);
 
     /**
      * The file filter used to determine which files this analyzer supports.

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java
@@ -136,7 +136,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
         final Set<Evidence> remove;
         if (dependency.getVersion() != null) {
             remove = dependency.getEvidence(EvidenceType.VERSION).stream()
-                    .filter(e -> !dependency.getVersion().equals(e.getValue()))
+                    .filter(e -> !e.isFromHint() && !dependency.getVersion().equals(e.getValue()))
                     .collect(Collectors.toSet());
         } else {
             remove = new HashSet<>();
@@ -165,7 +165,8 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
                     LOGGER.debug("filtering evidence from {}", dependency.getFileName());
 
                     for (Evidence e : dependency.getEvidence(EvidenceType.VERSION)) {
-                        if (!(pomMatch && VERSION.equals(e.getName())
+                        if (!e.isFromHint()
+                                && !(pomMatch && VERSION.equals(e.getName())
                                 && (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource())))
                                 && !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource()))
                                 && !(manifestMatch && MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName()))) {

diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
@@ -59,6 +59,11 @@ public class Evidence implements Serializable, Comparable<Evidence> {
      */
     private Confidence confidence;
 
+    /**
+     * Whether the evidence originates from a hint.
+     */
+    private boolean fromHint;
+
     /**
      * Creates a new Evidence object.
      */
@@ -74,10 +79,24 @@ public Evidence() {
      * @param confidence the confidence of the evidence.
      */
     public Evidence(String source, String name, String value, Confidence confidence) {
+        this(source, name, value, confidence, false);
+    }
+
+    /**
+     * Creates a new Evidence objects.
+     *
+     * @param source     the source of the evidence.
+     * @param name       the name of the evidence.
+     * @param value      the value of the evidence.
+     * @param confidence the confidence of the evidence.
+     * @param fromHint whether the evidence was introduced by a hint.
+     */
+    public Evidence(String source, String name, String value, Confidence confidence, boolean fromHint) {
         this.source = source;
         this.name = name;
         this.value = value;
         this.confidence = confidence;
+        this.fromHint = fromHint;
     }
 
     /**
@@ -152,6 +171,24 @@ public void setConfidence(Confidence confidence) {
         this.confidence = confidence;
     }
 
+    /**
+     * Get the value of fromHint.
+     *
+     * @return the value of fromHint
+     */
+    public boolean isFromHint() {
+        return fromHint;
+    }
+
+    /**
+     * Set the value of fromHint.
+     *
+     * @param fromHint new value of fromHint
+     */
+    public void setFromHint(boolean fromHint) {
+        this.fromHint = fromHint;
+    }
+
     /**
      * Implements the hashCode for Evidence.
      *
@@ -187,6 +224,7 @@ public boolean equals(Object obj) {
                 .append(this.name == null ? null : this.name.toLowerCase(), o.name == null ? null : o.name.toLowerCase())
                 .append(this.value == null ? null : this.value.toLowerCase(), o.value == null ? null : o.value.toLowerCase())
                 .append(this.confidence, o.getConfidence())
+                .append(this.fromHint, o.isFromHint())
                 .build();
     }
 
@@ -196,14 +234,14 @@ public boolean equals(Object obj) {
      * @param o the evidence being compared
      * @return an integer indicating the ordering of the two objects
      */
-    @SuppressWarnings("deprecation")
     @Override
     public int compareTo(@NotNull Evidence o) {
         return new CompareToBuilder()
                 .append(this.source == null ? null : this.source.toLowerCase(), o.source == null ? null : o.source.toLowerCase())
                 .append(this.name == null ? null : this.name.toLowerCase(), o.name == null ? null : o.name.toLowerCase())
                 .append(this.value == null ? null : this.value.toLowerCase(), o.value == null ? null : o.value.toLowerCase())
                 .append(this.confidence, o.getConfidence())
+                .append(this.fromHint, o.isFromHint())
                 .toComparison();
     }
 
@@ -214,6 +252,7 @@ public int compareTo(@NotNull Evidence o) {
      */
     @Override
     public String toString() {
-        return "Evidence{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence + '}';
+        return "Evidence{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence
+                + ", fromHint=" + fromHint + '}';
     }
 }
diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java b/core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
@@ -147,7 +147,7 @@ public List<EvidenceMatcher> getGivenVendor() {
      * @param confidence the confidence of the evidence
      */
     public void addAddProduct(String source, String name, String value, Confidence confidence) {
-        addProduct.add(new Evidence(source, name, value, confidence));
+        addProduct.add(new Evidence(source, name, value, confidence, true));
     }
 
     /**
@@ -168,7 +168,7 @@ public List<Evidence> getAddProduct() {
      * @param confidence the confidence of the evidence
      */
     public void addAddVersion(String source, String name, String value, Confidence confidence) {
-        addVersion.add(new Evidence(source, name, value, confidence));
+        addVersion.add(new Evidence(source, name, value, confidence, true));
     }
 
     /**
@@ -189,7 +189,7 @@ public List<Evidence> getAddVersion() {
      * @param confidence the confidence of the evidence
      */
     public void addAddVendor(String source, String name, String value, Confidence confidence) {
-        addVendor.add(new Evidence(source, name, value, confidence));
+        addVendor.add(new Evidence(source, name, value, confidence, true));
     }
 
     /**