Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name #5901

Merged
merged 2 commits into from
Oct 5, 2023
Merged

fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name #5901

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e85c587
fix: buestGuess was not actually used in the method except improperly…
aikebah Aug 1, 2023
d8298cf
fix: do not require ecosystem-related words from CPE-product in depen…
aikebah Aug 27, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 26 additions & 5 deletions core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@
import org.apache.lucene.search.ScoreDoc;
import org.apache.lucene.search.TopDocs;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
Expand Down Expand Up @@ -831,7 +832,7 @@ protected boolean determineIdentifiers(Dependency dependency, String vendor, Str
String bestGuessURL = null;
final Set<IdentifierMatch> collected = new HashSet<>();

considerDependencyVersion(dependency, vendor, product, currentConfidence, collected, bestGuess);
considerDependencyVersion(dependency, vendor, product, currentConfidence, collected);

//TODO the following algorithm incorrectly identifies things as a lower version
// if there lower confidence evidence when the current (highest) version number
Expand Down Expand Up @@ -1019,15 +1020,14 @@ private void addExactMatch(Cpe vs, String updateVersion, Confidence conf,
* @param vendor the vendor name
* @param confidence the current confidence level
* @param collected a reference to the identifiers matched
* @param bestGuess the current best guess as to the dependency version
* @throws AnalysisException thrown if aliens attacked and valid input could
* not be used to construct a CPE
* @throws UnsupportedEncodingException thrown if run on a system that
* doesn't support UTF-8
*/
private void considerDependencyVersion(Dependency dependency,
String vendor, String product, Confidence confidence,
final Set<IdentifierMatch> collected, DependencyVersion bestGuess)
final Set<IdentifierMatch> collected)
throws AnalysisException, UnsupportedEncodingException {

if (dependency.getVersion() != null && !dependency.getVersion().isEmpty()) {
Expand All @@ -1037,7 +1037,8 @@ private void considerDependencyVersion(Dependency dependency,
if (dependency.getName() != null && !dependency.getName().isEmpty()) {
final String name = dependency.getName();
for (String word : product.split("[^a-zA-Z0-9]")) {
useDependencyVersion &= name.contains(word) || stopWords.contains(word);
useDependencyVersion &= name.contains(word) || stopWords.contains(word)
|| wordMatchesEcosystem(dependency.getEcosystem(), word);
}
}

Expand All @@ -1055,13 +1056,33 @@ private void considerDependencyVersion(Dependency dependency,
final IdentifierMatch match = new IdentifierMatch(depCpe, url, IdentifierConfidence.EXACT_MATCH, confidence);
collected.add(match);
} catch (CpeValidationException ex) {
throw new AnalysisException(String.format("Unable to create a CPE for %s:%s:%s", vendor, product, bestGuess.toString()));
throw new AnalysisException(String.format("Unable to create a CPE for %s:%s:%s", vendor, product, depVersion));
}
}
}
}
}

/**
* If a CPE product word represents the ecosystem of a dependency it is not required
* to appear in the dependencyName to still consider the CPE product a match.
*
* @param ecosystem The ecosystem of the dependency
* @param word The word from the CPE product to check
* @return {@code true} when the CPE product word is known to match the ecosystem of the dependency
* @implNote This method is not intended to cover every possible case where the ecosystem is represented by the word. It is a
* best-effort attempt to prevent {@link #considerDependencyVersion(Dependency, String, String, Confidence, Set)}
* from not taking an exact-match versioned CPE into account because the ecosystem-related word does not appear in
* the dependencyName. It helps prevent false-positive cases like https://github.com/jeremylong/DependencyCheck/issues/5545
* @see #considerDependencyVersion(Dependency, String, String, Confidence, Set)
*/
private boolean wordMatchesEcosystem(@Nullable String ecosystem, String word) {
if (Ecosystem.JAVA.equalsIgnoreCase(word)) {
return Ecosystem.JAVA.equals(ecosystem);
}
return false;
}

/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
Expand Down