@Override public int compareTo(Object _o) { VulnerableDependency other = null; if(_o instanceof VulnerableDependency) other = (VulnerableDependency)_o; else throw new IllegalArgumentException(); final int filename_comparison = this.getDep().getFilename().compareTo(other.getDep().getFilename()); final int bugid_comparison = this.getBug().getBugId().compareTo(other.getBug().getBugId()); if(filename_comparison!=0) return filename_comparison; else return bugid_comparison; }
public String getResultAsString() { final StringBuilder builder = new StringBuilder(); // Explanatory text if(exceptionThreshold.equalsIgnoreCase(THRESHOLD_DEP_ON)) builder.append("The application depends on the following vulnerable archives: "); else if(exceptionThreshold.equalsIgnoreCase(THRESHOLD_POT_EXE)) builder.append("The application potentially executes vulnerable code of the following vulnerable archives (or reachability was not checked): "); else if(exceptionThreshold.equalsIgnoreCase(THRESHOLD_ACT_EXE)) builder.append("The application actually executes vulnerable code of the following vulnerable archives (or no tests were run): "); // Will it result in a build exception? int i = 0; for(AggregatedVuln v: this.vulnsAboveThreshold) { for(VulnerableDependency analysis: v.getAnalyses()) { if(analysis.isThrowsException()) { builder.append(System.getProperty("line.separator")).append(" ").append(++i).append(": "); builder.append("[filename=").append(v.filename); builder.append(", scope=").append(analysis.getDep().getScope()); builder.append(", transitive=").append(analysis.getDep().getTransitive()); builder.append(", wellknownSha1=").append(analysis.getDep().getLib().isWellknownDigest()); builder.append(", isAffectedVersionConfirmed=").append(analysis.isAffectedVersionConfirmed()); builder.append(", bug=").append(v.bug.getBugId()).append("]"); } } } return builder.toString(); }
/** * Returns true of the given set of dependencies already contains a {@link Dependency} with the same library' digest, parent and relativePath, false otherwise. * * @param _deps * @param _dep * @return */ public static Dependency getDependency(Set<Dependency> _deps, Dependency _dep) { for(Dependency d: _deps) { if(d.getLib().equals(_dep.getLib()) && d.getParent().equalLibParentRelPath(_dep.getParent()) && d.getRelativePath().equals(_dep.getRelativePath())) { return d; } } return null; }
final Dependency dep = new Dependency(); dep.setLib(pack.getLibrary()); dep.setApp(this.getApplication()); final Path download_path = pack.getDownloadPath(); if(download_path!=null) { dep.setFilename(download_path.getFileName().toString()); dep.setPath(download_path.toString()); dep.setDeclared(true); dep.setScope(Scope.RUNTIME); dep.setTransitive( (prj_package!=null && prj_package.requires(pack) ? false : true) ); final Dependency dep = new Dependency(); dep.setLib(nested_lib); dep.setApp(this.getApplication()); final Path archive_path = paa.getArchivePath(); if(archive_path!=null) { dep.setFilename(archive_path.getFileName().toString()); dep.setPath(archive_path.toString()); dep.setDeclared(false); // Nested in one of the above packages dep.setScope(Scope.RUNTIME); dep.setTransitive(true);
dep = new Dependency(this.goal.getGoalContext().getApplication(), lib, Scope.valueOf(a.getScope().toUpperCase()), !direct_artifacts.contains(a), null, a.getFile().toPath().toString()); dep_for_path.put(a.getFile().toPath(), dep); getLog().info("Dependency [" + StringUtil.padLeft(++count, 4) + "]: Dependency [libid=" + dep.getLib().getLibraryId() + ", path " + a.getFile().getPath() + ", direct=" + direct_artifacts.contains(a) + ", scope=" + dep.getScope() + "] created for Maven artifact [g=" + a.getGroupId() + ", a=" + a.getArtifactId() + ", base version=" + a.getBaseVersion() + ", version=" + a.getVersion() + ", classifier=" + a.getClassifier() + "]"); getLog().info(" " + this.trailToString(a.getDependencyTrail(), " => "));
final AggregatedVuln new_av = new AggregatedVuln(v.getDep().getLib().getDigest(), v.getDep().getFilename(), v.getBug()); final AggregatedVuln added_av = this.update(this.vulns, new_av); if(v.getDep().getLib().getLibraryId()!=null && this.isAmongAggregatedModules(v.getDep().getLib().getLibraryId())) log.warn("Skipping [" + v.getBug().getBugId() + "] for dependency of " + prj + " on " + v.getDep().getLib().getLibraryId() + ", the latter is one of the aggregated modules"); else added_av.addAnalysis(v);
if(dep.getPath()!=null && Paths.get(dep.getPath()).toFile().canRead()) { final Set<MaliciousnessAnalysisResult> results = loop.isMalicious(Paths.get(dep.getPath()).toFile()); final Library lib = dep.getLib(); if(lib!=null) { if(lib.hasValidDigest()) { BackendConnector.getInstance().uploadLibrary(lib); if(CoreConfiguration.isJarUploadEnabled()) BackendConnector.getInstance().uploadLibraryFile(lib.getDigest(), Paths.get(dep.getPath()));
int blacklisted_deps_count = 0; for(Dependency dep: deps) { if(dep.getScope()!=null) { for(String scope: scopes) { if(scope.equalsIgnoreCase(dep.getScope().toString())) { this.blacklistedJars.add(dep.getFilename()); blacklisted_deps_count++; break;
@Override public String toString() { final StringBuffer b = new StringBuffer(); b.append("[app=").append(this.app.toString()).append(", lib=").append(this.lib.toString()).append(", filename=").append(this.filename).append(", scope=").append(this.scope).append(", trans=").append(this.getTransitive()).append("]"); return b.toString(); } }
/** * Returns true if the given analysis will not lead to a build exception according to the * configured scope blacklists and excluded bugs. * @param _a * @param _excl_scopes * @param _excl_bugs * @return */ private boolean isIgnoredForBuildException(VulnerableDependency _a, String _bugid) { return (this.excludedScopes!=null && _a.getDep().getScope()!=null && this.excludedScopes.contains(_a.getDep().getScope().toString(), ComparisonMode.EQUALS, CaseSensitivity.CASE_INSENSITIVE)) || (this.excludedBugs!=null && this.excludedBugs.contains(_bugid, ComparisonMode.EQUALS, CaseSensitivity.CASE_INSENSITIVE)) || (this.ignoreUnassessed(_a)); }
dep = mgr.getMavenDependency(ja.getPath()); final Dependency new_dep = new Dependency(); new_dep.setLib(ja.getLibrary()); new_dep.setApp(this.getApplication()); new_dep.setFilename(ja.getFileName()); new_dep.setPath(ja.getPath().toString()); new_dep.setScope( (dep!=null ? dep.getScope() : Scope.RUNTIME) ); new_dep.setTransitive( (ja.getParent()!= null? new Boolean(true) :(dep!=null ? new Boolean(dep.getTransitive()) : new Boolean(false)) ) ); new_dep.setDeclared( ((dep!=null && ja.getParent()==null) ? new Boolean(true): new Boolean(false)) );
/** * Returns the {@link Dependency} for the given {@link Library}, null if no such dependency exists. * * @param _deps * @param _lib * @return */ public static Dependency getLibraryDependency(Set<Dependency> _deps, Library _lib) { for(Dependency d: _deps) { if(d.getLib().equals(_lib)) { return d; } } return null; }
/** * Returns a set of dependencies such that every {@link Dependency} points to a different {@link Library}. * This is needed because {@link Dependency#equals(Object)} considers all kinds of members of {@link Dependency}, while * the relational database table storing dependencies does not. * * @param _deps * @param _lib * @return */ public static Set<Dependency> removeDuplicateLibraryDependencies(Collection<Dependency> _deps) { final Set<Dependency> clean_set = new HashSet<Dependency>(); if(_deps!=null) { for(Dependency d: _deps) { final Dependency existing_dep = DependencyUtil.getLibraryDependency(clean_set, d.getLib()); if(existing_dep==null) { clean_set.add(d); } else { log.warn("Dependency " + d + " removed from set, one on the same library already exists: " + existing_dep); } } } return clean_set; }
private boolean ignoreUnassessed(VulnerableDependency _a) { if(this.ignoreUnassessed.equalsIgnoreCase(IGN_UNASS_OFF)) return false; else if(this.ignoreUnassessed.equalsIgnoreCase(IGN_UNASS_ALL)) return !_a.isAffectedVersionConfirmed(); else return !_a.isAffectedVersionConfirmed() && _a.getDep().getLib().isWellknownDigest(); }
ja.setLibraryId(this.getMavenDependency(p).getLib().getLibraryId());
.getVulnDeps(Boolean.valueOf(true)); for (VulnerableDependency vd : unconfirmedBugs) { if (vd.getDep().getLib().getLibraryId() != null) { if (!contained.contains(vd.getBug().getBugId())) { bugsToAnalyze.add(new Bug(vd.getBug().getBugId(), null));
if(a.getLibraryId()!=null && dep.getLib()!=null && dep.getLib().getLibraryId()!=null) { if(a.getLibraryId().equals(dep.getLib().getLibraryId())) { else if(a.getLib()!=null && a.getLib()==dep.getLib()){ if(a.getSource() == AffectedVersionSource.MANUAL){ this.setAffectedVersion((a.getAffected())?1:0); System.out.println("affectedLib with both LIB: " + a.getLib() + " , and LIBID: " + dep.getLib());