Class DependencyBundlingAnalyzer

java.lang.Object
org.owasp.dependencycheck.analyzer.AbstractAnalyzer
org.owasp.dependencycheck.analyzer.AbstractDependencyComparingAnalyzer
org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer
All Implemented Interfaces:
Analyzer
@ThreadSafe public class DependencyBundlingAnalyzer extends AbstractDependencyComparingAnalyzer

This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the same relative path then these should be grouped into a single dependency under the core/main library.

Note, this grouping only works on dependencies with identified CVE entries

Author:
Jeremy Long

  • Constructor Details

    • DependencyBundlingAnalyzer

      public DependencyBundlingAnalyzer()

  • Method Details

    • getName

      public String getName()
      Returns the name of the analyzer.
      Returns:
      the name of the analyzer.

    • getAnalysisPhase

      public AnalysisPhase getAnalysisPhase()
      Returns the phase that the analyzer is intended to run in.
      Returns:
      the phase that the analyzer is intended to run in.

    • getAnalyzerEnabledSettingKey

      protected String getAnalyzerEnabledSettingKey()

      Returns the setting key to determine if the analyzer is enabled.

      Specified by:
      getAnalyzerEnabledSettingKey in class AbstractAnalyzer
      Returns:
      the key for the analyzer's enabled property

    • evaluateDependencies

      protected boolean evaluateDependencies(Dependency dependency, Dependency nextDependency, Set<Dependency> dependenciesToRemove)
      Evaluates the dependencies
      Specified by:
      evaluateDependencies in class AbstractDependencyComparingAnalyzer
      Parameters:
      dependency - a dependency to compare
      nextDependency - a dependency to compare
      dependenciesToRemove - a set of dependencies that will be removed
      Returns:
      true if a dependency is removed; otherwise false

    • mergeDependencies

      public static void mergeDependencies(Dependency dependency, Dependency relatedDependency, Set<Dependency> dependenciesToRemove)
      Adds the relatedDependency to the dependency's related dependencies.
      Parameters:
      dependency - the main dependency
      relatedDependency - a collection of dependencies to be removed from the main analysis loop, this is the source of dependencies to remove
      dependenciesToRemove - a collection of dependencies that will be removed from the main analysis loop, this function adds to this collection

    • mergeDependencies

      public static void mergeDependencies(Dependency dependency, Dependency relatedDependency, Set<Dependency> dependenciesToRemove, boolean copyVulnsAndIds)
      Adds the relatedDependency to the dependency's related dependencies.
      Parameters:
      dependency - the main dependency
      relatedDependency - a collection of dependencies to be removed from the main analysis loop, this is the source of dependencies to remove
      dependenciesToRemove - a collection of dependencies that will be removed from the main analysis loop, this function adds to this collection
      copyVulnsAndIds - whether or not identifiers and vulnerabilities are copied

    • isCore

      protected boolean isCore(Dependency left, Dependency right)
      This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the 'right' library.
      Parameters:
      left - the dependency to test
      right - the dependency to test against
      Returns:
      a boolean indicating whether or not the left dependency should be considered the "core" version.

    • isWebJar

      protected boolean isWebJar(Dependency dependency, Dependency nextDependency)
      Determines if a JS file is from a webjar dependency.
      Parameters:
      dependency - the first dependency to compare
      nextDependency - the second dependency to compare
      Returns:
      true if the dependency is a web jar and the next dependency is a JS file from the web jar; otherwise false

    • isShadedJar

      protected boolean isShadedJar(Dependency dependency, Dependency nextDependency)
      Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml dependency should be removed.
      Parameters:
      dependency - a dependency to check
      nextDependency - another dependency to check
      Returns:
      true if on of the dependencies is a pom.xml and the identifiers between the two collections match; otherwise false

    • firstPathIsShortest

      public static boolean firstPathIsShortest(String left, String right)
      Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to determine if the first path is smaller.
      Parameters:
      left - the first path to compare
      right - the second path to compare
      Returns:
      true if the leftPath is the shortest; otherwise false

    • npmVersionsMatch

      public static boolean npmVersionsMatch(String current, String next)
      Determine if the dependency version is equal in the given dependencies. This method attempts to evaluate version range checks.
      Parameters:
      current - a dependency version to compare
      next - a dependency version to compare
      Returns:
      true if the version is equal in both dependencies; otherwise false