Class Dependency

java.lang.Object
org.owasp.dependencycheck.dependency.Dependency
All Implemented Interfaces:
Serializable

@ThreadSafe public class Dependency extends Object implements Serializable
A program dependency. This object is one of the core components within DependencyCheck. It is used to collect information about the dependency in the form of evidence. The evidence is then used to determine whether there are any known, published vulnerabilities associated with the program dependency.
Author:
Jeremy Long
  • Field Details

    • NAME_COMPARATOR

      public static final Comparator<Dependency> NAME_COMPARATOR
      Simple sorting by display file name and actual file path.
  • Constructor Details

    • Dependency

      public Dependency()
      Constructs a new Dependency object.
    • Dependency

      public Dependency(File file)
      Constructs a new Dependency object.
      Parameters:
      file - the File to create the dependency object from.
    • Dependency

      public Dependency(File file, boolean isVirtual)
      Constructs a new Dependency object.
      Parameters:
      file - the File to create the dependency object from.
      isVirtual - specifies whether the dependency is virtual, indicating that the file doesn't actually exist on disk.
    • Dependency

      public Dependency(boolean isVirtual)
      Constructs a new Dependency object.
      Parameters:
      isVirtual - specifies whether the dependency is virtual, indicating that the file doesn't actually exist on disk.
  • Method Details

    • getPackagePath

      public String getPackagePath()
      Returns the package path.
      Returns:
      the package path
    • setPackagePath

      public void setPackagePath(String packagePath)
      Sets the package path.
      Parameters:
      packagePath - the package path
    • getFileName

      public String getFileName()
      Returns the file name of the dependency.
      Returns:
      the file name of the dependency
    • setFileName

      public void setFileName(String fileName)
      Sets the file name of the dependency.
      Parameters:
      fileName - the file name of the dependency
    • getActualFilePath

      public String getActualFilePath()
      Gets the file path of the dependency.
      Returns:
      the file path of the dependency
    • setActualFilePath

      public void setActualFilePath(String actualFilePath)
      Sets the actual file path of the dependency on disk.
      Parameters:
      actualFilePath - the file path of the dependency
    • getActualFile

      public File getActualFile()
      Gets a reference to the File object.
      Returns:
      the File object
    • getDisplayFileName

      public String getDisplayFileName()
      Returns the file name to display in reports; if no display file name has been set it will default to constructing a name based on the name and version fields, otherwise it will return the actual file name.
      Returns:
      the file name to display
    • setDisplayFileName

      public void setDisplayFileName(String displayName)
      Sets the file name to display in reports.
      Parameters:
      displayName - the name to display
    • getFilePath

      public String getFilePath()

      Gets the file path of the dependency.

      NOTE: This may not be the actual path of the file on disk. The actual path of the file on disk can be obtained via getActualFilePath().

      Returns:
      the file path of the dependency
    • setFilePath

      public void setFilePath(String filePath)
      Sets the file path of the dependency.
      Parameters:
      filePath - the file path of the dependency
    • getMd5sum

      public String getMd5sum()
      Returns the MD5 Checksum of the dependency file.
      Returns:
      the MD5 Checksum
    • setMd5sum

      public void setMd5sum(String md5sum)
      Sets the MD5 Checksum of the dependency.
      Parameters:
      md5sum - the MD5 Checksum
    • getSha1sum

      public String getSha1sum()
      Returns the SHA1 Checksum of the dependency.
      Returns:
      the SHA1 Checksum
    • setSha1sum

      public void setSha1sum(String sha1sum)
      Sets the SHA1 Checksum of the dependency.
      Parameters:
      sha1sum - the SHA1 Checksum
    • getSha256sum

      public String getSha256sum()
      Returns the SHA256 Checksum of the dependency.
      Returns:
      the SHA256 Checksum of the dependency
    • setSha256sum

      public void setSha256sum(String sha256sum)
      Sets the SHA256 Checksum of the dependency.
      Parameters:
      sha256sum - the SHA256 Checksum
    • getSoftwareIdentifiers

      public Set<Identifier> getSoftwareIdentifiers()
      Returns an unmodifiable set of software identifiers.
      Returns:
      an unmodifiable set of software identifiers
    • getVulnerableSoftwareIdentifiers

      public Set<Identifier> getVulnerableSoftwareIdentifiers()
      Returns an unmodifiable set of vulnerable software identifiers.
      Returns:
      an unmodifiable set of vulnerable software identifiers
    • getVulnerableSoftwareIdentifiersCount

      public int getVulnerableSoftwareIdentifiersCount()
      Returns the count of vulnerable software identifiers.
      Returns:
      the count of vulnerable software identifiers
    • hasKnownExploitedVulnerability

      public boolean hasKnownExploitedVulnerability()
      Returns true if the dependency has a known exploited vulnerability.
      Returns:
      true if the dependency has a known exploited vulnerability; otherwise false.
    • addSoftwareIdentifiers

      protected void addSoftwareIdentifiers(Set<Identifier> identifiers)
      Adds a set of Identifiers to the current list of software identifiers. Only used for testing.
      Parameters:
      identifiers - A set of Identifiers
    • addVulnerableSoftwareIdentifiers

      protected void addVulnerableSoftwareIdentifiers(Set<Identifier> identifiers)
      Adds a set of Identifiers to the current list of vulnerable software identifiers. Only used for testing.
      Parameters:
      identifiers - A set of Identifiers
    • addSoftwareIdentifier

      public void addSoftwareIdentifier(Identifier identifier)
      Adds an entry to the list of detected Identifiers for the dependency file.
      Parameters:
      identifier - a reference to the identifier to add
    • addVulnerableSoftwareIdentifier

      public void addVulnerableSoftwareIdentifier(Identifier identifier)
      Adds an entry to the list of detected vulnerable software identifiers for the dependency file.
      Parameters:
      identifier - a reference to the identifier to add
    • removeVulnerableSoftwareIdentifier

      public void removeVulnerableSoftwareIdentifier(Identifier i)
      Removes a vulnerable software identifier from the set of identifiers.
      Parameters:
      i - the identifier to remove
    • addAsEvidence

      public void addAsEvidence(String source, MavenArtifact mavenArtifact, Confidence confidence)
      Adds the Maven artifact as evidence.
      Parameters:
      source - The source of the evidence
      mavenArtifact - The Maven artifact
      confidence - The confidence level of this evidence
    • getSuppressedIdentifiers

      public Set<Identifier> getSuppressedIdentifiers()
      Get the unmodifiable set of suppressedIdentifiers.
      Returns:
      the value of suppressedIdentifiers
    • addSuppressedIdentifier

      public void addSuppressedIdentifier(Identifier identifier)
      Adds an identifier to the list of suppressed identifiers.
      Parameters:
      identifier - an identifier that was suppressed.
    • getVulnerabilities

      public Set<Vulnerability> getVulnerabilities()
      Get the unmodifiable sorted set of vulnerabilities.
      Returns:
      the unmodifiable sorted set of vulnerabilities
    • getVulnerabilities

      public Set<Vulnerability> getVulnerabilities(boolean sorted)
      Get the unmodifiable set of vulnerabilities, optionally sorted.
      Parameters:
      sorted - if true the set will be sorted
      Returns:
      the unmodifiable, optionally sorted, set of vulnerabilities
    • getVulnerabilitiesCount

      public int getVulnerabilitiesCount()
      Get vulnerability count.
      Returns:
      the count of vulnerabilities
    • getSuppressedVulnerabilities

      public Set<Vulnerability> getSuppressedVulnerabilities()
      Get an unmodifiable set of suppressedVulnerabilities.
      Returns:
      the unmodifiable sorted set of suppressedVulnerabilities
    • getSuppressedVulnerabilities

      public Set<Vulnerability> getSuppressedVulnerabilities(boolean sorted)
      Get an unmodifiable, optionally sorted, set of suppressedVulnerabilities.
      Parameters:
      sorted - whether or not the set is sorted
      Returns:
      the unmodifiable, optionally sorted, set of suppressedVulnerabilities
    • addSuppressedVulnerability

      public void addSuppressedVulnerability(Vulnerability vulnerability)
      Adds a vulnerability to the set of suppressed vulnerabilities.
      Parameters:
      vulnerability - the vulnerability that was suppressed
    • getDescription

      public String getDescription()
      Get the value of description.
      Returns:
      the value of description
    • setDescription

      public void setDescription(String description)
      Set the value of description.
      Parameters:
      description - new value of description
    • getLicense

      public String getLicense()
      Get the value of license.
      Returns:
      the value of license
    • setLicense

      public void setLicense(String license)
      Set the value of license.
      Parameters:
      license - new value of license
    • getName

      public String getName()
      Returns the name of the dependency.
      Returns:
      the name
    • setName

      public void setName(String name)
      Sets the name of the dependency.
      Parameters:
      name - the name to set
    • addVulnerability

      public void addVulnerability(Vulnerability vulnerability)
      Adds a vulnerability to the dependency.
      Parameters:
      vulnerability - a vulnerability
    • addVulnerabilities

      public void addVulnerabilities(List<Vulnerability> vulnerabilities)
      Adds a list of vulnerabilities to the dependency.
      Parameters:
      vulnerabilities - a list of vulnerabilities
    • removeVulnerability

      public void removeVulnerability(Vulnerability v)
      Removes the given vulnerability from the list.
      Parameters:
      v - the vulnerability to remove
    • getRelatedDependencies

      public Set<Dependency> getRelatedDependencies()
      Get the unmodifiable set of relatedDependencies. This field is used to collect other dependencies which really represent the same dependency, and may be presented as one item in reports.
      Returns:
      the unmodifiable set of relatedDependencies
    • clearRelatedDependencies

      public void clearRelatedDependencies()
      Clears the relatedDependencies.
    • getIncludedBy

      public Set<IncludedByReference> getIncludedBy()
      Get the unmodifiable set of includedBy (the list of parents of this transitive dependency).
      Returns:
      the unmodifiable set of includedBy
    • addIncludedBy

      public void addIncludedBy(String includedBy)
      Adds the parent or root of the transitive dependency chain (i.e., this was included by the parent dependency X).
      Parameters:
      includedBy - a project reference
    • addIncludedBy

      public void addIncludedBy(String includedBy, String type)
      Adds the parent or root of the transitive dependency chain (i.e., this was included by the parent dependency X).
      Parameters:
      includedBy - a project reference
      type - the type of project reference (e.g., 'plugins', 'buildEnv')
    • addAllIncludedBy

      public void addAllIncludedBy(Set<IncludedByReference> includedBy)
      Adds a set of project references.
      Parameters:
      includedBy - a set of project references
    • getProjectReferences

      public Set<String> getProjectReferences()
      Get the unmodifiable set of projectReferences.
      Returns:
      the unmodifiable set of projectReferences
    • addProjectReference

      public void addProjectReference(String projectReference)
      Adds a project reference.
      Parameters:
      projectReference - a project reference
    • addAllProjectReferences

      public void addAllProjectReferences(Set<String> projectReferences)
      Adds a collection of project references.
      Parameters:
      projectReferences - a set of project references
    • addRelatedDependency

      public void addRelatedDependency(Dependency dependency)
      Adds a related dependency.
      Parameters:
      dependency - a reference to the related dependency
    • removeRelatedDependencies

      public void removeRelatedDependencies(Dependency dependency)
      Removes a related dependency.
      Parameters:
      dependency - the dependency to remove
    • getAvailableVersions

      public List<String> getAvailableVersions()
      Get the value of availableVersions.
      Returns:
      the value of availableVersions
    • addAvailableVersion

      public void addAvailableVersion(String version)
      Adds a version to the available version list.
      Parameters:
      version - the version to add to the list
    • isVirtual

      public boolean isVirtual()
      Returns whether this dependency is virtual. Whether a dependency is virtual is fixed in the constructor; there is no setter.
      Returns:
      true if Dependency is virtual, false if not
    • equals

      public boolean equals(Object obj)
      Implementation of the equals method.
      Parameters:
      obj - the object to compare
      Returns:
      true if the objects are equal, otherwise false
    • hashCode

      public int hashCode()
      Generates the HashCode.
      Returns:
      the HashCode
    • toString

      public String toString()
      Standard toString() implementation showing the filename, actualFilePath, and filePath.
      Returns:
      the string representation of the file
    • addSuppressedVulnerabilities

      public void addSuppressedVulnerabilities(List<Vulnerability> vulns)
      Add a list of suppressed vulnerabilities to the collection.
      Parameters:
      vulns - the list of suppressed vulnerabilities to add
    • getVersion

      public String getVersion()
      Returns the version of the dependency.
      Returns:
      the version
    • setVersion

      public void setVersion(String version)
      Sets the version of the dependency.
      Parameters:
      version - the version to set
    • getEcosystem

      public String getEcosystem()
      Returns the ecosystem of the dependency.
      Returns:
      the ecosystem
    • setEcosystem

      public void setEcosystem(String ecosystem)
      Sets the ecosystem of the dependency.
      Parameters:
      ecosystem - the ecosystem to set
    • getIterator

      public Iterable<Evidence> getIterator(EvidenceType type, Confidence confidence)
      Used to iterate over evidence of the specified type and confidence.
      Parameters:
      type - the evidence type to iterate over
      confidence - the confidence level for the evidence to be iterated over.
      Returns:
      an iterable collection of evidence of the given type and confidence
    • addEvidence

      public void addEvidence(EvidenceType type, Evidence e)
      Adds evidence to the collection.
      Parameters:
      type - the type of evidence (vendor, product, version)
      e - the evidence to add
    • removeEvidence

      public void removeEvidence(EvidenceType type, Evidence e)
      Removes evidence from the collection.
      Parameters:
      type - the type of evidence (vendor, product, version)
      e - the evidence to remove
    • addEvidence

      public void addEvidence(EvidenceType type, String source, String name, String value, Confidence confidence)
      Creates an Evidence object from the parameters and adds the resulting object to the evidence collection.
      Parameters:
      type - the type of evidence (vendor, product, version)
      source - the source of the Evidence.
      name - the name of the Evidence.
      value - the value of the Evidence.
      confidence - the confidence of the Evidence.
    • addVendorWeighting

      public void addVendorWeighting(String str)
      Adds a term to the vendor weighting collection. The terms added here are used later to boost the score of other terms. This is a way of combining evidence from multiple sources to boost the confidence of the given evidence. Example: The term 'Apache' is found in the manifest of a JAR and is added to the collection. When we parse the package names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the Lucene query. That way, when we construct the Lucene query, we find the term Apache in the collection AND in the weighted strings; as such, we will boost the confidence of the term Apache.
      Parameters:
      str - to add to the weighting collection.
    • addProductWeighting

      public void addProductWeighting(String str)
      Adds a term to the product weighting collection. The terms added here are used later to boost the score of other terms. This is a way of combining evidence from multiple sources to boost the confidence of the given evidence. Example: The term 'Apache' is found in the manifest of a JAR and is added to the collection. When we parse the package names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the Lucene query. That way, when we construct the Lucene query, we find the term Apache in the collection AND in the weighted strings; as such, we will boost the confidence of the term Apache.
      Parameters:
      str - to add to the weighting collection.
    • getVendorWeightings

      public Set<String> getVendorWeightings()
      Returns an unmodifiable set of vendor Weightings - a list of terms that are believed to be of higher confidence when also found in another location.
      Returns:
      an unmodifiable set of vendor weighting strings
    • getProductWeightings

      public Set<String> getProductWeightings()
      Returns an unmodifiable set of product Weightings - a list of terms that are believed to be of higher confidence when also found in another location.
      Returns:
      an unmodifiable set of product weighting strings
    • getEvidence

      public Set<Evidence> getEvidence(EvidenceType type)
      Returns the unmodifiable set of evidence of the given type.
      Parameters:
      type - the type of evidence (vendor, product, version)
      Returns:
      the unmodifiable set of evidence
    • getEvidence

      public Set<Evidence> getEvidence()
      Returns the unmodifiable set of evidence.
      Returns:
      the unmodifiable set of evidence
    • contains

      public boolean contains(EvidenceType type, Evidence e)
      Tests if the evidence collection contains the given evidence.
      Parameters:
      type - the type of evidence (vendor, product, version)
      e - the evidence to search
      Returns:
      true if the evidence is found; otherwise false
    • contains

      public boolean contains(EvidenceType type, Confidence confidence)
      Returns whether or not the collection contains evidence of a specified type and confidence.
      Parameters:
      type - the type of evidence (vendor, product, version)
      confidence - A Confidence value.
      Returns:
      true if the collection contains evidence of the given type and confidence; otherwise false
    • size

      public int size()
      Returns the number of elements in the EvidenceCollection.
      Returns:
      the number of elements in the collection.
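As an added example (not code from the Dependency-Check project or its API docs), the following Java snippet shows how an analyzer-style caller would populate a Dependency for a JAR with evidence of differing confidence, add weighting terms as described under addVendorWeighting and addProductWeighting, and then query the evidence collection with the methods listed above. It assumes the EvidenceType constants VENDOR, PRODUCT and VERSION and the Confidence constants HIGHEST, HIGH and LOW from the org.owasp.dependencycheck.dependency package, the getSource()/getName()/getValue() accessors on Evidence, and a constructed sample file path.

```java
import java.io.File;

import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.dependency.EvidenceType;

public class DependencyEvidenceExample {

    /**
     * True when a vendor term is corroborated: it appears in the value of some
     * vendor evidence AND was registered as a vendor weighting term. This mirrors
     * the "found in the collection AND in the weighted strings" condition that the
     * addVendorWeighting documentation describes; the real boost happens later,
     * inside the Lucene query that Dependency-Check builds. (Helper added here.)
     */
    static boolean vendorTermCorroborated(Dependency dep, String term) {
        String needle = term.toLowerCase();
        boolean inEvidence = false;
        for (Evidence e : dep.getEvidence(EvidenceType.VENDOR)) {
            if (e.getValue() != null && e.getValue().toLowerCase().contains(needle)) {
                inEvidence = true;
                break;
            }
        }
        return inEvidence && dep.getVendorWeightings().contains(needle);
    }

    public static void main(String[] args) {
        // Constructed sample path; a real analyzer receives the file it is scanning.
        Dependency dep = new Dependency(new File("/tmp/sample/commons-text-1.9.jar"));

        // Evidence taken from the JAR manifest: treated as high confidence.
        dep.addEvidence(EvidenceType.VENDOR, "Manifest", "Implementation-Vendor",
                "The Apache Software Foundation", Confidence.HIGH);
        dep.addEvidence(EvidenceType.PRODUCT, "Manifest", "Implementation-Title",
                "Apache Commons Text", Confidence.HIGH);
        dep.addEvidence(EvidenceType.VERSION, "Manifest", "Implementation-Version",
                "1.9", Confidence.HIGHEST);

        // Evidence taken from package names inside the JAR: low confidence on its own.
        dep.addEvidence(EvidenceType.VENDOR, "jar", "package", "apache", Confidence.LOW);
        dep.addEvidence(EvidenceType.PRODUCT, "jar", "package", "commons", Confidence.LOW);

        // Register the package-derived terms as weightings so that a term seen in
        // both the manifest evidence and the package names is boosted later.
        dep.addVendorWeighting("apache");
        dep.addProductWeighting("commons");

        System.out.println("evidence entries: " + dep.size());
        System.out.println("has HIGH vendor evidence: "
                + dep.contains(EvidenceType.VENDOR, Confidence.HIGH));
        for (Evidence e : dep.getIterator(EvidenceType.VENDOR, Confidence.LOW)) {
            System.out.println("LOW vendor evidence: " + e.getSource() + "/"
                    + e.getName() + "=" + e.getValue());
        }
        System.out.println("'apache' corroborated: " + vendorTermCorroborated(dep, "apache"));
        System.out.println("'oracle' corroborated: " + vendorTermCorroborated(dep, "oracle"));
    }
}
```

Compile it against the dependency-check-core JAR on the classpath; the last two lines print true and false respectively, since only 'apache' appears both as vendor evidence and as a weighting term.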