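/**
 * Returns the {@link Dependency} of the given set whose library equals the given {@link Library},
 * or null if no such dependency exists.
 *
 * A null set yields null, and dependencies whose {@link Dependency#getLib()} is null cannot match and are
 * skipped, instead of aborting the lookup with a {@link NullPointerException}.
 *
 * @param _deps the dependencies to search, may be null
 * @param _lib the library to look for
 * @return the first dependency (in the set's iteration order) on {@code _lib}, or null
 */
public static Dependency getLibraryDependency(Set<Dependency> _deps, Library _lib) {
    if (_deps == null) {
        return null;
    }
    for (Dependency d : _deps) {
        final Library lib = d.getLib();
        // A dependency without a library can never match; guard before dereferencing it
        if (lib != null && lib.equals(_lib)) {
            return d;
        }
    }
    return null;
}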
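/**
 * Returns a set of dependencies such that every {@link Dependency} points to a different {@link Library}.
 * This is needed because {@link Dependency#equals(Object)} considers all kinds of members of {@link Dependency}, while
 * the relational database table storing dependencies does not.
 *
 * When several dependencies refer to the same library, the one encountered first (in the iteration order of
 * {@code _deps}) is kept and every later one is dropped with a warning.
 *
 * @param _deps the dependencies to de-duplicate, may be null
 * @return a new, mutable set holding at most one dependency per library; empty if {@code _deps} is null or empty
 */
public static Set<Dependency> removeDuplicateLibraryDependencies(Collection<Dependency> _deps) {
    final Set<Dependency> clean_set = new HashSet<Dependency>();
    if (_deps == null) {
        return clean_set;
    }
    for (Dependency d : _deps) {
        // Look up by library only, deliberately not by Dependency#equals (see the Javadoc above)
        final Dependency existing_dep = DependencyUtil.getLibraryDependency(clean_set, d.getLib());
        if (existing_dep == null) {
            clean_set.add(d);
        } else {
            log.warn("Dependency " + d + " removed from set, one on the same library already exists: " + existing_dep);
        }
    }
    return clean_set;
}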
/**
 * Decides whether a vulnerable dependency whose affected version has not been confirmed should be ignored,
 * according to the configured {@code ignoreUnassessed} mode.
 *
 * With mode {@code IGN_UNASS_OFF} nothing is ignored; with {@code IGN_UNASS_ALL} every unconfirmed
 * finding is ignored; with any other mode only unconfirmed findings on libraries with a well-known
 * digest are ignored.
 *
 * @param _a the analysis result to check
 * @return true if the finding should be ignored
 */
private boolean ignoreUnassessed(VulnerableDependency _a) {
    final String mode = this.ignoreUnassessed;
    if (mode.equalsIgnoreCase(IGN_UNASS_OFF)) {
        return false;
    }
    if (mode.equalsIgnoreCase(IGN_UNASS_ALL)) {
        return !_a.isAffectedVersionConfirmed();
    }
    // Any remaining mode: ignore only unconfirmed findings on well-known libraries
    return !_a.isAffectedVersionConfirmed() && _a.getDep().getLib().isWellknownDigest();
}
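/**
 * Builds a human-readable summary of the vulnerable archives above the configured exception threshold.
 *
 * The summary opens with an explanatory sentence chosen by {@code exceptionThreshold} (dependency,
 * potential execution or actual execution) and continues with one numbered line per analysis that is
 * flagged to throw a build exception ({@link VulnerableDependency#isThrowsException()}). Analyses that
 * do not throw are omitted, so the numbering counts only the listed entries.
 *
 * @return the summary text; just the explanatory sentence if no analysis throws, and the empty string
 *         if additionally the threshold matches none of the known values
 */
public String getResultAsString() {
    final StringBuilder builder = new StringBuilder();
    // Loop invariant: look the separator up once rather than once per listed analysis
    final String nl = System.getProperty("line.separator");

    // Explanatory text
    if (exceptionThreshold.equalsIgnoreCase(THRESHOLD_DEP_ON)) {
        builder.append("The application depends on the following vulnerable archives: ");
    } else if (exceptionThreshold.equalsIgnoreCase(THRESHOLD_POT_EXE)) {
        builder.append("The application potentially executes vulnerable code of the following vulnerable archives (or reachability was not checked): ");
    } else if (exceptionThreshold.equalsIgnoreCase(THRESHOLD_ACT_EXE)) {
        builder.append("The application actually executes vulnerable code of the following vulnerable archives (or no tests were run): ");
    }

    // Will it result in a build exception?
    int i = 0;
    for (AggregatedVuln v : this.vulnsAboveThreshold) {
        for (VulnerableDependency analysis : v.getAnalyses()) {
            if (!analysis.isThrowsException()) {
                continue;
            }
            builder.append(nl).append(" ").append(++i).append(": ");
            builder.append("[filename=").append(v.filename);
            builder.append(", scope=").append(analysis.getDep().getScope());
            builder.append(", transitive=").append(analysis.getDep().getTransitive());
            builder.append(", wellknownSha1=").append(analysis.getDep().getLib().isWellknownDigest());
            builder.append(", isAffectedVersionConfirmed=").append(analysis.isAffectedVersionConfirmed());
            builder.append(", bug=").append(v.bug.getBugId()).append("]");
        }
    }
    return builder.toString();
}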
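/**
 * Returns the {@link Dependency} of the given set that refers to the same library, the same parent (compared with
 * {@code equalLibParentRelPath}) and the same relative path as the given dependency, or null if none exists.
 *
 * Only those three members are compared, unlike {@link Dependency#equals(Object)}, which considers all of them.
 * A dependency whose {@link Dependency#getLib()} is null cannot match and is skipped.
 * NOTE(review): {@code d.getParent()} is dereferenced without a null check, so a set element without a parent
 * throws a {@link NullPointerException} here -- confirm whether parent-less (root) dependencies can occur.
 *
 * @param _deps the dependencies to search, may be null
 * @param _dep the dependency to look for, must not be null
 * @return the matching dependency, or null if the set is null or holds no match
 * @throws NullPointerException if {@code _dep} is null
 */
public static Dependency getDependency(Set<Dependency> _deps, Dependency _dep) {
    if (_deps == null) {
        return null;
    }
    for (Dependency d : _deps) {
        // Guard the library before dereferencing it; the parent is compared as before
        if (d.getLib() != null
                && d.getLib().equals(_dep.getLib())
                && d.getParent().equalLibParentRelPath(_dep.getParent())
                && d.getRelativePath().equals(_dep.getRelativePath())) {
            return d;
        }
    }
    return null;
}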
dep_for_path.put(a.getFile().toPath(), dep); getLog().info("Dependency [" + StringUtil.padLeft(++count, 4) + "]: Dependency [libid=" + dep.getLib().getLibraryId() + ", path " + a.getFile().getPath() + ", direct=" + direct_artifacts.contains(a) + ", scope=" + dep.getScope() + "] created for Maven artifact [g=" + a.getGroupId() + ", a=" + a.getArtifactId() + ", base version=" + a.getBaseVersion() + ", version=" + a.getVersion() + ", classifier=" + a.getClassifier() + "]"); getLog().info(" " + this.trailToString(a.getDependencyTrail(), " => "));
ja.setLibraryId(this.getMavenDependency(p).getLib().getLibraryId());
.getVulnDeps(Boolean.valueOf(true)); for (VulnerableDependency vd : unconfirmedBugs) { if (vd.getDep().getLib().getLibraryId() != null) { if (!contained.contains(vd.getBug().getBugId())) { bugsToAnalyze.add(new Bug(vd.getBug().getBugId(), null));
final AggregatedVuln new_av = new AggregatedVuln(v.getDep().getLib().getDigest(), v.getDep().getFilename(), v.getBug()); final AggregatedVuln added_av = this.update(this.vulns, new_av); if(v.getDep().getLib().getLibraryId()!=null && this.isAmongAggregatedModules(v.getDep().getLib().getLibraryId())) log.warn("Skipping [" + v.getBug().getBugId() + "] for dependency of " + prj + " on " + v.getDep().getLib().getLibraryId() + ", the latter is one of the aggregated modules"); else added_av.addAnalysis(v);
final Library lib = dep.getLib(); if(lib!=null) { if(lib.hasValidDigest()) {
if(a.getLibraryId()!=null && dep.getLib()!=null && dep.getLib().getLibraryId()!=null) { if(a.getLibraryId().equals(dep.getLib().getLibraryId())) { else if(a.getLib()!=null && a.getLib()==dep.getLib()){ if(a.getSource() == AffectedVersionSource.MANUAL){ this.setAffectedVersion((a.getAffected())?1:0); System.out.println("affectedLib with both LIB: " + a.getLib() + " , and LIBID: " + dep.getLib());