/**
 * Renders the vulnerabilities above the configured threshold as a human-readable report.
 *
 * The text opens with a sentence chosen by {@code exceptionThreshold} (no sentence is
 * added for an unknown value) and is followed by one numbered line per analysis that
 * would raise a build exception, i.e. each {@code VulnerableDependency} whose
 * {@code isThrowsException()} is true.
 *
 * @return the report text; only the introductory sentence (or an empty string) when no
 *         analysis raises an exception
 */
public String getResultAsString() {
    final StringBuilder report = new StringBuilder();

    // Introductory sentence, selected by the configured threshold (case-insensitive)
    String intro = null;
    if (exceptionThreshold.equalsIgnoreCase(THRESHOLD_DEP_ON)) {
        intro = "The application depends on the following vulnerable archives: ";
    } else if (exceptionThreshold.equalsIgnoreCase(THRESHOLD_POT_EXE)) {
        intro = "The application potentially executes vulnerable code of the following vulnerable archives (or reachability was not checked): ";
    } else if (exceptionThreshold.equalsIgnoreCase(THRESHOLD_ACT_EXE)) {
        intro = "The application actually executes vulnerable code of the following vulnerable archives (or no tests were run): ";
    }
    if (intro != null) {
        report.append(intro);
    }

    // One numbered line per analysis that results in a build exception
    final String newline = System.getProperty("line.separator");
    int lineNo = 0;
    for (final AggregatedVuln vuln : this.vulnsAboveThreshold) {
        for (final VulnerableDependency analysis : vuln.getAnalyses()) {
            if (!analysis.isThrowsException()) {
                continue;
            }
            lineNo++;
            final Object dep = analysis.getDep();
            report.append(newline).append(" ").append(lineNo).append(": ")
                  .append("[filename=").append(vuln.filename)
                  .append(", scope=").append(((VulnerableDependency) analysis).getDep().getScope())
                  .append(", transitive=").append(analysis.getDep().getTransitive())
                  .append(", wellknownSha1=").append(analysis.getDep().getLib().isWellknownDigest())
                  .append(", isAffectedVersionConfirmed=").append(analysis.isAffectedVersionConfirmed())
                  .append(", bug=").append(vuln.bug.getBugId()).append("]");
        }
    }
    return report.toString();
}
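/**
 * Orders vulnerable dependencies by the filename of their dependency and, when the
 * filenames are equal, by the identifier of their bug.
 *
 * @param _o the object to compare against; must be a {@link VulnerableDependency}
 * @return a negative number, zero or a positive number, as specified by
 *         {@link Comparable#compareTo}
 * @throws IllegalArgumentException if {@code _o} is null or not a
 *         {@link VulnerableDependency} (the exception type is kept as-is for callers
 *         that may already rely on it)
 */
@Override
public int compareTo(Object _o) {
    if (!(_o instanceof VulnerableDependency)) {
        // Name the offending type so a failing sort is diagnosable from the message alone
        throw new IllegalArgumentException("Cannot compare VulnerableDependency with "
            + (_o == null ? "null" : _o.getClass().getName()));
    }
    final VulnerableDependency other = (VulnerableDependency) _o;
    final int byFilename = this.getDep().getFilename().compareTo(other.getDep().getFilename());
    if (byFilename != 0) {
        return byFilename;
    }
    // The bug id only decides the order when the filenames are equal, so it is
    // computed lazily instead of up front
    return this.getBug().getBugId().compareTo(other.getBug().getBugId());
}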
/**
 * Decides whether an unassessed analysis is ignored, according to the configured
 * {@code ignoreUnassessed} mode (a field of the same name as this method).
 *
 * @param _a the analysis to check
 * @return false when the mode is {@code IGN_UNASS_OFF}; with {@code IGN_UNASS_ALL}, true for
 *         every analysis whose affected version is not confirmed; with any other mode, true
 *         only for unconfirmed analyses whose library digest is well-known
 */
private boolean ignoreUnassessed(VulnerableDependency _a) {
    final String mode = this.ignoreUnassessed;
    if (mode.equalsIgnoreCase(IGN_UNASS_OFF)) {
        return false;
    }
    final boolean unconfirmed = !_a.isAffectedVersionConfirmed();
    if (mode.equalsIgnoreCase(IGN_UNASS_ALL)) {
        return unconfirmed;
    }
    // Remaining mode: only unconfirmed analyses of well-known archives are ignored
    return unconfirmed && _a.getDep().getLib().isWellknownDigest();
}
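/**
 * Returns true if the given analysis will not lead to a build exception, i.e. if the
 * scope of its dependency is excluded, its bug is excluded, or it is unassessed and the
 * configured {@code ignoreUnassessed} mode ignores it.
 *
 * @param _a the analysis to check
 * @param _bugid the identifier of the bug the analysis refers to, matched
 *        case-insensitively against the excluded bugs
 * @return true if the analysis is ignored for the purpose of raising a build exception
 */
private boolean isIgnoredForBuildException(VulnerableDependency _a, String _bugid) {
    // Scope exclusion only applies when a blacklist is configured and the dependency has a scope
    final Object scope = _a.getDep().getScope();
    if (this.excludedScopes != null && scope != null
            && this.excludedScopes.contains(scope.toString(), ComparisonMode.EQUALS, CaseSensitivity.CASE_INSENSITIVE)) {
        return true;
    }
    // Bug exclusion
    if (this.excludedBugs != null
            && this.excludedBugs.contains(_bugid, ComparisonMode.EQUALS, CaseSensitivity.CASE_INSENSITIVE)) {
        return true;
    }
    // Finally, unassessed findings may be ignored depending on the configured mode
    return this.ignoreUnassessed(_a);
}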
.getVulnDeps(Boolean.valueOf(true)); for (VulnerableDependency vd : unconfirmedBugs) { if (vd.getDep().getLib().getLibraryId() != null) { if (!contained.contains(vd.getBug().getBugId())) { bugsToAnalyze.add(new Bug(vd.getBug().getBugId(), null));
final AggregatedVuln new_av = new AggregatedVuln(v.getDep().getLib().getDigest(), v.getDep().getFilename(), v.getBug()); final AggregatedVuln added_av = this.update(this.vulns, new_av); if(v.getDep().getLib().getLibraryId()!=null && this.isAmongAggregatedModules(v.getDep().getLib().getLibraryId())) log.warn("Skipping [" + v.getBug().getBugId() + "] for dependency of " + prj + " on " + v.getDep().getLib().getLibraryId() + ", the latter is one of the aggregated modules"); else added_av.addAnalysis(v);