Support dependency-check 8.0.0 (dependency-check#758)

* Support dependency-check 8.0.0 * Add Unit tests for includedby
jordannstrong · Feb 23, 2023 · 0ddad06 · 0ddad06
1 parent d381eaa
commit 0ddad06
Show file tree

Hide file tree

Showing 35 changed files with 14,088 additions and 6,609 deletions.
diff --git a/examples/multi-module-maven/pom.xml b/examples/multi-module-maven/pom.xml
@@ -54,7 +54,7 @@
                 <plugin>
                     <groupId>org.owasp</groupId>
                     <artifactId>dependency-check-maven</artifactId>
-                    <version>6.0.3</version>
+                    <version>8.0.2</version>
                     <configuration>
                         <format>ALL</format>
                     </configuration>

diff --git a/examples/single-module-gradle/build.gradle b/examples/single-module-gradle/build.gradle
@@ -3,7 +3,7 @@ buildscript {
         mavenCentral()
     }
     dependencies {
-        classpath 'org.owasp:dependency-check-gradle:6.5.3'
+        classpath 'org.owasp:dependency-check-gradle:8.0.2'
     }
 }
 

diff --git a/examples/single-module-kotlin-dsl-gradle/build.gradle.kts b/examples/single-module-kotlin-dsl-gradle/build.gradle.kts
@@ -4,7 +4,7 @@ plugins {
     application
     kotlin("jvm") version "1.3.50"
     id("org.sonarqube") version "3.3"
-    id("org.owasp.dependencycheck") version "6.5.3"
+    id("org.owasp.dependencycheck") version "8.0.2"
 }
 
 repositories {

diff --git a/examples/single-module-maven/pom.xml b/examples/single-module-maven/pom.xml
@@ -71,7 +71,7 @@
             <plugin>
                 <groupId>org.owasp</groupId>
                 <artifactId>dependency-check-maven</artifactId>
-                <version>6.0.3</version>
+                <version>8.0.2</version>
                 <configuration>
                     <format>ALL</format>
                 </configuration>

diff --git a/...dency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckUtils.java b/...dency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckUtils.java
@@ -31,6 +31,9 @@
 import org.sonar.dependencycheck.parser.element.Vulnerability;
 import org.sonar.dependencycheck.reason.DependencyReason;
 import org.sonar.dependencycheck.reason.Language;
+import org.sonar.dependencycheck.reason.SoftwareDependency;
+import org.sonar.dependencycheck.reason.maven.MavenDependency;
+import org.sonar.dependencycheck.reason.npm.NPMDependency;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
 
@@ -108,36 +111,26 @@ public static Float severityToScore(String severity, Configuration config) {
         return DependencyCheckUtils.severityToScore(severity, severityBlocker, severityCritical, severityMajor, severityMinor);
     }
 
-    public static Optional<Identifier> getMavenIdentifier(@NonNull Dependency dependency) {
+    public static Optional<MavenDependency> getMavenDependency(@NonNull Dependency dependency) {
         Optional<Collection<Identifier>> packages = dependency.getPackages();
         if (packages.isPresent()) {
             for (Identifier identifier : packages.get()) {
-                if (Identifier.isMavenPackage(identifier)) {
-                    return Optional.of(identifier);
+                Optional<SoftwareDependency> softwareDependency = DependencyCheckUtils.convertToSoftwareDependency(identifier.getId());
+                if (softwareDependency.isPresent() && softwareDependency.get() instanceof MavenDependency) {
+                    return Optional.of((MavenDependency) softwareDependency.get());
                 }
             }
         }
         return Optional.empty();
     }
 
-    public static Optional<Identifier> getNPMIdentifier(@NonNull Dependency dependency) {
+    public static Optional<NPMDependency> getNPMDependency(@NonNull Dependency dependency) {
         Optional<Collection<Identifier>> packages = dependency.getPackages();
         if (packages.isPresent()) {
             for (Identifier identifier : packages.get()) {
-                if (Identifier.isNPMPackage(identifier)) {
-                    return Optional.of(identifier);
-                }
-            }
-        }
-        return Optional.empty();
-    }
-
-    public static Optional<Identifier> getJavaScriptIdentifier(@NonNull Dependency dependency) {
-        Optional<Collection<Identifier>> packages = dependency.getPackages();
-        if (packages.isPresent()) {
-            for (Identifier identifier : packages.get()) {
-                if (Identifier.isJavaScriptPackage(identifier)) {
-                    return Optional.of(identifier);
+                Optional<SoftwareDependency> softwareDependency = DependencyCheckUtils.convertToSoftwareDependency(identifier.getId());
+                if (softwareDependency.isPresent() && softwareDependency.get() instanceof NPMDependency) {
+                    return Optional.of((NPMDependency) softwareDependency.get());
                 }
             }
         }
@@ -208,4 +201,52 @@ public static Optional<DependencyReason> getBestDependencyReason(@NonNull Depend
         }
         return dependencyReasons.stream().sorted(comparatorFileLength).sorted(comparatorTextRange).findFirst();
     }
+
+    /**
+     *
+     * @param reference
+     * @return
+     */
+    public static Optional<SoftwareDependency> convertToSoftwareDependency(@NonNull String reference) {
+        if (StringUtils.isNotBlank(reference)) {
+            if (reference.contains("maven")) {
+                return convertToMavenDependency(reference);
+            } else if (reference.contains("npm") || reference.contains("javascript")) {
+                return convertToNPMDependency(reference);
+            }
+        }
+        return Optional.empty();
+    }
+
+    private static Optional<SoftwareDependency> convertToMavenDependency(@NonNull String reference) {
+        // pkg:maven/struts/[email protected] -> struts/[email protected]
+        String dependency = StringUtils.substringAfter(reference, "/");
+        String groupId = StringUtils.substringBefore(dependency, "/");
+        String artifactId = StringUtils.substringBetween(dependency, "/", "@");
+        if (StringUtils.isAnyBlank(groupId, artifactId)) {
+            return Optional.empty();
+        }
+        String version = StringUtils.substringAfter(dependency, "@");
+        return Optional.of(new MavenDependency(groupId, artifactId, StringUtils.isBlank(version) ? null : version));
+    }
+
+    private static Optional<SoftwareDependency> convertToNPMDependency(@NonNull String reference) {
+        // pkg:npm/[email protected] -> [email protected]
+        // pkg:npm/mime -> mime
+        String dependency = StringUtils.substringAfter(reference, "/");
+        String name = StringUtils.substringBefore(dependency, "@");
+        if (StringUtils.isBlank(name)) {
+            return Optional.empty();
+        }
+        String version = StringUtils.substringAfter(dependency, "@");
+        return Optional.of(new NPMDependency(name, StringUtils.isBlank(version) ? null : version));
+    }
+
+    public static boolean isMavenDependency(@NonNull SoftwareDependency dep) {
+        return dep instanceof MavenDependency;
+    }
+
+    public static boolean isNPMDependency(@NonNull SoftwareDependency dep) {
+        return dep instanceof NPMDependency;
+    }
 }
diff --git a/.../main/java/org/sonar/dependencycheck/parser/deserializer/MavenDependencyDeserializer.java b/.../main/java/org/sonar/dependencycheck/parser/deserializer/MavenDependencyDeserializer.java
@@ -24,7 +24,7 @@
 import java.util.List;
 
 import org.apache.commons.lang3.StringUtils;
-import org.sonar.dependencycheck.reason.maven.MavenDependency;
+import org.sonar.dependencycheck.reason.maven.MavenDependencyLocation;
 
 import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.core.JsonToken;
@@ -33,7 +33,7 @@
 
 import edu.umd.cs.findbugs.annotations.Nullable;
 
-public class MavenDependencyDeserializer extends StdDeserializer<List<MavenDependency>>{
+public class MavenDependencyDeserializer extends StdDeserializer<List<MavenDependencyLocation>>{
 
     /**
      *
@@ -49,13 +49,14 @@ protected MavenDependencyDeserializer(@Nullable Class<?> vc) {
     }
 
     @Override
-    public List<MavenDependency> deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
-        List<MavenDependency> mavenDependencies = new LinkedList<>();
+    public List<MavenDependencyLocation> deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
+        List<MavenDependencyLocation> mavenDependencies = new LinkedList<>();
         while (jsonParser.nextToken() != JsonToken.END_OBJECT) {
             if (StringUtils.equalsIgnoreCase("dependency", jsonParser.getCurrentName())) {
                 // We found a dependency
                 String groupId = "";
                 String artifactId = "";
+                String version = "";
                 int startLineNr = jsonParser.getCurrentLocation().getLineNr();
                 while (jsonParser.nextToken() != JsonToken.END_OBJECT) {
                     if (StringUtils.equalsIgnoreCase("artifactId", jsonParser.getCurrentName())) {
@@ -64,9 +65,12 @@ public List<MavenDependency> deserialize(JsonParser jsonParser, DeserializationC
                     if (StringUtils.equalsIgnoreCase("groupId", jsonParser.getCurrentName())) {
                         groupId = jsonParser.getValueAsString();
                     }
+                    if (StringUtils.equalsIgnoreCase("version", jsonParser.getCurrentName())) {
+                        version = jsonParser.getValueAsString();
+                    }
                 }
                 int endLineNr = jsonParser.getCurrentLocation().getLineNr();
-                mavenDependencies.add(new MavenDependency(groupId, artifactId, startLineNr, endLineNr));
+                mavenDependencies.add(new MavenDependencyLocation(groupId, artifactId, version, startLineNr, endLineNr));
             }
         }
         return mavenDependencies;

diff --git a/.../src/main/java/org/sonar/dependencycheck/parser/deserializer/MavenParentDeserializer.java b/.../src/main/java/org/sonar/dependencycheck/parser/deserializer/MavenParentDeserializer.java
@@ -22,7 +22,7 @@
 import java.io.IOException;
 
 import org.apache.commons.lang3.StringUtils;
-import org.sonar.dependencycheck.reason.maven.MavenParent;
+import org.sonar.dependencycheck.reason.maven.MavenDependencyLocation;
 
 import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.core.JsonToken;
@@ -31,7 +31,7 @@
 
 import edu.umd.cs.findbugs.annotations.Nullable;
 
-public class MavenParentDeserializer extends StdDeserializer<MavenParent>{
+public class MavenParentDeserializer extends StdDeserializer<MavenDependencyLocation>{
 
     /**
      *
@@ -47,15 +47,23 @@ protected MavenParentDeserializer(@Nullable Class<?> vc) {
     }
 
     @Override
-    public MavenParent deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
+    public MavenDependencyLocation deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
         int startLineNr = jsonParser.getCurrentLocation().getLineNr();
         String groupId = "";
+        String artifactId = "";
+        String version = "";
         while (jsonParser.nextToken() != JsonToken.END_OBJECT) {
             if (StringUtils.equalsIgnoreCase("groupId", jsonParser.getCurrentName())) {
                 groupId = jsonParser.getValueAsString();
             }
+            if (StringUtils.equalsIgnoreCase("artifactId", jsonParser.getCurrentName())) {
+                artifactId = jsonParser.getValueAsString();
+            }
+            if (StringUtils.equalsIgnoreCase("version", jsonParser.getCurrentName())) {
+                version = jsonParser.getValueAsString();
+            }
         }
         int endLineNr = jsonParser.getCurrentLocation().getLineNr();
-        return new MavenParent(groupId, startLineNr, endLineNr);
+        return new MavenDependencyLocation(groupId, artifactId, version, startLineNr, endLineNr);
     }
 }
diff --git a/...java/org/sonar/dependencycheck/parser/deserializer/PackageLockDependencyDeserializer.java b/...java/org/sonar/dependencycheck/parser/deserializer/PackageLockDependencyDeserializer.java
@@ -24,7 +24,7 @@
 import java.util.List;
 
 import org.apache.commons.lang3.StringUtils;
-import org.sonar.dependencycheck.reason.npm.NPMDependency;
+import org.sonar.dependencycheck.reason.npm.NPMDependencyLocation;
 
 import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.core.JsonToken;
@@ -33,7 +33,7 @@
 
 import edu.umd.cs.findbugs.annotations.Nullable;
 
-public class PackageLockDependencyDeserializer extends StdDeserializer<List<NPMDependency>> {
+public class PackageLockDependencyDeserializer extends StdDeserializer<List<NPMDependencyLocation>> {
     /**
      *
      */
@@ -48,15 +48,15 @@ protected PackageLockDependencyDeserializer(@Nullable Class<?> vc) {
     }
 
     @Override
-    public List<NPMDependency> deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
-        List<NPMDependency> npmDependencies = new LinkedList<>();
+    public List<NPMDependencyLocation> deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
+        List<NPMDependencyLocation> npmDependencies = new LinkedList<>();
         while (!JsonToken.END_OBJECT.equals(jsonParser.nextToken())) {
             if (JsonToken.START_OBJECT.equals(jsonParser.currentToken())) {
                 String name = jsonParser.getCurrentName();
                 int startLineNr = jsonParser.getCurrentLocation().getLineNr();
                 String version = scanWholeDependencyForVersion(jsonParser);
                 int endLineNr = jsonParser.getCurrentLocation().getLineNr();
-                npmDependencies.add(new NPMDependency(name, version, startLineNr, endLineNr));
+                npmDependencies.add(new NPMDependencyLocation(name, version, startLineNr, endLineNr));
             }
         }
         return npmDependencies;

diff --git a/...dency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Dependency.java b/...dency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Dependency.java
@@ -27,6 +27,8 @@
 import java.util.Optional;
 
 import org.sonar.api.config.Configuration;
+import org.sonar.dependencycheck.base.DependencyCheckUtils;
+import org.sonar.dependencycheck.reason.SoftwareDependency;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
@@ -46,6 +48,7 @@ public class Dependency {
     private final List<Vulnerability> vulnerabilities;
     private final Optional<Collection<Identifier>> packages;
     private final Optional<Collection<Identifier>> vulnerabilityIds;
+    private final Optional<Collection<IncludedBy>> includedBy;
 
     @JsonCreator
     public Dependency(@JsonProperty(value = "fileName", required = true) @NonNull String fileName,
@@ -55,8 +58,8 @@ public Dependency(@JsonProperty(value = "fileName", required = true) @NonNull St
                       @JsonProperty(value = "evidenceCollected") Map<String, List<Evidence>> evidenceCollected,
                       @JsonProperty(value = "vulnerabilities") List<Vulnerability> vulnerabilities,
                       @JsonProperty(value = "packages") @Nullable Collection<Identifier> packages,
-                      @JsonProperty(value = "vulnerabilityIds") @Nullable Collection<Identifier> vulnerabilityIds)
-                      {
+                      @JsonProperty(value = "vulnerabilityIds") @Nullable Collection<Identifier> vulnerabilityIds,
+                      @JsonProperty(value = "includedBy") @Nullable Collection<IncludedBy> includedBy) {
         this.fileName = fileName;
         this.filePath = filePath;
         this.md5 = Optional.ofNullable(md5Hash);
@@ -65,6 +68,8 @@ public Dependency(@JsonProperty(value = "fileName", required = true) @NonNull St
         this.vulnerabilities = vulnerabilities;
         this.packages = Optional.ofNullable(packages);
         this.vulnerabilityIds = Optional.ofNullable(vulnerabilityIds);
+        this.includedBy = Optional.ofNullable(includedBy);
+
     }
 
     public String getFileName() {
@@ -104,10 +109,18 @@ public Optional<Collection<Identifier>> getVulnerabilityIds() {
         return vulnerabilityIds;
     }
 
+    /**
+     * @return the includedBy
+     */
+    public Optional<Collection<IncludedBy>> getIncludedBy() {
+        return includedBy;
+    }
+
     public boolean isJavaDependency() {
         if (packages.isPresent()) {
             for (Identifier identifier : packages.get()) {
-                if (Identifier.isMavenPackage(identifier)) {
+                Optional<SoftwareDependency> dep = DependencyCheckUtils.convertToSoftwareDependency(identifier.getId());
+                if (dep.isPresent() && DependencyCheckUtils.isMavenDependency(dep.get())) {
                     return true;
                 }
             }
@@ -118,7 +131,8 @@ public boolean isJavaDependency() {
     public boolean isJavaScriptDependency() {
         if (packages.isPresent()) {
             for (Identifier identifier : packages.get()) {
-                if (Identifier.isNPMPackage(identifier) || Identifier.isJavaScriptPackage(identifier)) {
+                Optional<SoftwareDependency> dep = DependencyCheckUtils.convertToSoftwareDependency(identifier.getId());
+                if (dep.isPresent() && DependencyCheckUtils.isNPMDependency(dep.get())) {
                     return true;
                 }
             }