Package org.owasp.dependencycheck.utils

Examples of org.owasp.dependencycheck.utils.DependencyVersion


        if (version == null) {
            return false;
        }

        for (Evidence e : EvidenceCollection.EVIDENCE_USED.filter(this)) {
            final DependencyVersion value = DependencyVersionUtil.parseVersion(e.getValue());
            if (value != null && value.matchesAtLeastThreeLevels(version)) {
                return true;
            }
        }
        return false;
    }


     */
    @Test
    public void testIsAffected() throws Exception {
        String vendor = "openssl";
        String product = "openssl";
        DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
        String cpeId = "cpe:/a:openssl:openssl:1.0.1e";
        String previous = "y";

        CveDB instance = new CveDB();
        assertFalse(instance.isAffected(vendor, product, identifiedVersion, cpeId, previous));

        try {
            cpe.parseName(cpeStr);
        } catch (UnsupportedEncodingException ex) {
            LOGGER.log(Level.FINEST, null, ex);
        }
        final DependencyVersion detectedVersion = parseDependencyVersion(cpe);
        final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();

        PreparedStatement ps;
        final HashSet<String> cveEntries = new HashSet<String>();
        try {

     * @return true if the identified version is affected, otherwise false
     */
    protected boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {
        boolean affected = false;
        final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
        final DependencyVersion v = parseDependencyVersion(cpeId);
        final boolean prevAffected = previous != null && !previous.isEmpty();
        if (v == null || "-".equals(v.toString())) { //all versions
            affected = true;
        } else if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
            if (prevAffected) {
                affected = true;
            }
        } else if (identifiedVersion.equals(v) || (prevAffected && identifiedVersion.compareTo(v) < 0)) {
            if (isStruts) { //struts 2 vulns don't affect struts 1
                if (identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0))) {
                    affected = true;
                }
            } else {
                affected = true;
            }

     *
     * @param cpe the CPE entry whose version and revision fields are read
     * @return the parsed dependency version
     */
    private DependencyVersion parseDependencyVersion(VulnerableSoftware cpe) {
        final String cpeVer = cpe.getVersion();
        if (cpeVer == null || cpeVer.isEmpty()) {
            // No version on the CPE entry: return the "-" placeholder, which the
            // calling range check treats as "every version is affected".
            return new DependencyVersion("-");
        }
        // A revision, when present, is folded into the version text as one more
        // dotted component before parsing.
        final String cpeRev = cpe.getRevision();
        final boolean hasRevision = cpeRev != null && !cpeRev.isEmpty();
        final String versionText = hasRevision ? String.format("%s.%s", cpeVer, cpeRev) : cpeVer;
        // May yield null when the text cannot be parsed; callers check for null
        // as well as for the "-" placeholder.
        return DependencyVersionUtil.parseVersion(versionText);
    }

     * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
     */
    protected boolean determineIdentifiers(Dependency dependency, String vendor, String product,
            Confidence currentConfidence) throws UnsupportedEncodingException {
        final Set<VulnerableSoftware> cpes = cve.getCPEs(vendor, product);
        DependencyVersion bestGuess = new DependencyVersion("-");
        Confidence bestGuessConf = null;
        boolean hasBroadMatch = false;
        final List<IdentifierMatch> collected = new ArrayList<IdentifierMatch>();
        for (Confidence conf : Confidence.values()) {
//            if (conf.compareTo(currentConfidence) > 0) {
//                break;
//            }
            for (Evidence evidence : dependency.getVersionEvidence().iterator(conf)) {
                final DependencyVersion evVer = DependencyVersionUtil.parseVersion(evidence.getValue());
                if (evVer == null) {
                    continue;
                }
                for (VulnerableSoftware vs : cpes) {
                    DependencyVersion dbVer;
                    if (vs.getRevision() != null && !vs.getRevision().isEmpty()) {
                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + "." + vs.getRevision());
                    } else {
                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion());
                    }
                    if (dbVer == null) { //special case, no version specified - everything is vulnerable
                        hasBroadMatch = true;
                        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
                        final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.BROAD_MATCH, conf);
                        collected.add(match);
                    } else if (evVer.equals(dbVer)) { //yeah! exact match
                        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
                        final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf);
                        collected.add(match);
                    } else {
                        //TODO the following isn't quite right is it? need to think about this guessing game a bit more.
                        if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size()
                                && evVer.matchesAtLeastThreeLevels(dbVer)) {
                            if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
                                if (bestGuess.getVersionParts().size() < dbVer.getVersionParts().size()) {
                                    bestGuess = dbVer;
                                    bestGuessConf = conf;
                                }
                            }
                        }

        if (pos > 0) {
            fileName = fileName.substring(0, pos);
        }

        //add version evidence
        final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);
        if (version != null) {
            // If the version number is just a number like 2 or 23, reduce the confidence
            // a shade. This should hopefully correct for cases like log4j.jar or
            // struts2-core.jar
            if (version.getVersionParts() == null || version.getVersionParts().size() < 2) {
                dependency.getVersionEvidence().addEvidence("file", "name",
                        version.toString(), Confidence.MEDIUM);
            } else {
                dependency.getVersionEvidence().addEvidence("file", "name",
                        version.toString(), Confidence.HIGHEST);
            }
            dependency.getVersionEvidence().addEvidence("file", "name",
                    fileName, Confidence.MEDIUM);
        }

        } else if (twoParent != null) {
            return false;
        }

        //version check
        final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
        final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
        if (version1 != null && version2 != null) {
            if (!version1.equals(version2)) {
                return false;
            }
        }


