fix: Hint Analyzer should run before VersionFilter Analyzer (#5818)
aikebah authored Aug 19, 2023
1 parent 49c6591 commit a29afc4
Showing 9 changed files with 87 additions and 11 deletions.
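--- a/core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -78,7 +78,9 @@
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.INITIAL;
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_FINDING_ANALYSIS;
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
-import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_INFORMATION_COLLECTION;
+import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_INFORMATION_COLLECTION1;
+import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_INFORMATION_COLLECTION2;
+import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_INFORMATION_COLLECTION3;
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.PRE_FINDING_ANALYSIS;
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.PRE_INFORMATION_COLLECTION;
@@ -1294,7 +1296,9 @@ public enum Mode {
 PRE_INFORMATION_COLLECTION,
 INFORMATION_COLLECTION,
 INFORMATION_COLLECTION2,
-POST_INFORMATION_COLLECTION
+POST_INFORMATION_COLLECTION1,
+POST_INFORMATION_COLLECTION2,
+POST_INFORMATION_COLLECTION3
 ),
 /**
 * In evidence processing mode the {@link Engine} processes the evidence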
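Review bot: The phase list in this Mode (the `POST_INFORMATION_COLLECTION1` … `POST_INFORMATION_COLLECTION3` lines) is a hand-maintained mirror of AnalysisPhase, and with this commit HintAnalyzer leaves PRE_IDENTIFIER_ANALYSIS for POST_INFORMATION_COLLECTION2; any other Mode whose list starts outside this hunk and that lists PRE_IDENTIFIER_ANALYSIS but not POST_INFORMATION_COLLECTION2 would, as far as this hunk shows, no longer run hint processing at all. The Mode enum continues past the hunk, so the remaining mode definitions should be checked for the same three-way split. A comment on the list would make the coupling visible: `// keep in AnalysisPhase declaration order; a phase omitted here is never executed in this mode`.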
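--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java
@@ -26,54 +26,126 @@ public enum AnalysisPhase {
 
 /**
 * Initialization phase.
+* @implNote Bound analyzers are {@link ArchiveAnalyzer}
 */
 INITIAL,
 /**
 * Pre information collection phase.
+* @implNote Bound analyzers are {@link ElixirMixAuditAnalyzer},{@link RubyBundleAuditAnalyzer}
 */
 PRE_INFORMATION_COLLECTION,
 /**
 * Information collection phase.
+* @implNote Bound analyzers are
+* {@link ArtifactoryAnalyzer}
+* {@link AssemblyAnalyzer}
+* {@link AutoconfAnalyzer}
+* {@link CMakeAnalyzer}
+* {@link CentralAnalyzer}
+* {@link CocoaPodsAnalyzer}
+* {@link ComposerLockAnalyzer}
+* {@link DartAnalyzer}
+* {@link FileNameAnalyzer}
+* {@link GolangDepAnalyzer}
+* {@link GolangModAnalyzer}
+* {@link JarAnalyzer}
+* {@link LibmanAnalyzer}
+* {@link MSBuildProjectAnalyzer}
+* {@link NexusAnalyzer}
+* {@link NodeAuditAnalyzer}
+* {@link NugetconfAnalyzer}
+* {@link NuspecAnalyzer}
+* {@link OpenSSLAnalyzer}
+* {@link PinnedMavenInstallAnalyzer}
+* {@link PipAnalyzer}
+* {@link PipfileAnalyzer}
+* {@link PipfilelockAnalyzer}
+* {@link PoetryAnalyzer}
+* {@link PythonDistributionAnalyzer}
+* {@link PythonPackageAnalyzer}
+* {@link RubyGemspecAnalyzer}
+* {@link RubyBundlerAnalyzer}
+* {@link SwiftPackageManagerAnalyzer}
+* {@link SwiftPackageResolvedAnalyzer}
 */
 INFORMATION_COLLECTION,
 /**
 * Information collection phase 2.
+* @implNote Bound analyzers are
+* {@link PEAnalyzer}
 */
 INFORMATION_COLLECTION2,
 /**
-* Post information collection phase.
+* Post information collection phase 1.
+* @implNote Bound analyzers are
+* {@link DependencyMergingAnalyzer}
 */
-POST_INFORMATION_COLLECTION,
+POST_INFORMATION_COLLECTION1,
+/**
+* Post information collection phase 2.
+* @implNote Bound analyzers are
+* {@link HintAnalyzer} (must run before {@link VersionFilterAnalyzer}, should run after {@link DependencyMergingAnalyzer})
+*/
+POST_INFORMATION_COLLECTION2,
+/**
+* Post information collection phase 3.
+* @implNote Bound analyzers are
+* {@link VersionFilterAnalyzer}
+*/
+POST_INFORMATION_COLLECTION3,
 /**
 * Pre identifier analysis phase.
+* @implNote Bound analyzers are
+* {@link NpmCPEAnalyzer} (must run in a separate phase from {@link CPEAnalyzer} due to singleton re-use)
 */
 PRE_IDENTIFIER_ANALYSIS,
 /**
 * Identifier analysis phase.
+* @implNote Bound analyzers are
+* {@link CPEAnalyzer}
 */
 IDENTIFIER_ANALYSIS,
 /**
 * Post identifier analysis phase.
+* @implNote Bound analyzers are
+* {@link CpeSuppressionAnalyzer}
+* {@link FalsePositiveAnalyzer}
 */
 POST_IDENTIFIER_ANALYSIS,
 /**
 * Pre finding analysis phase.
+* @implNote No analyzers bound to this phase
 */
 PRE_FINDING_ANALYSIS,
 /**
 * Finding analysis phase.
+* @implNote Bound analyzers are
+* {@link NodeAuditAnalyzer}
+* {@link NvdCveAnalyzer}
+* {@link PnpmAuditAnalyzer}
+* {@link RetireJsAnalyzer}
+* {@link YarnAuditAnalyzer}
+*
 */
 FINDING_ANALYSIS,
 /**
 * Finding analysis phase 2.
+* @implNote Bound analyzers are
+* {@link OssIndexAnalyzer}
 */
 FINDING_ANALYSIS_PHASE2,
 /**
 * Post analysis phase.
+* @implNote Bound analyzers are
+* {@link KnownExploitedVulnerabilityAnalyzer}
+* {@link VulnerabilitySuppressionAnalyzer}
 */
 POST_FINDING_ANALYSIS,
 /**
 * The final analysis phase.
+* @implNote Bound analyzers are
+* {@link DependencyBundlingAnalyzer}
+* {@link UnusedSuppressionRuleAnalyzer}
 */
 FINAL
 }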
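Review bot: The new `@implNote` lists are inconsistent with themselves: `{@link NodeAuditAnalyzer}` is listed under both INFORMATION_COLLECTION and FINDING_ANALYSIS, yet an analyzer reports exactly one phase through getAnalysisPhase() (the tests in this commit assert a single value), so one of the two entries is wrong or stale. The ordering constraint on POST_INFORMATION_COLLECTION2 also gives no reason for "should run after DependencyMergingAnalyzer", which is the one fact a maintainer needs before moving either analyzer again; a short "because …" clause there would carry that. Since nothing enforces these hand-maintained lists, a test that iterates the registered analyzers and compares each getAnalysisPhase() against the documented binding would stop them drifting; absent that, a header note `@implNote lists below are maintained by hand; verify against each analyzer's ANALYSIS_PHASE when moving one` is the minimum.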
Expand Up @@ -47,7 +47,7 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz
/**
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION;
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION1;
/**
* Used for synchronization when merging related dependencies.
*/
Expand Up @@ -80,7 +80,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
/**
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION2;

/**
* Returns the name of the analyzer.
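Review bot: The `ANALYSIS_PHASE` Javadoc still reads only "The phase that this analyzer is intended to run in.", while the ordering constraint that motivated this move (before VersionFilterAnalyzer, after DependencyMergingAnalyzer) is recorded only on the enum constant, so someone editing this line gets no warning here. Suggest `* The phase that this analyzer is intended to run in; must precede {@link VersionFilterAnalyzer}'s phase (see {@link AnalysisPhase#POST_INFORMATION_COLLECTION2}).` The rest of HintAnalyzer lies outside the hunk.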
Expand Up @@ -49,7 +49,7 @@ public class NpmCPEAnalyzer extends CPEAnalyzer {
/**
* The Logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(CPEAnalyzer.class);
private static final Logger LOGGER = LoggerFactory.getLogger(NpmCPEAnalyzer.class);

/**
* Returns the analysis phase that this analyzer should run in.
Expand Up @@ -86,7 +86,7 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer {
/**
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION;
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION3;

//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Standard implementation of Analyzer">
Expand Up @@ -53,7 +53,7 @@ public void testGetName() {
@Test
public void testGetAnalysisPhase() {
DependencyMergingAnalyzer instance = new DependencyMergingAnalyzer();
AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION;
AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION1;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
}
Expand Up @@ -54,7 +54,7 @@ public void testGetName() {
@Test
public void testGetAnalysisPhase() {
HintAnalyzer instance = new HintAnalyzer();
AnalysisPhase expResult = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION2;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
}
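Review bot: `testGetAnalysisPhase` pins HintAnalyzer to POST_INFORMATION_COLLECTION2 but does not assert the invariant this commit exists for — that the hint phase precedes VersionFilterAnalyzer's phase — so a later reshuffle of the enum that keeps the constant names but changes their declaration order would still pass. Add an ordering check next to the equality, e.g. `assertTrue(result.compareTo(new VersionFilterAnalyzer().getAnalysisPhase()) < 0);` (enum compareTo follows declaration order); if VersionFilterAnalyzer needs `initialize(getSettings())` before getAnalysisPhase, as its own test does, call that first. A matching `> 0` comparison against DependencyMergingAnalyzer's phase would cover the other half of the documented constraint.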
Expand Up @@ -49,7 +49,7 @@ public void testGetName() {
public void testGetAnalysisPhase() {
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
instance.initialize(getSettings());
AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION;
AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION3;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
}
