diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index eac7a93587a..f15a7fd93aa 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -284,20 +284,24 @@ private void updateDependency(final AssemblyData data, Dependency dependency) {
 if (!StringUtils.isBlank(data.getCompanyName())) {
 dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "CompanyName", data.getCompanyName(), Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "CompanyName", data.getCompanyName(), Confidence.LOW);
 addMatchingValues(data.getNamespaces(), data.getCompanyName(), dependency, EvidenceType.VENDOR);
 }
 if (!StringUtils.isBlank(data.getProductName())) {
 dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "ProductName", data.getProductName(), Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "ProductName", data.getProductName(), Confidence.MEDIUM);
 addMatchingValues(data.getNamespaces(), data.getProductName(), dependency, EvidenceType.PRODUCT);
 }
 if (!StringUtils.isBlank(data.getFileDescription())) {
 dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "FileDescription", data.getFileDescription(), Confidence.HIGH);
+ dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "FileDescription", data.getFileDescription(), Confidence.LOW);
 addMatchingValues(data.getNamespaces(), data.getFileDescription(), dependency, EvidenceType.PRODUCT);
 }
 final String internalName = data.getInternalName();
 if (!StringUtils.isBlank(internalName)) {
 dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "InternalName", internalName, Confidence.MEDIUM);
+ dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "InternalName", internalName, Confidence.LOW);
 addMatchingValues(data.getNamespaces(), internalName, dependency, EvidenceType.PRODUCT);
 addMatchingValues(data.getNamespaces(), internalName, dependency, EvidenceType.VENDOR);
 if (dependency.getName() == null && StringUtils.containsIgnoreCase(dependency.getActualFile().getName(), internalName)) {
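Review bot: The four new cross-typed addEvidence calls use three different confidences (CompanyName as PRODUCT at LOW, ProductName as VENDOR at MEDIUM, FileDescription and InternalName as VENDOR at LOW) and nothing in the hunk records why, while the other analyzers touched by this commit pick yet other levels for the same idea. A one-line comment on the first new line would keep the levels reviewable, e.g. `// cross-list under the other evidence type so CPEs whose vendor equals the product still match; kept below the primary evidence` — the purpose is inferred, so check it against the commit message. Of the four, ProductName as VENDOR at MEDIUM is the one most likely to pull in unrelated vendor matches and is the one to justify; FileDescription is free text from the version resource, so LOW there looks right. updateDependency continues outside the hunk.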
@@ -313,6 +317,7 @@ private void updateDependency(final AssemblyData data, Dependency dependency) {
 final String originalFilename = data.getOriginalFilename();
 if (!StringUtils.isBlank(originalFilename)) {
 dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "OriginalFilename", originalFilename, Confidence.MEDIUM);
+ dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "OriginalFilename", originalFilename, Confidence.LOW);
 addMatchingValues(data.getNamespaces(), originalFilename, dependency, EvidenceType.PRODUCT);
 if (dependency.getName() == null && StringUtils.containsIgnoreCase(dependency.getActualFile().getName(), originalFilename)) {
 final String ext = FileUtils.getFileExtension(originalFilename);
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
index 4283383e0ce..08c059b8a70 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
@@ -195,12 +195,15 @@ private void extractConfigureScriptEvidence(Dependency dependency,
 if (!value.isEmpty()) {
 if (variable.endsWith("NAME")) {
 dependency.addEvidence(EvidenceType.PRODUCT, name, variable, value, Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.MEDIUM);
 } else if ("VERSION".equals(variable)) {
 dependency.addEvidence(EvidenceType.VERSION, name, variable, value, Confidence.HIGHEST);
 } else if ("BUGREPORT".equals(variable)) {
 dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);
+ dependency.addEvidence(EvidenceType.PRODUCT, name, variable, value, Confidence.MEDIUM);
 } else if ("URL".equals(variable)) {
 dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);
+ dependency.addEvidence(EvidenceType.PRODUCT, name, variable, value, Confidence.MEDIUM);
 }
 }
 }
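Review bot: In the BUGREPORT and URL branches the value now added as PRODUCT evidence at MEDIUM is a bug-report address or the project URL, not a product name, so these are the weakest product signals in the commit yet they rank equal to the NAME-as-VENDOR line above them. Consider `Confidence.LOW` on both new PRODUCT lines, as this commit already uses for derived values in other analyzers, plus a comment on the first new line such as `// cross-listed so a CPE that uses the package name as vendor still matches` (intent inferred; confirm). Note that `variable.endsWith("NAME")` matches every NAME-suffixed variable, so any tarball-name style variable a configure script defines now becomes VENDOR evidence too — probably acceptable, but worth a word in the same comment. extractConfigureScriptEvidence starts before the hunk.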
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
index a4389af7397..4b347bd3061 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
@@ -260,6 +260,7 @@ private void analyzePodspecDependency(Dependency dependency)
 final String summary = determineEvidence(contents, blockVariable, "summary");
 if (!summary.isEmpty()) {
 dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "summary", summary, Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "summary", summary, Confidence.MEDIUM);
 }
 final String author = determineEvidence(contents, blockVariable, "authors?");
@@ -269,6 +270,7 @@ private void analyzePodspecDependency(Dependency dependency)
 final String homepage = determineEvidence(contents, blockVariable, "homepage");
 if (!homepage.isEmpty()) {
 dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "homepage", homepage, Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "homepage", homepage, Confidence.LOW);
 }
 final String license = determineEvidence(contents, blockVariable, "licen[cs]es?");
 if (!license.isEmpty()) {
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
index 3970c58d1c9..43be4322194 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
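Review bot: `summary` is a free-text sentence from the podspec, and the first hunk records it as VENDOR evidence at MEDIUM, one step above the LOW the second hunk gives `homepage` as PRODUCT, although a description is a weaker vendor signal than a URL is a product signal. Consider `dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "summary", summary, Confidence.LOW);` so it cannot rank alongside the genuine vendor fields read just below it, and a comment on the line saying why the cross-listing exists (the intent is inferred from the commit; confirm). analyzePodspecDependency continues outside both hunks.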
@@ -133,7 +133,9 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 d.setSha256sum(Checksum.getSHA256Checksum(filePath));
 d.setMd5sum(Checksum.getMD5Checksum(filePath));
 d.addEvidence(EvidenceType.VENDOR, COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
+ d.addEvidence(EvidenceType.PRODUCT, COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.MEDIUM);
 d.addEvidence(EvidenceType.PRODUCT, COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
+ d.addEvidence(EvidenceType.VENDOR, COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGH);
 d.addEvidence(EvidenceType.VERSION, COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
 return d;
 }).forEach((d) -> {
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/LibmanAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/LibmanAnalyzer.java
index 4a524062d82..71e531cfeb5 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/LibmanAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/LibmanAnalyzer.java
@@ -208,8 +208,10 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
 child.setName(name);
 child.setVersion(version);
- child.addEvidence(EvidenceType.VENDOR, FILE_NAME, "vendor", (vendor != null ? vendor : name),
- Confidence.HIGHEST);
+ if (vendor != null) {
+ child.addEvidence(EvidenceType.VENDOR, FILE_NAME, "vendor", vendor, Confidence.HIGHEST);
+ }
+ child.addEvidence(EvidenceType.VENDOR, FILE_NAME, "name", name, Confidence.HIGH);
 child.addEvidence(EvidenceType.PRODUCT, FILE_NAME, "name", name, Confidence.HIGHEST);
 child.addEvidence(EvidenceType.VERSION, FILE_NAME, "version", version, Confidence.HIGHEST);
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzer.java
index 6a67b07c3e4..f68718e4947 100644
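Review bot: Besides adding `name` as VENDOR evidence, the LibmanAnalyzer rewrite changes an existing path: when `vendor` is null the old code recorded `name` as VENDOR at HIGHEST, the new code records it at HIGH, so the no-vendor case now ranks one step lower than before. That is probably the intended outcome (a library name is not really a vendor), but it is a behaviour change hidden inside what reads as a pure addition, so say so in a comment on the new `"name"` line, e.g. `// name doubles as vendor at HIGH, not HIGHEST, so an explicit vendor always ranks first`. Also confirm `name` cannot be null here: the VENDOR and PRODUCT lines use it unguarded while `vendor` now gets a null check. analyzeDependency starts and ends outside the hunk.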
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzer.java
@@ -185,6 +185,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 child.setMd5sum(Checksum.getMD5Checksum(String.format("%s:%s", id, version)));
 child.addEvidence(EvidenceType.PRODUCT, "msbuild", "id", id, Confidence.HIGHEST);
+ child.addEvidence(EvidenceType.VENDOR, "msbuild", "id", id, Confidence.MEDIUM);
 child.addEvidence(EvidenceType.VERSION, "msbuild", "version", version, Confidence.HIGHEST);
 if (id.indexOf('.') > 0) {
@@ -193,10 +194,12 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 // example: Microsoft.EntityFrameworkCore
 child.addEvidence(EvidenceType.VENDOR, "msbuild", "id", parts[0], Confidence.MEDIUM);
 child.addEvidence(EvidenceType.PRODUCT, "msbuild", "id", parts[1], Confidence.MEDIUM);
+ child.addEvidence(EvidenceType.VENDOR, "msbuild", "id", parts[1], Confidence.LOW);
 if (parts.length > 2) {
 final String rest = id.substring(id.indexOf('.') + 1);
 child.addEvidence(EvidenceType.PRODUCT, "msbuild", "id", rest, Confidence.MEDIUM);
+ child.addEvidence(EvidenceType.VENDOR, "msbuild", "id", rest, Confidence.LOW);
 }
 } else {
 // example: jQuery
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java
index 3e98913ef2e..11417208d6e 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java
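Review bot: In the first hunk the full dotted package id (`Microsoft.EntityFrameworkCore` in the example comment) becomes VENDOR evidence at MEDIUM, the same confidence the second hunk gives the real vendor segment `parts[0]`, so the whole id ranks equal to `Microsoft`, while the derived pieces `parts[1]` and `rest` are added at LOW in the same commit. Consider `child.addEvidence(EvidenceType.VENDOR, "msbuild", "id", id, Confidence.LOW);` for the full id so the segment-derived vendor stays ahead, or add a comment explaining why the whole id should tie with its first segment. The identical three lines are added to NugetconfAnalyzer in this commit, so the dotted-id splitting is now copy-pasted in two places and would be better as one shared helper. Both hunks cut through analyzeDependency.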
@@ -182,6 +182,7 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
 child.setMd5sum(Checksum.getMD5Checksum(String.format("%s:%s", id, version)));
 child.addEvidence(EvidenceType.VERSION, "packages.config", "version", np.getVersion(), Confidence.HIGHEST);
 child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", np.getId(), Confidence.HIGHEST);
+ child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", np.getId(), Confidence.MEDIUM);
 // handle package names the same way as the MSBuild analyzer
 if (id.indexOf('.') > 0) {
@@ -190,10 +191,12 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
 // example: Microsoft.EntityFrameworkCore
 child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", parts[0], Confidence.MEDIUM);
 child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", parts[1], Confidence.MEDIUM);
+ child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", parts[1], Confidence.LOW);
 if (parts.length > 2) {
 final String rest = id.substring(id.indexOf('.') + 1);
 child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", rest, Confidence.MEDIUM);
+ child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", rest, Confidence.LOW);
 }
 } else {
 // example: jQuery
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
index 5f3124dc0c4..44aeb555023 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
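Review bot: The new line in the first hunk reads the id through `np.getId()` while the split logic two lines below works on the local `id`, so the same value enters the evidence under two spellings unless they are guaranteed equal; use `id` for the new line too (`child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", id, Confidence.MEDIUM);`) or confirm `id` is not a normalised copy of `np.getId()`. The second hunk duplicates the MSBuildProjectAnalyzer change line for line, as the existing comment `// handle package names the same way as the MSBuild analyzer` already admits; with three new lines on each side this is the moment to move the dotted-id splitting into a shared helper so the two analyzers cannot drift. Both hunks cut through analyzeDependency.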
@@ -158,6 +158,7 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
 dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "authors", np.getAuthors(), Confidence.HIGH);
 dependency.addEvidence(EvidenceType.VERSION, "nuspec", "version", np.getVersion(), Confidence.HIGHEST);
 dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "id", np.getId(), Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "id", np.getId(), Confidence.HIGH);
 dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "description", np.getDescription(), Confidence.LOW);
 dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "description", np.getDescription(), Confidence.LOW);
 dependency.setName(np.getId());
@@ -178,6 +179,7 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
 }
 if (np.getTitle() != null) {
 dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "title", np.getTitle(), Confidence.MEDIUM);
+ dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "title", np.getTitle(), Confidence.LOW);
 }
 } catch (Throwable e) {
 throw new AnalysisException(e);
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PEAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PEAnalyzer.java
index d097daa7469..3d8f23c76b3 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/PEAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/PEAnalyzer.java
@@ -185,6 +185,7 @@ protected void analyzeDependency(final Dependency dependency, final Engine engin
 break;
 case "InternalName":
 dependency.addEvidence(EvidenceType.PRODUCT, "PE Header", "InternalName", value, Confidence.MEDIUM);
+ dependency.addEvidence(EvidenceType.VENDOR, "PE Header", "InternalName", value, Confidence.LOW);
 determineDependencyName(dependency, value);
 break;
 case "LegalCopyright":
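Review bot: `np.getId()` becomes VENDOR evidence at HIGH in the first NuspecAnalyzer hunk, but the same NuGet package id is added as VENDOR at MEDIUM in the MSBuildProjectAnalyzer and NugetconfAnalyzer hunks of this commit, so one identifier is ranked differently depending on which file it was read from, and here it ties with the explicitly declared `authors` field. Unless the .nuspec is meant to be trusted more than the other two sources, use `Confidence.MEDIUM` to line up with them and keep `authors` ahead. A comment on the new line stating the intended ordering (authors above id above description, if that is the intent) would make the choice reviewable. analyzeDependency continues outside the hunk.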
@@ -201,6 +202,7 @@ protected void analyzeDependency(final Dependency dependency, final Engine engin
 break;
 case "ProductName":
 dependency.addEvidence(EvidenceType.PRODUCT, "PE Header", "ProductName", value, Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VENDOR, "PE Header", "ProductName", value, Confidence.MEDIUM);
 determineDependencyName(dependency, value);
 break;
 default:
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
index b62e006681e..0be4239329f 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
@@ -207,6 +207,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 d.setEcosystem(Ecosystem.JAVA);
 d.addEvidence(EvidenceType.VENDOR, "project", "groupid", group, Confidence.HIGHEST);
 d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", artifact, Confidence.HIGHEST);
+ d.addEvidence(EvidenceType.VENDOR, "project", "artifactid", artifact, Confidence.HIGH);
 d.addEvidence(EvidenceType.VERSION, "project", "version", version, Confidence.HIGHEST);
 d.setName(String.format("%s:%s", group, artifact));
 d.setFilePath(String.format("%s>>%s", dependency.getActualFile(), dep.getCoord()));
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
index 059abe4a3b2..8396fb8f6e2 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
@@ -211,6 +211,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine)
 //"The __init__.py files are required to make Python treat the directories as containing packages"
 //see section "6.4 Packages" from https://docs.python.org/2/tutorial/modules.html;
 dependency.addEvidence(EvidenceType.PRODUCT, file.getName(), "PackageName", parentName, Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VENDOR, file.getName(), "PackageName", parentName, Confidence.MEDIUM);
 dependency.setName(parentName);
 final File[] fileList = parent.listFiles(PY_FILTER);
diff --git a/core/src/main/java/org/owasp/dependencycheck/processing/BundlerAuditProcessor.java b/core/src/main/java/org/owasp/dependencycheck/processing/BundlerAuditProcessor.java
index f962db627ce..091224ab5a9 100644
--- a/core/src/main/java/org/owasp/dependencycheck/processing/BundlerAuditProcessor.java
+++ b/core/src/main/java/org/owasp/dependencycheck/processing/BundlerAuditProcessor.java
@@ -319,6 +319,7 @@ private Dependency createDependencyForGem(Engine engine, File gemFile, String pa
 dependency.setSha1sum(Checksum.getSHA1Checksum(displayFileName));
 dependency.setEcosystem(DEPENDENCY_ECOSYSTEM);
 dependency.addEvidence(EvidenceType.PRODUCT, "bundler-audit", "Name", gem, Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VENDOR, "bundler-audit", "Name", gem, Confidence.HIGH);
 //TODO add package URL - note, this may require parsing the gemfile.lock and getting the version for each entry
 dependency.setDisplayFileName(displayFileName);
diff --git a/core/src/main/java/org/owasp/dependencycheck/processing/MixAuditProcessor.java b/core/src/main/java/org/owasp/dependencycheck/processing/MixAuditProcessor.java
index 3dda31c7b61..342a529d7d0 100644
--- a/core/src/main/java/org/owasp/dependencycheck/processing/MixAuditProcessor.java
+++ b/core/src/main/java/org/owasp/dependencycheck/processing/MixAuditProcessor.java
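Review bot: The BundlerAuditProcessor hunk records the gem name as VENDOR at HIGH, while the PythonPackageAnalyzer hunk just above records a package directory name as VENDOR at MEDIUM and the MixAuditProcessor hunk below uses HIGH again; all three are bare ecosystem package names with no vendor component, so they carry the same amount of vendor information and should get one confidence, chosen once and written down. Whichever level is picked, add a comment on the new line such as `// the gem name stands in for the vendor; bundler-audit output carries no vendor field` (wording to confirm) so the next reader does not re-derive the reasoning. createDependencyForGem starts before the hunk.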
@@ -166,6 +166,7 @@ private Dependency createDependency(Dependency parentDependency, String packageN
 dep.addEvidence(EvidenceType.VERSION, "mix_audit", "Version", version, Confidence.HIGHEST);
 dep.addEvidence(EvidenceType.PRODUCT, "mix_audit", "Package", packageName, Confidence.HIGHEST);
+ dep.addEvidence(EvidenceType.VENDOR, "mix_audit", "Package", packageName, Confidence.HIGH);
 try {
 final PackageURL purl = PackageURLBuilder.aPackageURL().withType("hex").withName(packageName)
diff --git a/core/src/test/java/org/owasp/dependencycheck/EngineIT.java b/core/src/test/java/org/owasp/dependencycheck/EngineIT.java
index c4a4e31ee5b..8917aa57e9b 100644
--- a/core/src/test/java/org/owasp/dependencycheck/EngineIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/EngineIT.java
@@ -120,6 +120,7 @@ public void testEngine() throws IOException, InvalidSettingException, DatabaseEx
 allowedMessages.add("../tmp/evil.txt");
 allowedMessages.add("malformed input off : 5, length : 1");
 allowedMessages.add("Python `pyproject.toml` found and there is not a `poetry.lock` or `requirements.txt`");
+ allowedMessages.add("file from the NPM Audit API (PnpmAuditAnalyzer)");
 for (Throwable t : ex.getExceptions()) {
 boolean isOk = false;
 if (t.getMessage() != null) {
diff --git a/core/src/test/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgentIT.java b/core/src/test/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgentIT.java
index bcd74ab60ec..959ec75bcee 100644
--- a/core/src/test/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgentIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgentIT.java
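Review bot: Adding `"file from the NPM Audit API (PnpmAuditAnalyzer)"` to `allowedMessages` in the EngineIT hunk makes testEngine accept any exception whose message contains that substring, so a genuine PnpmAuditAnalyzer regression that surfaces with the same text will no longer fail the integration test. If the motivation is network flakiness in CI (inferred — the message names a remote API), it is safer to accept this message only when the exception's cause chain is an I/O or connection failure rather than on text alone; the loop that consumes `allowedMessages` continues past the hunk, so that check belongs where `isOk` is set. At minimum, add a comment on the new line naming the expected trigger, e.g. `// pnpm audit needs network access; tolerate the API being unreachable`, so the allowance is not mistaken for a known-broken analyzer.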
@@ -80,6 +80,7 @@ private Dependency createDependency(final String vendor, final String name, fina
 }
 if (name != null) {
 dependency.addEvidence(EvidenceType.PRODUCT, "dependency-track", "name", name, Confidence.HIGHEST);
+ dependency.addEvidence(EvidenceType.VENDOR, "dependency-track", "name", name, Confidence.HIGH);
 dependency.addProductWeighting(name);
 }
 if (version != null) {