org.owasp.dependencycheck.analyzer

Class AbstractDependencyComparingAnalyzer

java.lang.Object

org.owasp.dependencycheck.analyzer.AbstractAnalyzer

org.owasp.dependencycheck.analyzer.AbstractDependencyComparingAnalyzer

All Implemented Interfaces:

Analyzer

Direct Known Subclasses:

DependencyBundlingAnalyzer, DependencyMergingAnalyzer

@ThreadSafe
public abstract class AbstractDependencyComparingAnalyzer
extends AbstractAnalyzer

This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the same relative path then these should be grouped into a single dependency under the core/main library.

Note, this grouping only works on dependencies with identified CVE entries

Author:

Jeremy Long

Constructor Summary

Constructors

Constructor and Description
AbstractDependencyComparingAnalyzer()

Method Summary

Modifier and Type	Method and Description
protected void	analyzeDependency(Dependency ignore, Engine engine) Analyzes a set of dependencies.
protected abstract boolean	evaluateDependencies(Dependency dependency, Dependency nextDependency, java.util.Set<Dependency> dependenciesToRemove) Evaluates the dependencies
protected boolean	getAnalyzed() Returns a flag indicating if this analyzer has run.
boolean	supportsParallelProcessing() Does not support parallel processing as it only runs once and then operates on all dependencies.

Methods inherited from class org.owasp.dependencycheck.analyzer.AbstractAnalyzer

analyze, close, closeAnalyzer, getAnalyzerEnabledSettingKey, getSettings, initialize, isEnabled, prepare, prepareAnalyzer, setEnabled

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.owasp.dependencycheck.analyzer.Analyzer

getAnalysisPhase, getName

Constructor Detail

AbstractDependencyComparingAnalyzer

public AbstractDependencyComparingAnalyzer()

Method Detail

getAnalyzed

protected boolean getAnalyzed()

Returns a flag indicating if this analyzer has run. This analyzer only runs once. Note this is currently only used in the unit tests.

Returns:

a flag indicating if this analyzer has run. This analyzer only runs once

supportsParallelProcessing

public final boolean supportsParallelProcessing()

Does not support parallel processing as it only runs once and then operates on all dependencies.

Specified by:

supportsParallelProcessing in interface Analyzer

Overrides:

supportsParallelProcessing in class AbstractAnalyzer

Returns:

whether or not parallel processing is enabled

See Also:

AbstractAnalyzer.analyze(Dependency, Engine)

analyzeDependency

protected void analyzeDependency(Dependency ignore,
                                 Engine engine)
                          throws AnalysisException

Analyzes a set of dependencies. If they have been found to have the same base path and the same set of identifiers they are likely related. The related dependencies are bundled into a single reportable item.

Specified by:

analyzeDependency in class AbstractAnalyzer

Parameters:

ignore - this analyzer ignores the dependency being analyzed

engine - the engine that is scanning the dependencies

Throws:

AnalysisException - is thrown if there is an error reading the JAR file.

evaluateDependencies

protected abstract boolean evaluateDependencies(Dependency dependency,
                                                Dependency nextDependency,
                                                java.util.Set<Dependency> dependenciesToRemove)

Evaluates the dependencies

Parameters:

dependency - a dependency to compare

nextDependency - a dependency to compare

dependenciesToRemove - a set of dependencies that will be removed

Returns:

true if a dependency is removed; otherwise false