From 40f4e91d76dc1cfa270834794611d7966bf3cf54 Mon Sep 17 00:00:00 2001 From: Jordan Strong Date: Fri, 24 Feb 2023 10:01:35 -0500 Subject: [PATCH 1/2] Reduce number of CVE collisions dependency-check/dependency-check-sonar-plugin#682 --- .../base/DependencyCheckUtils.java | 2 +- .../reason/DependencyReason.java | 12 ++-- .../reason/GradleDependencyReason.java | 45 +++++++------- .../reason/MavenDependencyReason.java | 58 ++++++++++++------- .../reason/NPMDependencyReason.java | 17 +++--- .../reason/GradleDependencyReasonTest.java | 12 ++-- .../reason/MavenDependencyReasonTest.java | 34 +++++------ .../reason/NPMDependencyReasonTest.java | 20 +++---- 8 files changed, 111 insertions(+), 89 deletions(-) diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckUtils.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckUtils.java index 47797eca..1f986761 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckUtils.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckUtils.java @@ -186,7 +186,7 @@ public static boolean summarizeVulnerabilities(Configuration config) { public static Optional getBestDependencyReason(@NonNull Dependency dependency, @NonNull Collection dependencyReasons) { - Comparator comparatorTextRange = Comparator.comparing(r -> r.getBestTextRange(dependency)); + Comparator comparatorTextRange = Comparator.comparing(r -> r.getBestTextRange(dependency, null)); // Shorter Files-Names indicates to be a root configuration file Comparator comparatorFileLength = Comparator.comparingInt(r -> r.getInputComponent().toString().length()); diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/DependencyReason.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/DependencyReason.java index a5177d83..9fb5c1ca 100644 
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/DependencyReason.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/DependencyReason.java @@ -21,6 +21,7 @@ package org.sonar.dependencycheck.reason; import java.util.List; +import java.util.Map; import org.sonar.api.batch.fs.InputComponent; import org.sonar.api.batch.fs.InputFile; @@ -76,8 +77,9 @@ public Language getLanguage() { return language; } - protected static TextRangeConfidence addDependencyToFirstLine(Dependency dependency, InputFile inputFile) { - LOGGER.debug("We haven't found a TextRange for {} in {}. We link to first line with {} confidence", dependency.getFileName(), inputFile, Confidence.LOW); + protected static TextRangeConfidence addDependencyToFirstLine(Map k, InputFile inputFile) { + Dependency dependency = k.entrySet().iterator().next().getKey(); + LOGGER.debug("We haven't found a TextRange for {} in {}. We link to first line with {} confidence", dependency.getFileName(), inputFile, Confidence.LOW); return new TextRangeConfidence(inputFile.selectLine(1), Confidence.LOW); } /** @@ -87,7 +89,7 @@ protected static TextRangeConfidence addDependencyToFirstLine(Dependency depende * @return TextRange */ @NonNull - public abstract TextRangeConfidence getBestTextRange(Dependency dependency); + public abstract TextRangeConfidence getBestTextRange(Dependency dependency, Vulnerability vulnerability); public void addIssue(SensorContext context, Dependency dependency) { dependency.sortVulnerabilityBycvssScore(context.config()); 
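Review bot: The new `addDependencyToFirstLine(Map k, InputFile inputFile)` in hunk @@ -76 unwraps its argument with `k.entrySet().iterator().next().getKey()`, which throws NoSuchElementException on an empty map and bakes the subclasses' map-as-key scheme into the base class. The helper only needs the Dependency for its log message, so the old signature can stay and each caller pass the dependency it already has in scope, e.g. `dependencyMap.computeIfAbsent(Collections.singletonMap(dependency, vulnerability), k -> addDependencyToFirstLine(dependency, buildGradle));`. The type arguments of the `Map` parameter are not visible on this page; if it is declared raw, give it its key and value types.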
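Review bot: The Javadoc of the abstract `getBestTextRange` in hunk @@ -87 still documents only the return value; the new `vulnerability` parameter and the meaning of passing `null` (the dependency-level issue, as `addIssue(SensorContext, Dependency)` does just below) are undocumented. I'd add `@param vulnerability the vulnerability the issue is raised for, or {@code null} when locating the dependency itself` next to the existing `@return TextRange` line. Since implementations now cache per (dependency, vulnerability) pair, it is also worth stating whether the returned range is allowed to differ between the two modes.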
@@ -95,7 +97,7 @@ public void addIssue(SensorContext context, Dependency dependency) { Vulnerability highestVulnerability = vulnerabilities.get(0); Severity severity = DependencyCheckUtils.cvssToSonarQubeSeverity(highestVulnerability.getCvssScore(context.config()), context.config()); - TextRangeConfidence textRange = getBestTextRange(dependency); + TextRangeConfidence textRange = getBestTextRange(dependency, null); InputComponent inputComponent = getInputComponent(); NewIssue sonarIssue = context.newIssue(); @@ -116,7 +118,7 @@ public void addIssue(SensorContext context, Dependency dependency) { public void addIssue(SensorContext context, Dependency dependency, Vulnerability vulnerability) { Severity severity = DependencyCheckUtils.cvssToSonarQubeSeverity(vulnerability.getCvssScore(context.config()), context.config()); - TextRangeConfidence textRange = getBestTextRange(dependency); + TextRangeConfidence textRange = getBestTextRange(dependency, vulnerability); InputComponent inputComponent = getInputComponent(); NewIssue sonarIssue = context.newIssue(); diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java index ab558c98..4d229b92 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java @@ -22,6 +22,7 @@ import java.io.IOException; import java.util.Collection; +import java.util.Collections; import java.util.HashMap; import java.util.Map; import java.util.Optional; 
@@ -36,15 +37,17 @@ import org.sonar.dependencycheck.parser.element.Confidence; import org.sonar.dependencycheck.parser.element.Dependency; import org.sonar.dependencycheck.parser.element.IncludedBy; +import org.sonar.dependencycheck.parser.element.Vulnerability; import org.sonar.dependencycheck.reason.maven.MavenDependency; import edu.umd.cs.findbugs.annotations.NonNull; +import edu.umd.cs.findbugs.annotations.Nullable; public class GradleDependencyReason extends DependencyReason { private final InputFile buildGradle; private String content; - private final Map dependencyMap; + private final Map, TextRangeConfidence> dependencyMap; private static final Logger LOGGER = Loggers.get(GradleDependencyReason.class); 
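Review bot: Using a singleton `Map` as the key type of `dependencyMap` (hunk @@ -36 here, and likewise in the MavenDependencyReason and NPMDependencyReason field hunks) is a point of style: the key's meaning is invisible from the type, and every lookup has to allocate a `Collections.singletonMap(...)`. A small private static key class (or a record, if the project already targets Java 16+) holding the dependency and the vulnerability, with `equals`/`hashCode` over both fields, says what the cache is keyed on and lets `addDependencyToFirstLine` take it directly. Either way the scheme relies on `Vulnerability` having value-based `equals`/`hashCode` or on the same instance being reused per dependency; I cannot see that class here, so please confirm, otherwise repeated lookups for the same CVE will miss the cache.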
@@ -62,45 +65,45 @@ public GradleDependencyReason(@NonNull InputFile buildGradle) { @Override @NonNull - public TextRangeConfidence getBestTextRange(@NonNull Dependency dependency) { + public TextRangeConfidence getBestTextRange(@NonNull Dependency dependency, @Nullable Vulnerability vulnerability) { if (dependencyMap.containsKey(dependency)) { return dependencyMap.get(dependency); } else { Optional mavenDependency = DependencyCheckUtils.getMavenDependency(dependency); if (mavenDependency.isPresent()) { - fillArtifactMatch(dependency, mavenDependency.get()); + fillArtifactMatch(dependency, vulnerability, mavenDependency.get()); } else { LOGGER.debug("No artifactId found for Dependency {}", dependency.getFileName()); } Optional> includedBys = dependency.getIncludedBy(); if (includedBys.isPresent()) { - workOnIncludedBy(dependency, includedBys.get()); + workOnIncludedBy(dependency, vulnerability, includedBys.get()); } - dependencyMap.computeIfAbsent(dependency, k -> addDependencyToFirstLine(k, buildGradle)); + dependencyMap.computeIfAbsent(Collections.singletonMap(dependency, vulnerability), k -> addDependencyToFirstLine(k, buildGradle)); } - return dependencyMap.get(dependency); + return dependencyMap.get(Collections.singletonMap(dependency, vulnerability)); } - private void workOnIncludedBy(@NonNull Dependency dependency, Collection includedBys) { + private void workOnIncludedBy(@NonNull Dependency dependency, @Nullable Vulnerability vulnerability, Collection includedBys) { for (IncludedBy includedBy : includedBys) { String reference = includedBy.getReference(); if (StringUtils.isNotBlank(reference)) { Optional softwareDependency = DependencyCheckUtils.convertToSoftwareDependency(reference); if (softwareDependency.isPresent() && DependencyCheckUtils.isMavenDependency(softwareDependency.get())) { - fillArtifactMatch(dependency, (MavenDependency) softwareDependency.get()); + fillArtifactMatch(dependency, vulnerability, (MavenDependency) softwareDependency.get()); } } 
} } - private void putDependencyMap(@NonNull Dependency dependency, TextRangeConfidence newTextRange) { + private void putDependencyMap(@NonNull Dependency dependency, @Nullable Vulnerability vulnerability, TextRangeConfidence newTextRange) { if (dependencyMap.containsKey(dependency)) { TextRangeConfidence oldTextRange = dependencyMap.get(dependency); if (oldTextRange.getConfidence().compareTo(newTextRange.getConfidence()) > 0) { - dependencyMap.put(dependency, newTextRange); + dependencyMap.put(Collections.singletonMap(dependency, vulnerability), newTextRange); } } else { - dependencyMap.put(dependency, newTextRange); + dependencyMap.put(Collections.singletonMap(dependency, vulnerability), newTextRange); } } @@ -111,7 +114,7 @@ private void putDependencyMap(@NonNull Dependency dependency, TextRangeConfidenc * @param mavenDependency Identifier for gradle * @return TextRange if found in gradle, else null */ - private void fillArtifactMatch(@NonNull Dependency dependency, MavenDependency mavenDependency) { + private void fillArtifactMatch(@NonNull Dependency dependency, @Nullable Vulnerability vulnerability, MavenDependency mavenDependency) { try (final Scanner scanner = new Scanner(content)) { int linenumber = 0; while (scanner.hasNextLine()) { 
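Review bot: `getBestTextRange` and `putDependencyMap` in this hunk still call `dependencyMap.containsKey(dependency)` and `dependencyMap.get(dependency)` with the bare `Dependency`, while every write now uses `Collections.singletonMap(dependency, vulnerability)` as the key, so those lookups can never match. The consequences are that the early-return branch of `getBestTextRange` is dead and the build file is rescanned on every call, and that the confidence comparison in `putDependencyMap` never runs, so the last match written wins instead of the best one (the `else if` chain in the next hunk relies on that comparison to keep a HIGH match over a later MEDIUM one). The same mismatch is in MavenDependencyReason's `getBestTextRange`/`putDependencyMap` and in NPMDependencyReason's `getBestTextRange` further down. Build the key once and use it for every access:
```java
    public TextRangeConfidence getBestTextRange(@NonNull Dependency dependency, @Nullable Vulnerability vulnerability) {
        Map<Dependency, Vulnerability> key = Collections.singletonMap(dependency, vulnerability);
        if (!dependencyMap.containsKey(key)) {
            // … unchanged: maven identifier lookup, fillArtifactMatch and workOnIncludedBy …
            dependencyMap.computeIfAbsent(key, k -> addDependencyToFirstLine(k, buildGradle));
        }
        return dependencyMap.get(key);
    }

    // … unchanged: workOnIncludedBy …

    private void putDependencyMap(@NonNull Dependency dependency, @Nullable Vulnerability vulnerability, TextRangeConfidence newTextRange) {
        Map<Dependency, Vulnerability> key = Collections.singletonMap(dependency, vulnerability);
        TextRangeConfidence oldTextRange = dependencyMap.get(key);
        // keep the entry with the better confidence; only replace when the stored one is worse
        if (oldTextRange == null || oldTextRange.getConfidence().compareTo(newTextRange.getConfidence()) > 0) {
            dependencyMap.put(key, newTextRange);
        }
    }
```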
@@ -123,18 +126,18 @@ private void fillArtifactMatch(@NonNull Dependency dependency, MavenDependency m if (depVersion.isPresent() && lineFromFile.contains(depVersion.get())) { LOGGER.debug("Found a artifactId, groupId and version match in {}", buildGradle); - putDependencyMap(dependency, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.HIGHEST)); + putDependencyMap(dependency, vulnerability, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.HIGHEST)); + return; + } else { + LOGGER.debug("Found a artifactId and groupId match in {} on line {}", buildGradle, linenumber); + putDependencyMap(dependency, vulnerability, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.HIGH)); } - LOGGER.debug("Found a artifactId and groupId match in {} on line {}", buildGradle, linenumber); - putDependencyMap(dependency, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.HIGH)); - } - if (lineFromFile.contains(mavenDependency.getArtifactId())) { + } else if (lineFromFile.contains(mavenDependency.getArtifactId())) { LOGGER.debug("Found a artifactId match in {} for {}", buildGradle, mavenDependency.getArtifactId()); - putDependencyMap(dependency, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.MEDIUM)); - } - if (lineFromFile.contains(mavenDependency.getGroupId())) { + putDependencyMap(dependency, vulnerability, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.MEDIUM)); + } else if (lineFromFile.contains(mavenDependency.getGroupId())) { LOGGER.debug("Found a groupId match in {} for {}", buildGradle, mavenDependency.getGroupId()); - putDependencyMap(dependency, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.MEDIUM)); + putDependencyMap(dependency, vulnerability, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.MEDIUM)); } } } 
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/MavenDependencyReason.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/MavenDependencyReason.java index c0b7f193..38c07b76 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/MavenDependencyReason.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/MavenDependencyReason.java @@ -21,7 +21,9 @@ package org.sonar.dependencycheck.reason; import java.io.IOException; +import java.math.BigInteger; import java.util.Collection; +import java.util.Collections; import java.util.HashMap; import java.util.Map; import java.util.Optional; @@ -37,16 +39,18 @@ import org.sonar.dependencycheck.parser.element.Confidence; import org.sonar.dependencycheck.parser.element.Dependency; import org.sonar.dependencycheck.parser.element.IncludedBy; +import org.sonar.dependencycheck.parser.element.Vulnerability; import org.sonar.dependencycheck.reason.maven.MavenDependency; import org.sonar.dependencycheck.reason.maven.MavenDependencyLocation; import org.sonar.dependencycheck.reason.maven.MavenPomModel; import edu.umd.cs.findbugs.annotations.NonNull; +import edu.umd.cs.findbugs.annotations.Nullable; public class MavenDependencyReason extends DependencyReason { private final InputFile pom; - private final Map dependencyMap; + private final Map, TextRangeConfidence> dependencyMap; private MavenPomModel pomModel; private static final Logger LOGGER = Loggers.get(MavenDependencyReason.class); 
@@ -66,30 +70,30 @@ public MavenDependencyReason(@NonNull InputFile pom) { @Override @NonNull - public TextRangeConfidence getBestTextRange(@NonNull Dependency dependency) { + public TextRangeConfidence getBestTextRange(@NonNull Dependency dependency, @Nullable Vulnerability vulnerability) { if (!dependencyMap.containsKey(dependency)) { Optional mavenDependency = DependencyCheckUtils.getMavenDependency(dependency); if (mavenDependency.isPresent()) { - fillArtifactMatch(dependency, mavenDependency.get()); + fillArtifactMatch(dependency, vulnerability, mavenDependency.get()); } else { LOGGER.debug("No Identifier with type maven found for Dependency {}", dependency.getFileName()); } Optional> includedBys = dependency.getIncludedBy(); if (includedBys.isPresent()) { - workOnIncludedBy(dependency, includedBys.get()); + workOnIncludedBy(dependency, vulnerability, includedBys.get()); } - dependencyMap.computeIfAbsent(dependency, k -> addDependencyToFirstLine(k, pom)); + dependencyMap.computeIfAbsent(Collections.singletonMap(dependency, vulnerability), k -> addDependencyToFirstLine(k, pom)); } - return dependencyMap.get(dependency); + return dependencyMap.get(Collections.singletonMap(dependency, vulnerability)); } - private void workOnIncludedBy(@NonNull Dependency dependency, Collection includedBys) { + private void workOnIncludedBy(@NonNull Dependency dependency, @Nullable Vulnerability vulnerability, Collection includedBys) { for (IncludedBy includedBy : includedBys) { String reference = includedBy.getReference(); if (StringUtils.isNotBlank(reference)) { Optional softwareDependency = DependencyCheckUtils.convertToSoftwareDependency(reference); if (softwareDependency.isPresent() && DependencyCheckUtils.isMavenDependency(softwareDependency.get())) { - fillArtifactMatch(dependency, (MavenDependency) softwareDependency.get()); + fillArtifactMatch(dependency, vulnerability, (MavenDependency) softwareDependency.get()); } } } 
@@ -99,30 +103,40 @@ private void workOnIncludedBy(@NonNull Dependency dependency, Collection + private void fillArtifactMatch(@NonNull Dependency dependency, @Nullable Vulnerability vulnerability, MavenDependency mavenDependency) { + BigInteger cveNum = BigInteger.valueOf(0); + if(vulnerability != null) { + String name = vulnerability.getName().replaceAll("[^\\d]", ""); + if(!StringUtils.isEmpty(name)) { + cveNum = new BigInteger(name); + } + } + + final int cve = cveNum.intValue(); + + // Try to find in for (MavenDependencyLocation mavenDependencyLocation : pomModel.getDependencies()) { - checkPomDependency(mavenDependency, mavenDependencyLocation) - .ifPresent(textRange -> putDependencyMap(dependency, textRange)); + checkPomDependency(mavenDependency, mavenDependencyLocation, cve) + .ifPresent(textRange -> putDependencyMap(dependency, vulnerability, textRange)); } // Check Parent if present pomModel.getParent() - .ifPresent(parent -> checkPomDependency(mavenDependency, parent) - .ifPresent(textRange -> putDependencyMap(dependency, textRange))); + .ifPresent(parent -> checkPomDependency(mavenDependency, parent, cve) + .ifPresent(textRange -> putDependencyMap(dependency, vulnerability, textRange))); } - private void putDependencyMap(@NonNull Dependency dependency, TextRangeConfidence newTextRange) { + private void putDependencyMap(@NonNull Dependency dependency, @Nullable Vulnerability vulnerability, TextRangeConfidence newTextRange) { if (dependencyMap.containsKey(dependency)) { TextRangeConfidence oldTextRange = dependencyMap.get(dependency); if (oldTextRange.getConfidence().compareTo(newTextRange.getConfidence()) > 0) { - dependencyMap.put(dependency, newTextRange); + dependencyMap.put(Collections.singletonMap(dependency, vulnerability), newTextRange); } } else { - dependencyMap.put(dependency, newTextRange); + dependencyMap.put(Collections.singletonMap(dependency, vulnerability), newTextRange); } } - private Optional checkPomDependency(MavenDependency 
mavenDependency, MavenDependencyLocation mavenDependencyLocation) { + private Optional checkPomDependency(MavenDependency mavenDependency, MavenDependencyLocation mavenDependencyLocation, int cveNum) { if (StringUtils.equals(mavenDependency.getArtifactId(), mavenDependencyLocation.getArtifactId()) && StringUtils.equals(mavenDependency.getGroupId(), mavenDependencyLocation.getGroupId())) { Optional depVersion = mavenDependency.getVersion(); 
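Review bot: The numeric id that `fillArtifactMatch` derives from `vulnerability.getName().replaceAll("[^\\d]", "")` is lossy and can overflow: identifiers that are not plain CVE ids (advisory ids mixing letters and digits) collapse to an arbitrary number, and `cveNum.intValue()` silently wraps for anything above Integer.MAX_VALUE, which a seven-digit sequence part already reaches (constructed example: `CVE-2024-1234567` becomes 20241234567). Going through `BigInteger` only to truncate to `int` buys nothing; `Integer.parseInt` inside a try/catch for NumberFormatException with an explicit fallback would be clearer, and if `getName()` can return null (I cannot tell from the Vulnerability class here) that needs a guard as well. The deeper question is what the number is used for in `checkPomDependency` in the next hunk; if it stops being fed into the text range, this parsing can go away entirely. Note that this hunk cuts through `checkPomDependency`'s signature, whose body continues in the following hunk.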
@@ -130,18 +144,18 @@ private Optional checkPomDependency(MavenDependency mavenDe if (depVersion.isPresent() && depLocVersion.isPresent() && StringUtils.equals(depVersion.get(), depLocVersion.get())) { LOGGER.debug("Found a artifactId, groupId and version match in {} ({} - {})", pom, mavenDependencyLocation.getStartLineNr(), mavenDependencyLocation.getEndLineNr()); - return Optional.of(new TextRangeConfidence(pom.newRange(pom.selectLine(mavenDependencyLocation.getStartLineNr()).start(), pom.selectLine(mavenDependencyLocation.getEndLineNr()).end()), Confidence.HIGHEST)); + return Optional.of(new TextRangeConfidence(pom.newRange(mavenDependencyLocation.getStartLineNr(), cveNum, mavenDependencyLocation.getEndLineNr(), cveNum + 1), Confidence.HIGHEST)); } LOGGER.debug("Found a artifactId and groupId match in {} ({} - {})", pom, mavenDependencyLocation.getStartLineNr(), mavenDependencyLocation.getEndLineNr()); - return Optional.of(new TextRangeConfidence(pom.newRange(pom.selectLine(mavenDependencyLocation.getStartLineNr()).start(), pom.selectLine(mavenDependencyLocation.getEndLineNr()).end()), Confidence.HIGH)); + return Optional.of(new TextRangeConfidence(pom.newRange(mavenDependencyLocation.getStartLineNr(), cveNum, mavenDependencyLocation.getEndLineNr(), cveNum + 1), Confidence.HIGH)); } if (StringUtils.equals(mavenDependency.getArtifactId(), mavenDependencyLocation.getArtifactId())) { LOGGER.debug("Found a artifactId match in {} ({} - {})", pom, mavenDependencyLocation.getStartLineNr(), mavenDependencyLocation.getEndLineNr()); - return Optional.of(new TextRangeConfidence(pom.newRange(pom.selectLine(mavenDependencyLocation.getStartLineNr()).start(), pom.selectLine(mavenDependencyLocation.getEndLineNr()).end()), Confidence.MEDIUM)); + return Optional.of(new TextRangeConfidence(pom.newRange(mavenDependencyLocation.getStartLineNr(), cveNum, mavenDependencyLocation.getEndLineNr(), cveNum + 1), Confidence.MEDIUM)); } if (StringUtils.equals(mavenDependency.getGroupId(), 
mavenDependencyLocation.getGroupId())) { LOGGER.debug("Found a groupId match in {} ({} - {})", pom, mavenDependencyLocation.getStartLineNr(), mavenDependencyLocation.getEndLineNr()); - return Optional.of(new TextRangeConfidence(pom.newRange(pom.selectLine(mavenDependencyLocation.getStartLineNr()).start(), pom.selectLine(mavenDependencyLocation.getEndLineNr()).end()), Confidence.MEDIUM)); + return Optional.of(new TextRangeConfidence(pom.newRange(mavenDependencyLocation.getStartLineNr(), cveNum, mavenDependencyLocation.getEndLineNr(), cveNum + 1), Confidence.MEDIUM)); } return Optional.empty(); } diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java index ad16074a..0e02fcff 100644 --- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java +++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java @@ -21,6 +21,7 @@ package org.sonar.dependencycheck.reason; import java.io.IOException; +import java.util.Collections; import java.util.HashMap; import java.util.Map; import java.util.Optional; 
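Review bot: `checkPomDependency` now passes the CVE number as the start and end line offsets of `pom.newRange(startLine, cveNum, endLine, cveNum + 1)`, but a line offset is a column, and with a real vulnerability the value is something like 20231234, far beyond any line's length. Unless I misremember, SonarQube's `DefaultInputFile` validates pointer offsets against the line length and rejects such a range with an IllegalArgumentException, so the sensor would fail on the first vulnerable Maven dependency, while the tests only exercise `null` (offset 0). Even for `null` the range now spans column 0 to column 1 of the end line instead of the whole `<dependency>` element, which is why the test expectations dropped from 21 and 13 to 1. I would restore `pom.newRange(pom.selectLine(mavenDependencyLocation.getStartLineNr()).start(), pom.selectLine(mavenDependencyLocation.getEndLineNr()).end())` in all four branches and keep the per-vulnerability distinction in the cache key and the issue message rather than in the range; if the collisions come from issues sharing rule, location and message, a distinct message per CVE is the lever I would check first. The method's signature is in the previous hunk.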
@@ -35,17 +36,19 @@ import org.sonar.dependencycheck.parser.ReportParserException; import org.sonar.dependencycheck.parser.element.Confidence; import org.sonar.dependencycheck.parser.element.Dependency; +import org.sonar.dependencycheck.parser.element.Vulnerability; import org.sonar.dependencycheck.reason.npm.NPMDependency; import org.sonar.dependencycheck.reason.npm.NPMDependencyLocation; import org.sonar.dependencycheck.reason.npm.PackageLockModel; import edu.umd.cs.findbugs.annotations.NonNull; +import edu.umd.cs.findbugs.annotations.Nullable; public class NPMDependencyReason extends DependencyReason { private final InputFile packageLock; private PackageLockModel packageLockModel; - private final Map dependencyMap; + private final Map, TextRangeConfidence> dependencyMap; private static final Logger LOGGER = Loggers.get(NPMDependencyReason.class); 
@@ -75,24 +78,24 @@ public InputComponent getInputComponent() { @NonNull @Override - public TextRangeConfidence getBestTextRange(Dependency dependency) { + public TextRangeConfidence getBestTextRange(Dependency dependency, @Nullable Vulnerability vulnerability) { if (!dependencyMap.containsKey(dependency)) { Optional npmDependency = DependencyCheckUtils.getNPMDependency(dependency); if (npmDependency.isPresent()) { - fillArtifactMatch(dependency, npmDependency.get()); + fillArtifactMatch(dependency, vulnerability, npmDependency.get()); } else { LOGGER.debug("No Identifier with type npm/javascript found for Dependency {}", dependency.getFileName()); } - dependencyMap.computeIfAbsent(dependency, k -> addDependencyToFirstLine(k, packageLock)); + dependencyMap.computeIfAbsent(Collections.singletonMap(dependency, vulnerability), k -> addDependencyToFirstLine(k, packageLock)); } - return dependencyMap.get(dependency); + return dependencyMap.get(Collections.singletonMap(dependency, vulnerability)); } - private void fillArtifactMatch(@NonNull Dependency dependency, NPMDependency npmDependency) { + private void fillArtifactMatch(@NonNull Dependency dependency, @NonNull Vulnerability vulnerability, NPMDependency npmDependency) { // Try to find in for (NPMDependencyLocation npmDependencyLocation : packageLockModel.getDependencies()) { checkNPMDependency(npmDependency, npmDependencyLocation) - .ifPresent(textrange -> dependencyMap.put(dependency, textrange)); + .ifPresent(textrange -> dependencyMap.put(Collections.singletonMap(dependency, vulnerability), textrange)); } } diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/GradleDependencyReasonTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/GradleDependencyReasonTest.java index 23cf8088..0f5e5dff 100644 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/GradleDependencyReasonTest.java 
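Review bot: `fillArtifactMatch` in NPMDependencyReason is annotated `@NonNull Vulnerability vulnerability`, but its only caller, `getBestTextRange` a few lines above, declares the same argument `@Nullable` and receives `null` from `addIssue(SensorContext, Dependency)` and from `DependencyCheckUtils.getBestDependencyReason`. The annotation is what is wrong, not the call; make it `@Nullable` as in the Gradle and Maven variants so static analysis does not flag the call site. `getBestTextRange` here also still tests `dependencyMap.containsKey(dependency)` against a map keyed by singleton maps, the same lookup mismatch as in GradleDependencyReason.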
+++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/GradleDependencyReasonTest.java @@ -76,7 +76,7 @@ void foundDependency() throws IOException { Collection identifiersCollected = new ArrayList<>(); identifiersCollected.add(identifier); Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null); - TextRangeConfidence textRangeConfidence = gradle.getBestTextRange(dependency); + TextRangeConfidence textRangeConfidence = gradle.getBestTextRange(dependency, null); assertNotNull(textRangeConfidence); assertEquals(Confidence.HIGHEST, textRangeConfidence.getConfidence()); assertEquals(24, textRangeConfidence.getTextRange().start().line()); @@ -84,7 +84,7 @@ void foundDependency() throws IOException { assertEquals(24, textRangeConfidence.getTextRange().end().line()); assertEquals(44, textRangeConfidence.getTextRange().end().lineOffset()); // verify that same dependency points to the same TextRange, use of HashMap - assertEquals(gradle.getBestTextRange(dependency), gradle.getBestTextRange(dependency)); + assertEquals(gradle.getBestTextRange(dependency, null), gradle.getBestTextRange(dependency, null)); } @Test 
@@ -97,7 +97,7 @@ void foundDependencyWithIncludedBy() throws IOException { IncludedBy includedBy = new IncludedBy(); includedBy.put(IncludedBy.REFERENCE_KEYWORD, "pkg:maven/org.owasp/dependency-check-gradle@3.3.4"); Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(), Collections.emptyList(), identifiersCollected, Collections.emptyList(), Arrays.asList(includedBy)); - TextRangeConfidence textRangeConfidence = gradle.getBestTextRange(dependency); + TextRangeConfidence textRangeConfidence = gradle.getBestTextRange(dependency, null); assertNotNull(textRangeConfidence); assertEquals(Confidence.HIGHEST, textRangeConfidence.getConfidence()); assertEquals(23, textRangeConfidence.getTextRange().start().line()); @@ -105,7 +105,7 @@ void foundDependencyWithIncludedBy() throws IOException { assertEquals(23, textRangeConfidence.getTextRange().end().line()); assertEquals(53, textRangeConfidence.getTextRange().end().lineOffset()); // verify that same dependency points to the same TextRange, use of HashMap - assertEquals(gradle.getBestTextRange(dependency), gradle.getBestTextRange(dependency)); + assertEquals(gradle.getBestTextRange(dependency, null), gradle.getBestTextRange(dependency, null)); } @Test 
@@ -116,11 +116,11 @@ void foundNoDependency() throws IOException { Collection identifiersCollected = new ArrayList<>(); identifiersCollected.add(identifier); Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null); - TextRangeConfidence textRangeConfidence = gradle.getBestTextRange(dependency); + TextRangeConfidence textRangeConfidence = gradle.getBestTextRange(dependency, null); assertNotNull(textRangeConfidence); assertEquals(LINE_NOT_FOUND, textRangeConfidence.getTextRange().start().line()); assertEquals(Confidence.LOW, textRangeConfidence.getConfidence()); // verify that same dependency points to the same TextRange, use of HashMap - assertEquals(gradle.getBestTextRange(dependency), gradle.getBestTextRange(dependency)); + assertEquals(gradle.getBestTextRange(dependency, null), gradle.getBestTextRange(dependency, null)); } } diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/MavenDependencyReasonTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/MavenDependencyReasonTest.java index f2d6ab0d..09ec9f89 100644 --- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/MavenDependencyReasonTest.java +++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/MavenDependencyReasonTest.java 
@@ -76,16 +76,16 @@ void foundDependency() throws IOException { Collection packageidentifiers1 = new ArrayList<>(); packageidentifiers1.add(identifier1); Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList(), null); - TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency); + TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency, null); assertTrue(maven.isReasonable()); assertNotNull(textRangeConfidence); assertEquals(46, textRangeConfidence.getTextRange().start().line()); assertEquals(0, textRangeConfidence.getTextRange().start().lineOffset()); assertEquals(50, textRangeConfidence.getTextRange().end().line()); - assertEquals(21, textRangeConfidence.getTextRange().end().lineOffset()); + assertEquals(1, textRangeConfidence.getTextRange().end().lineOffset()); assertEquals(Confidence.HIGHEST, textRangeConfidence.getConfidence()); // verify that same dependency points to the same TextRange, use of HashMap - assertEquals(maven.getBestTextRange(dependency), maven.getBestTextRange(dependency)); + assertEquals(maven.getBestTextRange(dependency, null), maven.getBestTextRange(dependency, null)); } @Test 
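Review bot: This Maven test hunk and the four that follow change the expected end `lineOffset` from 21 or 13 to 1, which encodes that the located range no longer covers the `<dependency>` element rather than checking the intended behaviour. More importantly, no test passes a non-null `Vulnerability`, so the only path that uses the CVE-derived offsets in `checkPomDependency` is never executed. I'd add one case that builds a Vulnerability (however the parser element is constructed elsewhere in the tests) with a constructed name such as `CVE-2023-1234`, asserts that `maven.getBestTextRange(dependency, vulnerability)` still returns a range inside the pom, and checks that two different vulnerabilities for the same dependency are cached independently.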
@@ -98,16 +98,16 @@ void foundDependencyWithIncludedBy() throws IOException { IncludedBy includedBy = new IncludedBy(); includedBy.put(IncludedBy.REFERENCE_KEYWORD, "pkg:maven/com.sun.mail/javax.mail@1.4.4"); Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(), Collections.emptyList(), packageidentifiers1, Collections.emptyList(), Arrays.asList(includedBy)); - TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency); + TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency, null); assertTrue(maven.isReasonable()); assertNotNull(textRangeConfidence); assertEquals(51, textRangeConfidence.getTextRange().start().line()); assertEquals(0, textRangeConfidence.getTextRange().start().lineOffset()); assertEquals(55, textRangeConfidence.getTextRange().end().line()); - assertEquals(21, textRangeConfidence.getTextRange().end().lineOffset()); + assertEquals(1, textRangeConfidence.getTextRange().end().lineOffset()); assertEquals(Confidence.HIGHEST, textRangeConfidence.getConfidence()); // verify that same dependency points to the same TextRange, use of HashMap - assertEquals(maven.getBestTextRange(dependency), maven.getBestTextRange(dependency)); + assertEquals(maven.getBestTextRange(dependency, null), maven.getBestTextRange(dependency, null)); } @Test 
@@ -118,16 +118,16 @@ void foundDependencyOnlyWithArtifactID() throws IOException { Collection packageidentifiers1 = new ArrayList<>(); packageidentifiers1.add(identifier1); Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList(), null); - TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency); + TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency, null); assertTrue(maven.isReasonable()); assertNotNull(textRangeConfidence); assertEquals(46, textRangeConfidence.getTextRange().start().line()); assertEquals(0, textRangeConfidence.getTextRange().start().lineOffset()); assertEquals(50, textRangeConfidence.getTextRange().end().line()); - assertEquals(21, textRangeConfidence.getTextRange().end().lineOffset()); + assertEquals(1, textRangeConfidence.getTextRange().end().lineOffset()); assertEquals(Confidence.MEDIUM, textRangeConfidence.getConfidence()); // verify that same dependency points to the same TextRange, use of HashMap - assertEquals(maven.getBestTextRange(dependency), maven.getBestTextRange(dependency)); + assertEquals(maven.getBestTextRange(dependency, null), maven.getBestTextRange(dependency, null)); } @Test 
@@ -138,16 +138,16 @@ void foundDependencyOnlyWithGroupID() throws IOException { Collection packageidentifiers1 = new ArrayList<>(); packageidentifiers1.add(identifier1); Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList(), null); - TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency); + TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency, null); assertTrue(maven.isReasonable()); assertNotNull(textRangeConfidence); assertEquals(46, textRangeConfidence.getTextRange().start().line()); assertEquals(0, textRangeConfidence.getTextRange().start().lineOffset()); assertEquals(50, textRangeConfidence.getTextRange().end().line()); - assertEquals(21, textRangeConfidence.getTextRange().end().lineOffset()); + assertEquals(1, textRangeConfidence.getTextRange().end().lineOffset()); assertEquals(Confidence.MEDIUM, textRangeConfidence.getConfidence()); // verify that same dependency points to the same TextRange, use of HashMap - assertEquals(maven.getBestTextRange(dependency), maven.getBestTextRange(dependency)); + assertEquals(maven.getBestTextRange(dependency, null), maven.getBestTextRange(dependency, null)); } @Test 
@@ -158,16 +158,16 @@ void foundParent() throws IOException {
 Collection packageidentifiers1 = new ArrayList<>();
 packageidentifiers1.add(identifier1);
 Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList(), null);
- TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency);
+ TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency, null);
 assertTrue(maven.isReasonable());
 assertNotNull(textRangeConfidence);
 assertEquals(18, textRangeConfidence.getTextRange().start().line());
 assertEquals(0, textRangeConfidence.getTextRange().start().lineOffset());
 assertEquals(21, textRangeConfidence.getTextRange().end().line());
- assertEquals(13, textRangeConfidence.getTextRange().end().lineOffset());
+ assertEquals(1, textRangeConfidence.getTextRange().end().lineOffset());
 assertEquals(Confidence.MEDIUM, textRangeConfidence.getConfidence());
 // verify that same dependency points to the same TextRange, use of HashMap
- assertEquals(maven.getBestTextRange(dependency), maven.getBestTextRange(dependency));
+ assertEquals(maven.getBestTextRange(dependency, null), maven.getBestTextRange(dependency, null));
 }
@@ -179,12 +179,12 @@ void foundNoDependency() throws IOException {
 Collection packageidentifiers1 = new ArrayList<>();
 packageidentifiers1.add(identifier1);
 Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), packageidentifiers1, Collections.emptyList(), null);
- TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency);
+ TextRangeConfidence textRangeConfidence = maven.getBestTextRange(dependency, null);
 // Check for default location, first line in file with low confidence
 assertNotNull(textRangeConfidence);
 assertEquals(LINE_NOT_FOUND, textRangeConfidence.getTextRange().start().line());
 assertEquals(Confidence.LOW, textRangeConfidence.getConfidence());
 // verify that same dependency points to the same TextRange, use of HashMap
- assertEquals(maven.getBestTextRange(dependency), maven.getBestTextRange(dependency));
+ assertEquals(maven.getBestTextRange(dependency, null), maven.getBestTextRange(dependency, null));
 }
 }
diff --git a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java
index eb7958a4..2222e16d 100644
--- a/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java
+++ b/sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java
@@ -74,7 +74,7 @@ void foundDependencyJavascript() throws IOException {
 Collection identifiersCollected = new ArrayList<>();
 identifiersCollected.add(identifier);
 Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null);
- TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency);
+ TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency, null);
 assertTrue(npm.isReasonable());
 assertNotNull(textRangeConfidence);
 assertEquals(335, textRangeConfidence.getTextRange().start().line());
@@ -83,7 +83,7 @@ void foundDependencyJavascript() throws IOException {
 assertEquals(6, textRangeConfidence.getTextRange().end().lineOffset());
 assertEquals(Confidence.HIGHEST, textRangeConfidence.getConfidence());
 // verify that same dependency points to the same TextRange, use of HashMap
- assertEquals(npm.getBestTextRange(dependency), npm.getBestTextRange(dependency));
+ assertEquals(npm.getBestTextRange(dependency, null), npm.getBestTextRange(dependency, null));
 }
 @Test
@@ -94,7 +94,7 @@ void foundDependencyNPM() throws IOException {
 Collection identifiersCollected = new ArrayList<>();
 identifiersCollected.add(identifier);
 Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null);
- TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency);
+ TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency, null);
 assertTrue(npm.isReasonable());
 assertNotNull(textRangeConfidence);
 assertEquals(7, textRangeConfidence.getTextRange().start().line());
@@ -103,7 +103,7 @@ void foundDependencyNPM() throws IOException {
 assertEquals(6, textRangeConfidence.getTextRange().end().lineOffset());
 assertEquals(Confidence.HIGHEST, textRangeConfidence.getConfidence());
 // verify that same dependency points to the same TextRange, use of HashMap
- assertEquals(npm.getBestTextRange(dependency), npm.getBestTextRange(dependency));
+ assertEquals(npm.getBestTextRange(dependency, null), npm.getBestTextRange(dependency, null));
 }
 @Test
@@ -114,7 +114,7 @@ void foundDependencyNPMOnlyWithName() throws IOException {
 Collection identifiersCollected = new ArrayList<>();
 identifiersCollected.add(identifier);
 Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null);
- TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency);
+ TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency, null);
 assertTrue(npm.isReasonable());
 assertNotNull(textRangeConfidence);
 assertEquals(7, textRangeConfidence.getTextRange().start().line());
@@ -123,7 +123,7 @@ void foundDependencyNPMOnlyWithName() throws IOException {
 assertEquals(6, textRangeConfidence.getTextRange().end().lineOffset());
 assertEquals(Confidence.HIGH, textRangeConfidence.getConfidence());
 // verify that same dependency points to the same TextRange, use of HashMap
- assertEquals(npm.getBestTextRange(dependency), npm.getBestTextRange(dependency));
+ assertEquals(npm.getBestTextRange(dependency, null), npm.getBestTextRange(dependency, null));
 }
 @Test
@@ -134,7 +134,7 @@ void foundDependencyNPMWithoutVersion() throws IOException {
 Collection identifiersCollected = new ArrayList<>();
 identifiersCollected.add(identifier);
 Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null);
- TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency);
+ TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency, null);
 assertTrue(npm.isReasonable());
 assertNotNull(textRangeConfidence);
 assertEquals(7, textRangeConfidence.getTextRange().start().line());
@@ -143,7 +143,7 @@ void foundDependencyNPMWithoutVersion() throws IOException {
 assertEquals(6, textRangeConfidence.getTextRange().end().lineOffset());
 assertEquals(Confidence.HIGH, textRangeConfidence.getConfidence());
 // verify that same dependency points to the same TextRange, use of HashMap
- assertEquals(npm.getBestTextRange(dependency), npm.getBestTextRange(dependency));
+ assertEquals(npm.getBestTextRange(dependency, null), npm.getBestTextRange(dependency, null));
 }
 @Test
@@ -154,13 +154,13 @@ void foundNoDependency() throws IOException {
 Collection identifiersCollected = new ArrayList<>();
 identifiersCollected.add(identifier);
 Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null);
- TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency);
+ TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency, null);
 assertTrue(npm.isReasonable());
 assertNotNull(textRangeConfidence);
 assertEquals(LINE_NOT_FOUND, textRangeConfidence.getTextRange().start().line());
 assertEquals(Confidence.LOW, textRangeConfidence.getConfidence());
 // verify that same dependency points to the same TextRange, use of HashMap
- assertEquals(npm.getBestTextRange(dependency), npm.getBestTextRange(dependency));
+ assertEquals(npm.getBestTextRange(dependency, null), npm.getBestTextRange(dependency, null));
 }
 }
From 455c2222cc832d4eff07c7bb5f26a686d3fe3161 Mon Sep 17 00:00:00 2001
From: Jordan Strong
Date: Mon, 27 Feb 2023 10:29:30 -0500
Subject: [PATCH 2/2] Change dependency-vulnerability Map to Pair
---
 .../reason/DependencyReason.java | 6 +++---
 .../reason/GradleDependencyReason.java | 17 ++++++++---------
 .../reason/MavenDependencyReason.java | 12 ++++++------
 .../reason/NPMDependencyReason.java | 10 +++++-----
 4 files changed, 22 insertions(+), 23 deletions(-)
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/DependencyReason.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/DependencyReason.java
index 9fb5c1ca..32896cae 100644
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/DependencyReason.java
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/DependencyReason.java
@@ -21,8 +21,8 @@ package org.sonar.dependencycheck.reason;
 import java.util.List;
-import java.util.Map;
+import org.apache.commons.lang3.tuple.Pair;
 import org.sonar.api.batch.fs.InputComponent;
 import org.sonar.api.batch.fs.InputFile;
 import org.sonar.api.batch.rule.Severity;
@@ -77,8 +77,8 @@ public Language getLanguage() {
 return language;
 }
- protected static TextRangeConfidence addDependencyToFirstLine(Map k, InputFile inputFile) {
- Dependency dependency = k.entrySet().iterator().next().getKey();
+ protected static TextRangeConfidence addDependencyToFirstLine(Pair pair, InputFile inputFile) {
+ Dependency dependency = pair.getKey();
 LOGGER.debug("We haven't found a TextRange for {} in {}. We link to first line with {} confidence", dependency.getFileName(), inputFile, Confidence.LOW);
 return new TextRangeConfidence(inputFile.selectLine(1), Confidence.LOW);
 }
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java
index 4d229b92..6ed16569 100644
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java
@@ -22,13 +22,13 @@ import java.io.IOException;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Scanner;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.tuple.Pair;
 import org.sonar.api.batch.fs.InputComponent;
 import org.sonar.api.batch.fs.InputFile;
 import org.sonar.api.utils.log.Logger;
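Review bot: `addDependencyToFirstLine` now takes a `Pair` but carries no documentation saying which half it uses; the body reads only `pair.getKey()`, so the vulnerability half is irrelevant here and matters only as part of the caller's map key, which a reader of the base class cannot tell from the signature. I'd put a Javadoc above it along the lines of `/** Fallback when no text range was found for the dependency in {@code pair}: links to line 1 of {@code inputFile} with {@link Confidence#LOW}. Only the left (dependency) element is read; the right (vulnerability) element exists so callers can cache per dependency/vulnerability. */`. This rendering drops type arguments, so it is worth confirming the parameter is declared as `Pair<Dependency, Vulnerability>` rather than raw `Pair`, since `Dependency dependency = pair.getKey();` would not compile against the raw type.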
@@ -47,7 +47,7 @@ public class GradleDependencyReason extends DependencyReason {
 private final InputFile buildGradle;
 private String content;
- private final Map, TextRangeConfidence> dependencyMap;
+ private final Map, TextRangeConfidence> dependencyMap;
 private static final Logger LOGGER = Loggers.get(GradleDependencyReason.class);
@@ -79,9 +79,9 @@ public TextRangeConfidence getBestTextRange(@NonNull Dependency dependency, @Nul
 if (includedBys.isPresent()) {
 workOnIncludedBy(dependency, vulnerability, includedBys.get());
 }
- dependencyMap.computeIfAbsent(Collections.singletonMap(dependency, vulnerability), k -> addDependencyToFirstLine(k, buildGradle));
+ dependencyMap.computeIfAbsent(Pair.of(dependency, vulnerability), k -> addDependencyToFirstLine(k, buildGradle));
 }
- return dependencyMap.get(Collections.singletonMap(dependency, vulnerability));
+ return dependencyMap.get(Pair.of(dependency, vulnerability));
 }
 private void workOnIncludedBy(@NonNull Dependency dependency, @Nullable Vulnerability vulnerability, Collection includedBys) {
@@ -100,10 +100,10 @@ private void putDependencyMap(@NonNull Dependency dependency, @Nullable Vulnerab
 if (dependencyMap.containsKey(dependency)) {
 TextRangeConfidence oldTextRange = dependencyMap.get(dependency);
 if (oldTextRange.getConfidence().compareTo(newTextRange.getConfidence()) > 0) {
- dependencyMap.put(Collections.singletonMap(dependency, vulnerability), newTextRange);
+ dependencyMap.put(Pair.of(dependency, vulnerability), newTextRange);
 }
 } else {
- dependencyMap.put(Collections.singletonMap(dependency, vulnerability), newTextRange);
+ dependencyMap.put(Pair.of(dependency, vulnerability), newTextRange);
 }
 }
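Review bot: In the `putDependencyMap` hunk the map is now keyed by `Pair.of(dependency, vulnerability)`, but the guard still calls `dependencyMap.containsKey(dependency)` and `dependencyMap.get(dependency)` with the bare `Dependency`; unless `Dependency.equals` accepts a `Pair` (not visible here) that lookup never matches, so the `if` branch is dead, every call falls into the `else`, and a later lower-confidence match silently overwrites an earlier better one. The confidence comparison can be kept with a single call that looks up the real key: `dependencyMap.merge(Pair.of(dependency, vulnerability), newTextRange, (old, fresh) -> old.getConfidence().compareTo(fresh.getConfidence()) > 0 ? fresh : old);` (same comparison direction as the current code). `MavenDependencyReason.putDependencyMap` in the later hunk of this patch has the identical dead check and should get the same fix. The signature of `putDependencyMap` is outside the hunk.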
@@ -128,10 +128,9 @@ private void fillArtifactMatch(@NonNull Dependency dependency, @Nullable Vulnera
 LOGGER.debug("Found a artifactId, groupId and version match in {}", buildGradle);
 putDependencyMap(dependency, vulnerability, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.HIGHEST));
 return;
- } else {
- LOGGER.debug("Found a artifactId and groupId match in {} on line {}", buildGradle, linenumber);
- putDependencyMap(dependency, vulnerability, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.HIGH));
 }
+ LOGGER.debug("Found a artifactId and groupId match in {} on line {}", buildGradle, linenumber);
+ putDependencyMap(dependency, vulnerability, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.HIGH));
 } else if (lineFromFile.contains(mavenDependency.getArtifactId())) {
 LOGGER.debug("Found a artifactId match in {} for {}", buildGradle, mavenDependency.getArtifactId());
 putDependencyMap(dependency, vulnerability, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.MEDIUM));
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/MavenDependencyReason.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/MavenDependencyReason.java
index 38c07b76..aa3cb4e0 100644
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/MavenDependencyReason.java
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/MavenDependencyReason.java
@@ -23,12 +23,12 @@ import java.io.IOException;
 import java.math.BigInteger;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.tuple.Pair;
 import org.sonar.api.batch.fs.InputComponent;
 import org.sonar.api.batch.fs.InputFile;
 import org.sonar.api.utils.log.Logger;
@@ -50,7 +50,7 @@ public class MavenDependencyReason extends DependencyReason {
 private final InputFile pom;
- private final Map, TextRangeConfidence> dependencyMap;
+ private final Map, TextRangeConfidence> dependencyMap;
 private MavenPomModel pomModel;
 private static final Logger LOGGER = Loggers.get(MavenDependencyReason.class);
@@ -82,9 +82,9 @@ public TextRangeConfidence getBestTextRange(@NonNull Dependency dependency, @Nul
 if (includedBys.isPresent()) {
 workOnIncludedBy(dependency, vulnerability, includedBys.get());
 }
- dependencyMap.computeIfAbsent(Collections.singletonMap(dependency, vulnerability), k -> addDependencyToFirstLine(k, pom));
+ dependencyMap.computeIfAbsent(Pair.of(dependency, vulnerability), k -> addDependencyToFirstLine(k, pom));
 }
- return dependencyMap.get(Collections.singletonMap(dependency, vulnerability));
+ return dependencyMap.get(Pair.of(dependency, vulnerability));
 }
 private void workOnIncludedBy(@NonNull Dependency dependency, @Nullable Vulnerability vulnerability, Collection includedBys) {
@@ -129,10 +129,10 @@ private void putDependencyMap(@NonNull Dependency dependency, @Nullable Vulnerab
 if (dependencyMap.containsKey(dependency)) {
 TextRangeConfidence oldTextRange = dependencyMap.get(dependency);
 if (oldTextRange.getConfidence().compareTo(newTextRange.getConfidence()) > 0) {
- dependencyMap.put(Collections.singletonMap(dependency, vulnerability), newTextRange);
+ dependencyMap.put(Pair.of(dependency, vulnerability), newTextRange);
 }
 } else {
- dependencyMap.put(Collections.singletonMap(dependency, vulnerability), newTextRange);
+ dependencyMap.put(Pair.of(dependency, vulnerability), newTextRange);
 }
 }
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java
index 0e02fcff..ba4915d8 100644
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java
@@ -21,12 +21,12 @@ package org.sonar.dependencycheck.reason;
 import java.io.IOException;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.tuple.Pair;
 import org.sonar.api.batch.fs.InputComponent;
 import org.sonar.api.batch.fs.InputFile;
 import org.sonar.api.utils.log.Logger;
@@ -48,7 +48,7 @@ public class NPMDependencyReason extends DependencyReason {
 private final InputFile packageLock;
 private PackageLockModel packageLockModel;
- private final Map, TextRangeConfidence> dependencyMap;
+ private final Map, TextRangeConfidence> dependencyMap;
 private static final Logger LOGGER = Loggers.get(NPMDependencyReason.class);
@@ -86,16 +86,16 @@ public TextRangeConfidence getBestTextRange(Dependency dependency, @Nullable Vul
 } else {
 LOGGER.debug("No Identifier with type npm/javascript found for Dependency {}", dependency.getFileName());
 }
- dependencyMap.computeIfAbsent(Collections.singletonMap(dependency, vulnerability), k -> addDependencyToFirstLine(k, packageLock));
+ dependencyMap.computeIfAbsent(Pair.of(dependency, vulnerability), k -> addDependencyToFirstLine(k, packageLock));
 }
- return dependencyMap.get(Collections.singletonMap(dependency, vulnerability));
+ return dependencyMap.get(Pair.of(dependency, vulnerability));
 }
 private void fillArtifactMatch(@NonNull Dependency dependency, @NonNull Vulnerability vulnerability, NPMDependency npmDependency) {
 // Try to find in
 for (NPMDependencyLocation npmDependencyLocation : packageLockModel.getDependencies()) {
 checkNPMDependency(npmDependency, npmDependencyLocation)
- .ifPresent(textrange -> dependencyMap.put(Collections.singletonMap(dependency, vulnerability), textrange));
+ .ifPresent(textrange -> dependencyMap.put(Pair.of(dependency, vulnerability), textrange));
 }
 }
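Review bot: `fillArtifactMatch` still declares `@NonNull Vulnerability vulnerability` while `getBestTextRange` directly above it takes the same value as `@Nullable`, and the tests in the first patch call `getBestTextRange(dependency, null)`; since a null vulnerability is now a legitimate `Pair.of(dependency, null)` key, the annotation should read `@Nullable Vulnerability vulnerability` as it does in the Gradle and Maven siblings, assuming `getBestTextRange` is what reaches `fillArtifactMatch` (that call is outside the hunk). Unlike those siblings, the `ifPresent` here writes through `dependencyMap.put` directly, so each matching `packageLockModel` location overwrites the previous entry without any confidence comparison; if that is not intended, routing it through a confidence-comparing helper as Gradle/Maven do would align the three implementations. The comment `// Try to find in` is cut off and should say what is being searched, e.g. `// Try to find the npm dependency among the package-lock locations`. The start of `getBestTextRange` is outside the hunk.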