fix: Do not filter out evidences added by hints (#5900)

aikebah · web-flow · commit 19dd71b08626 · 2023-10-05T07:08:22.000-07:00
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -198,7 +198,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
             for (VendorDuplicatingHintRule dhr : vendorHints) {
                 if (dhr.getValue().equalsIgnoreCase(e.getValue())) {
                     dependency.addEvidence(EvidenceType.VENDOR, new Evidence(e.getSource() + " (hint)",
-                            e.getName(), dhr.getDuplicate(), e.getConfidence()));
+                            e.getName(), dhr.getDuplicate(), e.getConfidence(), true));
                 }
             }
         }
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java
@@ -136,7 +136,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
         final Set<Evidence> remove;
         if (dependency.getVersion() != null) {
             remove = dependency.getEvidence(EvidenceType.VERSION).stream()
-                    .filter(e -> !dependency.getVersion().equals(e.getValue()))
+                    .filter(e -> !e.isFromHint() && !dependency.getVersion().equals(e.getValue()))
                     .collect(Collectors.toSet());
         } else {
             remove = new HashSet<>();
@@ -165,7 +165,8 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
                     LOGGER.debug("filtering evidence from {}", dependency.getFileName());
 
                     for (Evidence e : dependency.getEvidence(EvidenceType.VERSION)) {
-                        if (!(pomMatch && VERSION.equals(e.getName())
+                        if (!e.isFromHint()
+                                && !(pomMatch && VERSION.equals(e.getName())
                                 && (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource())))
                                 && !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource()))
                                 && !(manifestMatch && MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName()))) {
diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
@@ -59,6 +59,11 @@ public class Evidence implements Serializable, Comparable<Evidence> {
      */
     private Confidence confidence;
 
+    /**
+     * Whether the evidence originates from a hint.
+     */
+    private boolean fromHint;
+
     /**
      * Creates a new Evidence object.
      */
@@ -74,10 +79,24 @@ public Evidence() {
      * @param confidence the confidence of the evidence.
      */
     public Evidence(String source, String name, String value, Confidence confidence) {
+        this(source, name, value, confidence, false);
+    }
+
+    /**
+     * Creates a new Evidence objects.
+     *
+     * @param source     the source of the evidence.
+     * @param name       the name of the evidence.
+     * @param value      the value of the evidence.
+     * @param confidence the confidence of the evidence.
+     * @param fromHint whether the evidence was introduced by a hint.
+     */
+    public Evidence(String source, String name, String value, Confidence confidence, boolean fromHint) {
         this.source = source;
         this.name = name;
         this.value = value;
         this.confidence = confidence;
+        this.fromHint = fromHint;
     }
 
     /**
@@ -152,6 +171,24 @@ public void setConfidence(Confidence confidence) {
         this.confidence = confidence;
     }
 
+    /**
+     * Get the value of fromHint.
+     *
+     * @return the value of fromHint
+     */
+    public boolean isFromHint() {
+        return fromHint;
+    }
+
+    /**
+     * Set the value of fromHint.
+     *
+     * @param fromHint new value of fromHint
+     */
+    public void setFromHint(boolean fromHint) {
+        this.fromHint = fromHint;
+    }
+
     /**
      * Implements the hashCode for Evidence.
      *
@@ -187,6 +224,7 @@ public boolean equals(Object obj) {
                 .append(this.name == null ? null : this.name.toLowerCase(), o.name == null ? null : o.name.toLowerCase())
                 .append(this.value == null ? null : this.value.toLowerCase(), o.value == null ? null : o.value.toLowerCase())
                 .append(this.confidence, o.getConfidence())
+                .append(this.fromHint, o.isFromHint())
                 .build();
     }
 
@@ -196,14 +234,14 @@ public boolean equals(Object obj) {
      * @param o the evidence being compared
      * @return an integer indicating the ordering of the two objects
      */
-    @SuppressWarnings("deprecation")
     @Override
     public int compareTo(@NotNull Evidence o) {
         return new CompareToBuilder()
                 .append(this.source == null ? null : this.source.toLowerCase(), o.source == null ? null : o.source.toLowerCase())
                 .append(this.name == null ? null : this.name.toLowerCase(), o.name == null ? null : o.name.toLowerCase())
                 .append(this.value == null ? null : this.value.toLowerCase(), o.value == null ? null : o.value.toLowerCase())
                 .append(this.confidence, o.getConfidence())
+                .append(this.fromHint, o.isFromHint())
                 .toComparison();
     }
 
@@ -214,6 +252,7 @@ public int compareTo(@NotNull Evidence o) {
      */
     @Override
     public String toString() {
-        return "Evidence{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence + '}';
+        return "Evidence{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence
+                + ", fromHint=" + fromHint + '}';
     }
 }
diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java b/core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
@@ -147,7 +147,7 @@ public List<EvidenceMatcher> getGivenVendor() {
      * @param confidence the confidence of the evidence
      */
     public void addAddProduct(String source, String name, String value, Confidence confidence) {
-        addProduct.add(new Evidence(source, name, value, confidence));
+        addProduct.add(new Evidence(source, name, value, confidence, true));
     }
 
     /**
@@ -168,7 +168,7 @@ public List<Evidence> getAddProduct() {
      * @param confidence the confidence of the evidence
      */
     public void addAddVersion(String source, String name, String value, Confidence confidence) {
-        addVersion.add(new Evidence(source, name, value, confidence));
+        addVersion.add(new Evidence(source, name, value, confidence, true));
     }
 
     /**
@@ -189,7 +189,7 @@ public List<Evidence> getAddVersion() {
      * @param confidence the confidence of the evidence
      */
     public void addAddVendor(String source, String name, String value, Confidence confidence) {
-        addVendor.add(new Evidence(source, name, value, confidence));
+        addVendor.add(new Evidence(source, name, value, confidence, true));
     }
 
     /**
diff --git a/core/src/main/resources/dependencycheck-base-hint.xml b/core/src/main/resources/dependencycheck-base-hint.xml
@@ -148,48 +148,6 @@
         </add>
     </hint>
     
-    <!-- begin hack for temporary patch of issue #534-->
-    <hint>
-        <given>
-            <fileName regex="true" contains=".*hibernate-validator-5\.0\..*"/>
-        </given>
-        <add>
-            <evidence type="version" source="hint" name="version" value="5.0" confidence="HIGHEST"/>
-        </add>
-    </hint>
-    <hint>
-        <given>
-            <fileName regex="true" contains=".*hibernate-validator-5\.1\.[01].*"/>
-        </given>
-        <add>
-            <evidence type="version" source="hint" name="version" value="5.1" confidence="HIGHEST"/>
-        </add>
-    </hint>
-    <hint>
-        <given>
-            <fileName regex="true" contains=".*hibernate-validator-4\.1\..*"/>
-        </given>
-        <add>
-            <evidence type="version" source="hint" name="version" value="4.1.0" confidence="HIGHEST"/>
-        </add>
-    </hint>
-    <hint>
-        <given>
-            <fileName regex="true" contains=".*hibernate-validator-4\.2\.0.*"/>
-        </given>
-        <add>
-            <evidence type="version" source="hint" name="version" value="4.2.0" confidence="HIGHEST"/>
-        </add>
-    </hint>
-    <hint>
-        <given>
-            <fileName regex="true" contains=".*hibernate-validator-4\.3\.[01]\..*"/>
-        </given>
-        <add>
-            <evidence type="version" source="hint" name="version" value="4.3.0" confidence="HIGHEST"/>
-        </add>
-    </hint>
-    <!-- end hack for temporary patch of issue #534-->
     <!-- creating a spring boot starter project can cause your app to incorrectly be flagged as spring-->
     <hint>
         <given>
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
@@ -86,11 +86,11 @@ public void testAnalyze() throws Exception {
                     sdep = d;
                 }
             }
-            final Evidence springTest1 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGHEST);
-            final Evidence springTest2 = new Evidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGHEST);
-            final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGHEST);
-            final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGHEST);
-            final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGHEST);
+            final Evidence springTest1 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGHEST, true);
+            final Evidence springTest2 = new Evidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGHEST, true);
+            final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGHEST, true);
+            final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGHEST, true);
+            final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGHEST, true);
 
             assertFalse(gdep.contains(EvidenceType.PRODUCT, springTest1));
             assertFalse(gdep.contains(EvidenceType.VENDOR, springTest2));

Original file line number	Diff line number	Diff line change
`@@ -198,7 +198,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An`
`198`	`198`	`for (VendorDuplicatingHintRule dhr : vendorHints) {`
`199`	`199`	`if (dhr.getValue().equalsIgnoreCase(e.getValue())) {`
`200`	`200`	`dependency.addEvidence(EvidenceType.VENDOR, new Evidence(e.getSource() + " (hint)",`
`201`		`- e.getName(), dhr.getDuplicate(), e.getConfidence()));`
	`201`	`+ e.getName(), dhr.getDuplicate(), e.getConfidence(), true));`
`202`	`202`	`}`
`203`	`203`	`}`
`204`	`204`	`}`