From ab35d9892fa6b4a79eaaf0c0a96f420d4f495a4e Mon Sep 17 00:00:00 2001 From: Hans Aikema Date: Sun, 27 Aug 2023 18:57:10 +0200 Subject: [PATCH 1/2] fix: Allow for ~= in addition to == and >= version constraint in requirements.txt and pipfile Fixes #5898 --- .../java/org/owasp/dependencycheck/analyzer/PipAnalyzer.java | 2 +- .../org/owasp/dependencycheck/analyzer/PipfileAnalyzer.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PipAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PipAnalyzer.java index 90ef79c6491..417ab6c5f5c 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/PipAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/PipAnalyzer.java @@ -74,7 +74,7 @@ public class PipAnalyzer extends AbstractFileTypeAnalyzer { /** * o * Matches AC_INIT variables in the output configure script. */ - private static final Pattern PACKAGE_VERSION = Pattern.compile("^([^#].*?)(?:[=>]=([\\.\\*0-9]+?))?$", Pattern.MULTILINE); + private static final Pattern PACKAGE_VERSION = Pattern.compile("^([^#].*?)(?:[=~>]=([\\.\\*0-9]+?))?$", Pattern.MULTILINE); /** * The file filter used to determine which files this analyzer supports. diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzer.java index 76905edf0bb..e014241542c 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzer.java 
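Review bot: The widened class `[=~>]=` on the new `PACKAGE_VERSION` line still leaves every other PEP 440 operator unmatched (`<=`, `!=`, `===`, bare `<`/`>`, and comma-joined ranges such as `>=1.8.2,<2`), and because the version group is optional and the pattern is anchored with `$`, such a requirement line lands entirely in group 1, so the operator and version presumably end up inside the dependency name and the package is never looked up under its real name — a silent false negative for a vulnerability scanner. If only these three operators are meant to be supported, that limit should be stated, and a name group that still contains `=`, `<` or `>` could be logged as unparsed rather than recorded as a dependency. The Javadoc above the line (`Matches AC_INIT variables in the output configure script.`, with a stray `o` line) is copied from another analyzer and does not describe this regex; I would replace it with a comment saying that group 1 is the distribution name and group 2 the `==`/`~=`/`>=` version, and that for `~=` and `>=` the captured value is only the lower bound of the allowed range, not the version actually installed. The enclosing class continues outside the hunk.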
@@ -81,7 +81,7 @@ public class PipfileAnalyzer extends AbstractFileTypeAnalyzer { /** * o * Matches AC_INIT variables in the output configure script. */ - private static final Pattern PACKAGE_VERSION = Pattern.compile("^([^#].*?) = \"(?:[=>]=([\\.\\*0-9]+?))?\"$", Pattern.MULTILINE); + private static final Pattern PACKAGE_VERSION = Pattern.compile("^([^#].*?) = \"(?:[=~>]=([\\.\\*0-9]+?))?\"$", Pattern.MULTILINE); /** * The file filter used to determine which files this analyzer supports. From 351a55008681ec149e7f8705bc739e1bb0b73a5d Mon Sep 17 00:00:00 2001 From: Hans Aikema Date: Sun, 27 Aug 2023 19:36:02 +0200 Subject: [PATCH 2/2] fix: Add a ~= to the testcases --- .../analyzer/PipAnalyzerTest.java | 16 ++++++++++++---- .../analyzer/PipfileAnalyzerTest.java | 16 ++++++++++++---- src/test/resources/Pipfile | 1 + src/test/resources/requirements.txt | 3 ++- 4 files changed, 27 insertions(+), 9 deletions(-) diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerTest.java index 4f5f24c1f9a..331b13b115d 100644 --- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerTest.java +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerTest.java 
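Review bot: The same operator gap applies to the Pipfile pattern on the new line: `[=~>]=` covers `==`, `~=` and `>=`, but an entry such as `requests = "*"`, `foo = "<=2.0"` or the table form `foo = {version = "~=1.8", extras = [...]}` does not fit `= \"(?:[=~>]=(...))?\"$` at all and is presumably skipped without any diagnostic, so that dependency never reaches the vulnerability lookup. If the class has a logger, a debug/warn line for `[packages]` entries that match neither form would make the blind spot visible; otherwise a comment stating the supported subset is the minimum. The operator class and the version character class are now duplicated verbatim between `PipAnalyzer` and `PipfileAnalyzer`; hoisting them into one shared constant would keep the two from drifting apart again, which is exactly how this bug arose. The Javadoc above the line (`Matches AC_INIT variables in the output configure script.`) is a copy-paste from a different analyzer and should describe this pattern instead.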
@@ -103,17 +103,25 @@ public void testAnalyzePackageJson() throws Exception {
 engine.addDependency(result);
 analyzer.analyze(result, engine);
 assertFalse(ArrayUtils.contains(engine.getDependencies(), result));
- assertEquals(23, engine.getDependencies().length);
- boolean found = false;
+ assertEquals(24, engine.getDependencies().length);
+ boolean foundPyYAML = false;
+ boolean foundCryptography = false;
 for (Dependency d : engine.getDependencies()) {
 if ("PyYAML".equals(d.getName())) {
- found = true;
+ foundPyYAML = true;
 assertEquals("3.12", d.getVersion());
 assertThat(d.getDisplayFileName(), equalTo("PyYAML:3.12"));
 assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM, d.getEcosystem());
 }
+ if ("cryptography".equals(d.getName())) {
+ foundCryptography = true;
+ assertEquals("1.8.2", d.getVersion());
+ assertThat(d.getDisplayFileName(), equalTo("cryptography:1.8.2"));
+ assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM, d.getEcosystem());
+ }
 }
- assertTrue("Expeced to find PyYAML", found);
+ assertTrue("Expected to find PyYAML", foundPyYAML);
+ assertTrue("Expected to find cryptography", foundCryptography);
 }
 }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzerTest.java
index 1a38ef6c2b5..f19c62fad24 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzerTest.java
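Review bot: The new `cryptography` assertions pin only the happy path for `~=`; nothing in this test shows what the analyzer does with a requirement line whose operator lies outside the new `[=~>]=` class, so a regression where `Werkzeug<=0.14.1` is recorded as a dependency literally named `Werkzeug<=0.14.1` would pass unnoticed. I would add one fixture line with such an operator and assert that no `d.getName()` in `engine.getDependencies()` contains `=`, `<` or `>`. The hard-coded total `assertEquals(24, engine.getDependencies().length);` also deserves a short comment tying it to the number of non-comment lines in `requirements.txt`, since every fixture edit silently requires bumping it. The enclosing `testAnalyzePackageJson` method starts outside the hunk.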
@@ -101,17 +101,25 @@ public void testAnalyzePackageJson() throws Exception {
 engine.addDependency(result);
 analyzer.analyze(result, engine);
 assertFalse(ArrayUtils.contains(engine.getDependencies(), result));
- assertEquals(39, engine.getDependencies().length);
- boolean found = false;
+ assertEquals(40, engine.getDependencies().length);
+ boolean foundUrllib3 = false;
+ boolean foundCryptography = false;
 for (Dependency d : engine.getDependencies()) {
 if ("urllib3".equals(d.getName())) {
- found = true;
+ foundUrllib3 = true;
 assertEquals("1.25.9", d.getVersion());
 assertThat(d.getDisplayFileName(), equalTo("urllib3:1.25.9"));
 assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM, d.getEcosystem());
 }
+ if ("cryptography".equals(d.getName())) {
+ foundCryptography = true;
+ assertEquals("1.8.2", d.getVersion());
+ assertThat(d.getDisplayFileName(), equalTo("cryptography:1.8.2"));
+ assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM, d.getEcosystem());
+ }
 }
- assertTrue("Expeced to find urllib3", found);
+ assertTrue("Expeced to find urllib3", foundUrllib3);
+ assertTrue("Expeced to find cryptography", foundCryptography);
 }
 }
 }
diff --git a/src/test/resources/Pipfile b/src/test/resources/Pipfile
index 185efcd3f25..42eff047f41 100644
--- a/src/test/resources/Pipfile
+++ b/src/test/resources/Pipfile
@@ -46,6 +46,7 @@ py-flags = "==1.1.2"
 CacheControl = "==0.12.5"
 prometheus_client = "==0.7.1"
 PyYAML = "==5.3.1"
+cryptography = "~=1.8.2"
 
 [requires]
 python_version = "3.6"
diff --git a/src/test/resources/requirements.txt b/src/test/resources/requirements.txt
index 3a73a505d13..8e5544b98b4 100644
--- a/src/test/resources/requirements.txt
+++ b/src/test/resources/requirements.txt
@@ -20,4 +20,5 @@ six==1.11.0
 spyne==2.12.14
 suds-jurko==0.6
 urllib3
-Werkzeug>=0.14.1
\ No newline at end of file
+Werkzeug>=0.14.1
+cryptography~=1.8.2
\ No newline at end of file
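Review bot: The two new `assertTrue` messages keep the misspelling `Expeced` (`assertTrue("Expeced to find urllib3", foundUrllib3);` and `assertTrue("Expeced to find cryptography", foundCryptography);`) even though the sibling `PipAnalyzerTest` hunk in this same commit corrects it to `Expected`; fixing both here keeps the two tests consistent. As in the requirements test, `~=` is covered only by its happy path and the bumped total `assertEquals(40, engine.getDependencies().length);` is unexplained; a comment noting that the count follows the `[packages]` entries in the `Pipfile` fixture would help the next person who adds a line. The enclosing `testAnalyzePackageJson` method starts outside the hunk.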