diff --git a/.gitignore b/.gitignore index 6336b982d41..57122b3d187 100644 --- a/.gitignore +++ b/.gitignore @@ -34,4 +34,6 @@ velocity.log /core/data/ # Apple macOS operating system Desktop Services Store files -.DS_Store \ No newline at end of file +.DS_Store +/.vscode +/maven/.factorypath diff --git a/cli/src/test/resources/sample.properties b/cli/src/test/resources/sample.properties index 3b214ca03e9..50afbad00d3 100644 --- a/cli/src/test/resources/sample.properties +++ b/cli/src/test/resources/sample.properties @@ -27,6 +27,7 @@ analyzer.dependencybundling.enabled=true analyzer.dependencymerging.enabled=true analyzer.falsepositive.enabled=true analyzer.filename.enabled=true +analyzer.pe.enabled=true analyzer.hint.enabled=true analyzer.nvdcve.enabled=true analyzer.vulnerabilitysuppression.enabled=true diff --git a/cli/src/test/resources/sample2.properties b/cli/src/test/resources/sample2.properties index 8f38c54a430..d5b553a956c 100644 --- a/cli/src/test/resources/sample2.properties +++ b/cli/src/test/resources/sample2.properties @@ -27,6 +27,7 @@ analyzer.dependencybundling.enabled=false analyzer.dependencymerging.enabled=false analyzer.falsepositive.enabled=false analyzer.filename.enabled=false +analyzer.pe.enabled=false analyzer.hint.enabled=false analyzer.nvdcve.enabled=false analyzer.vulnerabilitysuppression.enabled=false diff --git a/core/pom.xml b/core/pom.xml index ec7fd016681..b820bfffd42 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -168,6 +168,10 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. + + org.whitesource + pecoff4j + org.apache.commons commons-jcs-core diff --git a/core/src/main/java/org/owasp/dependencycheck/Engine.java b/core/src/main/java/org/owasp/dependencycheck/Engine.java index 8fe72d53aac..f178fe87632 100644 --- a/core/src/main/java/org/owasp/dependencycheck/Engine.java +++ b/core/src/main/java/org/owasp/dependencycheck/Engine.java @@ -98,6 +98,7 @@ public enum Mode { INITIAL, PRE_INFORMATION_COLLECTION, INFORMATION_COLLECTION, + INFORMATION_COLLECTION2, POST_INFORMATION_COLLECTION ), /** diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java index d9e9e916478..818ba2186c8 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java @@ -36,6 +36,10 @@ public enum AnalysisPhase { * Information collection phase. */ INFORMATION_COLLECTION, + /** + * Information collection phase 2. + */ + INFORMATION_COLLECTION2, /** * Post information collection phase. */ diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java index 31b0657b94e..a7bef475bc9 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java @@ -215,7 +215,7 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy dependency.addEvidence(EvidenceType.VERSION, "grokassembly", "ProductVersion", data.getProductVersion(), Confidence.HIGHEST); } if (!StringUtils.isEmpty(data.getFileVersion())) { - dependency.addEvidence(EvidenceType.VERSION, "grokassembly", "FileVersion", data.getFileVersion(), Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VERSION, "grokassembly", "FileVersion", data.getFileVersion(), Confidence.HIGH); } if (data.getFileVersion() != null && data.getProductVersion() != null) { diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java index 7444a9233d6..2d0c37bd244 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java @@ -130,7 +130,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An if (version.getVersionParts() == null || version.getVersionParts().size() < 2) { dependency.addEvidence(EvidenceType.VERSION, "file", "version", version.toString(), Confidence.MEDIUM); } else { - dependency.addEvidence(EvidenceType.VERSION, "file", "version", version.toString(), Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.VERSION, "file", "version", version.toString(), Confidence.HIGH); } dependency.addEvidence(EvidenceType.VERSION, "file", "name", packageName, Confidence.MEDIUM); } diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PEAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PEAnalyzer.java new file mode 100644 index 00000000000..23b102c2057 --- /dev/null +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/PEAnalyzer.java @@ -0,0 +1,282 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2020 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import com.github.packageurl.MalformedPackageURLException; +import java.io.File; +import java.io.FileFilter; +import java.io.IOException; + +import org.boris.pecoff4j.PE; +import org.boris.pecoff4j.ResourceDirectory; +import org.boris.pecoff4j.ResourceEntry; +import org.boris.pecoff4j.constant.ResourceType; +import org.boris.pecoff4j.io.PEParser; +import org.boris.pecoff4j.io.ResourceParser; +import org.boris.pecoff4j.resources.StringFileInfo; +import org.boris.pecoff4j.resources.StringTable; +import org.boris.pecoff4j.resources.VersionInfo; +import org.boris.pecoff4j.util.ResourceHelper; + +import javax.annotation.concurrent.ThreadSafe; +import org.apache.commons.lang3.StringUtils; + +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.Evidence; +import org.owasp.dependencycheck.dependency.EvidenceType; +import org.owasp.dependencycheck.dependency.naming.GenericIdentifier; +import org.owasp.dependencycheck.dependency.naming.PurlIdentifier; +import org.owasp.dependencycheck.exception.InitializationException; +import org.owasp.dependencycheck.utils.DependencyVersion; +import org.owasp.dependencycheck.utils.DependencyVersionUtil; +import org.owasp.dependencycheck.utils.FileFilterBuilder; +import org.owasp.dependencycheck.utils.FileUtils; +import org.owasp.dependencycheck.utils.Settings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * Takes a dependency and analyze the PE header for meta data that can be used + * to identify the library. + * + * @author Amodio Pesce + */ +@ThreadSafe +@Experimental +public class PEAnalyzer extends AbstractFileTypeAnalyzer { + + // + /** + * Logger + */ + private static final Logger LOGGER = LoggerFactory.getLogger(AssemblyAnalyzer.class); + /** + * The name of the analyzer. + */ + private static final String ANALYZER_NAME = "PE Analyzer"; + + /** + * The phase that this analyzer is intended to run in. + */ + private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION2; + /** + * The set of file extensions supported by this analyzer. + */ + private static final String[] EXTENSIONS = {"exe", "dll"}; + + /** + * The file filter used to determine which files this analyzer supports. + */ + private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build(); + /** + * A descriptor for the type of dependencies processed or added by this + * analyzer. + */ + public static final String DEPENDENCY_ECOSYSTEM = "native"; + + /** + * Returns the name of the analyzer. + * + * @return the name of the analyzer. + */ + @Override + public String getName() { + return ANALYZER_NAME; + } + + /** + * Returns the phase that the analyzer is intended to run in. + * + * @return the phase that the analyzer is intended to run in. + */ + @Override + public AnalysisPhase getAnalysisPhase() { + return ANALYSIS_PHASE; + } + + /** + *

+ * Returns the setting key to determine if the analyzer is enabled.

+ * + * @return the key for the analyzer's enabled property + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_PE_ENABLED; + } + + /** + * Returns the FileFilter. + * + * @return the FileFilter + */ + @Override + protected FileFilter getFileFilter() { + return FILTER; + } + + @Override + protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException { + //nothing to prepare + } + + /** + * Collects information about the file name. + * + * @param dependency the dependency to analyze. + * @param engine the engine that is scanning the dependencies + * @throws AnalysisException is thrown if there is an error analyzing the PE + * file. + */ + @Override + protected void analyzeDependency(final Dependency dependency, final Engine engine) throws AnalysisException { + for (Evidence e : dependency.getEvidence()) { + if ("grokassembly".equals(e.getSource())) { + LOGGER.debug("Skipping {} because it was already analyzed by the Assembly Analyzer", dependency.getFileName()); + return; + } + } + try { + final File fileToCheck = dependency.getActualFile(); + final PE pe = PEParser.parse(fileToCheck.getPath()); + final ResourceDirectory rd = pe.getImageData().getResourceTable(); + final ResourceEntry[] entries = ResourceHelper.findResources(rd, ResourceType.VERSION_INFO); + for (ResourceEntry entrie : entries) { + final byte[] data = entrie.getData(); + final VersionInfo version = ResourceParser.readVersionInfo(data); + final StringFileInfo strings = version.getStringFileInfo(); + final StringTable table = strings.getTable(0); + String pVersion = null; + String fVersion = null; + + for (int j = 0; j < table.getCount(); j++) { + final String key = table.getString(j).getKey(); + final String value = table.getString(j).getValue(); + switch (key) { + case "ProductVersion": + dependency.addEvidence(EvidenceType.VERSION, "PE Header", "ProductVersion", value, Confidence.HIGHEST); + pVersion = value; + break; + case "CompanyName": + dependency.addEvidence(EvidenceType.VENDOR, "PE Header", "CompanyName", value, Confidence.HIGHEST); + break; + case "FileVersion": + dependency.addEvidence(EvidenceType.VERSION, "PE Header", "FileVersion", value, Confidence.HIGH); + fVersion = value; + break; + case "InternalName": + dependency.addEvidence(EvidenceType.PRODUCT, "PE Header", "InternalName", value, Confidence.MEDIUM); + determineDependencyName(dependency, value); + break; + case "LegalCopyright": + dependency.addEvidence(EvidenceType.VENDOR, "PE Header", "LegalCopyright", value, Confidence.HIGHEST); + if (dependency.getLicense() != null && dependency.getLicense().length() > 0) { + dependency.setLicense(dependency.getLicense() + "/n/nLegal Copyright: " + value); + } else { + dependency.setLicense("Legal Copyright: " + value); + } + break; + case "OriginalFilename": + dependency.addEvidence(EvidenceType.VERSION, "PE Header", "OriginalFilename", value, Confidence.MEDIUM); + determineDependencyName(dependency, value); + break; + case "ProductName": + dependency.addEvidence(EvidenceType.PRODUCT, "PE Header", "ProductName", value, Confidence.HIGHEST); + determineDependencyName(dependency, value); + break; + } + if (fVersion != null && pVersion != null) { + final int max = fVersion.length() > pVersion.length() ? pVersion.length() : fVersion.length(); + int pos; + for (pos = 0; pos < max; pos++) { + if (fVersion.charAt(pos) != pVersion.charAt(pos)) { + break; + } + } + final DependencyVersion fileVersion = DependencyVersionUtil.parseVersion(fVersion, true); + final DependencyVersion productVersion = DependencyVersionUtil.parseVersion(pVersion, true); + if (pos > 0) { + final DependencyVersion matchingVersion = DependencyVersionUtil.parseVersion(fVersion.substring(0, pos), true); + if (fileVersion != null && fileVersion.toString().length() == fVersion.length()) { + if (matchingVersion != null && matchingVersion.getVersionParts().size() > 2) { + dependency.addEvidence(EvidenceType.VERSION, "PE Header", "FilteredVersion", + matchingVersion.toString(), Confidence.HIGHEST); + dependency.setVersion(matchingVersion.toString()); + } + } + } + if (dependency.getVersion() == null) { + if (fVersion.length() >= pVersion.length()) { + if (fileVersion != null && fileVersion.toString().length() == fVersion.length()) { + dependency.setVersion(fileVersion.toString()); + } else if (productVersion != null && productVersion.toString().length() == pVersion.length()) { + dependency.setVersion(productVersion.toString()); + } + } else { + if (productVersion != null && productVersion.toString().length() == pVersion.length()) { + dependency.setVersion(productVersion.toString()); + } else if (fileVersion != null && fileVersion.toString().length() == fVersion.length()) { + dependency.setVersion(fileVersion.toString()); + } + } + } + } else if (pVersion != null) { + final DependencyVersion productVersion = DependencyVersionUtil.parseVersion(pVersion, true); + if (productVersion != null && dependency.getActualFile().getName().contains(productVersion.toString())) { + dependency.setVersion(productVersion.toString()); + } + } else if (fVersion != null) { + final DependencyVersion fileVersion = DependencyVersionUtil.parseVersion(fVersion, true); + if (fileVersion != null && dependency.getActualFile().getName().contains(fileVersion.toString())) { + dependency.setVersion(fileVersion.toString()); + } + } + if (dependency.getName() != null && dependency.getVersion() != null) { + try { + dependency.addSoftwareIdentifier(new PurlIdentifier("generic", dependency.getName(), dependency.getVersion(), Confidence.MEDIUM)); + } catch (MalformedPackageURLException ex) { + LOGGER.debug("Unable to create Package URL Identifier for " + dependency.getName(), ex); + dependency.addSoftwareIdentifier(new GenericIdentifier( + String.format("%s@%s", dependency.getName(), dependency.getVersion()), + Confidence.MEDIUM)); + } + } + if (dependency.getEcosystem() == null) {//this could be an assembly + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); + } + } + } + } catch (IOException ex) { + throw new AnalysisException(ex); + } + } + + private void determineDependencyName(final Dependency dependency, final String value) { + if (dependency.getName() == null && StringUtils.containsIgnoreCase(dependency.getActualFile().getName(), value)) { + final String ext = FileUtils.getFileExtension(value); + if (ext != null) { + dependency.setName(value.substring(0, value.length() - ext.length() - 1)); + } else { + dependency.setName(value); + } + } + } +} diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java b/core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java index 8e5e7080009..3822de40d24 100644 --- a/core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java +++ b/core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java @@ -284,6 +284,18 @@ public synchronized Set getEvidence(EvidenceType type) { return null; } + /** + * Returns the unmodifiable set of evidence. + * + * @return the unmodifiable set of evidence + */ + public synchronized Set getEvidence() { + Set e = new HashSet<>(vendors); + e.addAll(products); + e.addAll(versions); + return Collections.unmodifiableSet(e); + } + /** * Tests if the evidence collection contains the given evidence. * diff --git a/core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer index aa49988569c..d7dc3f89fa4 100644 --- a/core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer +++ b/core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer @@ -1,5 +1,6 @@ org.owasp.dependencycheck.analyzer.ArchiveAnalyzer org.owasp.dependencycheck.analyzer.FileNameAnalyzer +org.owasp.dependencycheck.analyzer.PEAnalyzer org.owasp.dependencycheck.analyzer.JarAnalyzer org.owasp.dependencycheck.analyzer.HintAnalyzer org.owasp.dependencycheck.analyzer.CPEAnalyzer diff --git a/core/src/main/resources/dependencycheck.properties b/core/src/main/resources/dependencycheck.properties index 315ab4a7fc3..f3240d6e64d 100644 --- a/core/src/main/resources/dependencycheck.properties +++ b/core/src/main/resources/dependencycheck.properties @@ -140,6 +140,7 @@ analyzer.dependencybundling.enabled=true analyzer.dependencymerging.enabled=true analyzer.falsepositive.enabled=true analyzer.filename.enabled=true +analyzer.pe.enabled=true analyzer.hint.enabled=true analyzer.nvdcve.enabled=true analyzer.vulnerabilitysuppression.enabled=true diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java index d7c4ed0b549..583643933c2 100644 --- a/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java @@ -18,14 +18,9 @@ package org.owasp.dependencycheck.analyzer; import java.io.File; -import java.io.FileInputStream; import java.io.IOException; -import java.io.InputStream; - -import org.apache.commons.io.IOUtils; import org.junit.After; -import static org.junit.Assert.assertArrayEquals; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; @@ -42,7 +37,6 @@ import org.owasp.dependencycheck.dependency.Evidence; import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.exception.InitializationException; -import org.owasp.dependencycheck.utils.FileUtils; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -118,7 +112,7 @@ public void testLog4Net() throws Exception { Dependency d = new Dependency(f); analyzer.analyze(d, null); - assertTrue(d.contains(EvidenceType.VERSION, new Evidence("grokassembly", "FileVersion", "1.2.13.0", Confidence.HIGHEST))); + assertTrue(d.contains(EvidenceType.VERSION, new Evidence("grokassembly", "FileVersion", "1.2.13.0", Confidence.HIGH))); assertEquals("1.2.13.0", d.getVersion()); assertTrue(d.contains(EvidenceType.VENDOR, new Evidence("grokassembly", "CompanyName", "The Apache Software Foundation", Confidence.HIGHEST))); assertTrue(d.contains(EvidenceType.PRODUCT, new Evidence("grokassembly", "ProductName", "log4net", Confidence.HIGHEST))); diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PEAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PEAnalyzerTest.java new file mode 100644 index 00000000000..441ff498647 --- /dev/null +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PEAnalyzerTest.java @@ -0,0 +1,99 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2020 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import java.io.File; +import org.junit.After; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; +import org.junit.Before; +import org.junit.Test; +import org.owasp.dependencycheck.BaseTest; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.analyzer.exception.UnexpectedAnalysisException; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.Evidence; +import org.owasp.dependencycheck.dependency.EvidenceType; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * Tests for the PEAnalyzer. + * + * @author Jeremy Long + * + */ +public class PEAnalyzerTest extends BaseTest { + + private static final Logger LOGGER = LoggerFactory.getLogger(PEAnalyzerTest.class); + + private static final String LOG_KEY = "org.slf4j.simpleLogger.org.owasp.dependencycheck.analyzer.PEAnalyzer"; + + private PEAnalyzer analyzer; + + /** + * Sets up the analyzer. + * + * @throws Exception if anything goes sideways + */ + @Before + @Override + public void setUp() throws Exception { + super.setUp(); + analyzer = new PEAnalyzer(); + analyzer.initialize(getSettings()); + analyzer.accept(new File("test.dll")); // trick into "thinking it is active" + analyzer.prepare(null); + } + + /** + * Tests to make sure the name is correct. + */ + @Test + public void testGetName() { + assertEquals("PE Analyzer", analyzer.getName()); + } + + @Test + public void testAnalysis() throws Exception { + File f = BaseTest.getResourceAsFile(this, "log4net.dll"); + + Dependency d = new Dependency(f); + analyzer.analyze(d, null); + assertTrue(d.contains(EvidenceType.VERSION, new Evidence("PE Header", "FileVersion", "1.2.13.0", Confidence.HIGH))); + assertEquals("1.2.13.0", d.getVersion()); + assertTrue(d.contains(EvidenceType.VENDOR, new Evidence("PE Header", "CompanyName", "The Apache Software Foundation", Confidence.HIGHEST))); + assertTrue(d.contains(EvidenceType.PRODUCT, new Evidence("PE Header", "ProductName", "log4net", Confidence.HIGHEST))); + assertEquals("log4net", d.getName()); + } + + @After + @Override + public void tearDown() throws Exception { + try { + analyzer.closeAnalyzer(); + } catch (Exception ex) { + throw new UnexpectedAnalysisException(ex); + } finally { + super.tearDown(); + } + } +} diff --git a/core/src/test/resources/dependencycheck.properties b/core/src/test/resources/dependencycheck.properties index d176bf7a424..f57a75eae1f 100644 --- a/core/src/test/resources/dependencycheck.properties +++ b/core/src/test/resources/dependencycheck.properties @@ -134,6 +134,7 @@ analyzer.dependencybundling.enabled=true analyzer.dependencymerging.enabled=true analyzer.falsepositive.enabled=true analyzer.filename.enabled=true +analyzer.pe.enabled=true analyzer.hint.enabled=true analyzer.nvdcve.enabled=true analyzer.vulnerabilitysuppression.enabled=true diff --git a/pom.xml b/pom.xml index 4ce39e0ef52..a53ff33d424 100644 --- a/pom.xml +++ b/pom.xml @@ -912,6 +912,11 @@ Copyright (c) 2012 - Jeremy Long compile true + + org.whitesource + pecoff4j + 0.0.2.1 + com.vdurmont semver4j diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index 2d84200e560..46c96670ade 100644 --- a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -550,6 +550,10 @@ public static final class KEYS { * The key to determine if the File Name analyzer is enabled. */ public static final String ANALYZER_FILE_NAME_ENABLED = "analyzer.filename.enabled"; + /** + * The key to determine if the File Version analyzer is enabled. + */ + public static final String ANALYZER_PE_ENABLED = "analyzer.pe.enabled"; /** * The key to determine if the Hint analyzer is enabled. */ diff --git a/utils/src/test/resources/dependencycheck.properties b/utils/src/test/resources/dependencycheck.properties index 7d32d3101f0..0b192e8eb87 100644 --- a/utils/src/test/resources/dependencycheck.properties +++ b/utils/src/test/resources/dependencycheck.properties @@ -133,6 +133,7 @@ analyzer.dependencybundling.enabled=true analyzer.dependencymerging.enabled=true analyzer.falsepositive.enabled=true analyzer.filename.enabled=true +analyzer.pe.enabled=true analyzer.hint.enabled=true analyzer.nvdcve.enabled=true analyzer.vulnerabilitysuppression.enabled=true