diff --git a/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java b/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java
index 24e729649..5f49c8e8f 100644
--- a/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java
+++ b/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java
@@ -103,7 +103,7 @@ protected final String getToolWithEdition() {
 */
 public String getCpeVendor() {
- return "";
+ return getTool();
 }
 /**
@@ -111,16 +111,15 @@ public String getCpeVendor() {
 */
 public String getCpeProduct() {
- return "";
+ return getTool();
 }
 /**
- * @param urlEdition the {@link UrlEdition} to get the CPE (Common Platform Enumeration) edition for.
 * @return the edition as specified in the CPE.
 */
- public String getCpeEdition(String urlEdition) {
+ public String getCpeEdition() {
- return "";
+ return getTool();
 }
 /**
diff --git a/cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java b/cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java
index 8eaca3dfd..dad24b779 100644
--- a/cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java
+++ b/cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java
@@ -108,8 +108,16 @@ public void updateAll() {
 */
 public AbstractUrlUpdater retrieveUrlUpdater(String tool, String edition) {
- return updaters.stream().filter(updater -> updater.getTool().equals(tool) && updater.getEdition().equals(edition))
- .findFirst().orElse(null);
+ for (AbstractUrlUpdater updater : updaters) {
+ // TODO: fix this ugly hack for intellij see: https://github.com/devonfw/ide/issues/1378
+ if (updater.getTool().equals(tool) && edition.equals("intellij")) {
+ return updater;
+ }
+ if (updater.getTool().equals(tool) && updater.getEdition().equals(edition)) {
+ return updater;
+ }
+ }
+ return null;
 }
 public UrlRepository getUrlRepository() {
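Review bot: Defaulting `getCpeVendor()`, `getCpeProduct()` and (second hunk) `getCpeEdition()` all to `getTool()` makes the base class report the tool name as CPE vendor and as CPE edition, which is rarely what the CPE dictionary records for a product; a wrong vendor or edition means dependency-check matches a different CPE or none, so vulnerabilities for that tool are missed without any warning. It also means the `cpeVendor.isBlank() || cpeProduct.isBlank()` guard in UrlAnalyzer can no longer fire for a subclass that keeps the defaults, so "vendor unknown" turns from a detectable condition into a silent mismatch. If the tool-name fallback is an intentional heuristic, the Javadoc should say so and state the override expectation, e.g. `@return the CPE vendor; defaults to {@link #getTool()} and must be overridden where the CPE vendor differs from the tool name` (and likewise for product and edition, whose `@return` still promises "the edition as specified in the CPE"). Removing the `urlEdition` parameter also changes the override signature; a subclass still declaring `getCpeEdition(String)` without `@Override` would silently stop overriding, which cannot be verified from this hunk.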
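Review bot: The intellij shortcut in `retrieveUrlUpdater` keys only on the requested edition, so for any `tool` a lookup with `edition` equal to `"intellij"` returns the first updater of that tool regardless of its edition, and `edition.equals("intellij")` now throws on a null edition where the replaced stream version returned null. The result selects the CPE vendor/product used for vulnerability matching, so a wrong updater quietly produces wrong security data. Unless the hack is meant to apply to every tool, make it null-safe and tie it to the tool as well, e.g. `if (updater.getTool().equals(tool) && "intellij".equals(edition)) {` — presumably with a check that `tool` is intellij too, which I cannot confirm is the intended scope from the linked issue. Since iteration order of `updaters` decides which updater wins, that dependency is worth a sentence next to the TODO.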
diff --git a/security/src/main/java/com/devonfw/tools/security/BuildSecurityJsonFiles.java b/security/src/main/java/com/devonfw/tools/security/BuildSecurityJsonFiles.java
index 5640adf4a..2aaf37854 100644
--- a/security/src/main/java/com/devonfw/tools/security/BuildSecurityJsonFiles.java
+++ b/security/src/main/java/com/devonfw/tools/security/BuildSecurityJsonFiles.java
@@ -5,6 +5,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
@@ -111,7 +112,7 @@ private static void run() {
 initCvesToIgnore();
 UpdateManager updateManager = new UpdateManager(context.getUrlsPath(), null);
- Dependency[] dependencies = getDependenciesWithVulnerabilities(updateManager);
+ List dependencies = getDependenciesWithVulnerabilities(updateManager);
 Set> foundToolsAndEditions = new HashSet<>();
 for (Dependency dependency : dependencies) {
 String filePath = dependency.getFilePath();
@@ -119,6 +120,9 @@ private static void run() {
 String tool = parent.getParent().getParent().getFileName().toString();
 String edition = parent.getParent().getFileName().toString();
 AbstractUrlUpdater urlUpdater = updateManager.retrieveUrlUpdater(tool, edition);
+ if (urlUpdater == null) {
+ continue;
+ }
 UrlSecurityJsonFile securityFile = context.getUrls().getEdition(tool, edition).getSecurityJsonFile();
 boolean newlyAdded = foundToolsAndEditions.add(new Pair<>(tool, edition));
 if (newlyAdded) { // to assure that the file is cleared only once per tool and edition
@@ -153,6 +157,7 @@ private static Map buildCpeToUrlVersionMap(String tool, String e
 List sortedVersions = context.getUrls().getSortedVersions(tool, edition).stream()
 .map(VersionIdentifier::toString).toList();
+
 List sortedCpeVersions = sortedVersions.stream().map(urlUpdater::mapUrlVersionToCpeVersion)
 .collect(Collectors.toList());
 Map cpeToUrlVersion = MapUtil.createMapfromLists(sortedCpeVersions, sortedVersions);
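Review bot: The `continue` added after `retrieveUrlUpdater(tool, edition)` in the `@@ -119` hunk silently drops a dependency for which the engine already reported vulnerabilities (the list is pre-filtered to those, per the change to `getDependenciesWithVulnerabilities` below), so a tool/edition folder without a registered updater never reaches its security JSON and nobody is told. At minimum log the skip before continuing, e.g. `context.warning("No URL updater registered for {} {}, skipping its vulnerabilities", tool, edition);` — assuming `context` exposes a warning-level logger, which is not visible in this hunk. Note that the clearing of the security file tied to `foundToolsAndEditions.add(...)` also happens only for updaters that are found, so a stale file for a skipped tool/edition is left as is; if that is intended, a comment on the `continue` should say so. `run()` begins before this hunk.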
@@ -163,13 +168,13 @@ private static Map buildCpeToUrlVersionMap(String tool, String e
 * Uses the {@link Engine OWASP engine} to scan the {@link AbstractIdeContext#getUrlsPath() ide-url} folder for
 * dependencies and then runs {@link Engine#analyzeDependencies() analyzes} them to get the {@link Vulnerability
 * vulnerabilities}.
- *
+ *
 * @param updateManager the {@link UpdateManager} to use to get the {@link AbstractUrlUpdater} of the tool to get CPE
 * Vendor, CPE Product and CPE edition of the tool, as well as the
 * {@link AbstractUrlUpdater#mapCpeVersionToUrlVersion(String) CPE naming of its version}
 * @return the {@link Dependency dependencies} with associated {@link Vulnerability vulnerabilities}.
 */
- private static Dependency[] getDependenciesWithVulnerabilities(UpdateManager updateManager) {
+ private static List getDependenciesWithVulnerabilities(UpdateManager updateManager) {
 Settings settings = new Settings();
 Engine engine = new Engine(settings);
@@ -189,8 +194,11 @@ private static Dependency[] getDependenciesWithVulnerabilities(UpdateManager upd
 throw new RuntimeException(e);
 }
 Dependency[] dependencies = engine.getDependencies();
+ // remove dependencies without vulnerabilities
+ List dependenciesFiltered = Arrays.stream(dependencies)
+ .filter(dependency -> !dependency.getVulnerabilities().isEmpty()).toList();
 engine.close();
- return dependencies;
+ return dependenciesFiltered;
 }
 /**
diff --git a/security/src/main/java/com/devonfw/tools/security/UrlAnalyzer.java b/security/src/main/java/com/devonfw/tools/security/UrlAnalyzer.java
index 58aaf1dea..58ecb5c1f 100644
--- a/security/src/main/java/com/devonfw/tools/security/UrlAnalyzer.java
+++ b/security/src/main/java/com/devonfw/tools/security/UrlAnalyzer.java
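Review bot: The Javadoc `@return` of `getDependenciesWithVulnerabilities` is unchanged although the method now (see the `@@ -189` hunk) drops every dependency whose vulnerability set is empty, so callers can no longer rely on getting the full scan result. Make the narrowed contract explicit, e.g. `@return the {@link Dependency dependencies} that have at least one {@link Vulnerability}; dependencies without findings are omitted.` The returned list comes from `Stream.toList()` and is unmodifiable, which is also worth stating for callers that used to receive an array.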
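Review bot: `engine.close()` in the `@@ -189` hunk is still reached only on the success path: the `throw new RuntimeException(e)` visible two lines above it skips the close, and the new `Arrays.stream(...).filter(...)` now also runs before `close()`, so an exception from `getVulnerabilities()` would leak the engine and whatever database connection and temporary data it holds. `Engine` implements `AutoCloseable` as far as I know, so opening it as `try (Engine engine = new Engine(settings)) { … }` and returning the filtered list from inside the block closes both gaps. The method starts before this hunk (`Engine engine = new Engine(settings);` is in the `@@ -163` hunk), so the restructuring touches lines not shown here.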
@@ -1,7 +1,9 @@
 package com.devonfw.tools.security;
-import com.devonfw.tools.ide.url.updater.AbstractUrlUpdater;
-import com.devonfw.tools.ide.url.updater.UpdateManager;
+import java.io.FileFilter;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer;
 import org.owasp.dependencycheck.analyzer.AnalysisPhase;
@@ -11,9 +13,8 @@
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
-import java.io.FileFilter;
-import java.nio.file.Path;
-import java.nio.file.Paths;
+import com.devonfw.tools.ide.url.updater.AbstractUrlUpdater;
+import com.devonfw.tools.ide.url.updater.UpdateManager;
 /**
 * Analyzes file paths to detect tool, edition and version of software listed in a directory structure like this:
@@ -56,9 +57,13 @@ protected void analyzeDependency(Dependency dependency, Engine engine) {
 AbstractUrlUpdater urlUpdater = this.updateManager.retrieveUrlUpdater(tool, edition);
+ if (urlUpdater == null) {
+ return;
+ }
+
 String cpeVendor = urlUpdater.getCpeVendor();
 String cpeProduct = urlUpdater.getCpeProduct();
- String cpeEdition = urlUpdater.getCpeEdition(edition);
+ String cpeEdition = urlUpdater.getCpeEdition();
 String cpeVersion = urlUpdater.mapUrlVersionToCpeVersion(versionFolder.getFileName().toString());
 if (cpeVendor.isBlank() || cpeProduct.isBlank()) {
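Review bot: The early `return` in `analyzeDependency` (the `@@ -56` hunk) when no updater is found leaves the dependency without any vendor/product evidence, so dependency-check will never match a CPE for it — a silent gap in exactly the scan this analyzer exists to feed. Either log the skip (the analyzer's logging facility is not visible in this hunk) or add a comment stating that such folders are deliberately excluded, e.g. `// no updater registered for this tool/edition: nothing to map to a CPE, so the dependency gets no evidence`. The same silent skip is introduced in BuildSecurityJsonFiles.run(), so both places should agree on whether this is reported. `analyzeDependency` continues outside the hunk.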