
Improve Spring Support #5

Closed
jeremylong opened this issue Feb 17, 2013 · 6 comments

Comments

@jeremylong (Owner)

The Spring Framework is bad about including vendor information in their manifest. There are a few "a priori" items of evidence added to aid in the detection of the Spring Framework. This is currently in the JAR Analyzer and should be moved to a PRE_IDENTIFIER_ANALYSIS Analyzer.

Additionally, the SpringCleaner Analyzer should be cleaned up to use regular expressions rather than the two hard-coded partial CPE Strings.

@jeremylong (Owner, Author)

The hints regarding the spring framework have been removed from the JarAnalyzer and have been placed into the HintAnalyzer.

The SpringCleanerAnalyzer has been cleaned up, made generic, and is now the DependencyBundlingAnalyzer and FalsePositiveAnalyzer.

@CorduroyCordova
I seem to have an issue where Spring Security Core is being mis-identified as Spring Core and generating false positives, for Jenkins plugin v1.2.1:

Example:
...
spring-aop-3.2.8.RELEASE.jar
spring-beans-3.2.8.RELEASE.jar
spring-context-3.2.8.RELEASE.jar
spring-context-support-3.2.8.RELEASE.jar
spring-core-3.2.8.RELEASE.jar
spring-expression-3.2.8.RELEASE.jar
spring-jdbc-3.2.8.RELEASE.jar
spring-jms-3.2.8.RELEASE.jar
spring-security-core-3.2.3.RELEASE.jar

spring-security-acl-3.2.3.RELEASE.jar
spring-security-config-3.2.3.RELEASE.jar
spring-security-taglibs-3.2.3.RELEASE.jar

spring-security-web-3.2.3.RELEASE.jar
spring-tx-3.2.8.RELEASE.jar
spring-web-3.2.8.RELEASE.jar
spring-webmvc-3.2.8.RELEASE.jar
...
jenkins/workspace/xxxxxx_test/runtime-libraries/spring-security-core-3.2.3.RELEASE.jar
cpe: cpe:/a:springsource:spring_framework:3.2.3 Confidence:HIGHEST

Is this an artifact of the way this issue was closed? Should I create a new issue?

New to GitHub and DependencyCheck, please advise.
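The mis-identification reported above, together with the regex-based hint approach proposed in the opening comment, as an added example (not DependencyCheck's own code, and not the project's HintAnalyzer or FalsePositiveAnalyzer logic): a small Python script that parses the two-line "path / cpe: ... Confidence:..." layout shown in the report, flags jars whose Maven artifactId says spring-security-* but whose assigned CPE names spring_framework, and renders a dependency-check suppression file for them as a workaround while the identification is fixed upstream. The report excerpt is constructed to mirror the output above, the hint table is an assumption for illustration, the suppression schema URL is the current 1.3 one rather than the one shipped in 2014, and the vendor:product CPE entry is assumed to match as a prefix; check the suppression schema for the version you actually run.

```python
"""Flag DependencyCheck identifications that map a spring-security-* jar to the
spring_framework CPE, and render a suppression file for them.

Added example, not DependencyCheck's own code. The report excerpt, the hint
table and the suppression entries are constructed/assumed for illustration.
"""
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple
from xml.sax.saxutils import escape

# Maven-style file name <artifactId>-<version>.jar. The version must start with
# a digit, so a hyphenated artifactId such as spring-security-core still splits
# at the right hyphen.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d[^/]*)\.jar$")

# cpe:/a:<vendor>:<product>[:<version>...]  (CPE 2.2 URI form used in the report)
CPE_RE = re.compile(r"^cpe:/a:(?P<vendor>[^:]+):(?P<product>[^:]+)(?::(?P<version>[^:]+))?")

# Hint table (assumed, for illustration): artifactId regex -> product the CPE
# should name. Order matters: the specific spring-security rule must come
# before the generic Spring Framework rule.
PRODUCT_HINTS = [
    (re.compile(r"^spring-security(-|$)"), "spring_security"),
    (re.compile(r"^spring-(aop|beans|context|context-support|core|expression|jdbc|jms|tx|web|webmvc)$"),
     "spring_framework"),
]


class Finding(NamedTuple):
    path: str              # path as printed in the report
    cpe: str               # CPE that dependency-check assigned
    expected_product: str  # product the hint table says the jar really is


def expected_product(artifact: str) -> Optional[str]:
    """Product the hint table expects for a Maven artifactId, or None if no hint applies."""
    for pattern, product in PRODUCT_HINTS:
        if pattern.search(artifact):
            return product
    return None


def parse_report(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, cpe) pairs from the two-line '<path>' / 'cpe: <cpe> Confidence:<level>' layout."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    for prev, cur in zip(lines, lines[1:]):
        if cur.startswith("cpe:"):
            yield prev, cur.split()[1]


def find_misidentifications(report: str) -> List[Finding]:
    """Return every entry whose artifactId hint disagrees with the product in the assigned CPE."""
    findings = []
    for path, cpe in parse_report(report):
        jar = JAR_RE.match(path.rsplit("/", 1)[-1])
        ident = CPE_RE.match(cpe)
        if not jar or not ident:
            continue
        want = expected_product(jar["artifact"])
        if want and ident["product"] != want:
            findings.append(Finding(path, cpe, want))
    return findings


def file_path_pattern(artifact: str) -> str:
    """Java-style regex for the suppression <filePath>: any directory, this artifactId, any version."""
    return r".*\b" + re.escape(artifact) + r"-\d[^/]*\.jar$"


def suppression_xml(findings: List[Finding]) -> str:
    """Render a dependency-check suppression file that drops the wrong CPE for each flagged jar.
    <filePath regex="true"> keys on the artifactId so a version bump does not need a new entry;
    the vendor:product CPE is assumed to be matched as a prefix by the suppression rule."""
    out = ['<?xml version="1.0" encoding="UTF-8"?>',
           '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">']
    for f in findings:
        name = f.path.rsplit("/", 1)[-1]
        artifact = JAR_RE.match(name)["artifact"]
        vendor, product = CPE_RE.match(f.cpe).group("vendor", "product")
        out += ["  <suppress>",
                f"    <notes>{escape(name)} is {f.expected_product}, not {product}</notes>",
                f'    <filePath regex="true">{escape(file_path_pattern(artifact))}</filePath>',
                f"    <cpe>cpe:/a:{vendor}:{product}</cpe>",
                "  </suppress>"]
    out.append("</suppressions>")
    return "\n".join(out)


# Constructed report excerpt in the layout shown in the thread: the spring-security-core
# line mirrors the reported output, the others are made up to show a correct Spring
# Framework identification and an unrelated jar being left alone.
SAMPLE_REPORT = """\
runtime-libraries/spring-core-3.2.8.RELEASE.jar
cpe: cpe:/a:springsource:spring_framework:3.2.8 Confidence:HIGHEST
runtime-libraries/spring-security-core-3.2.3.RELEASE.jar
cpe: cpe:/a:springsource:spring_framework:3.2.3 Confidence:HIGHEST
runtime-libraries/spring-security-web-3.2.3.RELEASE.jar
cpe: cpe:/a:springsource:spring_framework:3.2.3 Confidence:HIGHEST
runtime-libraries/commons-io-2.4.jar
cpe: cpe:/a:apache:commons_io:2.4 Confidence:HIGH
"""

if __name__ == "__main__":
    found = find_misidentifications(SAMPLE_REPORT)
    for f in found:
        print(f"{f.path}: {f.cpe} should name product {f.expected_product}")
    print(suppression_xml(found))
```

Run it against a copy of the report text and point dependency-check at the generated file with its suppression-file option; the spring-core entry is left alone because its hint and CPE agree, and commons-io is skipped because no hint applies, so the suppression only ever covers the jars the hint table positively disputes.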

@jeremylong (Owner, Author)

Thanks for pointing this out. A new issue should be opened for this so that it doesn't get lost (and it is different from the original Spring issue). The best fix for this will need to happen after issue #124 has been fixed. I just opened issue #130 to track this.

--Jeremy


@CorduroyCordova

Jeremy,

Thank you. I will open a new issue today. I appreciate the quick response.

Be well,

EK


@jeremylong (Owner, Author)

I already opened issue #130 to track this.

Thanks,

Jeremy


@lock (lock bot) commented Sep 28, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 28, 2018