More alias

Author: Prabhu Subramanian

depscan/cli.py

@@ -254,8 +254,13 @@ def main():
             ".json", "-risk.{}.json".format(project_type)
         )
         LOG.info("=" * 80)
-        bom_file = os.path.join(reports_dir, "bom-" + project_type + ".json")
-        creation_status = create_bom(project_type, bom_file, src_dir)
+        creation_status = False
+        if args.bom and os.path.exists(args.bom):
+            bom_file = args.bom
+            creation_status = True
+        else:
+            bom_file = os.path.join(reports_dir, "bom-" + project_type + ".json")
+            creation_status = create_bom(project_type, bom_file, src_dir)
         if not creation_status:
             LOG.debug("Bom file {} was not created successfully".format(bom_file))
             continue

depscan/lib/config.py

@@ -12,6 +12,7 @@
 
 # CPE Vendor aliases
 vendor_alias = {
+    "org.apache.tomcat.embed": "apache",
     "org.apache.tomcat": "apache_tomcat",
     "org.apache.commons.io": "commons-io",
     "org.apache.logging.log4j": "log4j",
@@ -41,6 +42,7 @@
     "ca.uhn.hapi.fhir": "fhir",
     "tensorflow": "google",
     "ansible": "redhat",
+    "io.springfox": "smartbear",
 }
 
 # Package aliases
@@ -53,7 +55,9 @@
     "tomcat_native": "tomcat",
     "tomcat_connectors": "tomcat",
     "tomcat_jk_connector": "tomcat",
+    "tomcat-embed-core": "tomcat",
     "spring-security-core": "spring_security",
+    "spring-security-crypto": "spring_security",
     "asciidoctorj": "asciidoctor",
     "postgresql": "postgresql_jdbc_driver",
     "itextpdf": "itext",
@@ -98,6 +102,11 @@
     "hawkbit-boot-starter": "hawkbit",
     "software_development_kit": "splunk-sdk",
     "jira_software_data_center": "jira",
+    "springfox-swagger2": "swagger_ui",
+    "spring-web": "spring_framework",
+    "springfox-swagger-ui": "swagger_ui",
+    "hibernate-core": "hibernate_orm",
+    "json-smart": "json-smart-v2"
 }
 
 # Default ignore list

depscan/lib/normalize.py

@@ -50,7 +50,7 @@ def create_pkg_variations(pkg_dict):
         ):
             tmpA = vendor.split(".")
             # Automatically add short vendor forms
-            if len(tmpA) > 2 and len(tmpA[1]) > 3:
+            if len(tmpA) > 1 and len(tmpA[1]) > 3:
                 if tmpA[1] != name:
                     vendor_aliases.add(tmpA[1])
     # Add some common vendor aliases
@@ -97,7 +97,7 @@ def create_pkg_variations(pkg_dict):
         if name.endswith(suffix):
             name_aliases.add(name.replace(suffix, ""))
     for k, v in config.package_alias.items():
-        if name.startswith(k) or k.startswith(name):
+        if name.startswith(k) or k.startswith(name) or v.startswith(name):
             name_aliases.add(k)
             name_aliases.add(v)
     if len(vendor_aliases):

setup.py

@@ -5,7 +5,7 @@
 
 setuptools.setup(
     name="appthreat-depscan",
-    version="1.11.3",
+    version="1.11.4",
     author="Team AppThreat",
     author_email="[email protected]",
     description="Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.",

test/test_norm.py

@@ -86,3 +86,19 @@ def test_pkg_variations():
         }
     )
     assert len(pkg_list) > 1
+    pkg_list = create_pkg_variations(
+        {
+            "vendor": "org.hibernate",
+            "name": "hibernate-core",
+            "version": "5.4.18.Final",
+        }
+    )
+    assert len(pkg_list) > 1
+    pkg_list = create_pkg_variations(
+        {
+            "vendor": "org.springframework.security",
+            "name": "spring-security-crypto",
+            "version": "5.3.3.RELEASE",
+        }
+    )
+    assert len(pkg_list) > 1