package org.owasp.dependencycheck.analyzer;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.FileFilter;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import javax.annotation.concurrent.ThreadSafe;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.dependency.EvidenceType;
import org.owasp.dependencycheck.dependency.naming.CpeIdentifier;
import org.owasp.dependencycheck.dependency.naming.Identifier;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import us.springett.parsers.cpe.Cpe;
import us.springett.parsers.cpe.CpeBuilder;
import us.springett.parsers.cpe.exceptions.CpeValidationException;
import us.springett.parsers.cpe.values.Part;

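/**
 * Post-identifier pass that removes CPE matches this analyzer treats as false
 * positives and adds a few vendor/product variants it treats as false
 * negatives.
 *
 * <p>Removals cover: core Java/JSF CPEs on files that are not the JRE's own
 * jars, generic products such as {@code file:file} or {@code ssh:ssh} on
 * archives, JavaScript-library CPEs on binary artifacts, Microsoft Office CPEs
 * on Java artifacts, Maven/JBoss CPEs on jars that are not the core jar,
 * SpringSource CPEs for a different Spring module than the software
 * identifier names, Axis/Axis2 mix-ups, and less specific duplicates of the
 * same vendor/product. Additions cover Sun/Oracle OpenSSO and Apache
 * Santuario variants.
 *
 * <p>Thread-safety: all shared state is {@code static final} and every pass
 * works on per-call locals, so one instance can serve several threads.
 */
@ThreadSafe
public class FalsePositiveAnalyzer extends AbstractAnalyzer {

    /** Display name reported by {@link #getName()}. */
    private static final String ANALYZER_NAME = "False Positive Analyzer";
    /** Class logger. */
    private static final Logger LOGGER = LoggerFactory.getLogger(FalsePositiveAnalyzer.class);
    /** Filter for Windows binaries; not referenced by any method in this listing. */
    private static final FileFilter DLL_EXE_FILTER = FileFilterBuilder.newInstance().addExtensions("dll", "exe").build();
    /** CPE URIs of Sun/Oracle/IBM core Java products (JDK, JRE, JSSE, JavaFX, ...). */
    public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|jdk|jre|jsse)($|:.*)");
    /** CPE URIs of the Sun/Oracle/IBM JSF product. */
    public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)");
    /** File names (optionally path-prefixed) of the JRE's own jars, e.g. {@code rt.jar} or {@code jsse.jar}. */
    public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
    /** File names of JSF implementation jars ({@code jsf-*.jar}). */
    public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");
    /** Phase reported by {@link #getAnalysisPhase()}; runs after CPE identifiers are assigned. */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;

    /** Prefix of the software identifiers {@link #removeBadSpringMatches} keys on. */
    private static final String SPRING_GROUP_PREFIX = "org.springframework.";
    /**
     * Offset at which the Spring module token is cut out of the identifier.
     * NOTE(review): {@link #SPRING_GROUP_PREFIX} is 20 characters, so 19 keeps
     * the trailing '.' as the first character of the token; kept as in the
     * original — TODO confirm that is intended.
     */
    private static final int SPRING_MODULE_OFFSET = 19;
    /** Vendor prefix of the CPEs pruned by {@link #removeBadSpringMatches}. */
    private static final String SPRINGSOURCE_CPE_PREFIX = "cpe:/a:springsource:";
    /** Products whose name mentions C++ are never a match for the artifact types below. */
    private static final Pattern CPP_PRODUCT = Pattern.compile(".*c\\+\\+.*");
    /** Lower-cased file name of the only jar an {@code apache:maven} CPE is kept for. */
    private static final Pattern MAVEN_CORE_JAR = Pattern.compile("maven-core-[\\d.]+\\.jar");
    /** Lower-cased file name of the only jar a {@code jboss:jboss} CPE is kept for. */
    private static final Pattern JBOSS_JAR = Pattern.compile("jboss-?[\\d.-]+(GA)?\\.jar");
    /** Artifact suffixes on which generic products (file, ssh, C++, ...) are false positives. */
    private static final String[] ARCHIVE_SUFFIXES = {
        ".jar", "pom.xml", ".dll", ".exe", ".nuspec", ".zip", ".sar", ".apk",
        ".tar", ".gz", ".tgz", ".rpm", ".ear", ".war"
    };
    /** Artifact suffixes on which JavaScript-library CPEs are false positives. */
    private static final String[] BINARY_SUFFIXES = {".jar", "pom.xml", ".dll", ".exe"};
    /** Artifact suffixes on which Microsoft Office / Core FTP CPEs are false positives. */
    private static final String[] JAVA_ARTIFACT_SUFFIXES = {".jar", ".ear", ".war", "pom.xml"};

    /** {@inheritDoc} */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

    /** {@inheritDoc} */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }

    /**
     * Returns the settings key that enables or disables this analyzer.
     *
     * @return the key {@code analyzer.falsepositive.enabled}
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return "analyzer.falsepositive.enabled";
    }

    /**
     * Runs the pruning passes in a fixed order and then the additions.
     *
     * @param dependency the dependency whose vulnerable-software identifiers are adjusted
     * @param engine the engine; only forwarded to {@link #removeDuplicativeEntriesFromJar}
     * @throws AnalysisException declared for the {@code AbstractAnalyzer} contract; nothing here throws it
     */
    @Override
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
        removeJreEntries(dependency);
        removeBadMatches(dependency);
        removeBadSpringMatches(dependency);
        removeWrongVersionMatches(dependency);
        removeSpuriousCPE(dependency);
        removeDuplicativeEntriesFromJar(dependency, engine);
        addFalseNegativeCPEs(dependency);
    }

    /**
     * Removes {@code cpe:/a:springsource:} identifiers whose lower-cased value
     * does not contain the Spring module token taken from the first
     * {@code org.springframework.} software identifier. Does nothing when no
     * such software identifier exists.
     *
     * @param dependency the dependency to prune
     */
    private void removeBadSpringMatches(Dependency dependency) {
        final String mustContain = springModuleToken(dependency);
        if (mustContain == null) {
            return;
        }
        final Set<Identifier> removalSet = new HashSet<>();
        for (Identifier identifier : dependency.getVulnerableSoftwareIdentifiers()) {
            final String value = identifier.getValue();
            if (value != null
                    && value.startsWith(SPRINGSOURCE_CPE_PREFIX)
                    && !value.toLowerCase(Locale.ROOT).contains(mustContain)) {
                removalSet.add(identifier);
            }
        }
        removalSet.forEach(dependency::removeVulnerableSoftwareIdentifier);
    }

    /**
     * Extracts the lower-cased text between {@link #SPRING_MODULE_OFFSET} and
     * the next ':' from the first software identifier that starts with
     * {@link #SPRING_GROUP_PREFIX}. Identifiers with no ':' after the offset
     * are skipped.
     *
     * @param dependency the dependency whose software identifiers are scanned
     * @return the module token, or {@code null} if no identifier qualifies
     */
    private static String springModuleToken(Dependency dependency) {
        for (Identifier identifier : dependency.getSoftwareIdentifiers()) {
            final String value = identifier.getValue();
            if (value == null || !value.startsWith(SPRING_GROUP_PREFIX)) {
                continue;
            }
            final int colon = value.indexOf(':', SPRING_MODULE_OFFSET);
            if (colon >= 0) {
                return value.substring(SPRING_MODULE_OFFSET, colon).toLowerCase(Locale.ROOT);
            }
        }
        return null;
    }

    /**
     * Removes the less specific of any two CPE identifiers that share vendor
     * and product: a {@code null} version loses to a non-null one, and a
     * version that is a prefix of the other (or the {@code -} placeholder)
     * loses to the longer one. Works on a sorted snapshot, so removals do not
     * disturb the iteration.
     *
     * @param dependency the dependency to prune
     */
    @SuppressFBWarnings(justification = "null checks are working correctly to prevent NPE", value = {"NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE"})
    private void removeSpuriousCPE(Dependency dependency) {
        final List<Identifier> identifiers = new ArrayList<>(dependency.getVulnerableSoftwareIdentifiers());
        // Natural ordering, exactly what Collections.sort(list) does.
        identifiers.sort(null);
        for (int i = 0; i < identifiers.size(); i++) {
            if (!(identifiers.get(i) instanceof CpeIdentifier)) {
                continue;
            }
            final CpeIdentifier current = (CpeIdentifier) identifiers.get(i);
            final Cpe currentCpe = current.getCpe();
            for (int j = i + 1; j < identifiers.size(); j++) {
                if (!(identifiers.get(j) instanceof CpeIdentifier)) {
                    continue;
                }
                final CpeIdentifier next = (CpeIdentifier) identifiers.get(j);
                final Cpe nextCpe = next.getCpe();
                if (Objects.equals(currentCpe.getVendor(), nextCpe.getVendor())
                        && Objects.equals(currentCpe.getProduct(), nextCpe.getProduct())) {
                    removeLessSpecific(dependency, current, next);
                }
            }
        }
    }

    /**
     * Applies the version rules of {@link #removeSpuriousCPE} to one pair of
     * identifiers with equal vendor and product.
     *
     * @param dependency the dependency the loser is removed from
     * @param current the earlier identifier in sort order
     * @param next the later identifier in sort order
     */
    private static void removeLessSpecific(Dependency dependency, CpeIdentifier current, CpeIdentifier next) {
        final String currentVersion = current.getCpe().getVersion();
        final String nextVersion = next.getCpe().getVersion();
        if (currentVersion == null && nextVersion == null) {
            LOGGER.debug("currentVersion and nextVersion are both null?");
        } else if (currentVersion == null) {
            dependency.removeVulnerableSoftwareIdentifier(current);
        } else if (nextVersion == null) {
            dependency.removeVulnerableSoftwareIdentifier(next);
        } else if (currentVersion.length() < nextVersion.length()) {
            if (refines(nextVersion, currentVersion)) {
                dependency.removeVulnerableSoftwareIdentifier(current);
            }
        } else if (refines(currentVersion, nextVersion)) {
            dependency.removeVulnerableSoftwareIdentifier(next);
        }
    }

    /**
     * Whether {@code longer} is a more specific form of {@code shorter}:
     * {@code shorter} is a prefix of it, or {@code shorter} is the {@code -}
     * placeholder.
     *
     * @param longer the version that would survive
     * @param shorter the version that would be dropped
     * @return {@code true} if {@code shorter} can be dropped in favour of {@code longer}
     */
    private static boolean refines(String longer, String shorter) {
        return longer.startsWith(shorter) || "-".equals(shorter);
    }

    /**
     * Removes core Java CPEs unless the file is one of the JRE's own jars,
     * and JSF CPEs unless the file is a {@code jsf-*.jar}. Identifiers with a
     * {@code null} value are left alone; a {@code null} file name is treated
     * as not being a core jar.
     *
     * @param dependency the dependency to prune
     */
    private void removeJreEntries(Dependency dependency) {
        final String fileName = dependency.getFileName() == null ? "" : dependency.getFileName();
        // File-name checks are loop invariant; evaluate them once.
        final boolean coreJavaFile = CORE_FILES.matcher(fileName).matches();
        final boolean coreJsfFile = CORE_JSF_FILES.matcher(fileName).matches();
        final Set<Identifier> removalSet = new HashSet<>();
        for (Identifier identifier : dependency.getVulnerableSoftwareIdentifiers()) {
            final String value = identifier.getValue();
            if (value == null) {
                continue;
            }
            final boolean coreJavaCpe = CORE_JAVA.matcher(value).matches();
            final boolean coreJsfCpe = CORE_JAVA_JSF.matcher(value).matches();
            if ((coreJavaCpe && !coreJavaFile) || (coreJsfCpe && !coreJsfFile)) {
                removalSet.add(identifier);
            }
        }
        removalSet.forEach(dependency::removeVulnerableSoftwareIdentifier);
    }

    /**
     * Removes CPE identifiers that {@link #isBadMatch} classifies as false
     * positives for this dependency's file name and evidence. A {@code null}
     * file name is treated as the empty string.
     *
     * @param dependency the dependency to prune
     */
    protected void removeBadMatches(Dependency dependency) {
        final String fileName = dependency.getFileName();
        final String lowerFileName = fileName == null ? "" : fileName.toLowerCase(Locale.ROOT);
        final Set<Identifier> removalSet = new HashSet<>();
        for (Identifier identifier : dependency.getVulnerableSoftwareIdentifiers()) {
            if (identifier instanceof CpeIdentifier
                    && isBadMatch(dependency, ((CpeIdentifier) identifier).getCpe(), lowerFileName)) {
                removalSet.add(identifier);
            }
        }
        removalSet.forEach(dependency::removeVulnerableSoftwareIdentifier);
    }

    /**
     * Decides whether one CPE is a known false positive. The vendor/product
     * families checked here are mutually exclusive, so each family returns
     * its own verdict directly.
     *
     * @param dependency the dependency providing evidence and software identifiers
     * @param cpe the CPE under test
     * @param lowerFileName the dependency's lower-cased file name, never {@code null}
     * @return {@code true} if the CPE should be removed
     */
    private static boolean isBadMatch(Dependency dependency, Cpe cpe, String lowerFileName) {
        if (isGenericProduct(cpe)) {
            return endsWithAny(lowerFileName, ARCHIVE_SUFFIXES);
        }
        if (isVendorProduct(cpe, "jquery", "jquery")
                || isVendorProduct(cpe, "prototypejs", "prototype")
                || isVendorProduct(cpe, "yahoo", "yui")) {
            return endsWithAny(lowerFileName, BINARY_SUFFIXES);
        }
        if (isMicrosoftOffice(cpe) || isVendorProduct(cpe, "core_ftp", "core_ftp")) {
            return endsWithAny(lowerFileName, JAVA_ARTIFACT_SUFFIXES);
        }
        if (isVendorProduct(cpe, "apache", "maven")) {
            return !MAVEN_CORE_JAR.matcher(lowerFileName).matches();
        }
        if (isVendorProduct(cpe, "m-core", "m-core")) {
            // Product evidence is consulted first; vendor evidence only if that found nothing.
            return !hasEvidenceValue(dependency, EvidenceType.PRODUCT, "m-core")
                    && !hasEvidenceValue(dependency, EvidenceType.VENDOR, "m-core");
        }
        if (isVendorProduct(cpe, "jboss", "jboss")) {
            return !JBOSS_JAR.matcher(lowerFileName).matches();
        }
        if (isVendorProduct(cpe, "java-websocket_project", "java-websocket")) {
            return !hasSoftwareIdentifierContaining(dependency, "org.java-websocket/java-websocket");
        }
        return false;
    }

    /**
     * Whether the product name mentions C++, or vendor and product are the
     * same generic word (file, mozilla, cvs, ftp, tcp, ssh, lookup).
     *
     * @param cpe the CPE under test
     * @return {@code true} for the generic products listed above
     */
    private static boolean isGenericProduct(Cpe cpe) {
        final String vendor = cpe.getVendor();
        final String product = cpe.getProduct();
        if (product != null && CPP_PRODUCT.matcher(product).matches()) {
            return true;
        }
        if (vendor == null || !vendor.equals(product)) {
            return false;
        }
        switch (vendor) {
            case "file":
            case "mozilla":
            case "cvs":
            case "ftp":
            case "tcp":
            case "ssh":
            case "lookup":
                return true;
            default:
                return false;
        }
    }

    /**
     * Whether the CPE is one of the Microsoft Office products this analyzer
     * treats as a false positive on Java artifacts.
     *
     * @param cpe the CPE under test
     * @return {@code true} for microsoft:excel|word|visio|powerpoint|office
     */
    private static boolean isMicrosoftOffice(Cpe cpe) {
        if (!"microsoft".equals(cpe.getVendor())) {
            return false;
        }
        final String product = cpe.getProduct();
        return "excel".equals(product) || "word".equals(product) || "visio".equals(product)
                || "powerpoint".equals(product) || "office".equals(product);
    }

    /**
     * Null-safe exact match of a CPE's vendor and product.
     *
     * @param cpe the CPE under test
     * @param vendor the expected vendor
     * @param product the expected product
     * @return {@code true} if both match exactly
     */
    private static boolean isVendorProduct(Cpe cpe, String vendor, String product) {
        return vendor.equals(cpe.getVendor()) && product.equals(cpe.getProduct());
    }

    /**
     * Whether {@code value} ends with any of {@code suffixes}.
     *
     * @param value the string under test
     * @param suffixes candidate suffixes
     * @return {@code true} on the first matching suffix
     */
    private static boolean endsWithAny(String value, String... suffixes) {
        for (String suffix : suffixes) {
            if (value.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether any evidence of the given type has the given value, compared
     * case-insensitively; evidence with a {@code null} value never matches.
     *
     * @param dependency the dependency whose evidence is scanned
     * @param type the evidence type to scan
     * @param value the value to look for
     * @return {@code true} if a matching evidence entry exists
     */
    private static boolean hasEvidenceValue(Dependency dependency, EvidenceType type, String value) {
        for (Evidence evidence : dependency.getEvidence(type)) {
            if (value.equalsIgnoreCase(evidence.getValue())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether any software identifier's lower-cased value contains
     * {@code needle}; identifiers with a {@code null} value are skipped.
     *
     * @param dependency the dependency whose software identifiers are scanned
     * @param needle the lower-case text to look for
     * @return {@code true} if a matching identifier exists
     */
    private static boolean hasSoftwareIdentifierContaining(Dependency dependency, String needle) {
        for (Identifier identifier : dependency.getSoftwareIdentifiers()) {
            final String value = identifier.getValue();
            if (value != null && value.toLowerCase(Locale.ROOT).contains(needle)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolves the Axis/Axis2 confusion by file name: a file name containing
     * {@code axis2} drops {@code apache:axis} CPEs, otherwise a file name
     * containing {@code axis} drops {@code apache:axis2} CPEs. A {@code null}
     * file name leaves the dependency untouched.
     *
     * @param dependency the dependency to prune
     */
    private void removeWrongVersionMatches(Dependency dependency) {
        final String fileName = dependency.getFileName();
        if (fileName == null) {
            return;
        }
        if (fileName.contains("axis2")) {
            removeCpes(dependency, "apache", "axis");
        } else if (fileName.contains("axis")) {
            removeCpes(dependency, "apache", "axis2");
        }
    }

    /**
     * Removes every CPE identifier with exactly the given vendor and product.
     * Matches are collected first and removed afterwards so the identifier
     * collection is not modified while it is being iterated.
     *
     * @param dependency the dependency to prune
     * @param vendor the vendor to remove
     * @param product the product to remove
     */
    private static void removeCpes(Dependency dependency, String vendor, String product) {
        final Set<Identifier> removalSet = new HashSet<>();
        for (Identifier identifier : dependency.getVulnerableSoftwareIdentifiers()) {
            if (identifier instanceof CpeIdentifier
                    && isVendorProduct(((CpeIdentifier) identifier).getCpe(), vendor, product)) {
                removalSet.add(identifier);
            }
        }
        removalSet.forEach(dependency::removeVulnerableSoftwareIdentifier);
    }

    /**
     * Adds sibling CPEs for products known under two names: any Sun/Oracle
     * OpenSSO CPE gains all four sun/oracle x opensso/opensso_enterprise
     * variants, and {@code apache:santuario_xml_security_for_java} gains
     * {@code apache:xml_security_for_java}. Each variant keeps the source
     * CPE's version and confidence. The identifiers are snapshotted first
     * because the loop adds to the same collection it reads from; a
     * {@link CpeValidationException} is logged and that group is skipped.
     *
     * @param dependency the dependency to extend
     */
    private void addFalseNegativeCPEs(Dependency dependency) {
        final CpeBuilder builder = new CpeBuilder();
        final List<Identifier> snapshot = new ArrayList<>(dependency.getVulnerableSoftwareIdentifiers());
        for (Identifier identifier : snapshot) {
            if (!(identifier instanceof CpeIdentifier)) {
                continue;
            }
            final CpeIdentifier source = (CpeIdentifier) identifier;
            final Cpe cpe = source.getCpe();
            if (isOpenSso(cpe)) {
                try {
                    // Build all four before adding any, so a validation failure adds nothing.
                    final List<CpeIdentifier> variants = new ArrayList<>(4);
                    variants.add(sibling(builder, source, "sun", "opensso_enterprise"));
                    variants.add(sibling(builder, source, "oracle", "opensso_enterprise"));
                    variants.add(sibling(builder, source, "sun", "opensso"));
                    variants.add(sibling(builder, source, "oracle", "opensso"));
                    variants.forEach(dependency::addVulnerableSoftwareIdentifier);
                } catch (CpeValidationException e) {
                    LOGGER.warn("Unable to add oracle and sun CPEs", e);
                }
            }
            if (isVendorProduct(cpe, "apache", "santuario_xml_security_for_java")) {
                try {
                    dependency.addVulnerableSoftwareIdentifier(sibling(builder, source, "apache", "xml_security_for_java"));
                } catch (CpeValidationException e) {
                    LOGGER.warn("Unable to add apache xml_security_for_java CPE", e);
                }
            }
        }
    }

    /**
     * Whether the CPE is a Sun or Oracle OpenSSO / OpenSSO Enterprise entry.
     *
     * @param cpe the CPE under test
     * @return {@code true} for (sun|oracle):(opensso|opensso_enterprise)
     */
    private static boolean isOpenSso(Cpe cpe) {
        final String vendor = cpe.getVendor();
        final String product = cpe.getProduct();
        final boolean sunOrOracle = "oracle".equals(vendor) || "sun".equals(vendor);
        final boolean openSso = "opensso".equals(product) || "opensso_enterprise".equals(product);
        return sunOrOracle && openSso;
    }

    /**
     * Builds an application CPE identifier with the given vendor and product,
     * copying version and confidence from {@code source}.
     *
     * @param builder the shared builder
     * @param source the identifier whose version and confidence are reused
     * @param vendor the vendor of the new CPE
     * @param product the product of the new CPE
     * @return the new identifier
     * @throws CpeValidationException if the builder rejects the values
     */
    private static CpeIdentifier sibling(CpeBuilder builder, CpeIdentifier source, String vendor, String product)
            throws CpeValidationException {
        final Cpe cpe = builder.part(Part.APPLICATION)
                .vendor(vendor)
                .product(product)
                .version(source.getCpe().getVersion())
                .build();
        return new CpeIdentifier(cpe, source.getConfidence());
    }

    /**
     * No-op in this listing: the body is empty, so nothing is removed. Kept,
     * including {@code synchronized}, so the call from
     * {@link #analyzeDependency} is unchanged.
     *
     * @param dependency unused
     * @param engine unused
     */
    private synchronized void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
        // intentionally empty in this listing
    }

    /**
     * Finds the dependency whose file path equals {@code filePath}, ignoring
     * case. Dependencies with a {@code null} file path are skipped. Not
     * referenced by any method in this listing.
     *
     * @param filePath the path to look for
     * @param dependencies the candidates, scanned in order
     * @return the first match, or {@code null} if there is none
     */
    private Dependency findDependency(String filePath, Dependency[] dependencies) {
        for (Dependency candidate : dependencies) {
            final String path = candidate.getFilePath();
            if (path != null && path.equalsIgnoreCase(filePath)) {
                return candidate;
            }
        }
        return null;
    }
}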
