package org.owasp.dependencycheck.analyzer;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.suppression.SuppressionHandler;

/* loaded from: input_file:WEB-INF/lib/dependency-check-core-1.2.9.jar:org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.class */
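/**
 * Prunes identifiers that were attached to a dependency by mistake and adds a few sibling CPEs
 * that would otherwise be missed. Runs in the {@code POST_IDENTIFIER_ANALYSIS} phase.
 *
 * <p>Every rule in this class removes or adds CPE identifiers, so each one changes which
 * vulnerabilities can later be reported for the dependency. A rule that is too broad removes a
 * correct CPE and silently hides its findings. Many rules use bare {@code startsWith} prefixes
 * with no trailing {@code ':'}; such a prefix also matches any longer product name that begins
 * with the same text. Keep that in mind when adding or widening a rule.
 */
public class FalsePositiveAnalyzer extends AbstractAnalyzer {
    private static final String ANALYZER_NAME = "False Positive Analyzer";
    private static final Logger LOGGER = Logger.getLogger(FalsePositiveAnalyzer.class.getName());
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;

    /** CPEs of the core Java platform (vendor sun, oracle or ibm). */
    public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|jdk|jre|jsse)($|:.*)");
    /** CPEs of JSF published under the sun, oracle or ibm vendor. */
    public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)");
    /** File names of the jars that are allowed to keep a {@link #CORE_JAVA} CPE. */
    public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
    /** File names of the jars that are allowed to keep a {@link #CORE_JAVA_JSF} CPE. */
    public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");

    /** Matches any CPE value that contains the text {@code c++}. */
    private static final Pattern CPP_CPE = Pattern.compile(".*c\\+\\+.*");
    /** Lower-cased file name of the one artifact allowed to keep an apache:maven CPE. */
    private static final Pattern MAVEN_CORE_FILE = Pattern.compile("maven-core-[\\d\\.]+\\.jar");
    /**
     * Lower-cased file name of the artifacts allowed to keep a jboss:jboss CPE. The optional
     * release suffix is written as {@code ga} because the pattern is only ever applied to a
     * lower-cased name; an upper-case {@code GA} could never match and would strip the CPE from
     * every {@code jboss-x.y.z.GA.jar}.
     */
    private static final Pattern JBOSS_FILE = Pattern.compile("jboss-?[\\d\\.-]+(ga)?\\.jar");
    /** Maven group prefix of the Spring sub-projects. */
    private static final String SPRING_GROUP_PREFIX = "org.springframework.";
    /** The four interchangeable OpenSSO CPE prefixes, each ending with the version separator. */
    private static final String[] OPENSSO_PREFIXES = {
        "cpe:/a:sun:opensso_enterprise:",
        "cpe:/a:oracle:opensso_enterprise:",
        "cpe:/a:sun:opensso:",
        "cpe:/a:oracle:opensso:",
    };

    /**
     * Returns the display name of this analyzer.
     *
     * @return the analyzer name
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

    /**
     * Returns the phase in which this analyzer runs.
     *
     * @return {@code AnalysisPhase.POST_IDENTIFIER_ANALYSIS}
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }

    /**
     * Applies every pruning rule to the dependency, then adds the OpenSSO sibling CPEs.
     *
     * @param dependency the dependency whose identifiers are reviewed
     * @param engine the engine holding all dependencies of the scan
     * @throws AnalysisException declared by the analyzer contract; not thrown by the code here
     */
    @Override
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        removeJreEntries(dependency);
        removeBadMatches(dependency);
        removeBadSpringMatches(dependency);
        removeWrongVersionMatches(dependency);
        removeSpuriousCPE(dependency);
        removeDuplicativeEntriesFromJar(dependency, engine);
        addFalseNegativeCPEs(dependency);
    }

    /**
     * For a Spring sub-project (Maven group {@code org.springframework.<name>}), removes every
     * {@code cpe:/a:springsource:} identifier that does not mention {@code <name>}.
     *
     * @param dependency the dependency whose identifiers are pruned
     */
    private void removeBadSpringMatches(Dependency dependency) {
        String subProject = null;
        for (Identifier id : dependency.getIdentifiers()) {
            final String value = id.getValue();
            // Exact type match: a substring test would also accept partial type names.
            if ("maven".equals(id.getType()) && value != null && value.startsWith(SPRING_GROUP_PREFIX)) {
                // Start after the whole prefix, including its trailing dot. Starting one
                // character early keeps the dot in the name, and ".security" is never part of a
                // CPE, so every springsource CPE (the correct one included) would be removed.
                final int start = SPRING_GROUP_PREFIX.length();
                final int end = value.indexOf(':', start);
                if (end >= 0) {
                    subProject = value.substring(start, end).toLowerCase();
                    break;
                }
            }
        }
        if (subProject == null) {
            return;
        }
        final Iterator<Identifier> it = dependency.getIdentifiers().iterator();
        while (it.hasNext()) {
            final Identifier id = it.next();
            final String value = id.getValue();
            if (SuppressionHandler.CPE.equals(id.getType())
                    && value != null
                    && value.startsWith("cpe:/a:springsource:")
                    && !value.toLowerCase().contains(subProject)) {
                it.remove();
            }
        }
    }

    /**
     * Among CPEs with the same vendor and product, drops the less specific one: the identifier
     * without a version, with the version {@code "-"}, or whose version is a prefix of the other.
     *
     * <p>NOTE(review): the prefix test is textual, not version-aware, so {@code 1.2} is treated
     * as a less specific form of {@code 1.20}. Confirm that this is acceptable.
     *
     * @param dependency the dependency whose identifiers are pruned
     */
    private void removeSpuriousCPE(Dependency dependency) {
        // Work on a sorted copy so identifiers can be removed from the dependency while iterating.
        final List<Identifier> sorted = new ArrayList<Identifier>(dependency.getIdentifiers());
        Collections.sort(sorted);
        for (int i = 0; i < sorted.size(); i++) {
            final Identifier current = sorted.get(i);
            final VulnerableSoftware currentCpe = parseCpe(current.getType(), current.getValue());
            if (currentCpe == null) {
                continue;
            }
            for (int j = i + 1; j < sorted.size(); j++) {
                final Identifier other = sorted.get(j);
                final VulnerableSoftware otherCpe = parseCpe(other.getType(), other.getValue());
                if (otherCpe == null
                        || !currentCpe.getVendor().equals(otherCpe.getVendor())
                        || !currentCpe.getProduct().equals(otherCpe.getProduct())) {
                    continue;
                }
                final String currentVersion = currentCpe.getVersion();
                final String otherVersion = otherCpe.getVersion();
                if (currentVersion == null && otherVersion == null) {
                    LOGGER.log(Level.FINE, "currentVersion and nextVersion are both null?");
                } else if (currentVersion == null) {
                    dependency.getIdentifiers().remove(current);
                } else if (otherVersion == null) {
                    dependency.getIdentifiers().remove(other);
                } else if (currentVersion.length() < otherVersion.length()) {
                    if (otherVersion.startsWith(currentVersion) || "-".equals(currentVersion)) {
                        dependency.getIdentifiers().remove(current);
                    }
                } else if (currentVersion.startsWith(otherVersion) || "-".equals(otherVersion)) {
                    dependency.getIdentifiers().remove(other);
                }
            }
        }
    }

    /**
     * Removes core-Java and JSF CPEs from files that are not one of the runtime's own jars.
     *
     * @param dependency the dependency whose identifiers are pruned
     */
    private void removeJreEntries(Dependency dependency) {
        final Iterator<Identifier> it = dependency.getIdentifiers().iterator();
        while (it.hasNext()) {
            final String value = it.next().getValue();
            if (value == null) {
                // The other rules in this class tolerate a missing value; do the same here.
                continue;
            }
            final boolean strayJre = CORE_JAVA.matcher(value).matches()
                    && !CORE_FILES.matcher(dependency.getFileName()).matches();
            final boolean strayJsf = CORE_JAVA_JSF.matcher(value).matches()
                    && !CORE_JSF_FILES.matcher(dependency.getFileName()).matches();
            // One remove() per element: a second call on the same element would throw.
            if (strayJre || strayJsf) {
                it.remove();
            }
        }
    }

    /**
     * Parses an identifier into a {@link VulnerableSoftware} when it is a CPE.
     *
     * @param type the identifier type
     * @param value the identifier value
     * @return the parsed CPE, or {@code null} if the type is not CPE or parsing failed
     */
    private VulnerableSoftware parseCpe(String type, String value) {
        if (!SuppressionHandler.CPE.equals(type)) {
            return null;
        }
        final VulnerableSoftware cpe = new VulnerableSoftware();
        try {
            cpe.parseName(value);
        } catch (UnsupportedEncodingException e) {
            LOGGER.log(Level.FINEST, (String) null, (Throwable) e);
            return null;
        }
        return cpe;
    }

    /**
     * Removes CPEs that are known to be wrong for the kind of file being analysed.
     *
     * @param dependency the dependency whose identifiers are pruned
     */
    private void removeBadMatches(Dependency dependency) {
        final Iterator<Identifier> it = dependency.getIdentifiers().iterator();
        while (it.hasNext()) {
            final Identifier id = it.next();
            final String cpe = id.getValue();
            // Skip non-CPE identifiers and CPE identifiers without a value.
            if (!SuppressionHandler.CPE.equals(id.getType()) || cpe == null) {
                continue;
            }
            if (isBadMatch(cpe, dependency)) {
                it.remove();
            }
        }
    }

    /**
     * Decides whether a CPE value is a known mismatch for the dependency's file.
     *
     * @param cpe the non-null CPE value
     * @param dependency the dependency that carries the CPE
     * @return {@code true} if one of the mismatch rules applies
     */
    private boolean isBadMatch(String cpe, Dependency dependency) {
        // Generic one-word products that name matching attaches to unrelated Java/.NET files.
        if ((CPP_CPE.matcher(cpe).matches()
                || startsWithAny(cpe, "cpe:/a:file:file", "cpe:/a:mozilla:mozilla", "cpe:/a:cvs:cvs",
                        "cpe:/a:ftp:ftp", "cpe:/a:tcp:tcp", "cpe:/a:ssh:ssh", "cpe:/a:lookup:lookup"))
                && fileNameEndsWithAny(dependency, ".jar", "pom.xml", ".dll", ".exe", ".nuspec", ".nupkg")) {
            return true;
        }
        // JavaScript library CPEs on Java/.NET binaries.
        if (startsWithAny(cpe, "cpe:/a:jquery:jquery", "cpe:/a:prototypejs:prototype", "cpe:/a:yahoo:yui")
                && fileNameEndsWithAny(dependency, ".jar", "pom.xml", ".dll", ".exe")) {
            return true;
        }
        // Microsoft Office product CPEs on Java artifacts.
        if (startsWithAny(cpe, "cpe:/a:microsoft:excel", "cpe:/a:microsoft:word", "cpe:/a:microsoft:visio",
                "cpe:/a:microsoft:powerpoint", "cpe:/a:microsoft:office")
                && fileNameEndsWithAny(dependency, ".jar", "pom.xml")) {
            return true;
        }
        if (cpe.startsWith("cpe:/a:apache:maven")
                && !MAVEN_CORE_FILE.matcher(dependency.getFileName().toLowerCase()).matches()) {
            return true;
        }
        if (cpe.startsWith("cpe:/a:m-core:m-core")
                && !dependency.getEvidenceUsed().containsUsedString("m-core")) {
            return true;
        }
        return cpe.startsWith("cpe:/a:jboss:jboss")
                && !JBOSS_FILE.matcher(dependency.getFileName().toLowerCase()).matches();
    }

    /**
     * Tests whether a value starts with at least one of the given prefixes.
     *
     * @param value the text to test
     * @param prefixes the candidate prefixes
     * @return {@code true} if any prefix matches
     */
    private static boolean startsWithAny(String value, String... prefixes) {
        for (String prefix : prefixes) {
            if (value.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tests whether the lower-cased file name of the dependency ends with one of the suffixes.
     *
     * @param dependency the dependency whose file name is read
     * @param suffixes the lower-case suffixes to look for
     * @return {@code true} if any suffix matches
     */
    private static boolean fileNameEndsWithAny(Dependency dependency, String... suffixes) {
        final String name = dependency.getFileName().toLowerCase();
        for (String suffix : suffixes) {
            if (name.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Separates Axis from Axis2: an axis2 file loses its apache:axis CPEs, and any other file
     * whose name contains "axis" loses its apache:axis2 CPEs.
     *
     * @param dependency the dependency whose identifiers are pruned
     */
    private void removeWrongVersionMatches(Dependency dependency) {
        final String fileName = dependency.getFileName();
        if (fileName == null) {
            return;
        }
        // "axis2" must be tested first because it also contains "axis".
        if (fileName.contains("axis2")) {
            removeCpeProduct(dependency, "cpe:/a:apache:axis");
        } else if (fileName.contains("axis")) {
            removeCpeProduct(dependency, "cpe:/a:apache:axis2");
        }
    }

    /**
     * Removes the CPE identifiers of exactly one product, with or without a version.
     *
     * @param dependency the dependency whose identifiers are pruned
     * @param productCpe the CPE up to and including the product, with no trailing colon
     */
    private void removeCpeProduct(Dependency dependency, String productCpe) {
        // The trailing colon stops "…:axis" from also matching "…:axis2".
        final String versionedPrefix = productCpe + ":";
        final Iterator<Identifier> it = dependency.getIdentifiers().iterator();
        while (it.hasNext()) {
            final Identifier id = it.next();
            final String value = id.getValue();
            if (SuppressionHandler.CPE.equals(id.getType())
                    && value != null
                    && (value.startsWith(versionedPrefix) || productCpe.equals(value))) {
                it.remove();
            }
        }
    }

    /**
     * Adds the sibling OpenSSO CPEs: when any of the four sun/oracle opensso/opensso_enterprise
     * CPEs is present, all four are added with the same version so that vulnerabilities filed
     * under a different vendor or product name are still found.
     *
     * @param dependency the dependency that receives the extra identifiers
     */
    private void addFalseNegativeCPEs(Dependency dependency) {
        // Collect first and add afterwards: the other rules remove through this collection's
        // iterator, so it appears to be live, and adding to it inside the loop would modify it
        // during iteration.
        final List<String> siblings = new ArrayList<String>();
        for (Identifier id : dependency.getIdentifiers()) {
            final String value = id.getValue();
            if (!SuppressionHandler.CPE.equals(id.getType()) || value == null) {
                continue;
            }
            final String matched = matchingPrefix(value, OPENSSO_PREFIXES);
            if (matched == null) {
                continue;
            }
            // Cut after the prefix that actually matched. The four prefixes differ in length, so
            // a fixed offset yields a malformed CPE for three of them and can run past the end
            // of a short value.
            final String version = value.substring(matched.length());
            for (String prefix : OPENSSO_PREFIXES) {
                siblings.add(prefix + version);
            }
        }
        for (String cpe : siblings) {
            try {
                dependency.addIdentifier(SuppressionHandler.CPE, cpe,
                        String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(cpe, "UTF-8")));
            } catch (UnsupportedEncodingException e) {
                LOGGER.log(Level.FINE, (String) null, (Throwable) e);
            }
        }
    }

    /**
     * Finds the first prefix that the value starts with.
     *
     * @param value the text to test
     * @param prefixes the candidate prefixes
     * @return the matching prefix, or {@code null} if none matches
     */
    private static String matchingPrefix(String value, String[] prefixes) {
        for (String prefix : prefixes) {
            if (value.startsWith(prefix)) {
                return prefix;
            }
        }
        return null;
    }

    /**
     * Removes a pom.xml, dll or exe dependency that sits inside a jar when the jar itself is a
     * known dependency and already carries a CPE for the same vendor and product.
     *
     * <p>NOTE(review): the flag below is cumulative, so in effect only the first identifier has
     * to be a CPE covered by the parent jar; later identifiers are not re-checked. Removing the
     * dependency drops all of its identifiers from the results, so confirm that this is intended.
     *
     * <p>NOTE(review): this removes an element from {@code engine.getDependencies()}; confirm
     * that the caller is not iterating that list at the time.
     *
     * @param dependency the possibly nested dependency
     * @param engine the engine holding all dependencies of the scan
     */
    private void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
        final boolean candidate = dependency.getFileName().toLowerCase().endsWith("pom.xml")
                || "dll".equals(dependency.getFileExtension())
                || "exe".equals(dependency.getFileExtension());
        if (!candidate) {
            return;
        }
        final String path = dependency.getFilePath().toLowerCase();
        final int jarAt = path.indexOf(".jar");
        if (jarAt < 0) {
            return;
        }
        // The parent is the path up to and including the first ".jar".
        final Dependency parent = findDependency(path.substring(0, jarAt + 4), engine.getDependencies());
        if (parent == null) {
            return;
        }
        boolean parentHasCpe = false;
        for (Identifier id : dependency.getIdentifiers()) {
            // A CPE identifier without a value cannot match anything; keep the dependency then.
            if (SuppressionHandler.CPE.equals(id.getType()) && id.getValue() != null) {
                final String vendorProduct = trimCpeToVendor(id.getValue());
                for (Identifier parentId : parent.getIdentifiers()) {
                    if (SuppressionHandler.CPE.equals(parentId.getType())
                            && parentId.getValue() != null
                            && parentId.getValue().startsWith(vendorProduct)) {
                        parentHasCpe = true;
                        break;
                    }
                }
            }
            if (!parentHasCpe) {
                return;
            }
        }
        if (parentHasCpe) {
            engine.getDependencies().remove(dependency);
        }
    }

    /**
     * Looks up a dependency by file path, ignoring case.
     *
     * @param path the path to look for
     * @param dependencies the dependencies to search
     * @return the first dependency with that path, or {@code null} if there is none
     */
    private Dependency findDependency(String path, List<Dependency> dependencies) {
        for (Dependency candidate : dependencies) {
            // Called on the known non-null argument so a dependency without a path is skipped.
            if (path.equalsIgnoreCase(candidate.getFilePath())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Cuts a CPE down to its {@code cpe:/a:vendor:product} part. Despite the name, the product
     * is kept.
     *
     * @param value the CPE value; assumed to start with the 7-character {@code cpe:/a:} prefix
     * @return the value up to the colon that follows the product, or the whole value when it has
     *         no such colon
     */
    private String trimCpeToVendor(String value) {
        final int vendorEnd = value.indexOf(':', 7);
        if (vendorEnd < 0) {
            // Without this guard the second search would restart at index 0 and cut the value
            // down to "cpe", a prefix of every CPE, so any parent CPE would count as a match.
            return value;
        }
        final int productEnd = value.indexOf(':', vendorEnd + 1);
        return productEnd < 0 ? value : value.substring(0, productEnd);
    }
}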
