fix: add product evidence as vendor to reduce FN (#7295)

jeremylong · web-flow · commit b51921fc64c4 · 2025-01-11T08:32:12.000-05:00
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -284,20 +284,24 @@ private void updateDependency(final AssemblyData data, Dependency dependency) {
 
         if (!StringUtils.isBlank(data.getCompanyName())) {
             dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "CompanyName", data.getCompanyName(), Confidence.HIGHEST);
+            dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "CompanyName", data.getCompanyName(), Confidence.LOW);
             addMatchingValues(data.getNamespaces(), data.getCompanyName(), dependency, EvidenceType.VENDOR);
         }
         if (!StringUtils.isBlank(data.getProductName())) {
             dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "ProductName", data.getProductName(), Confidence.HIGHEST);
+            dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "ProductName", data.getProductName(), Confidence.MEDIUM);
             addMatchingValues(data.getNamespaces(), data.getProductName(), dependency, EvidenceType.PRODUCT);
         }
         if (!StringUtils.isBlank(data.getFileDescription())) {
             dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "FileDescription", data.getFileDescription(), Confidence.HIGH);
+            dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "FileDescription", data.getFileDescription(), Confidence.LOW);
             addMatchingValues(data.getNamespaces(), data.getFileDescription(), dependency, EvidenceType.PRODUCT);
         }
 
         final String internalName = data.getInternalName();
         if (!StringUtils.isBlank(internalName)) {
             dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "InternalName", internalName, Confidence.MEDIUM);
+            dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "InternalName", internalName, Confidence.LOW);
             addMatchingValues(data.getNamespaces(), internalName, dependency, EvidenceType.PRODUCT);
             addMatchingValues(data.getNamespaces(), internalName, dependency, EvidenceType.VENDOR);
             if (dependency.getName() == null && StringUtils.containsIgnoreCase(dependency.getActualFile().getName(), internalName)) {
@@ -313,6 +317,7 @@ private void updateDependency(final AssemblyData data, Dependency dependency) {
         final String originalFilename = data.getOriginalFilename();
         if (!StringUtils.isBlank(originalFilename)) {
             dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "OriginalFilename", originalFilename, Confidence.MEDIUM);
+            dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "OriginalFilename", originalFilename, Confidence.LOW);
             addMatchingValues(data.getNamespaces(), originalFilename, dependency, EvidenceType.PRODUCT);
             if (dependency.getName() == null && StringUtils.containsIgnoreCase(dependency.getActualFile().getName(), originalFilename)) {
                 final String ext = FileUtils.getFileExtension(originalFilename);
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
@@ -195,12 +195,15 @@ private void extractConfigureScriptEvidence(Dependency dependency,
             if (!value.isEmpty()) {
                 if (variable.endsWith("NAME")) {
                     dependency.addEvidence(EvidenceType.PRODUCT, name, variable, value, Confidence.HIGHEST);
+                    dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.MEDIUM);
                 } else if ("VERSION".equals(variable)) {
                     dependency.addEvidence(EvidenceType.VERSION, name, variable, value, Confidence.HIGHEST);
                 } else if ("BUGREPORT".equals(variable)) {
                     dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);
+                    dependency.addEvidence(EvidenceType.PRODUCT, name, variable, value, Confidence.MEDIUM);
                 } else if ("URL".equals(variable)) {
                     dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);
+                    dependency.addEvidence(EvidenceType.PRODUCT, name, variable, value, Confidence.MEDIUM);
                 }
             }
         }
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
@@ -260,6 +260,7 @@ private void analyzePodspecDependency(Dependency dependency)
             final String summary = determineEvidence(contents, blockVariable, "summary");
             if (!summary.isEmpty()) {
                 dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "summary", summary, Confidence.HIGHEST);
+                dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "summary", summary, Confidence.MEDIUM);
             }
 
             final String author = determineEvidence(contents, blockVariable, "authors?");
@@ -269,6 +270,7 @@ private void analyzePodspecDependency(Dependency dependency)
             final String homepage = determineEvidence(contents, blockVariable, "homepage");
             if (!homepage.isEmpty()) {
                 dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "homepage", homepage, Confidence.HIGHEST);
+                dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "homepage", homepage, Confidence.LOW);
             }
             final String license = determineEvidence(contents, blockVariable, "licen[cs]es?");
             if (!license.isEmpty()) {
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
@@ -133,7 +133,9 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
                 d.setSha256sum(Checksum.getSHA256Checksum(filePath));
                 d.setMd5sum(Checksum.getMD5Checksum(filePath));
                 d.addEvidence(EvidenceType.VENDOR, COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
+                d.addEvidence(EvidenceType.PRODUCT, COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.MEDIUM);
                 d.addEvidence(EvidenceType.PRODUCT, COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
+                d.addEvidence(EvidenceType.VENDOR, COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGH);
                 d.addEvidence(EvidenceType.VERSION, COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
                 return d;
             }).forEach((d) -> {
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/LibmanAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/LibmanAnalyzer.java
@@ -208,8 +208,10 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
                 child.setName(name);
                 child.setVersion(version);
 
-                child.addEvidence(EvidenceType.VENDOR, FILE_NAME, "vendor", (vendor != null ? vendor : name),
-                        Confidence.HIGHEST);
+                if (vendor != null) {
+                    child.addEvidence(EvidenceType.VENDOR, FILE_NAME, "vendor", vendor, Confidence.HIGHEST);    
+                }
+                child.addEvidence(EvidenceType.VENDOR, FILE_NAME, "name", name, Confidence.HIGH);
                 child.addEvidence(EvidenceType.PRODUCT, FILE_NAME, "name", name, Confidence.HIGHEST);
                 child.addEvidence(EvidenceType.VERSION, FILE_NAME, "version", version, Confidence.HIGHEST);
 
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzer.java
@@ -185,6 +185,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
                 child.setMd5sum(Checksum.getMD5Checksum(String.format("%s:%s", id, version)));
 
                 child.addEvidence(EvidenceType.PRODUCT, "msbuild", "id", id, Confidence.HIGHEST);
+                child.addEvidence(EvidenceType.VENDOR, "msbuild", "id", id, Confidence.MEDIUM);
                 child.addEvidence(EvidenceType.VERSION, "msbuild", "version", version, Confidence.HIGHEST);
 
                 if (id.indexOf('.') > 0) {
@@ -193,10 +194,12 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
                     // example: Microsoft.EntityFrameworkCore
                     child.addEvidence(EvidenceType.VENDOR, "msbuild", "id", parts[0], Confidence.MEDIUM);
                     child.addEvidence(EvidenceType.PRODUCT, "msbuild", "id", parts[1], Confidence.MEDIUM);
+                    child.addEvidence(EvidenceType.VENDOR, "msbuild", "id", parts[1], Confidence.LOW);
 
                     if (parts.length > 2) {
                         final String rest = id.substring(id.indexOf('.') + 1);
                         child.addEvidence(EvidenceType.PRODUCT, "msbuild", "id", rest, Confidence.MEDIUM);
+                        child.addEvidence(EvidenceType.VENDOR, "msbuild", "id", rest, Confidence.LOW);
                     }
                 } else {
                     // example: jQuery
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java
@@ -182,6 +182,7 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
                 child.setMd5sum(Checksum.getMD5Checksum(String.format("%s:%s", id, version)));
                 child.addEvidence(EvidenceType.VERSION, "packages.config", "version", np.getVersion(), Confidence.HIGHEST);
                 child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", np.getId(), Confidence.HIGHEST);
+                child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", np.getId(), Confidence.MEDIUM);
 
                 // handle package names the same way as the MSBuild analyzer
                 if (id.indexOf('.') > 0) {
@@ -190,10 +191,12 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
                     // example: Microsoft.EntityFrameworkCore
                     child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", parts[0], Confidence.MEDIUM);
                     child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", parts[1], Confidence.MEDIUM);
+                    child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", parts[1], Confidence.LOW);
 
                     if (parts.length > 2) {
                         final String rest = id.substring(id.indexOf('.') + 1);
                         child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", rest, Confidence.MEDIUM);
+                        child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", rest, Confidence.LOW);
                     }
                 } else {
                     // example: jQuery
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
@@ -158,6 +158,7 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
             dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "authors", np.getAuthors(), Confidence.HIGH);
             dependency.addEvidence(EvidenceType.VERSION, "nuspec", "version", np.getVersion(), Confidence.HIGHEST);
             dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "id", np.getId(), Confidence.HIGHEST);
+            dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "id", np.getId(), Confidence.HIGH);
             dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "description", np.getDescription(), Confidence.LOW);
             dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "description", np.getDescription(), Confidence.LOW);
             dependency.setName(np.getId());
@@ -178,6 +179,7 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
             }
             if (np.getTitle() != null) {
                 dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "title", np.getTitle(), Confidence.MEDIUM);
+                dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "title", np.getTitle(), Confidence.LOW);
             }
         } catch (Throwable e) {
             throw new AnalysisException(e);
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PEAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PEAnalyzer.java
@@ -185,6 +185,7 @@ protected void analyzeDependency(final Dependency dependency, final Engine engin
                             break;
                         case "InternalName":
                             dependency.addEvidence(EvidenceType.PRODUCT, "PE Header", "InternalName", value, Confidence.MEDIUM);
+                            dependency.addEvidence(EvidenceType.VENDOR, "PE Header", "InternalName", value, Confidence.LOW);
                             determineDependencyName(dependency, value);
                             break;
                         case "LegalCopyright":
@@ -201,6 +202,7 @@ protected void analyzeDependency(final Dependency dependency, final Engine engin
                             break;
                         case "ProductName":
                             dependency.addEvidence(EvidenceType.PRODUCT, "PE Header", "ProductName", value, Confidence.HIGHEST);
+                            dependency.addEvidence(EvidenceType.VENDOR, "PE Header", "ProductName", value, Confidence.MEDIUM);
                             determineDependencyName(dependency, value);
                             break;
                         default:
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
@@ -207,6 +207,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
             d.setEcosystem(Ecosystem.JAVA);
             d.addEvidence(EvidenceType.VENDOR, "project", "groupid", group, Confidence.HIGHEST);
             d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", artifact, Confidence.HIGHEST);
+            d.addEvidence(EvidenceType.VENDOR, "project", "artifactid", artifact, Confidence.HIGH);
             d.addEvidence(EvidenceType.VERSION, "project", "version", version, Confidence.HIGHEST);
             d.setName(String.format("%s:%s", group, artifact));
             d.setFilePath(String.format("%s>>%s", dependency.getActualFile(), dep.getCoord()));
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
@@ -211,6 +211,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine)
             //"The __init__.py files are required to make Python treat the directories as containing packages"
             //see section "6.4 Packages" from https://docs.python.org/2/tutorial/modules.html;
             dependency.addEvidence(EvidenceType.PRODUCT, file.getName(), "PackageName", parentName, Confidence.HIGHEST);
+            dependency.addEvidence(EvidenceType.VENDOR, file.getName(), "PackageName", parentName, Confidence.MEDIUM);
             dependency.setName(parentName);
 
             final File[] fileList = parent.listFiles(PY_FILTER);
diff --git a/core/src/main/java/org/owasp/dependencycheck/processing/BundlerAuditProcessor.java b/core/src/main/java/org/owasp/dependencycheck/processing/BundlerAuditProcessor.java
@@ -319,6 +319,7 @@ private Dependency createDependencyForGem(Engine engine, File gemFile, String pa
         dependency.setSha1sum(Checksum.getSHA1Checksum(displayFileName));
         dependency.setEcosystem(DEPENDENCY_ECOSYSTEM);
         dependency.addEvidence(EvidenceType.PRODUCT, "bundler-audit", "Name", gem, Confidence.HIGHEST);
+        dependency.addEvidence(EvidenceType.VENDOR, "bundler-audit", "Name", gem, Confidence.HIGH);
         //TODO add package URL - note, this may require parsing the gemfile.lock and getting the version for each entry
 
         dependency.setDisplayFileName(displayFileName);
diff --git a/core/src/main/java/org/owasp/dependencycheck/processing/MixAuditProcessor.java b/core/src/main/java/org/owasp/dependencycheck/processing/MixAuditProcessor.java
@@ -166,6 +166,7 @@ private Dependency createDependency(Dependency parentDependency, String packageN
 
         dep.addEvidence(EvidenceType.VERSION, "mix_audit", "Version", version, Confidence.HIGHEST);
         dep.addEvidence(EvidenceType.PRODUCT, "mix_audit", "Package", packageName, Confidence.HIGHEST);
+        dep.addEvidence(EvidenceType.VENDOR, "mix_audit", "Package", packageName, Confidence.HIGH);
 
         try {
             final PackageURL purl = PackageURLBuilder.aPackageURL().withType("hex").withName(packageName)
diff --git a/core/src/test/java/org/owasp/dependencycheck/EngineIT.java b/core/src/test/java/org/owasp/dependencycheck/EngineIT.java
@@ -120,6 +120,7 @@ public void testEngine() throws IOException, InvalidSettingException, DatabaseEx
                 allowedMessages.add("../tmp/evil.txt");
                 allowedMessages.add("malformed input off : 5, length : 1");
                 allowedMessages.add("Python `pyproject.toml` found and there is not a `poetry.lock` or `requirements.txt`");
+                allowedMessages.add("file from the NPM Audit API (PnpmAuditAnalyzer)");
                 for (Throwable t : ex.getExceptions()) {
                     boolean isOk = false;
                     if (t.getMessage() != null) {
diff --git a/core/src/test/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgentIT.java b/core/src/test/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgentIT.java
@@ -80,6 +80,7 @@ private Dependency createDependency(final String vendor, final String name, fina
         }
         if (name != null) {
             dependency.addEvidence(EvidenceType.PRODUCT, "dependency-track", "name", name, Confidence.HIGHEST);
+            dependency.addEvidence(EvidenceType.VENDOR, "dependency-track", "name", name, Confidence.HIGH);
             dependency.addProductWeighting(name);
         }
         if (version != null) {

Original file line number	Diff line number	Diff line change
`@@ -195,12 +195,15 @@ private void extractConfigureScriptEvidence(Dependency dependency,`
`195`	`195`	`if (!value.isEmpty()) {`
`196`	`196`	`if (variable.endsWith("NAME")) {`
`197`	`197`	`dependency.addEvidence(EvidenceType.PRODUCT, name, variable, value, Confidence.HIGHEST);`
	`198`	`+ dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.MEDIUM);`
`198`	`199`	`} else if ("VERSION".equals(variable)) {`
`199`	`200`	`dependency.addEvidence(EvidenceType.VERSION, name, variable, value, Confidence.HIGHEST);`
`200`	`201`	`} else if ("BUGREPORT".equals(variable)) {`
`201`	`202`	`dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);`
	`203`	`+ dependency.addEvidence(EvidenceType.PRODUCT, name, variable, value, Confidence.MEDIUM);`
`202`	`204`	`} else if ("URL".equals(variable)) {`
`203`	`205`	`dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);`
	`206`	`+ dependency.addEvidence(EvidenceType.PRODUCT, name, variable, value, Confidence.MEDIUM);`
`204`	`207`	`}`
`205`	`208`	`}`
`206`	`209`	`}`
Original file line number	Diff line number	Diff line change
`@@ -260,6 +260,7 @@ private void analyzePodspecDependency(Dependency dependency)`
`260`	`260`	`final String summary = determineEvidence(contents, blockVariable, "summary");`
`261`	`261`	`if (!summary.isEmpty()) {`
`262`	`262`	`dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "summary", summary, Confidence.HIGHEST);`
	`263`	`+ dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "summary", summary, Confidence.MEDIUM);`
`263`	`264`	`}`
`264`	`265`
`265`	`266`	`final String author = determineEvidence(contents, blockVariable, "authors?");`
`@@ -269,6 +270,7 @@ private void analyzePodspecDependency(Dependency dependency)`
`269`	`270`	`final String homepage = determineEvidence(contents, blockVariable, "homepage");`
`270`	`271`	`if (!homepage.isEmpty()) {`
`271`	`272`	`dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "homepage", homepage, Confidence.HIGHEST);`
	`273`	`+ dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "homepage", homepage, Confidence.LOW);`
`272`	`274`	`}`
`273`	`275`	`final String license = determineEvidence(contents, blockVariable, "licen[cs]es?");`
`274`	`276`	`if (!license.isEmpty()) {`