fix(fp): allow stricter matching of suppression CPE 2.2 URI prefixes to only whole parts (#8548)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>

Author: chadlwilson

core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java

@@ -17,16 +17,17 @@
  */
 package org.owasp.dependencycheck.xml.hints;
 
-import java.util.ArrayList;
-import java.util.List;
-import javax.annotation.concurrent.NotThreadSafe;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.utils.XmlUtils;
 import org.owasp.dependencycheck.xml.suppression.PropertyType;
 import org.xml.sax.Attributes;
 import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;
 
+import javax.annotation.concurrent.NotThreadSafe;
+import java.util.ArrayList;
+import java.util.List;
+
 /**
  * A handler to load hint rules.
  *
@@ -268,19 +269,19 @@ public void startElement(String uri, String localName, String qName, Attributes
                     }
                     break;
                 case FILE_NAME:
-                    final PropertyType pt = new PropertyType();
-                    pt.setValue(attr.getValue(CONTAINS));
+                    boolean isRegex = false;
+                    boolean isCaseSensitive = false;
                     if (attr.getLength() > 0) {
                         final String regex = attr.getValue(REGEX);
                         if (regex != null) {
-                            pt.setRegex(Boolean.parseBoolean(regex));
+                            isRegex = Boolean.parseBoolean(regex);
                         }
                         final String caseSensitive = attr.getValue(CASE_SENSITIVE);
                         if (caseSensitive != null) {
-                            pt.setCaseSensitive(Boolean.parseBoolean(caseSensitive));
+                            isCaseSensitive = Boolean.parseBoolean(caseSensitive);
                         }
                     }
-                    rule.addFilename(pt);
+                    rule.addFilename(new PropertyType(attr.getValue(CONTAINS), isRegex, isCaseSensitive));
                     break;
                 case VENDOR_DUPLICATING_RULE:
                     vendorDuplicatingHintRules.add(new VendorDuplicatingHintRule(attr.getValue(VALUE), attr.getValue(DUPLICATE)));

core/src/main/java/org/owasp/dependencycheck/xml/suppression/PropertyType.java

@@ -17,11 +17,13 @@
  */
 package org.owasp.dependencycheck.xml.suppression;
 
+import com.google.common.base.Suppliers;
 import org.apache.commons.lang3.builder.EqualsBuilder;
 import org.apache.commons.lang3.builder.HashCodeBuilder;
 
-import java.util.regex.Pattern;
 import javax.annotation.concurrent.ThreadSafe;
+import java.util.function.Supplier;
+import java.util.regex.Pattern;
 
 /**
  * A simple PropertyType used to represent a string value that could be used as
@@ -37,32 +39,53 @@ public class PropertyType {
     /**
      * The value.
      */
-    private String value;
+    private final String value;
     /**
      * Whether or not the expression is a regex.
      */
-    private boolean regex = false;
+    private final boolean regex;
     /**
      * Indicates case sensitivity.
      */
-    private boolean caseSensitive = false;
+    private final boolean caseSensitive;
+
+    private final Supplier<Pattern> compiledRegex = Suppliers
+            .memoize(() -> isRegex() ? Pattern.compile(getValue(), isCaseSensitive() ? 0 : Pattern.CASE_INSENSITIVE) : null);
 
     /**
-     * Gets the value of the value property.
-     *
-     * @return the value of the value property
+     * @param value the value of the value property
+     * @param regex whether the value is a regex
+     * @param caseSensitive whether the value is case-sensitive
      */
-    public String getValue() {
-        return value;
+    public PropertyType(String value, boolean regex, boolean caseSensitive) {
+        this.value = value;
+        this.regex = regex;
+        this.caseSensitive = caseSensitive;
+    }
+
+    public static PropertyType of(String value) {
+        return new PropertyType(value, false, false);
+    }
+
+    public static PropertyType regex(String value) {
+        return new PropertyType(value, true, false);
+    }
+
+    public static PropertyType caseSensitive(String value) {
+        return new PropertyType(value, false, true);
+    }
+
+    public static PropertyType regexCaseSensitive(String value) {
+        return new PropertyType(value, true, true);
     }
 
     /**
-     * Sets the value of the value property.
+     * Gets the value of the value property.
      *
-     * @param value the value of the value property
+     * @return the value of the value property
      */
-    public void setValue(String value) {
-        this.value = value;
+    public String getValue() {
+        return value;
     }
 
     /**
@@ -74,32 +97,14 @@ public boolean isRegex() {
         return regex;
     }
 
-    /**
-     * Sets whether the value property is a regex.
-     *
-     * @param value true if the value is a regex, otherwise false
-     */
-    public void setRegex(boolean value) {
-        this.regex = value;
-    }
-
     /**
      * Gets the value of the caseSensitive property.
      *
-     * @return true if the value is case sensitive
+     * @return true if the value is case-sensitive
      */
     public boolean isCaseSensitive() {
         return caseSensitive;
     }
-
-    /**
-     * Sets the value of the caseSensitive property.
-     *
-     * @param value whether the value is case sensitive
-     */
-    public void setCaseSensitive(boolean value) {
-        this.caseSensitive = value;
-    }
     //</editor-fold>
 
     /**
@@ -114,13 +119,7 @@ public boolean matches(String text) {
             return false;
         }
         if (this.regex) {
-            final Pattern rx;
-            if (this.caseSensitive) {
-                rx = Pattern.compile(this.value);
-            } else {
-                rx = Pattern.compile(this.value, Pattern.CASE_INSENSITIVE);
-            }
-            return rx.matcher(text).matches();
+            return compiledRegex.get().matcher(text).matches();
         } else {
             if (this.caseSensitive) {
                 return value.equals(text);

core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java

@@ -17,11 +17,6 @@
  */
 package org.owasp.dependencycheck.xml.suppression;
 
-import java.util.ArrayList;
-import java.util.Calendar;
-import java.util.List;
-import java.util.Optional;
-import javax.annotation.concurrent.NotThreadSafe;
 import org.owasp.dependencycheck.exception.ParseException;
 import org.owasp.dependencycheck.utils.DateUtil;
 import org.slf4j.Logger;
@@ -30,6 +25,12 @@
 import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;
 
+import javax.annotation.concurrent.NotThreadSafe;
+import java.util.ArrayList;
+import java.util.Calendar;
+import java.util.List;
+import java.util.Optional;
+
 /**
  * A handler to load suppression rules. In the input xml a suppression rule can be part of a {@code suppressionGroup}. In that
  * case the attributes set on group element will act as default values for child suppressions.
@@ -282,18 +283,18 @@ public void characters(char[] ch, int start, int length) throws SAXException {
      * @return a PropertyType object
      */
     private PropertyType processPropertyType() {
-        final PropertyType pt = new PropertyType();
-        pt.setValue(currentText.toString().trim());
+        boolean isRegex = false;
+        boolean isCaseSensitive = false;
         if (currentAttributes != null && currentAttributes.getLength() > 0) {
             final String regex = currentAttributes.getValue("regex");
             if (regex != null) {
-                pt.setRegex(Boolean.parseBoolean(regex));
+                isRegex = Boolean.parseBoolean(regex);
             }
             final String caseSensitive = currentAttributes.getValue("caseSensitive");
             if (caseSensitive != null) {
-                pt.setCaseSensitive(Boolean.parseBoolean(caseSensitive));
+                isCaseSensitive = Boolean.parseBoolean(caseSensitive);
             }
         }
-        return pt;
+        return new PropertyType(currentText.toString().trim(), isRegex, isCaseSensitive);
     }
 }