
dependency-check-core.10.0.1.source-code.dependencycheck-base-hint.xml

<?xml version="1.0" encoding="UTF-8"?>
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.3.xsd">
    <!-- Spring identification. Each hint lists trigger evidence in <given> and the vendor/product
         evidence to attach in <add>. The added values presumably need to line up with the vendor and
         product names used in CPE entries; verify against the CPE dictionary before editing them. -->
    <hint>
        <given><!-- NOTE: these are OR conditions -->
            <evidence type="product" source="Manifest" name="Implementation-Title" value="Spring Framework" confidence="HIGH"/>
            <evidence type="product" source="Manifest" name="Implementation-Title" value="org.springframework.core" confidence="HIGH"/>
            <evidence type="product" source="Manifest" name="Implementation-Title" value="spring-core" confidence="HIGH"/>
            <evidence type="vendor"  source="pom"      name="groupid"              value="org.springframework" confidence="HIGHEST"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal software" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- NOTE(review): if the OR semantics noted on the first hint also apply here, the fileName
             condition alone is enough to trigger this rule, so any artifact whose file name contains
             "spring" would receive HIGHEST confidence Spring Framework evidence from a LOW confidence
             or file-name-only signal. That favours recall over precision: expect false positives on
             unrelated artifacts, and confirm the behaviour against the hint analyzer. -->
        <given>
            <evidence type="product" source="jar" name="package name" value="springframework" confidence="LOW"/>
            <fileName contains="spring"/>	
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal software" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- Spring AMQP: the only groupid hint in this run that adds its own product name. -->
        <given>
            <evidence regex="true" type="vendor" source="pom" name="groupid" value="org\.springframework\.amqp" confidence="HIGHEST"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="spring_advanced_message_queuing_protocol" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal software" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- Vendor-only hint for pom groupids under org.springframework.
             NOTE(review): the pattern has no dot boundary after "springframework", so a groupid such as
             org.springframeworkx would also satisfy it if the value is matched as a whole-string regex
             (matching mode is not shown in this file). The wildfly hint further down uses the bounded
             form org\.wildfly(\..*)? instead. -->
        <given>
            <evidence regex="true" type="vendor" source="pom" name="groupid" value="org\.springframework.*" confidence="HIGHEST"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal software" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- Same rule as the previous hint, keyed on groupid evidence whose source is gradle instead of pom;
             the unbounded pattern noted above applies here as well. -->
        <given>
            <evidence regex="true" type="vendor" source="gradle" name="groupid" value="org\.springframework.*" confidence="HIGHEST"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal software" confidence="HIGHEST"/>
        </add>
    </hint>
    <!-- Hints that attach the redhat vendor (and, for Hibernate, the orm product) based on pom evidence. -->
    <hint>
        <given>
            <evidence regex="true" type="vendor" source="pom" name="groupid" value="org\.hibernate.*" confidence="HIGHEST"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="redhat" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- The given evidence carries no confidence attribute, unlike the hint above; presumably it
             then matches at any confidence (TODO confirm against the schema and analyzer). -->
        <given>
            <evidence regex="true" type="vendor" source="pom" name="groupid" value="org\.hibernate" />
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="orm" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- Triggers on vendor-typed pom "name" evidence containing the token O/RM and adds product orm.
             NOTE(review): this condition is not tied to a Hibernate groupid, so any pom whose name
             mentions O/RM would qualify; confirm that breadth is intended. -->
        <given>
            <evidence regex="true" type="vendor" source="pom" name="name" value=".*\bO/RM\b.*" />
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="orm" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <given>
            <evidence regex="true" type="vendor" source="pom" name="groupid" value="org\.hornetq" confidence="HIGHEST"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="redhat" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <given>
            <evidence regex="true" type="vendor" source="pom" name="groupid" value="org\.fusesource\.hawtjni" confidence="HIGHEST"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="redhat" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- Bounded pattern: org.wildfly itself or org.wildfly followed by a dot and further segments. -->
        <given>
            <evidence regex="true" type="vendor" source="pom" name="groupid" value="org\.wildfly(\..*)?" confidence="HIGHEST"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="redhat" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- Repeats the package-name condition of the earlier Spring hint (without its fileName
             condition) and adds the same product, but only the vmware and pivotal software vendors. -->
        <given>
            <evidence type="product" source="jar" name="package name" value="springframework" confidence="LOW"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal software" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- Any manifest Implementation-Title matching spring-.* receives the pivotal software vendor
             at HIGHEST confidence.
             NOTE(review): artifacts from other publishers that merely use a spring- title prefix would
             be attributed to that vendor as well; expect to handle those as false positives. -->
        <given>
            <evidence type="product" source="Manifest" name="Implementation-Title" regex="true" value="spring-.*" confidence="HIGH"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal software" confidence="HIGHEST"/>
        </add>
    </hint>
    <!-- PHP Composer: map vendor/product names read from composer.lock to additional vendor names. -->
    <hint>
        <given>
            <evidence type="vendor" source="composer.lock" name="vendor" value="symfony" confidence="HIGHEST"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="sensiolabs" confidence="HIGHEST"/>
        </add>
    </hint>		
    <hint>
        <given>
            <evidence type="vendor" source="composer.lock" name="vendor" value="zendframework" confidence="HIGHEST"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="zend" confidence="HIGHEST"/>
        </add>
    </hint>	
    <hint>
        <!-- NOTE(review): this turns a product match into vendor evidence whose value, zend_framework,
             reads like a product name; confirm the type and value are deliberate. -->
        <given>
            <evidence type="product" source="composer.lock" name="product" value="zendframework" confidence="HIGHEST"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="zend_framework" confidence="HIGHEST"/>
        </add>
    </hint>
    
    <!-- Creating a Spring Boot starter project can cause your own application to be incorrectly
         flagged as Spring. The two hints below remove the product and vendor evidence that comes from
         the spring-boot-starter-parent parent POM. Each confidence level is listed separately;
         presumably evidence is matched together with its confidence (TODO confirm).
         NOTE(review): a <remove> rule reduces what the scanner can match, so keep it as narrow as it
         is here (exact values, no regex) to avoid hiding a real finding. -->
    <hint>
        <given>
            <evidence type="product" source="pom" name="parent-artifactid" value="spring-boot-starter-parent" confidence="HIGHEST"/>
            <evidence type="product" source="pom" name="parent-artifactid" value="spring-boot-starter-parent" confidence="HIGH"/>
            <evidence type="product" source="pom" name="parent-artifactid" value="spring-boot-starter-parent" confidence="MEDIUM"/>
            <evidence type="product" source="pom" name="parent-artifactid" value="spring-boot-starter-parent" confidence="LOW"/>
        </given>
        <remove>
            <evidence type="product" source="pom" name="parent-artifactid" value="spring-boot-starter-parent" confidence="HIGHEST"/>
            <evidence type="product" source="pom" name="parent-artifactid" value="spring-boot-starter-parent" confidence="HIGH"/>
            <evidence type="product" source="pom" name="parent-artifactid" value="spring-boot-starter-parent" confidence="MEDIUM"/>
            <evidence type="product" source="pom" name="parent-artifactid" value="spring-boot-starter-parent" confidence="LOW"/>
        </remove>
    </hint>
    <hint>
        <given>
            <evidence type="vendor" source="pom" name="parent-groupid" value="org.springframework.boot" confidence="HIGHEST"/>
            <evidence type="vendor" source="pom" name="parent-groupid" value="org.springframework.boot" confidence="HIGH"/>
            <evidence type="vendor" source="pom" name="parent-groupid" value="org.springframework.boot" confidence="MEDIUM"/>
            <evidence type="vendor" source="pom" name="parent-groupid" value="org.springframework.boot" confidence="LOW"/>
        </given>
        <remove>
            <evidence type="vendor" source="pom" name="parent-groupid" value="org.springframework.boot" confidence="HIGHEST"/>
            <evidence type="vendor" source="pom" name="parent-groupid" value="org.springframework.boot" confidence="HIGH"/>
            <evidence type="vendor" source="pom" name="parent-groupid" value="org.springframework.boot" confidence="MEDIUM"/>
            <evidence type="vendor" source="pom" name="parent-groupid" value="org.springframework.boot" confidence="LOW"/>
        </remove>
    </hint>
    <!-- 
    The following hint is from the google group discussion found here: https://mail.google.com/mail/u/0/?zx=trb89qxxa4e5#inbox/15defe7b224506a2
    NOTE(review): that URL points into a personal Gmail inbox and will not open for other readers;
    replace it with the public thread URL if one can be located.
    The rule identifies the MySQL connector purely by file name. A file name is chosen by whoever
    packages the artifact, so treat this as a heuristic: a renamed jar would not match, and an
    unrelated file with a matching name would.
    -->
    <hint>
        <given>
            <fileName contains="mysql-connector.*" regex="true"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="mysql_connectors" confidence="HIGHEST"/>
            <evidence type="product" source="hint analyzer" name="product" value="mysql_connector_j" confidence="HIGHEST"/>
            <evidence type="product" source="hint analyzer" name="product" value="mysql_connector/j" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="oracle" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- The given evidence sets neither source nor confidence; presumably an artifactId of icu4j
             from any source then qualifies (TODO confirm). -->
        <given>
            <evidence type="product" name="artifactId" value="icu4j"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="international_components_for_unicode"
                      confidence="HIGHEST"/>
        </add>
    </hint>
    <!-- Vendor aliases: when vendor evidence equal to "value" is present, "duplicate" is presumably
         added as further vendor evidence (confirm against the analyzer). sun/oracle and
         unicode/icu-project are declared in both directions; icu4j maps one way only. -->
    <vendorDuplicatingHint value="sun" duplicate="oracle"/>	
    <vendorDuplicatingHint value="oracle" duplicate="sun"/>
    <vendorDuplicatingHint value="icu4j" duplicate="unicode"/>
    <vendorDuplicatingHint value="icu4j" duplicate="icu-project"/>
    <vendorDuplicatingHint value="unicode" duplicate="icu-project"/>
    <vendorDuplicatingHint value="icu-project" duplicate="unicode"/>

    <!--additional hints from community-->
    <!-- Most hints in this run key on a file-name regex only. File names are a weak signal: they
         identify an artifact only as long as it keeps its conventional name, so these rules can miss
         repackaged copies and can fire on look-alike names. -->
    <hint>
        <given>
            <fileName contains="bsh-.*" regex="true"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="beanshell" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="beanshell_project" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <given>
            <fileName contains="opensaml-.*" regex="true"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="opensaml" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="shibboleth" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- Removes every hudson-version version evidence from files named like jenkins*.war.
             NOTE(review): this discards version evidence, which feeds version matching for that
             artifact; presumably the hudson-version value is not the Jenkins version (confirm). -->
        <given>
            <fileName contains="jenkins.*\.war" regex="true"/>
        </given>
        <remove>
            <evidence type="version" name="hudson-version" value=".*" regex="true"/>
        </remove>
    </hint>
    <hint>
        <given>
            <fileName contains="htmlcleaner-.*" regex="true"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="htmlcleaner" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="htmlcleaner_project" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- Keyed on an exact manifest bundle-symbolicname; the given evidence sets no confidence. -->
        <given>
            <evidence type="product" source="Manifest" name="bundle-symbolicname" value="cq.quickstart.quickstart.jar.global.apis" />
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="experience manager" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="adobe" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <given>
            <fileName contains="not-yet-commons-ssl-.*" regex="true"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="not_yet_commons_ssl" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="not_yet_commons_ssl_project" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- Drops vendor and product evidence that came from a pom url containing "wordpress";
             presumably so that an artifact which merely links to a wordpress site is not identified
             as WordPress (confirm). -->
        <given>
            <evidence regex="true" type="vendor" source="pom" name="url" value=".*wordpress.*" confidence="HIGHEST"/>
            <evidence regex="true" type="product" source="pom" name="url" value=".*wordpress.*" confidence="HIGHEST"/>
        </given>
        <remove>
            <evidence regex="true" type="vendor" source="pom" name="url" value=".*wordpress.*" confidence="HIGHEST"/>
            <evidence regex="true" type="product" source="pom" name="url" value=".*wordpress.*" confidence="HIGHEST"/>
        </remove>
    </hint>
    <hint>
        <given>
            <evidence type="vendor" source="Manifest" name="Implementation-Vendor-Id" value="org.primefaces" confidence="MEDIUM"/>
            <evidence type="vendor" source="pom" name="groupid" value="org.primefaces" confidence="HIGHEST"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="primetek" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <given>
            <evidence type="vendor" source="Manifest" name="Implementation-Vendor" value="JBoss Inc." confidence="HIGH"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="redhat" confidence="HIGH"/>
        </add>
    </hint>
    <hint>
        <!-- NOTE(review): "crytography" in the first added product looks like a misspelling, but the
             value is a match key rather than display text. Check it against the CPE dictionary before
             correcting it; changing it could silently stop matches. -->
        <given>
            <evidence type="product" source="Manifest" name="extension-name" value="org.bouncycastle.bcprovider" confidence="MEDIUM"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="legion-of-the-bouncy-castle-java-crytography-api" confidence="HIGH"/>
            <evidence type="product" source="hint analyzer" name="product" value="the_bouncy_castle_crypto_package_for_java" confidence="HIGH"/>
        </add>
    </hint>
    <hint>
        <!-- Broad pattern: a groupid containing a "ws" token that is preceded by . or - and followed
             by . or - or the end of the string. It adds the generic vendor and product "web services"
             at MEDIUM confidence; the given evidence sets no confidence. -->
        <given>
            <evidence regex="true" type="vendor" source="pom" name="groupid" value="^.*[\.-]ws([\.-].*)?$"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="web services" confidence="MEDIUM"/>
            <evidence type="product" source="hint analyzer" name="product" value="web services" confidence="MEDIUM"/>
        </add>
    </hint>
    <hint>
        <!-- Same pattern and additions as the previous hint, applied to the pom artifactid. -->
        <given>
            <evidence regex="true" type="product" source="pom" name="artifactid" value="^.*[\.-]ws([\.-].*)?$"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="web services" confidence="MEDIUM"/>
            <evidence type="product" source="hint analyzer" name="product" value="web services" confidence="MEDIUM"/>
        </add>
    </hint>
    <!-- Vendor/product aliases keyed on exact evidence values: none of the given evidence in this
         run sets regex or confidence. -->
    <hint>
        <given>
            <evidence type="vendor" source="pom" name="groupid" value="com.zeroturnaround"/>
            <evidence type="vendor" source="pom" name="groupid" value="org.zeroturnaround"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="jrebel" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <given>
            <evidence type="vendor" source="Manifest" name="Implementation-Vendor" value="JBoss by Red Hat"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="redhat" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <given>
            <evidence type="vendor" source="pom" name="groupid" value="com.datomic"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="cognitect" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <given>
            <evidence type="vendor" source="pom" name="groupid" value="io.projectreactor.netty"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- Keyed on evidence whose source is grokassembly rather than a pom or manifest. -->
        <given>
            <evidence type="product" source="grokassembly" name="FileDescription" value="Telerik.Web.UI"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="Progress" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="Telerik" confidence="HIGHEST"/>
            <evidence type="product" source="hint analyzer" name="product" value="ASP.NET AJAX" confidence="HIGHEST"/>
            <evidence type="product" source="hint analyzer" name="product" value="UI For ASP.NET AJAX" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <given>
            <evidence type="vendor" source="pom" name="groupid" value="org.quartz-scheduler"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="softwareag" confidence="HIGHEST"/>
        </add>
    </hint>  
    <hint>
        <!-- Here groupid is matched as product evidence, whereas the other hints in this file match
             groupid as vendor evidence.
             NOTE(review): the added product names "modules" and "java8" are very generic. Confirm they
             correspond to real CPE product names, since generic names at HIGHEST confidence can widen
             matching well beyond the intended component. -->
        <given>
            <evidence type="product" source="pom" name="groupid" value="com.fasterxml.jackson.core"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="modules" confidence="HIGHEST"/>
            <evidence type="product" source="hint analyzer" name="product" value="java8" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <given>
            <evidence type="vendor" source="pom" name="groupid" value="org.cryptacular"/>
            <evidence type="vendor" source="jar" name="package name" value="cryptacular"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="Virginia Tech" confidence="HIGHEST"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="vt" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- Keyed on one exact pom url string; a pom that writes the same address differently
             (scheme, host form, trailing slash) presumably would not match. -->
        <given>
            <evidence type="vendor" source="pom" name="url" value="https://www.bouncycastle.org/fips-java"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="legion-of-the-bouncy-castle-fips-java" confidence="HIGHEST"/>
            <evidence type="product" source="hint analyzer" name="product" value="legion-of-the-bouncy-castle-fips-java-api" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <given>
            <evidence type="product" source="pom" name="name" value="PostgreSQL JDBC Driver"/>
            <evidence type="product" source="Manifest" name="Implementation-Title" value="PostgreSQL JDBC Driver"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="postgresql_jdbc_driver" confidence="HIGHEST"/>
            <evidence type="product" source="hint analyzer" name="product" value="pgjdbc" confidence="HIGHEST"/>
        </add>
    </hint>
    <!-- Hints added in response to reported false negatives, i.e. a component that was present but
         not identified. The issue numbers in the comments below presumably refer to the project's
         issue tracker. -->
    <hint>
        <!-- false negative per issue #4389, NVD has two CPE products in active use for Apache Xerces: xerces2_java and xerces-j -->
        <given>
            <evidence type="product" source="pom" name="artifactId" value="xercesImpl"/>
            <evidence type="product" source="file" name="name" value="xercesImpl"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="xerces-j" confidence="HIGHEST"/>
        </add>
    </hint>
    <hint>
        <!-- false negative per issue #4930 -->
        <given>
            <evidence type="product" source="pom" name="parent-artifactid" value="parquet"/>
        </given>
        <add>
            <evidence type="product" source="hint analyzer" name="product" value="parquet-mr" confidence="HIGH"/>
        </add>
    </hint>
    <hint>
        <!-- false negative per issue #1387 -->
        <!-- NOTE(review): besides yiiframework and yii, this adds the generic word "framework" as both
             vendor and product at HIGH confidence; confirm that value is needed, since a generic
             name can pull in matches for unrelated products. -->
        <given>
            <evidence type="product" source="composer.lock" name="product" value="yii2"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="yiiframework" confidence="HIGH"/>
            <evidence type="product" source="hint analyzer" name="product" value="yiiframework" confidence="HIGH"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="framework" confidence="HIGH"/>
            <evidence type="product" source="hint analyzer" name="product" value="framework" confidence="HIGH"/>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="yii" confidence="HIGH"/>
            <evidence type="product" source="hint analyzer" name="product" value="yii" confidence="HIGH"/>
        </add>
    </hint>
    <hint>
        <!-- false negative per issue #5525 -->
        <given>
            <evidence type="vendor" source="pom" name="groupid" value="com.lowagie"/>
        </given>
        <add>
            <evidence type="vendor" source="hint analyzer" name="vendor" value="itextpdf" confidence="HIGH"/>
        </add>
    </hint>
</hints>



