package org.owasp.dependencycheck.analyzer;

import com.github.packageurl.MalformedPackageURLException;
import java.io.File;
import java.util.Collection;
import java.util.Iterator;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.annotation.concurrent.ThreadSafe;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.naming.Identifier;
import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.DependencyVersionUtil;
import org.owasp.dependencycheck.xml.pom.PomHandler;
import org.semver4j.Semver;
import org.semver4j.SemverException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

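/**
 * Analyzer that folds pairs of dependencies describing the same library into one
 * entry, recording the other as a "related dependency".
 *
 * <p>Two dependencies are bundled when any of these hold (checked in this order):
 * identical SHA-1 digests, a jar and the {@code pom.xml} it contains (shaded jar),
 * a jar and a {@code .js} file it contains (WebJar), matching CPE identifiers plus
 * matching base path, vulnerabilities and file name, or two {@code nodejs}
 * dependencies with the same name and compatible versions.
 *
 * <p>Because a bundled dependency no longer appears as its own top-level entry, every
 * predicate here errs on the side of <em>not</em> merging when its inputs are missing.
 */
@ThreadSafe
/* loaded from: input_file:org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.class */
public class DependencyBundlingAnalyzer extends AbstractDependencyComparingAnalyzer {
    private static final String ANALYZER_NAME = "Dependency Bundling Analyzer";
    private static final Logger LOGGER = LoggerFactory.getLogger(DependencyBundlingAnalyzer.class);
    /** Leading run of ASCII letters/digits of a file name (may be empty). */
    private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z0-9]*");
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.FINAL;
    /** Name that has an archive extension followed by at least one more character. */
    private static final Pattern ARCHIVE_NAME_PATTERN = Pattern.compile(".*\\.(tar|tgz|gz|zip|ear|war|rpm).+");
    /** Path that passes through a directory-like segment ending in {@code .ear} or {@code .war}. */
    private static final Pattern WAR_OR_EAR_PATH_PATTERN = Pattern.compile(".*\\.(ear|war)[\\\\/].*");
    /** Version string whose first character is an ASCII digit. */
    private static final Pattern LEADING_DIGIT_PATTERN = Pattern.compile("^\\d.*$");
    /** Repository directory names recognised when no local repository is configured. */
    private static final Pattern DEFAULT_REPO_PATTERN = Pattern.compile(".*[/\\\\](?<repo>repository|local-repo)[/\\\\].*");
    /** Name fragments that mark a file as the "core" artifact of a group of siblings. */
    private static final String[] CORE_NAME_MARKERS = {
        "core", "kernel", "server", PomHandler.PROJECT, "engine", "akka-stream", "netty-transport"
    };

    /**
     * Returns the display name of this analyzer.
     *
     * @return the analyzer name
     */
    @Override // org.owasp.dependencycheck.analyzer.Analyzer
    public String getName() {
        return ANALYZER_NAME;
    }

    /**
     * Returns the phase in which this analyzer runs.
     *
     * @return {@link AnalysisPhase#FINAL}
     */
    @Override // org.owasp.dependencycheck.analyzer.Analyzer
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }

    /**
     * Returns the settings key that enables or disables this analyzer.
     *
     * @return the settings key
     */
    @Override // org.owasp.dependencycheck.analyzer.AbstractAnalyzer
    protected String getAnalyzerEnabledSettingKey() {
        return "analyzer.dependencybundling.enabled";
    }

    /**
     * Decides whether two dependencies describe the same library and, if so, merges
     * one into the other.
     *
     * @param dependency the first dependency of the pair
     * @param dependency2 the second dependency of the pair
     * @param set receives whichever dependency was merged into the other
     * @return {@code true} only when {@code dependency} was merged into
     *         {@code dependency2}; {@code false} when nothing was merged or when
     *         {@code dependency2} was merged into {@code dependency}
     */
    @Override // org.owasp.dependencycheck.analyzer.AbstractDependencyComparingAnalyzer
    protected boolean evaluateDependencies(Dependency dependency, Dependency dependency2, Set<Dependency> set) {
        if (hashesMatch(dependency, dependency2)) {
            // Identical files inside a war/ear are left as separate entries.
            if (containedInWar(dependency.getFilePath()) || containedInWar(dependency2.getFilePath())) {
                return false;
            }
            if (firstPathIsShortest(dependency.getFilePath(), dependency2.getFilePath())) {
                mergeDependencies(dependency, dependency2, set);
                return false;
            }
            mergeDependencies(dependency2, dependency, set);
            return true;
        }
        if (isShadedJar(dependency, dependency2)) {
            // The jar survives; the pom.xml is folded into it and then dropped from
            // the survivor's related list.
            if (dependency.getFileName().toLowerCase(Locale.ROOT).endsWith("pom.xml")) {
                mergeDependencies(dependency2, dependency, set);
                dependency2.removeRelatedDependencies(dependency);
                return true;
            }
            mergeDependencies(dependency, dependency2, set);
            dependency.removeRelatedDependencies(dependency2);
            return false;
        }
        if (isWebJar(dependency, dependency2)) {
            // The jar survives; identifiers and vulnerabilities of the .js file are
            // copied onto it (fourth argument) so they stay on the reported entry.
            if (dependency.getFileName().toLowerCase(Locale.ROOT).endsWith(".js")) {
                mergeDependencies(dependency2, dependency, set, true);
                dependency2.removeRelatedDependencies(dependency);
                return true;
            }
            mergeDependencies(dependency, dependency2, set, true);
            dependency.removeRelatedDependencies(dependency2);
            return false;
        }
        if (cpeIdentifiersMatch(dependency, dependency2)
                && hasSameBasePath(dependency, dependency2)
                && vulnerabilitiesMatch(dependency, dependency2)
                && fileNameMatch(dependency, dependency2)) {
            if (isCore(dependency, dependency2)) {
                mergeDependencies(dependency, dependency2, set);
                return false;
            }
            mergeDependencies(dependency2, dependency, set);
            return true;
        }
        if (!ecosystemIs("nodejs", dependency, dependency2)
                || !namesAreEqual(dependency, dependency2)
                || !npmVersionsMatch(dependency.getVersion(), dependency2.getVersion())) {
            return false;
        }
        // For node packages a virtual entry is merged into the non-virtual one.
        if (dependency.isVirtual()) {
            DependencyMergingAnalyzer.mergeDependencies(dependency2, dependency, set);
            return true;
        }
        DependencyMergingAnalyzer.mergeDependencies(dependency, dependency2, set);
        return false;
    }

    /**
     * Merges {@code dependency2} into {@code dependency} without copying its
     * identifiers or vulnerabilities.
     *
     * @param dependency the dependency that survives
     * @param dependency2 the dependency that becomes a related dependency
     * @param set receives {@code dependency2}; may be {@code null}
     */
    public static void mergeDependencies(Dependency dependency, Dependency dependency2, Set<Dependency> set) {
        mergeDependencies(dependency, dependency2, set, false);
    }

    /**
     * Merges {@code dependency2} into {@code dependency}.
     *
     * <p>{@code dependency2} and everything related to it become related dependencies
     * of {@code dependency}. When {@code z} is {@code false} the software identifiers,
     * vulnerable-software identifiers and vulnerabilities of {@code dependency2} are
     * <em>not</em> copied; they stay only on the related entry, so callers should pass
     * {@code false} only when both entries are known to carry the same findings.
     *
     * @param dependency the dependency that survives
     * @param dependency2 the dependency that becomes a related dependency
     * @param set receives {@code dependency2}; may be {@code null}
     * @param z when {@code true}, also copy identifiers and vulnerabilities of
     *          {@code dependency2} onto {@code dependency}
     * @throws NullPointerException if {@code dependency} is {@code null}
     */
    public static void mergeDependencies(Dependency dependency, Dependency dependency2, Set<Dependency> set, boolean z) {
        Objects.requireNonNull(dependency);
        dependency.addRelatedDependency(dependency2);
        dependency2.getRelatedDependencies().forEach(dependency::addRelatedDependency);
        dependency2.clearRelatedDependencies();
        if (z) {
            dependency2.getSoftwareIdentifiers().forEach(dependency::addSoftwareIdentifier);
            dependency2.getVulnerableSoftwareIdentifiers().forEach(dependency::addVulnerableSoftwareIdentifier);
            dependency2.getVulnerabilities().forEach(dependency::addVulnerability);
        }
        // Project references and "included by" data are only carried over when both
        // entries are the same file by SHA-1.
        if (dependency.getSha1sum() != null && dependency.getSha1sum().equals(dependency2.getSha1sum())) {
            dependency.addAllProjectReferences(dependency2.getProjectReferences());
            dependency.addAllIncludedBy(dependency2.getIncludedBy());
        }
        if (set != null) {
            set.add(dependency2);
        }
    }

    /**
     * Truncates a path to the repository directory plus up to two further path
     * segments, keeping the trailing separator.
     *
     * <p>Only {@link File#separator} is recognised here, whereas the pattern that
     * finds the repository name accepts both {@code /} and {@code \}.
     *
     * @param str the path to truncate
     * @param str2 the repository directory name found in {@code str}
     * @return the truncated path, or {@code str} unchanged when the repository name
     *         followed by a separator and one more segment cannot be located
     */
    private String getBaseRepoPath(String str, String str2) {
        final int repoAt = str.indexOf(str2 + File.separator);
        if (repoAt < 0) {
            return str;
        }
        final int afterRepo = repoAt + str2.length() + 1;
        final int firstSegmentEnd = str.indexOf(File.separator, afterRepo);
        if (firstSegmentEnd <= 0) {
            return str;
        }
        int cut = firstSegmentEnd + 1;
        final int secondSegmentEnd = str.indexOf(File.separator, cut);
        if (secondSegmentEnd > 0) {
            cut = secondSegmentEnd + 1;
        }
        return str.substring(0, cut);
    }

    /**
     * Checks that two dependencies have compatible file names: the versions parsed
     * from the names must not differ, and the leading alphanumeric run of both names
     * must be equal.
     *
     * @param dependency the first dependency
     * @param dependency2 the second dependency
     * @return {@code true} if the file names are considered a match
     */
    private boolean fileNameMatch(Dependency dependency, Dependency dependency2) {
        if (dependency == null || dependency.getFileName() == null
                || dependency2 == null || dependency2.getFileName() == null) {
            return false;
        }
        final String firstName = dependency.getActualFile().getName();
        final String secondName = dependency2.getActualFile().getName();
        final DependencyVersion firstVersion = DependencyVersionUtil.parseVersion(firstName);
        final DependencyVersion secondVersion = DependencyVersionUtil.parseVersion(secondName);
        // A version that could not be parsed on either side is not treated as a mismatch.
        if (firstVersion != null && secondVersion != null && !firstVersion.equals(secondVersion)) {
            return false;
        }
        final Matcher firstPrefix = STARTING_TEXT_PATTERN.matcher(firstName);
        final Matcher secondPrefix = STARTING_TEXT_PATTERN.matcher(secondName);
        if (firstPrefix.find() && secondPrefix.find()) {
            return firstPrefix.group().equals(secondPrefix.group());
        }
        return false;
    }

    /**
     * Checks that both dependencies carry the same non-empty set of vulnerable
     * software (CPE) identifiers.
     *
     * @param dependency the first dependency
     * @param dependency2 the second dependency
     * @return {@code true} if both identifier sets are non-empty and equal
     */
    private boolean cpeIdentifiersMatch(Dependency dependency, Dependency dependency2) {
        if (dependency == null || dependency.getVulnerableSoftwareIdentifiers() == null
                || dependency2 == null || dependency2.getVulnerableSoftwareIdentifiers() == null) {
            return false;
        }
        final Set<Identifier> firstIds = dependency.getVulnerableSoftwareIdentifiers();
        final Set<Identifier> secondIds = dependency2.getVulnerableSoftwareIdentifiers();
        // Every identifier has to be present on the other side. Accumulating with
        // "|=" would stay true after the first hit and let dependencies that share a
        // single CPE be bundled even though the remaining identifiers differ.
        final boolean matches = !firstIds.isEmpty()
                && firstIds.size() == secondIds.size()
                && secondIds.containsAll(firstIds);
        LOGGER.trace("IdentifiersMatch={} ({}, {})", matches, dependency.getFileName(), dependency2.getFileName());
        return matches;
    }

    /**
     * Checks that both dependencies carry the same set of vulnerabilities.
     *
     * @param dependency the first dependency
     * @param dependency2 the second dependency
     * @return {@code true} if both sets are non-null, of equal size, and the first
     *         contains every element of the second
     */
    private boolean vulnerabilitiesMatch(Dependency dependency, Dependency dependency2) {
        final Set<Vulnerability> first = dependency.getVulnerabilities();
        final Set<Vulnerability> second = dependency2.getVulnerabilities();
        if (first == null || second == null) {
            return false;
        }
        return first.size() == second.size() && first.containsAll(second);
    }

    /**
     * Checks whether two dependencies live under the same directory, or under the
     * same group directory of a Maven-style repository.
     *
     * <p>If the direct comparison fails, the related dependencies of
     * {@code dependency2} are compared against {@code dependency} recursively.
     *
     * @param dependency the first dependency
     * @param dependency2 the second dependency
     * @return {@code true} if the base paths are considered the same
     */
    private boolean hasSameBasePath(Dependency dependency, Dependency dependency2) {
        if (dependency == null || dependency2 == null) {
            return false;
        }
        String firstDir = new File(dependency.getFilePath()).getParent();
        String secondDir = new File(dependency2.getFilePath()).getParent();
        if (firstDir == null) {
            return secondDir == null;
        }
        if (secondDir == null) {
            return false;
        }
        if (firstDir.equalsIgnoreCase(secondDir)) {
            return true;
        }
        final String configuredRepo = getSettings().getString("odc.maven.local.repo");
        // The configured directory name is quoted so that it is matched literally and
        // cannot alter the expression.
        final Pattern repoPattern = configuredRepo == null
                ? DEFAULT_REPO_PATTERN
                : Pattern.compile(".*[/\\\\](?<repo>repository|local-repo|"
                        + Pattern.quote(new File(configuredRepo).getName()) + ")[/\\\\].*");
        final Matcher firstRepo = repoPattern.matcher(firstDir);
        final Matcher secondRepo = repoPattern.matcher(secondDir);
        if (firstRepo.find() && secondRepo.find()) {
            firstDir = getBaseRepoPath(firstDir, firstRepo.group("repo"));
            secondDir = getBaseRepoPath(secondDir, secondRepo.group("repo"));
        }
        if (firstDir.equalsIgnoreCase(secondDir)) {
            return true;
        }
        for (Dependency related : dependency2.getRelatedDependencies()) {
            if (hasSameBasePath(related, dependency)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decides which of two matching dependencies is the "core" one that should
     * survive a merge.
     *
     * <p>A virtual dependency wins over a non-virtual one. Otherwise the side whose
     * lower-cased file name is not an archive-with-suffix, or which contains a core
     * marker the other lacks, wins; the right-hand side is checked first. If neither
     * side wins, the shorter (or equal-length) name is taken as core.
     *
     * @param dependency the left dependency
     * @param dependency2 the right dependency
     * @return {@code true} if {@code dependency} is the core dependency
     */
    protected boolean isCore(Dependency dependency, Dependency dependency2) {
        // Locale.ROOT keeps the lower-casing independent of the JVM default locale
        // (e.g. "ENGINE" must become "engine" so the marker comparison works).
        final String leftName = dependency.getFileName().toLowerCase(Locale.ROOT);
        final String rightName = dependency2.getFileName().toLowerCase(Locale.ROOT);
        final boolean leftIsCore;
        if (dependency.isVirtual() && !dependency2.isVirtual()) {
            leftIsCore = true;
        } else if (!dependency.isVirtual() && dependency2.isVirtual()) {
            leftIsCore = false;
        } else if (looksMoreCore(rightName, leftName)) {
            leftIsCore = false;
        } else if (looksMoreCore(leftName, rightName)) {
            leftIsCore = true;
        } else {
            leftIsCore = leftName.length() <= rightName.length();
        }
        LOGGER.debug("IsCore={} ({}, {})", leftIsCore, dependency.getFileName(), dependency2.getFileName());
        return leftIsCore;
    }

    /**
     * Tells whether {@code candidate} looks more like a core artifact than
     * {@code other}: it is not an archive-with-suffix while the other is, or it
     * contains a core marker that the other does not.
     *
     * @param candidate lower-cased file name to favour
     * @param other lower-cased file name to compare against
     * @return {@code true} if {@code candidate} is favoured
     */
    private static boolean looksMoreCore(String candidate, String other) {
        if (!ARCHIVE_NAME_PATTERN.matcher(candidate).matches() && ARCHIVE_NAME_PATTERN.matcher(other).matches()) {
            return true;
        }
        for (String marker : CORE_NAME_MARKERS) {
            if (candidate.contains(marker) && !other.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether both dependencies have the same SHA-1 digest.
     *
     * <p>Equal digests are treated as "same file". SHA-1 is not collision resistant,
     * so this is a content fingerprint rather than proof of identity: two distinct
     * files crafted to collide would be bundled into one entry.
     * NOTE(review): consider comparing a stronger digest as well if the dependency
     * model provides one.
     *
     * @param dependency the first dependency
     * @param dependency2 the second dependency
     * @return {@code true} if both digests are present and equal
     */
    private boolean hashesMatch(Dependency dependency, Dependency dependency2) {
        if (dependency == null || dependency2 == null) {
            return false;
        }
        final String firstSha1 = dependency.getSha1sum();
        final String secondSha1 = dependency2.getSha1sum();
        return firstSha1 != null && secondSha1 != null && firstSha1.equals(secondSha1);
    }

    /**
     * Checks whether one dependency is a WebJar and the other a {@code .js} file
     * inside it, with the script's identifiers (rewritten to the
     * {@code org.webjars} namespace) all present on the jar.
     *
     * @param dependency the first dependency
     * @param dependency2 the second dependency
     * @return {@code true} if the pair is a WebJar and one of its scripts
     */
    protected boolean isWebJar(Dependency dependency, Dependency dependency2) {
        if (dependency == null || dependency.getFileName() == null
                || dependency2 == null || dependency2.getFileName() == null
                || dependency.getSoftwareIdentifiers().isEmpty()
                || dependency2.getSoftwareIdentifiers().isEmpty()) {
            return false;
        }
        final String firstName = dependency.getFileName().toLowerCase(Locale.ROOT);
        final String secondName = dependency2.getFileName().toLowerCase(Locale.ROOT);
        if (firstName.endsWith(".jar") && secondName.endsWith(".js") && secondName.startsWith(firstName)) {
            return webJarCoversScript(dependency, dependency2);
        }
        // Same ".js" suffix as the branch above and as evaluateDependencies, which
        // uses that suffix to decide which side of the pair is the script.
        if (secondName.endsWith(".jar") && firstName.endsWith(".js") && firstName.startsWith(secondName)) {
            return webJarCoversScript(dependency2, dependency);
        }
        return false;
    }

    /**
     * Checks that every identifier of {@code script}, rewritten for WebJar
     * comparison, is among the identifier values of {@code jar}.
     *
     * @param jar the jar dependency
     * @param script the script dependency contained in the jar
     * @return {@code true} if the jar's identifier values contain all of the script's
     */
    private boolean webJarCoversScript(Dependency jar, Dependency script) {
        final Set<String> jarIds = jar.getSoftwareIdentifiers().stream()
                .map(Identifier::getValue)
                .collect(Collectors.toSet());
        final Set<String> scriptIds = script.getSoftwareIdentifiers().stream()
                .map(this::identifierToWebJarForComparison)
                .collect(Collectors.toSet());
        return jarIds.containsAll(scriptIds);
    }

    /**
     * Produces the value a script identifier would have if it were a Maven
     * {@code org.webjars} package URL with the same name, version and confidence.
     *
     * @param identifier the identifier to convert; may be {@code null}
     * @return the rewritten package URL value; the identifier's own value when it is
     *         not a {@link PurlIdentifier} or the package URL cannot be built; the
     *         empty string for {@code null}
     */
    private String identifierToWebJarForComparison(Identifier identifier) {
        if (!(identifier instanceof PurlIdentifier)) {
            return identifier == null ? "" : identifier.getValue();
        }
        final PurlIdentifier purl = (PurlIdentifier) identifier;
        try {
            return new PurlIdentifier("maven", "org.webjars", purl.getName(), purl.getVersion(),
                    purl.getConfidence()).getValue();
        } catch (MalformedPackageURLException e) {
            LOGGER.debug("Unable to build webjar purl id", e);
            return identifier.getValue();
        }
    }

    /**
     * Checks whether one dependency is a jar and the other a {@code pom.xml} whose
     * software identifiers are all present on the jar.
     *
     * @param dependency the first dependency
     * @param dependency2 the second dependency
     * @return {@code true} if the pair is a jar and a pom it covers
     */
    protected boolean isShadedJar(Dependency dependency, Dependency dependency2) {
        if (dependency == null || dependency.getFileName() == null
                || dependency2 == null || dependency2.getFileName() == null
                || dependency.getSoftwareIdentifiers().isEmpty()
                || dependency2.getSoftwareIdentifiers().isEmpty()) {
            return false;
        }
        final String firstName = dependency.getFileName().toLowerCase(Locale.ROOT);
        final String secondName = dependency2.getFileName().toLowerCase(Locale.ROOT);
        if (firstName.endsWith(".jar") && secondName.endsWith("pom.xml")) {
            return dependency.getSoftwareIdentifiers().containsAll(dependency2.getSoftwareIdentifiers());
        }
        if (secondName.endsWith(".jar") && firstName.endsWith("pom.xml")) {
            return dependency2.getSoftwareIdentifiers().containsAll(dependency.getSoftwareIdentifiers());
        }
        return false;
    }

    /**
     * Decides whether the first path should be preferred over the second.
     *
     * <p>A path containing {@code dctemp} never wins against one that does not.
     * Otherwise the path with fewer {@code /} separators (after converting
     * {@code \} to {@code /}) wins; ties are broken by string order.
     *
     * @param str the first path
     * @param str2 the second path
     * @return {@code true} if the first path is preferred
     */
    public static boolean firstPathIsShortest(String str, String str2) {
        if (str.contains("dctemp") && !str2.contains("dctemp")) {
            return false;
        }
        final String first = str.replace('\\', '/');
        final String second = str2.replace('\\', '/');
        final int firstDepth = countChar(first, '/');
        final int secondDepth = countChar(second, '/');
        if (firstDepth != secondDepth) {
            return firstDepth < secondDepth;
        }
        return first.compareTo(second) <= 0;
    }

    /**
     * Counts how often a character occurs in a string.
     *
     * @param str the string to scan
     * @param c the character to count
     * @return the number of occurrences
     */
    private static int countChar(String str, char c) {
        int count = 0;
        for (int i = 0; i < str.length(); i++) {
            if (str.charAt(i) == c) {
                count++;
            }
        }
        return count;
    }

    /**
     * Checks whether a path passes through a {@code .war} or {@code .ear} segment.
     *
     * @param str the file path; may be {@code null}
     * @return {@code true} if the path contains {@code .war} or {@code .ear}
     *         followed by a path separator
     */
    private boolean containedInWar(String str) {
        return str != null && WAR_OR_EAR_PATH_PATTERN.matcher(str).matches();
    }

    /**
     * Checks that both dependencies belong to the given ecosystem.
     *
     * @param str the ecosystem name
     * @param dependency the first dependency
     * @param dependency2 the second dependency
     * @return {@code true} if both ecosystems equal {@code str}
     */
    private boolean ecosystemIs(String str, Dependency dependency, Dependency dependency2) {
        return str.equals(dependency.getEcosystem()) && str.equals(dependency2.getEcosystem());
    }

    /**
     * Checks that both dependencies have the same non-null name.
     *
     * @param dependency the first dependency
     * @param dependency2 the second dependency
     * @return {@code true} if the names are equal
     */
    private boolean namesAreEqual(Dependency dependency, Dependency dependency2) {
        return dependency.getName() != null && dependency.getName().equals(dependency2.getName());
    }

    /**
     * Checks whether two npm version strings (exact versions or ranges) are
     * compatible.
     *
     * <p>Equal strings and {@code *} always match. A string containing a space is
     * treated as a range; two ranges are never considered a match. Otherwise one side
     * is parsed as a version (after dropping any non-numeric prefix) and tested
     * against the other side as a requirement. Any parse failure yields
     * {@code false}, so malformed versions never cause a merge.
     *
     * @param str the first version or range; may be {@code null}
     * @param str2 the second version or range; may be {@code null}
     * @return {@code true} if the versions are considered compatible
     */
    public static boolean npmVersionsMatch(String str, String str2) {
        String left = str;
        String right = str2;
        if (left == null || right == null) {
            return false;
        }
        if (left.equals(right) || "*".equals(left) || "*".equals(right)) {
            return true;
        }
        if (left.contains(" ")) {
            // Left is a range; a range cannot be evaluated against another range.
            if (right.contains(" ")) {
                return false;
            }
            if (!LEADING_DIGIT_PATTERN.matcher(right).matches()) {
                right = stripLeadingNonNumeric(right);
                if (right == null) {
                    return false;
                }
            }
            try {
                return new Semver(right).satisfies(left);
            } catch (SemverException e) {
                LOGGER.trace("ignore", e);
                return false;
            }
        }
        if (!LEADING_DIGIT_PATTERN.matcher(left).matches()) {
            left = stripLeadingNonNumeric(left);
            if (left == null || left.isEmpty()) {
                return false;
            }
        }
        try {
            final Semver leftVersion = new Semver(left);
            if (!right.isEmpty() && leftVersion.satisfies(right)) {
                return true;
            }
            if (right.contains(" ")) {
                return false;
            }
            // Retry the other way round: the original left string as the requirement
            // and the right side as the concrete version.
            left = str;
            right = stripLeadingNonNumeric(right);
            if (right != null) {
                return new Semver(right).satisfies(left);
            }
            return false;
        } catch (SemverException e2) {
            LOGGER.trace("ignore", e2);
            return false;
        } catch (NullPointerException e3) {
            // Kept as a safety net around the version library; the operands are
            // logged so the offending input can be identified.
            LOGGER.error("SemVer comparison error: left:\"{}\", right:\"{}\"", left, right);
            LOGGER.debug("SemVer comparison resulted in NPE", e3);
            return false;
        }
    }

    /**
     * Drops everything before the first digit of a string.
     *
     * @param str the string to trim
     * @return the substring starting at the first digit, or {@code null} if the
     *         string contains no digit
     */
    private static String stripLeadingNonNumeric(String str) {
        for (int i = 0; i < str.length(); i++) {
            if (Character.isDigit(str.codePointAt(i))) {
                return str.substring(i);
            }
        }
        return null;
    }
}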
