Added license information

Fixed generation of FoD filter query parameter
Fixed FoD returning incorrect vulnerability list (added limit request
parameter)
Refactored Spring utilities for better re-usability
Refactored Spring expression initialization; eager initialization and
only parsed once

LICENSE.TXT

@@ -0,0 +1,8 @@
+The MIT License (MIT)
+Copyright (c) 2016 Hewlett Packard Enterprise
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

fortify-util/rest-util/pom.xml

@@ -7,7 +7,24 @@
 		<artifactId>fortify-util</artifactId>
 		<version>1.0</version>
 	</parent>
-	<!-- TODO Add description, developers, license, ... -->
+	<organization>
+		<name>HPE Security Fortify</name>
+		<url>http://www8.hp.com/us/en/software-solutions/application-security/</url>
+	</organization>
+	<licenses>
+		<license>
+			<name>MIT License</name>
+			<url>http://www.opensource.org/licenses/mit-license.php</url>
+			<distribution>repo</distribution>
+		</license>
+	</licenses>
+	<developers>
+		<developer>
+			<id>rsenden</id>
+			<name>Ruud Senden</name>
+			<organization>HPE Security Fortify</organization>
+		</developer>
+	</developers>
 	<inceptionYear>2016</inceptionYear>
 	<dependencyManagement>
 		<dependencies>

fortify-util/rest-util/src/main/java/com/fortify/util/json/ondemand/IOnDemandJSONData.java

@@ -3,13 +3,13 @@
 import org.codehaus.jettison.json.JSONObject;
 import org.springframework.expression.EvaluationContext;
 
-import com.fortify.util.json.JsonPropertyAccessor;
+import com.fortify.util.spring.propertyaccessor.JsonObjectPropertyAccessor;
 
 /**
  * This interface allows for on-demand loading of JSON data. 
  * Any objects in a JSONObject that implement this interface
  * will automatically be replaced with the corresponding
- * on-demand data whenever accessed via {@link JsonPropertyAccessor}
+ * on-demand data whenever accessed via {@link JsonObjectPropertyAccessor}
  */
 public interface IOnDemandJSONData {
 	public Object replaceOnDemandJSONData(EvaluationContext evaluationContext, JSONObject target, String name);

fortify-util/rest-util/src/main/java/com/fortify/util/json/JsonPropertyAccessor.java → fortify-util/rest-util/src/main/java/com/fortify/util/spring/propertyaccessor/JsonObjectPropertyAccessor.java

@@ -1,6 +1,5 @@
-package com.fortify.util.json;
+package com.fortify.util.spring.propertyaccessor;
 
-import org.codehaus.jettison.json.JSONArray;
 import org.codehaus.jettison.json.JSONObject;
 import org.springframework.expression.AccessException;
 import org.springframework.expression.EvaluationContext;
@@ -9,25 +8,18 @@
 import org.springframework.stereotype.Component;
 
 import com.fortify.util.json.ondemand.IOnDemandJSONData;
-import com.fortify.util.spring.SpringExpressionUtil;
 
 /**
- * A SpEL {@link PropertyAccessor} that knows how to read on Jettison JSON objects.
+ * A SpEL {@link PropertyAccessor} that knows how to read on {@link JSONObject} instances.
  * It can optionally gather additional data when a given property value implements 
  * the {@link IOnDemandJSONData}.
- * TODO: Fix support for indexed JSONArray properties (if possible)
  */
 @Component
-public class JsonPropertyAccessor implements PropertyAccessor {
-	public JsonPropertyAccessor() {
-		// Register ourselves with the standard evaluation context in SpringUtil
-		SpringExpressionUtil.getStandardEvaluationContext().addPropertyAccessor(this);
-	}
-
+public class JsonObjectPropertyAccessor implements PropertyAccessor {
 	/**
 	 * The kind of types this can work with.
 	 */
-	private static final Class<?>[] SUPPORTED_CLASSES = new Class[] { JSONObject.class, JSONArray.class };
+	private static final Class<?>[] SUPPORTED_CLASSES = new Class[] { JSONObject.class };
 
 	/**
 	 * Return the types that are supported by this {@link PropertyAccessor}
@@ -40,21 +32,7 @@ public Class<?>[] getSpecificTargetClasses() {
 	 * Indicate whether the given property name can be read from the given target object.
 	 */
 	public boolean canRead(EvaluationContext context, Object target, String name) throws AccessException {
-		Integer index = getIndex(name);
-		return (target instanceof JSONObject) || 
-			   (target instanceof JSONArray && index != null && ((JSONArray)target).length() > index);
-	}
-
-	/**
-	 * Return an integer if the String property name can be parsed as an int, or null otherwise.
-	 */
-	private Integer getIndex(String name) {
-		try {
-			return Integer.valueOf(name);
-		}
-		catch (NumberFormatException e) {
-			return null;
-		}
+		return (target instanceof JSONObject);
 	}
 
 	/**
@@ -70,14 +48,8 @@ public TypedValue read(EvaluationContext context, Object target, String name) th
 					value = ((IOnDemandJSONData)value).replaceOnDemandJSONData(context, targetJSONObject, name);
 				}
 			}
-		} else if ( target instanceof JSONArray && getIndex(name) != null ) {
-			JSONArray targetJSONArray = (JSONArray)target;
-			int index = getIndex(name);
-			if ( !targetJSONArray.isNull(index) ) {
-				value = targetJSONArray.opt(index);
-			}
 		}
-		// For some reason the JSONObject|JSONArray.isNull() checks do not work, so we manually compare the class name
+		// For some reason the JSONObject.isNull() checks do not work, so we manually compare the class name
 		value = value!=null && value.getClass().getName().equals("org.codehaus.jettison.json.JSONObject$Null") ? null : value; 
 		return new TypedValue(value);
 	}

fortify-util/spring-util/pom.xml

@@ -7,7 +7,25 @@
 		<artifactId>fortify-util</artifactId>
 		<version>1.0</version>
 	</parent>
-	<!-- TODO Add description, developers, license, ... -->
+	<description>This module defines various utility classes for working with Spring.</description>
+	<organization>
+		<name>HPE Security Fortify</name>
+		<url>http://www8.hp.com/us/en/software-solutions/application-security/</url>
+	</organization>
+	<licenses>
+		<license>
+			<name>MIT License</name>
+			<url>http://www.opensource.org/licenses/mit-license.php</url>
+			<distribution>repo</distribution>
+		</license>
+	</licenses>
+	<developers>
+		<developer>
+			<id>rsenden</id>
+			<name>Ruud Senden</name>
+			<organization>HPE Security Fortify</organization>
+		</developer>
+	</developers>
 	<inceptionYear>2016</inceptionYear>
 	<dependencyManagement>
 		<dependencies>

fortify-util/spring-util/src/main/java/com/fortify/util/spring/SpringContextUtil.java

@@ -0,0 +1,149 @@
+package com.fortify.util.spring;
+
+import java.beans.PropertyEditor;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.beans.factory.config.CustomEditorConfigurer;
+import org.springframework.beans.factory.support.BeanDefinitionReader;
+import org.springframework.beans.factory.support.BeanDefinitionRegistry;
+import org.springframework.beans.factory.xml.XmlBeanDefinitionReader;
+import org.springframework.context.annotation.AnnotationConfigApplicationContext;
+import org.springframework.context.support.GenericApplicationContext;
+import org.springframework.core.io.DefaultResourceLoader;
+import org.springframework.core.io.FileSystemResource;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+import org.springframework.stereotype.Component;
+
+public final class SpringContextUtil {
+	private static final Log LOG = LogFactory.getLog(SpringContextUtil.class);
+	private static final Map<Class<?>, Class<? extends PropertyEditor>> PROPERTY_EDITORS = getPropertyEditors();
+
+	private SpringContextUtil() {}
+
+	/**
+	 * Automatically load all {@link PropertyEditorWithTargetClass} implementations
+	 * (annotated with {@link Component}) from 
+	 * com.fortify.util.spring.propertyeditor (sub-)packages. 
+	 * @return
+	 */
+	private static final Map<Class<?>, Class<? extends PropertyEditor>> getPropertyEditors() {
+		AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext("com.fortify.util.spring.propertyeditor");
+		try {
+			Map<Class<?>, Class<? extends PropertyEditor>> result = new HashMap<Class<?>, Class<? extends PropertyEditor>>();
+			Map<String, PropertyEditorWithTargetClass> beans = ctx.getBeansOfType(PropertyEditorWithTargetClass.class);
+			for ( Map.Entry<String, PropertyEditorWithTargetClass> entry : beans.entrySet() ) {
+				Class<?> targetClass = entry.getValue().getTargetClass();
+				Class<? extends PropertyEditor> propertyEditorClass = entry.getValue().getClass();
+				result.put(targetClass, propertyEditorClass);
+			}
+			LOG.info("Loaded PropertyEditors for classes: "+result);
+			return result;
+		} finally {
+			ctx.close();
+		}
+	}
+
+	/**
+	 * Get a basic Spring {@link GenericApplicationContext} with additional 
+	 * custom editors registered. The additional custom editors are automatically
+	 * loaded from com.fortify.util.spring.propertyeditor (sub-)packages
+	 * if they have the {@link Component} annotation.
+	 * @return Basic Spring ApplicationContext with custom editors registered.
+	 */
+	public static final GenericApplicationContext getBaseContext() {
+		GenericApplicationContext context = new GenericApplicationContext();
+		context.setClassLoader(SpringContextUtil.class.getClassLoader());
+
+		CustomEditorConfigurer cec = new CustomEditorConfigurer();
+		cec.setCustomEditors(PROPERTY_EDITORS);
+		context.addBeanFactoryPostProcessor(cec);
+		return context;
+	}
+
+	/**
+	 * Add XML-based configuration from the given resource names to the given context.
+	 * See {@link DefaultResourceLoader} for a description on how to format the
+	 * resource names.
+	 * After all resources have been added to the context, the context may need to
+	 * be refreshed in order to process all bean definitions.
+	 * @param context
+	 * @param resourceNames
+	 */
+	public static final void addConfigurationFromXmlResources(BeanDefinitionRegistry context, boolean errorOnMissingResource, String... resourceNames) {
+		ResourceLoader resourceLoader = new DefaultResourceLoader(); 
+		for ( String resourceName : resourceNames ) {
+			Resource resource = resourceLoader.getResource(resourceName);
+			addConfigurationFromXmlResource(context, resource, errorOnMissingResource);
+		}
+	}
+
+	/**
+	 * Add XML-based configuration from the given file names to the given context.
+	 * After all files have been added to the context, the context may need to
+	 * be refreshed in order to process all bean definitions.
+	 * @param context
+	 * @param fileNames
+	 */
+	public static final void addConfigurationFromXmlFiles(BeanDefinitionRegistry context, boolean errorOnMissingResource, String... fileNames) {
+		for ( String fileName : fileNames ) {
+			Resource resource = new FileSystemResource(fileName);
+			addConfigurationFromXmlResource(context, resource, errorOnMissingResource);
+		}
+	}
+
+	public static void addConfigurationFromXmlResource(BeanDefinitionRegistry context, Resource resource, boolean errorOnMissingResource) {
+		BeanDefinitionReader reader = new XmlBeanDefinitionReader(context);
+		if ( !resource.exists() ) {
+			if ( errorOnMissingResource ) {
+				throw new RuntimeException("Resource "+resource.getFilename()+" does not exist");
+			} else {
+				LOG.info("Resource "+resource.getFilename()+" does not exist; no bean definitions will be added");
+			}
+		} else {
+			LOG.info("Loading bean definitions from resource "+resource.getFilename());
+			reader.loadBeanDefinitions(resource);
+		}
+	}
+
+	/**
+	 * <p>Load a Spring {@link GenericApplicationContext} from the given resource names.
+	 * See {@link DefaultResourceLoader} for a description on how to format the
+	 * resource names.</p>
+	 * 
+	 * <p>This method will refresh the context after loading all resources, this
+	 * means that no more resources can be added to the returned context.</p>
+	 * 
+	 * @param fileNames
+	 * @return
+	 */
+	public static final GenericApplicationContext loadApplicationContextFromResources(boolean errorOnMissingResource, String... resourceNames) {
+		GenericApplicationContext result = getBaseContext();
+		addConfigurationFromXmlResources(result, errorOnMissingResource, resourceNames);
+		result.refresh();
+		return result;
+	}
+
+	/**
+	 * <p>Load a Spring {@link GenericApplicationContext} from the given file names.</p>
+	 * 
+	 * <p>This method will refresh the context after loading all resources, this
+	 * means that no more resources can be added to the returned context.</p>
+	 * 
+	 * @param fileNames
+	 * @return
+	 */
+	public static final GenericApplicationContext loadApplicationContextFromFiles(boolean errorOnMissingResource, String... fileNames) {
+		GenericApplicationContext result = getBaseContext();
+		addConfigurationFromXmlFiles(result, errorOnMissingResource, fileNames);
+		result.refresh();
+		return result;
+	}
+
+	public static interface PropertyEditorWithTargetClass extends PropertyEditor {
+		public Class<?> getTargetClass();
+	}
+}