github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-25 10:32:00 +01:00
Code Issues Packages Projects Releases Wiki Activity

updated code to better handle TLS errors

Browse Source
This commit is contained in:
Jeremy Long
2017-05-21 18:04:26 -04:00
parent d457fd1452
commit 122c78648a
4 changed files with 108 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
View File

@@ -50,10 +50,11 @@ import javax.json.JsonReader;
import javax.json.JsonString; import javax.json.JsonString;
import javax.json.JsonValue; import javax.json.JsonValue;
import org.owasp.dependencycheck.exception.InitializationException; import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
/** /**
* Used to analyze Node Package Manager (npm) package.json files via * Used to analyze Node Package Manager (npm) package.json files via Node
* Node Security Platform (nsp). * Security Platform (nsp).
* *
* @author Steve Springett * @author Steve Springett
*/ */
@@ -247,17 +248,21 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
addToEvidence(packageJson, vendorEvidence, "author"); addToEvidence(packageJson, vendorEvidence, "author");
addToEvidence(packageJson, dependency.getVersionEvidence(), "version"); addToEvidence(packageJson, dependency.getVersionEvidence(), "version");
dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName())); dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName()));
} catch (URLConnectionFailureException e) {
this.setEnabled(false);
throw new AnalysisException(e.getMessage(), e);
} catch (IOException e) { } catch (IOException e) {
LOGGER.debug("Error reading dependency or connecting to Node Security Platform /check API", e); LOGGER.debug("Error reading dependency or connecting to Node Security Platform - check API", e);
this.setEnabled(false);
throw new AnalysisException(e.getMessage(), e);
} catch (JsonException e) { } catch (JsonException e) {
LOGGER.warn("Failed to parse package.json file.", e); throw new AnalysisException(String.format("Failed to parse %s file.", file.getPath()), e);
} }
} }
/** /**
* Processes a part of package.json (as defined by JsobObject) and * Processes a part of package.json (as defined by JsobObject) and update
* update the specified dependency with relevant info. * the specified dependency with relevant info.
* *
* @param dependency the Dependency to update * @param dependency the Dependency to update
* @param jsonObject the jsonObject to parse * @param jsonObject the jsonObject to parse

15
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java
View File

@@ -35,6 +35,7 @@ import javax.json.Json;
import javax.json.JsonArray; import javax.json.JsonArray;
import javax.json.JsonObject; import javax.json.JsonObject;
import javax.json.JsonReader; import javax.json.JsonReader;
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
/** /**
* Class of methods to search via Node Security Platform. * Class of methods to search via Node Security Platform.
@@ -75,14 +76,15 @@ public class NspSearch {
} }
/** /**
* Submits the package.json file to the NSP public /check API and returns * Submits the package.json file to the NSP public /check API and returns a
* a list of zero or more Advisories. * list of zero or more Advisories.
* *
* @param packageJson the package.json file retrieved from the Dependency * @param packageJson the package.json file retrieved from the Dependency
* @return a List of zero or more Advisory object * @return a List of zero or more Advisory object
* @throws IOException if it's unable to connect to Node Security Platform * @throws IOException if it's unable to connect to Node Security Platform
*/ */
public List<Advisory> submitPackage(JsonObject packageJson) throws IOException { public List<Advisory> submitPackage(JsonObject packageJson) throws IOException {
try {
List<Advisory> result = new ArrayList<>(); List<Advisory> result = new ArrayList<>();
byte[] packageDatabytes = packageJson.toString().getBytes(StandardCharsets.UTF_8); byte[] packageDatabytes = packageJson.toString().getBytes(StandardCharsets.UTF_8);
@@ -140,5 +142,14 @@ public class NspSearch {
throw new IOException("Could not connect to Node Security Platform"); throw new IOException("Could not connect to Node Security Platform");
} }
return result; return result;
} catch (IOException ex) {
if (ex instanceof javax.net.ssl.SSLHandshakeException
&& ex.getMessage().contains("unable to find valid certification path to requested target")) {
final String msg = String.format("Unable to connect to '%s' - the Java trust store does not contain a trusted root for the cert. "
+ " Please see https://github.com/jeremylong/InstallCert for one method of updating the trusted certificates.", nspCheckUrl);
throw new URLConnectionFailureException(msg, ex);
}
throw ex;
}
} }
} }

29
dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java
View File

@@ -18,6 +18,8 @@
package org.owasp.dependencycheck; package org.owasp.dependencycheck;
import java.io.IOException; import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import org.junit.Test; import org.junit.Test;
@@ -58,20 +60,25 @@ public class EngineIT extends BaseDBTestCase {
try { try {
instance.analyzeDependencies(); instance.analyzeDependencies();
} catch (ExceptionCollection ex) { } catch (ExceptionCollection ex) {
if (ex.getExceptions().size() == 1 Set<String> allowedMessages = new HashSet<>();
&& (ex.getExceptions().get(0).getMessage().contains("bundle-audit") allowedMessages.add("bundle-audit");
|| ex.getExceptions().get(0).getMessage().contains("AssemblyAnalyzer"))) { allowedMessages.add("AssemblyAnalyzer");
//this is fine to ignore //allowedMessages.add("Unable to connect to");
} else if (ex.getExceptions().size() == 2 for (Throwable t : ex.getExceptions()) {
&& ((ex.getExceptions().get(0).getMessage().contains("bundle-audit") boolean isOk = false;
&& ex.getExceptions().get(1).getMessage().contains("AssemblyAnalyzer")) if (t.getMessage()!=null) {
|| (ex.getExceptions().get(1).getMessage().contains("bundle-audit") for (String msg : allowedMessages) {
&& ex.getExceptions().get(0).getMessage().contains("AssemblyAnalyzer")))) { if (t.getMessage().contains(msg)) {
//this is fine to ignore isOk=true;
} else { break;
}
}
}
if (!isOk) {
throw ex; throw ex;
} }
} }
}
DatabaseProperties prop = null; DatabaseProperties prop = null;
try (CveDB cve = CveDB.getInstance()) { try (CveDB cve = CveDB.getInstance()) {
prop = cve.getDatabaseProperties(); prop = cve.getDatabaseProperties();

17
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java
View File

@@ -32,6 +32,9 @@ import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.net.URL; import java.net.URL;
import java.util.List; import java.util.List;
import static org.junit.Assume.assumeFalse;
import static org.junit.Assume.assumeTrue;
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
public class NspSearchTest extends BaseTest { public class NspSearchTest extends BaseTest {
@@ -45,8 +48,7 @@ public class NspSearchTest extends BaseTest {
searcher = new NspSearch(new URL(url)); searcher = new NspSearch(new URL(url));
} }
//@Test @Test
//todo: this test does not work in Java 7 - UNABLE TO FIND VALID CERTIFICATION PATH TO REQUESTED TARGET
public void testNspSearchPositive() throws Exception { public void testNspSearchPositive() throws Exception {
InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json"); InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json");
try (JsonReader jsonReader = Json.createReader(in)) { try (JsonReader jsonReader = Json.createReader(in)) {
@@ -56,17 +58,24 @@ public class NspSearchTest extends BaseTest {
final JsonObject nspPayload = builder.add("package", sanitizedJson).build(); final JsonObject nspPayload = builder.add("package", sanitizedJson).build();
final List<Advisory> advisories = searcher.submitPackage(nspPayload); final List<Advisory> advisories = searcher.submitPackage(nspPayload);
Assert.assertTrue(advisories.size() > 0); Assert.assertTrue(advisories.size() > 0);
} catch (Exception ex) {
assumeFalse(ex instanceof URLConnectionFailureException
&& ex.getMessage().contains("Unable to connect to "));
throw ex;
} }
} }
//@Test(expected = IOException.class) @Test
//todo: this test does not work in Java 7 - UNABLE TO FIND VALID CERTIFICATION PATH TO REQUESTED TARGET
public void testNspSearchNegative() throws Exception { public void testNspSearchNegative() throws Exception {
InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json"); InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json");
try (JsonReader jsonReader = Json.createReader(in)) { try (JsonReader jsonReader = Json.createReader(in)) {
final JsonObject packageJson = jsonReader.readObject(); final JsonObject packageJson = jsonReader.readObject();
final JsonObject sanitizedJson = SanitizePackage.sanitize(packageJson); final JsonObject sanitizedJson = SanitizePackage.sanitize(packageJson);
searcher.submitPackage(sanitizedJson); searcher.submitPackage(sanitizedJson);
} catch (Exception ex) {
assumeFalse(ex instanceof URLConnectionFailureException
&& ex.getMessage().contains("Unable to connect to "));
throw ex;
} }
} }