mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-04-24 01:08:48 +02:00
updated code to better handle TLS errors
This commit is contained in:
Jeremy Long
@@ -50,10 +50,11 @@ import javax.json.JsonReader;
|
||||
import javax.json.JsonString;
|
||||
import javax.json.JsonValue;
|
||||
import org.owasp.dependencycheck.exception.InitializationException;
|
||||
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
|
||||
|
||||
/**
|
||||
* Used to analyze Node Package Manager (npm) package.json files via
|
||||
* Node Security Platform (nsp).
|
||||
* Used to analyze Node Package Manager (npm) package.json files via Node
|
||||
* Security Platform (nsp).
|
||||
*
|
||||
* @author Steve Springett
|
||||
*/
|
||||
@@ -247,17 +248,21 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
addToEvidence(packageJson, vendorEvidence, "author");
|
||||
addToEvidence(packageJson, dependency.getVersionEvidence(), "version");
|
||||
dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName()));
|
||||
|
||||
} catch (URLConnectionFailureException e) {
|
||||
this.setEnabled(false);
|
||||
throw new AnalysisException(e.getMessage(), e);
|
||||
} catch (IOException e) {
|
||||
LOGGER.debug("Error reading dependency or connecting to Node Security Platform /check API", e);
|
||||
LOGGER.debug("Error reading dependency or connecting to Node Security Platform - check API", e);
|
||||
this.setEnabled(false);
|
||||
throw new AnalysisException(e.getMessage(), e);
|
||||
} catch (JsonException e) {
|
||||
LOGGER.warn("Failed to parse package.json file.", e);
|
||||
throw new AnalysisException(String.format("Failed to parse %s file.", file.getPath()), e);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Processes a part of package.json (as defined by JsobObject) and
|
||||
* update the specified dependency with relevant info.
|
||||
* Processes a part of package.json (as defined by JsobObject) and update
|
||||
* the specified dependency with relevant info.
|
||||
*
|
||||
* @param dependency the Dependency to update
|
||||
* @param jsonObject the jsonObject to parse
|
||||
|
||||
@@ -35,6 +35,7 @@ import javax.json.Json;
|
||||
import javax.json.JsonArray;
|
||||
import javax.json.JsonObject;
|
||||
import javax.json.JsonReader;
|
||||
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
|
||||
|
||||
/**
|
||||
* Class of methods to search via Node Security Platform.
|
||||
@@ -75,14 +76,15 @@ public class NspSearch {
|
||||
}
|
||||
|
||||
/**
|
||||
* Submits the package.json file to the NSP public /check API and returns
|
||||
* a list of zero or more Advisories.
|
||||
* Submits the package.json file to the NSP public /check API and returns a
|
||||
* list of zero or more Advisories.
|
||||
*
|
||||
* @param packageJson the package.json file retrieved from the Dependency
|
||||
* @return a List of zero or more Advisory object
|
||||
* @throws IOException if it's unable to connect to Node Security Platform
|
||||
*/
|
||||
public List<Advisory> submitPackage(JsonObject packageJson) throws IOException {
|
||||
try {
|
||||
List<Advisory> result = new ArrayList<>();
|
||||
byte[] packageDatabytes = packageJson.toString().getBytes(StandardCharsets.UTF_8);
|
||||
|
||||
@@ -140,5 +142,14 @@ public class NspSearch {
|
||||
throw new IOException("Could not connect to Node Security Platform");
|
||||
}
|
||||
return result;
|
||||
} catch (IOException ex) {
|
||||
if (ex instanceof javax.net.ssl.SSLHandshakeException
|
||||
&& ex.getMessage().contains("unable to find valid certification path to requested target")) {
|
||||
final String msg = String.format("Unable to connect to '%s' - the Java trust store does not contain a trusted root for the cert. "
|
||||
+ " Please see https://github.com/jeremylong/InstallCert for one method of updating the trusted certificates.", nspCheckUrl);
|
||||
throw new URLConnectionFailureException(msg, ex);
|
||||
}
|
||||
throw ex;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -18,6 +18,8 @@
|
||||
package org.owasp.dependencycheck;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
import org.junit.Test;
|
||||
@@ -58,20 +60,25 @@ public class EngineIT extends BaseDBTestCase {
|
||||
try {
|
||||
instance.analyzeDependencies();
|
||||
} catch (ExceptionCollection ex) {
|
||||
if (ex.getExceptions().size() == 1
|
||||
&& (ex.getExceptions().get(0).getMessage().contains("bundle-audit")
|
||||
|| ex.getExceptions().get(0).getMessage().contains("AssemblyAnalyzer"))) {
|
||||
//this is fine to ignore
|
||||
} else if (ex.getExceptions().size() == 2
|
||||
&& ((ex.getExceptions().get(0).getMessage().contains("bundle-audit")
|
||||
&& ex.getExceptions().get(1).getMessage().contains("AssemblyAnalyzer"))
|
||||
|| (ex.getExceptions().get(1).getMessage().contains("bundle-audit")
|
||||
&& ex.getExceptions().get(0).getMessage().contains("AssemblyAnalyzer")))) {
|
||||
//this is fine to ignore
|
||||
} else {
|
||||
Set<String> allowedMessages = new HashSet<>();
|
||||
allowedMessages.add("bundle-audit");
|
||||
allowedMessages.add("AssemblyAnalyzer");
|
||||
//allowedMessages.add("Unable to connect to");
|
||||
for (Throwable t : ex.getExceptions()) {
|
||||
boolean isOk = false;
|
||||
if (t.getMessage()!=null) {
|
||||
for (String msg : allowedMessages) {
|
||||
if (t.getMessage().contains(msg)) {
|
||||
isOk=true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!isOk) {
|
||||
throw ex;
|
||||
}
|
||||
}
|
||||
}
|
||||
DatabaseProperties prop = null;
|
||||
try (CveDB cve = CveDB.getInstance()) {
|
||||
prop = cve.getDatabaseProperties();
|
||||
|
||||
@@ -32,6 +32,9 @@ import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.net.URL;
|
||||
import java.util.List;
|
||||
import static org.junit.Assume.assumeFalse;
|
||||
import static org.junit.Assume.assumeTrue;
|
||||
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
|
||||
|
||||
public class NspSearchTest extends BaseTest {
|
||||
|
||||
@@ -45,8 +48,7 @@ public class NspSearchTest extends BaseTest {
|
||||
searcher = new NspSearch(new URL(url));
|
||||
}
|
||||
|
||||
//@Test
|
||||
//todo: this test does not work in Java 7 - UNABLE TO FIND VALID CERTIFICATION PATH TO REQUESTED TARGET
|
||||
@Test
|
||||
public void testNspSearchPositive() throws Exception {
|
||||
InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json");
|
||||
try (JsonReader jsonReader = Json.createReader(in)) {
|
||||
@@ -56,17 +58,24 @@ public class NspSearchTest extends BaseTest {
|
||||
final JsonObject nspPayload = builder.add("package", sanitizedJson).build();
|
||||
final List<Advisory> advisories = searcher.submitPackage(nspPayload);
|
||||
Assert.assertTrue(advisories.size() > 0);
|
||||
} catch (Exception ex) {
|
||||
assumeFalse(ex instanceof URLConnectionFailureException
|
||||
&& ex.getMessage().contains("Unable to connect to "));
|
||||
throw ex;
|
||||
}
|
||||
}
|
||||
|
||||
//@Test(expected = IOException.class)
|
||||
//todo: this test does not work in Java 7 - UNABLE TO FIND VALID CERTIFICATION PATH TO REQUESTED TARGET
|
||||
@Test
|
||||
public void testNspSearchNegative() throws Exception {
|
||||
InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json");
|
||||
try (JsonReader jsonReader = Json.createReader(in)) {
|
||||
final JsonObject packageJson = jsonReader.readObject();
|
||||
final JsonObject sanitizedJson = SanitizePackage.sanitize(packageJson);
|
||||
searcher.submitPackage(sanitizedJson);
|
||||
} catch (Exception ex) {
|
||||
assumeFalse(ex instanceof URLConnectionFailureException
|
||||
&& ex.getMessage().contains("Unable to connect to "));
|
||||
throw ex;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user