mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-01-14 15:53:36 +01:00
general code cleanup/fixes
This commit is contained in:
Jeremy Long
@@ -25,6 +25,7 @@ import java.io.InputStream;
|
||||
import java.io.InputStreamReader;
|
||||
import java.io.OutputStream;
|
||||
import java.io.Reader;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Enumeration;
|
||||
import java.util.HashMap;
|
||||
@@ -261,79 +262,70 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
*/
|
||||
protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException {
|
||||
boolean foundSomething = false;
|
||||
final JarFile jar;
|
||||
JarFile jar = null;
|
||||
List<String> pomEntries = null;
|
||||
try {
|
||||
jar = new JarFile(dependency.getActualFilePath());
|
||||
pomEntries = retrievePomListing(jar);
|
||||
} catch (IOException ex) {
|
||||
LOGGER.warn("Unable to read JarFile '{}'.", dependency.getActualFilePath());
|
||||
LOGGER.trace("", ex);
|
||||
if (jar != null) {
|
||||
try {
|
||||
jar.close();
|
||||
} catch (IOException ex1) {
|
||||
LOGGER.trace("", ex1);
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
List<String> pomEntries;
|
||||
try {
|
||||
pomEntries = retrievePomListing(jar);
|
||||
} catch (IOException ex) {
|
||||
LOGGER.warn("Unable to read Jar file entries in '{}'.", dependency.getActualFilePath());
|
||||
LOGGER.trace("", ex);
|
||||
return false;
|
||||
}
|
||||
File externalPom = null;
|
||||
if (pomEntries.isEmpty()) {
|
||||
if (pomEntries != null && pomEntries.isEmpty()) {
|
||||
final String pomPath = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom";
|
||||
externalPom = new File(pomPath);
|
||||
final File externalPom = new File(pomPath);
|
||||
if (externalPom.isFile()) {
|
||||
pomEntries.add(pomPath);
|
||||
Model pom = PomUtils.readPom(externalPom);
|
||||
if (pom != null) {
|
||||
return setPomEvidence(dependency, pom, classes);
|
||||
}
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
//reported possible null dereference on pomEntries is on a non-feasible path
|
||||
for (String path : pomEntries) {
|
||||
//TODO - one of these is likely the pom for the main JAR we are analyzing
|
||||
LOGGER.debug("Reading pom entry: {}", path);
|
||||
Properties pomProperties = null;
|
||||
try {
|
||||
if (externalPom == null) { //pom in the local repo doesn't have a properties file
|
||||
pomProperties = retrievePomProperties(path, jar);
|
||||
}
|
||||
} catch (IOException ex) {
|
||||
LOGGER.trace("ignore this, failed reading a non-existent pom.properties", ex);
|
||||
}
|
||||
Model pom = null;
|
||||
try {
|
||||
if (pomEntries.size() > 1) {
|
||||
//extract POM to its own directory and add it as its own dependency
|
||||
final Dependency newDependency = new Dependency();
|
||||
pom = extractPom(path, jar, newDependency);
|
||||
//extract POM to its own directory and add it as its own dependency
|
||||
final Properties pomProperties = retrievePomProperties(path, jar);
|
||||
final File pomFile = extractPom(path, jar);
|
||||
final Model pom = PomUtils.readPom(pomFile);
|
||||
pom.processProperties(pomProperties);
|
||||
|
||||
final String displayPath = String.format("%s%s%s",
|
||||
dependency.getFilePath(),
|
||||
File.separator,
|
||||
path);
|
||||
final String displayName = String.format("%s%s%s",
|
||||
dependency.getFileName(),
|
||||
File.separator,
|
||||
path);
|
||||
|
||||
newDependency.setFileName(displayName);
|
||||
newDependency.setFilePath(displayPath);
|
||||
pom.processProperties(pomProperties);
|
||||
setPomEvidence(newDependency, pom, null);
|
||||
engine.getDependencies().add(newDependency);
|
||||
} else {
|
||||
if (externalPom == null) {
|
||||
pom = PomUtils.readPom(path, jar);
|
||||
} else {
|
||||
pom = PomUtils.readPom(externalPom);
|
||||
}
|
||||
if (pom != null) {
|
||||
pom.processProperties(pomProperties);
|
||||
foundSomething |= setPomEvidence(dependency, pom, classes);
|
||||
}
|
||||
}
|
||||
final String displayPath = String.format("%s%s%s",
|
||||
dependency.getFilePath(),
|
||||
File.separator,
|
||||
path);
|
||||
final String displayName = String.format("%s%s%s",
|
||||
dependency.getFileName(),
|
||||
File.separator,
|
||||
path);
|
||||
final Dependency newDependency = new Dependency();
|
||||
newDependency.setActualFilePath(pomFile.getAbsolutePath());
|
||||
newDependency.setFileName(displayName);
|
||||
newDependency.setFilePath(displayPath);
|
||||
setPomEvidence(newDependency, pom, null);
|
||||
engine.getDependencies().add(newDependency);
|
||||
} catch (AnalysisException ex) {
|
||||
LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
|
||||
LOGGER.trace("", ex);
|
||||
}
|
||||
}
|
||||
try {
|
||||
jar.close();
|
||||
} catch (IOException ex) {
|
||||
LOGGER.trace("", ex);
|
||||
}
|
||||
return foundSomething;
|
||||
}
|
||||
|
||||
@@ -347,7 +339,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @throws IOException thrown if there is an exception reading the
|
||||
* pom.properties
|
||||
*/
|
||||
private Properties retrievePomProperties(String path, final JarFile jar) throws IOException {
|
||||
private Properties retrievePomProperties(String path, final JarFile jar) {
|
||||
Properties pomProperties = null;
|
||||
final String propPath = path.substring(0, path.length() - 7) + "pom.properies";
|
||||
final ZipEntry propEntry = jar.getEntry(propPath);
|
||||
@@ -358,6 +350,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
pomProperties = new Properties();
|
||||
pomProperties.load(reader);
|
||||
LOGGER.debug("Read pom.properties: {}", propPath);
|
||||
} catch (UnsupportedEncodingException ex) {
|
||||
LOGGER.trace("UTF-8 is not supported", ex);
|
||||
} catch (IOException ex) {
|
||||
LOGGER.trace("Unable to read the POM properties", ex);
|
||||
} finally {
|
||||
if (reader != null) {
|
||||
try {
|
||||
@@ -394,16 +390,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieves the specified POM from a jar file and converts it to a Model.
|
||||
* Retrieves the specified POM from a jar.
|
||||
*
|
||||
* @param path the path to the pom.xml file within the jar file
|
||||
* @param jar the jar file to extract the pom from
|
||||
* @param dependency the dependency being analyzed
|
||||
* @return returns the POM object
|
||||
* @return returns the POM file
|
||||
* @throws AnalysisException is thrown if there is an exception extracting
|
||||
* or parsing the POM {@link org.owasp.dependencycheck.xml.pom.Model} object
|
||||
* the file
|
||||
*/
|
||||
private Model extractPom(String path, JarFile jar, Dependency dependency) throws AnalysisException {
|
||||
private File extractPom(String path, JarFile jar) throws AnalysisException {
|
||||
InputStream input = null;
|
||||
FileOutputStream fos = null;
|
||||
final File tmpDir = getNextTempDirectory();
|
||||
@@ -416,15 +411,14 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
input = jar.getInputStream(entry);
|
||||
fos = new FileOutputStream(file);
|
||||
IOUtils.copy(input, fos);
|
||||
dependency.setActualFilePath(file.getAbsolutePath());
|
||||
} catch (IOException ex) {
|
||||
LOGGER.warn("An error occurred reading '{}' from '{}'.", path, dependency.getFilePath());
|
||||
LOGGER.warn("An error occurred reading '{}' from '{}'.", path, jar.getName());
|
||||
LOGGER.error("", ex);
|
||||
} finally {
|
||||
closeStream(fos);
|
||||
closeStream(input);
|
||||
}
|
||||
return PomUtils.readPom(file);
|
||||
return file;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -738,7 +732,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
value = value.substring(0, pos - 1);
|
||||
}
|
||||
pos = value.indexOf('[');
|
||||
if (pos > 0 ) {
|
||||
if (pos > 0) {
|
||||
value = value.substring(0, pos - 1);
|
||||
}
|
||||
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
|
||||
Reference in New Issue
Block a user