From 1610f14c47b1dec6bf5d7b47ae20b6fd80000dba Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 22 Nov 2016 05:46:35 -0500 Subject: [PATCH] general code cleanup/fixes --- .../dependencycheck/analyzer/JarAnalyzer.java | 116 +++++++++--------- 1 file changed, 55 insertions(+), 61 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index b4b1b831b..1ebbdea36 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java @@ -25,6 +25,7 @@ import java.io.InputStream; import java.io.InputStreamReader; import java.io.OutputStream; import java.io.Reader; +import java.io.UnsupportedEncodingException; import java.util.ArrayList; import java.util.Enumeration; import java.util.HashMap; @@ -261,79 +262,70 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { */ protected boolean analyzePOM(Dependency dependency, List classes, Engine engine) throws AnalysisException { boolean foundSomething = false; - final JarFile jar; + JarFile jar = null; + List pomEntries = null; try { jar = new JarFile(dependency.getActualFilePath()); + pomEntries = retrievePomListing(jar); } catch (IOException ex) { LOGGER.warn("Unable to read JarFile '{}'.", dependency.getActualFilePath()); LOGGER.trace("", ex); + if (jar != null) { + try { + jar.close(); + } catch (IOException ex1) { + LOGGER.trace("", ex1); + } + } return false; } - List pomEntries; - try { - pomEntries = retrievePomListing(jar); - } catch (IOException ex) { - LOGGER.warn("Unable to read Jar file entries in '{}'.", dependency.getActualFilePath()); - LOGGER.trace("", ex); - return false; - } - File externalPom = null; - if (pomEntries.isEmpty()) { + if (pomEntries != null && pomEntries.isEmpty()) { final String pomPath = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom"; - externalPom = new File(pomPath); + final File externalPom = new File(pomPath); if (externalPom.isFile()) { - pomEntries.add(pomPath); + Model pom = PomUtils.readPom(externalPom); + if (pom != null) { + return setPomEvidence(dependency, pom, classes); + } } else { return false; } } + //reported possible null dereference on pomEntries is on a non-feasible path for (String path : pomEntries) { + //TODO - one of these is likely the pom for the main JAR we are analyzing LOGGER.debug("Reading pom entry: {}", path); - Properties pomProperties = null; try { - if (externalPom == null) { //pom in the local repo doesn't have a properties file - pomProperties = retrievePomProperties(path, jar); - } - } catch (IOException ex) { - LOGGER.trace("ignore this, failed reading a non-existent pom.properties", ex); - } - Model pom = null; - try { - if (pomEntries.size() > 1) { - //extract POM to its own directory and add it as its own dependency - final Dependency newDependency = new Dependency(); - pom = extractPom(path, jar, newDependency); + //extract POM to its own directory and add it as its own dependency + final Properties pomProperties = retrievePomProperties(path, jar); + final File pomFile = extractPom(path, jar); + final Model pom = PomUtils.readPom(pomFile); + pom.processProperties(pomProperties); - final String displayPath = String.format("%s%s%s", - dependency.getFilePath(), - File.separator, - path); - final String displayName = String.format("%s%s%s", - dependency.getFileName(), - File.separator, - path); - - newDependency.setFileName(displayName); - newDependency.setFilePath(displayPath); - pom.processProperties(pomProperties); - setPomEvidence(newDependency, pom, null); - engine.getDependencies().add(newDependency); - } else { - if (externalPom == null) { - pom = PomUtils.readPom(path, jar); - } else { - pom = PomUtils.readPom(externalPom); - } - if (pom != null) { - pom.processProperties(pomProperties); - foundSomething |= setPomEvidence(dependency, pom, classes); - } - } + final String displayPath = String.format("%s%s%s", + dependency.getFilePath(), + File.separator, + path); + final String displayName = String.format("%s%s%s", + dependency.getFileName(), + File.separator, + path); + final Dependency newDependency = new Dependency(); + newDependency.setActualFilePath(pomFile.getAbsolutePath()); + newDependency.setFileName(displayName); + newDependency.setFilePath(displayPath); + setPomEvidence(newDependency, pom, null); + engine.getDependencies().add(newDependency); } catch (AnalysisException ex) { LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath()); LOGGER.trace("", ex); } } + try { + jar.close(); + } catch (IOException ex) { + LOGGER.trace("", ex); + } return foundSomething; } @@ -347,7 +339,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { * @throws IOException thrown if there is an exception reading the * pom.properties */ - private Properties retrievePomProperties(String path, final JarFile jar) throws IOException { + private Properties retrievePomProperties(String path, final JarFile jar) { Properties pomProperties = null; final String propPath = path.substring(0, path.length() - 7) + "pom.properies"; final ZipEntry propEntry = jar.getEntry(propPath); @@ -358,6 +350,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { pomProperties = new Properties(); pomProperties.load(reader); LOGGER.debug("Read pom.properties: {}", propPath); + } catch (UnsupportedEncodingException ex) { + LOGGER.trace("UTF-8 is not supported", ex); + } catch (IOException ex) { + LOGGER.trace("Unable to read the POM properties", ex); } finally { if (reader != null) { try { @@ -394,16 +390,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { } /** - * Retrieves the specified POM from a jar file and converts it to a Model. + * Retrieves the specified POM from a jar. * * @param path the path to the pom.xml file within the jar file * @param jar the jar file to extract the pom from - * @param dependency the dependency being analyzed - * @return returns the POM object + * @return returns the POM file * @throws AnalysisException is thrown if there is an exception extracting - * or parsing the POM {@link org.owasp.dependencycheck.xml.pom.Model} object + * the file */ - private Model extractPom(String path, JarFile jar, Dependency dependency) throws AnalysisException { + private File extractPom(String path, JarFile jar) throws AnalysisException { InputStream input = null; FileOutputStream fos = null; final File tmpDir = getNextTempDirectory(); @@ -416,15 +411,14 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { input = jar.getInputStream(entry); fos = new FileOutputStream(file); IOUtils.copy(input, fos); - dependency.setActualFilePath(file.getAbsolutePath()); } catch (IOException ex) { - LOGGER.warn("An error occurred reading '{}' from '{}'.", path, dependency.getFilePath()); + LOGGER.warn("An error occurred reading '{}' from '{}'.", path, jar.getName()); LOGGER.error("", ex); } finally { closeStream(fos); closeStream(input); } - return PomUtils.readPom(file); + return file; } /** @@ -738,7 +732,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { value = value.substring(0, pos - 1); } pos = value.indexOf('['); - if (pos > 0 ) { + if (pos > 0) { value = value.substring(0, pos - 1); } versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);