general code cleanup/fixes

This commit is contained in:
Jeremy Long
2016-11-22 05:46:35 -05:00
parent 85ab894b94
commit 1610f14c47


@@ -25,6 +25,7 @@ import java.io.InputStream;
import java.io.InputStreamReader; import java.io.InputStreamReader;
import java.io.OutputStream; import java.io.OutputStream;
import java.io.Reader; import java.io.Reader;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Enumeration; import java.util.Enumeration;
import java.util.HashMap; import java.util.HashMap;
@@ -261,79 +262,70 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*/ */
protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException { protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException {
boolean foundSomething = false; boolean foundSomething = false;
final JarFile jar; JarFile jar = null;
List<String> pomEntries = null;
try { try {
jar = new JarFile(dependency.getActualFilePath()); jar = new JarFile(dependency.getActualFilePath());
pomEntries = retrievePomListing(jar);
} catch (IOException ex) { } catch (IOException ex) {
LOGGER.warn("Unable to read JarFile '{}'.", dependency.getActualFilePath()); LOGGER.warn("Unable to read JarFile '{}'.", dependency.getActualFilePath());
LOGGER.trace("", ex); LOGGER.trace("", ex);
if (jar != null) {
try {
jar.close();
} catch (IOException ex1) {
LOGGER.trace("", ex1);
}
}
return false; return false;
} }
List<String> pomEntries; if (pomEntries != null && pomEntries.isEmpty()) {
try {
pomEntries = retrievePomListing(jar);
} catch (IOException ex) {
LOGGER.warn("Unable to read Jar file entries in '{}'.", dependency.getActualFilePath());
LOGGER.trace("", ex);
return false;
}
File externalPom = null;
if (pomEntries.isEmpty()) {
final String pomPath = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom"; final String pomPath = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom";
externalPom = new File(pomPath); final File externalPom = new File(pomPath);
if (externalPom.isFile()) { if (externalPom.isFile()) {
pomEntries.add(pomPath); Model pom = PomUtils.readPom(externalPom);
if (pom != null) {
return setPomEvidence(dependency, pom, classes);
}
} else { } else {
return false; return false;
} }
} }
//reported possible null dereference on pomEntries is on a non-feasible path
for (String path : pomEntries) { for (String path : pomEntries) {
//TODO - one of these is likely the pom for the main JAR we are analyzing
LOGGER.debug("Reading pom entry: {}", path); LOGGER.debug("Reading pom entry: {}", path);
Properties pomProperties = null;
try { try {
if (externalPom == null) { //pom in the local repo doesn't have a properties file //extract POM to its own directory and add it as its own dependency
pomProperties = retrievePomProperties(path, jar); final Properties pomProperties = retrievePomProperties(path, jar);
} final File pomFile = extractPom(path, jar);
} catch (IOException ex) { final Model pom = PomUtils.readPom(pomFile);
LOGGER.trace("ignore this, failed reading a non-existent pom.properties", ex); pom.processProperties(pomProperties);
}
Model pom = null;
try {
if (pomEntries.size() > 1) {
//extract POM to its own directory and add it as its own dependency
final Dependency newDependency = new Dependency();
pom = extractPom(path, jar, newDependency);
final String displayPath = String.format("%s%s%s", final String displayPath = String.format("%s%s%s",
dependency.getFilePath(), dependency.getFilePath(),
File.separator, File.separator,
path); path);
final String displayName = String.format("%s%s%s", final String displayName = String.format("%s%s%s",
dependency.getFileName(), dependency.getFileName(),
File.separator, File.separator,
path); path);
final Dependency newDependency = new Dependency();
newDependency.setFileName(displayName); newDependency.setActualFilePath(pomFile.getAbsolutePath());
newDependency.setFilePath(displayPath); newDependency.setFileName(displayName);
pom.processProperties(pomProperties); newDependency.setFilePath(displayPath);
setPomEvidence(newDependency, pom, null); setPomEvidence(newDependency, pom, null);
engine.getDependencies().add(newDependency); engine.getDependencies().add(newDependency);
} else {
if (externalPom == null) {
pom = PomUtils.readPom(path, jar);
} else {
pom = PomUtils.readPom(externalPom);
}
if (pom != null) {
pom.processProperties(pomProperties);
foundSomething |= setPomEvidence(dependency, pom, classes);
}
}
} catch (AnalysisException ex) { } catch (AnalysisException ex) {
LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath()); LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
LOGGER.trace("", ex); LOGGER.trace("", ex);
} }
} }
try {
jar.close();
} catch (IOException ex) {
LOGGER.trace("", ex);
}
return foundSomething; return foundSomething;
} }
@@ -347,7 +339,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @throws IOException thrown if there is an exception reading the * @throws IOException thrown if there is an exception reading the
* pom.properties * pom.properties
*/ */
private Properties retrievePomProperties(String path, final JarFile jar) throws IOException { private Properties retrievePomProperties(String path, final JarFile jar) {
Properties pomProperties = null; Properties pomProperties = null;
final String propPath = path.substring(0, path.length() - 7) + "pom.properies"; final String propPath = path.substring(0, path.length() - 7) + "pom.properies";
final ZipEntry propEntry = jar.getEntry(propPath); final ZipEntry propEntry = jar.getEntry(propPath);
@@ -358,6 +350,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
pomProperties = new Properties(); pomProperties = new Properties();
pomProperties.load(reader); pomProperties.load(reader);
LOGGER.debug("Read pom.properties: {}", propPath); LOGGER.debug("Read pom.properties: {}", propPath);
} catch (UnsupportedEncodingException ex) {
LOGGER.trace("UTF-8 is not supported", ex);
} catch (IOException ex) {
LOGGER.trace("Unable to read the POM properties", ex);
} finally { } finally {
if (reader != null) { if (reader != null) {
try { try {
@@ -394,16 +390,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
} }
/** /**
* Retrieves the specified POM from a jar file and converts it to a Model. * Retrieves the specified POM from a jar.
* *
* @param path the path to the pom.xml file within the jar file * @param path the path to the pom.xml file within the jar file
* @param jar the jar file to extract the pom from * @param jar the jar file to extract the pom from
* @param dependency the dependency being analyzed * @return returns the POM file
* @return returns the POM object
* @throws AnalysisException is thrown if there is an exception extracting * @throws AnalysisException is thrown if there is an exception extracting
* or parsing the POM {@link org.owasp.dependencycheck.xml.pom.Model} object * the file
*/ */
private Model extractPom(String path, JarFile jar, Dependency dependency) throws AnalysisException { private File extractPom(String path, JarFile jar) throws AnalysisException {
InputStream input = null; InputStream input = null;
FileOutputStream fos = null; FileOutputStream fos = null;
final File tmpDir = getNextTempDirectory(); final File tmpDir = getNextTempDirectory();
@@ -416,15 +411,14 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
input = jar.getInputStream(entry); input = jar.getInputStream(entry);
fos = new FileOutputStream(file); fos = new FileOutputStream(file);
IOUtils.copy(input, fos); IOUtils.copy(input, fos);
dependency.setActualFilePath(file.getAbsolutePath());
} catch (IOException ex) { } catch (IOException ex) {
LOGGER.warn("An error occurred reading '{}' from '{}'.", path, dependency.getFilePath()); LOGGER.warn("An error occurred reading '{}' from '{}'.", path, jar.getName());
LOGGER.error("", ex); LOGGER.error("", ex);
} finally { } finally {
closeStream(fos); closeStream(fos);
closeStream(input); closeStream(input);
} }
return PomUtils.readPom(file); return file;
} }
/** /**
@@ -738,7 +732,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
value = value.substring(0, pos - 1); value = value.substring(0, pos - 1);
} }
pos = value.indexOf('['); pos = value.indexOf('[');
if (pos > 0 ) { if (pos > 0) {
value = value.substring(0, pos - 1); value = value.substring(0, pos - 1);
} }
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM); versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
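Review bot: On the new side of analyzePOM the JarFile opened by `jar = new JarFile(dependency.getActualFilePath())` is closed only inside the `catch (IOException ex)` block; it stays open on the `return setPomEvidence(dependency, pom, classes)` and `return false` paths of the external-.pom branch, on the closing `return foundSomething`, and whenever something other than AnalysisException escapes the entry loop (the standalone `try { jar.close(); }` block just before `return foundSomething` is printed unpaired, so it appears to be removed rather than added). Across a scan of many jars that is a file-descriptor leak, and wrapping everything after the open in try/finally as below bounds it regardless of which return is taken. Second, `final Model pom = PomUtils.readPom(pomFile); pom.processProperties(pomProperties);` dereferences `pom` without the `if (pom != null)` guard the external-.pom branch applies to the same call a few lines earlier, and `extractPom` now returns `file` even after its IOException branch, so an unextractable or unparseable pom entry can surface as a NullPointerException that `catch (AnalysisException ex)` does not cover and that abandons the remaining entries; `if (pom == null) { continue; }` after the read keeps one bad entry from hiding evidence from the others. Note too that the loop no longer assigns `foundSomething`, so the method returns false after processing entries; if callers act on that result, an equivalent of the removed `foundSomething |= setPomEvidence(dependency, pom, classes)` may be needed, as the TODO at the top of the loop hints.
```java
        // … unchanged: open jar and retrievePomListing, with the existing catch (IOException ex) …
        try {
            // … unchanged: external .pom lookup and the pom-entry loop …
            return foundSomething;
        } finally {
            try {
                jar.close();
            } catch (IOException ex) {
                LOGGER.trace("", ex);
            }
        }
```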