patch to resolve issue #547

2026-01-16 08:36:55 +01:00 · 2016-08-28 07:46:42 -04:00
parent 4f95af0864
commit 1f254997e1
1 changed files with 50 additions and 3 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -17,6 +17,7 @@
 */
 package org.owasp.dependencycheck.analyzer;

+import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FileOutputStream;
@@ -35,6 +36,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.xml.sax.SAXException;
+import java.io.InputStreamReader;
+import java.nio.file.Path;
+import java.nio.file.Paths;

 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -45,6 +49,7 @@ import java.util.ArrayList;
 import java.util.List;
 import javax.xml.parsers.ParserConfigurationException;
 import org.owasp.dependencycheck.exception.InitializationException;
+import org.apache.commons.lang3.SystemUtils;

 /**
 * Analyzer for getting company, product, and version information from a .NET
@@ -88,15 +93,16 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
    private List<String> buildArgumentList() {
        // Use file.separator as a wild guess as to whether this is Windows
        final List<String> args = new ArrayList<String>();
-        if (!"\\".equals(System.getProperty("file.separator"))) {
+        if (!SystemUtils.IS_OS_WINDOWS) {
            if (Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) {
                args.add(Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH));
-            } else {
+            } else if (isInPath("mono")) {
                args.add("mono");
+            } else {
+                return null;
            }
        }
        args.add(grokAssemblyExe.getPath());
-
        return args;
    }

@@ -229,6 +235,21 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {

        // Now, need to see if GrokAssembly actually runs from this location.
        final List<String> args = buildArgumentList();
+        //TODO this creaes an "unreported" error - if someone doesn't look
+        // at the command output this could easily be missed (especially in an
+        // Ant or Mmaven build. 
+        //
+        // We need to create a non-fatal warning error type that will
+        // get added to the report.
+        //TOOD this idea needs to get replicated to the bundle audit analyzer.
+        if (args == null) {
+            setEnabled(false);
+            LOGGER.error("----------------------------------------------------");
+            LOGGER.error(".NET Assembly Analyzer could not be initialized and at least one "
+                    + "'exe' or 'dll' was scanned. The 'mono' executale could not be found on "
+                    + "the path; either disable the Assembly Analyzer or configure the path mono.");
+            LOGGER.error("----------------------------------------------------");
+        }
        try {
            final ProcessBuilder pb = new ProcessBuilder(args);
            final Process p = pb.start();
@@ -246,6 +267,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
                throw new InitializationException("Could not execute .NET AssemblyAnalyzer");
            }
        } catch (InitializationException e) {
+            setEnabled(false);
            throw e;
        } catch (Throwable e) {
            LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
@@ -320,4 +342,29 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED;
    }
+
+    /**
+     * Tests to see if a file is in the system path. <b>Note</b> - the current
+     * implementation only works on non-windows platforms. For purposes of the
+     * AssemblyAnalyzer this is okay as this is only needed on Mac/*nix.
+     *
+     * @param file the executable to look for
+     * @return <code>true</code> if the file exists; otherwise
+     * <code>false</code>
+     */
+    private boolean isInPath(String file) {
+        ProcessBuilder pb = new ProcessBuilder("which", file);
+        try {
+            Process proc = pb.start();
+            int retCode = proc.waitFor();
+            if (retCode == 0) {
+                return true;
+            }
+        } catch (IOException ex) {
+            LOGGER.debug("Path seach failed for " + file);
+        } catch (InterruptedException ex) {
+            LOGGER.debug("Path seach failed for " + file);
+        }
+        return false;
+    }
 }