diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java index e8eaea495..016d2d84b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java @@ -17,6 +17,7 @@ */ package org.owasp.dependencycheck.analyzer; +import java.io.BufferedReader; import java.io.File; import java.io.FileFilter; import java.io.FileOutputStream; @@ -35,6 +36,9 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.w3c.dom.Document; import org.xml.sax.SAXException; +import java.io.InputStreamReader; +import java.nio.file.Path; +import java.nio.file.Paths; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -45,6 +49,7 @@ import java.util.ArrayList; import java.util.List; import javax.xml.parsers.ParserConfigurationException; import org.owasp.dependencycheck.exception.InitializationException; +import org.apache.commons.lang3.SystemUtils; /** * Analyzer for getting company, product, and version information from a .NET @@ -88,15 +93,16 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { private List buildArgumentList() { // Use file.separator as a wild guess as to whether this is Windows final List args = new ArrayList(); - if (!"\\".equals(System.getProperty("file.separator"))) { + if (!SystemUtils.IS_OS_WINDOWS) { if (Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) { args.add(Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH)); - } else { + } else if (isInPath("mono")) { args.add("mono"); + } else { + return null; } } args.add(grokAssemblyExe.getPath()); - return args; } @@ -229,6 +235,21 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { // Now, need to see if GrokAssembly actually runs from this location. final List args = buildArgumentList(); + //TODO this creaes an "unreported" error - if someone doesn't look + // at the command output this could easily be missed (especially in an + // Ant or Mmaven build. + // + // We need to create a non-fatal warning error type that will + // get added to the report. + //TOOD this idea needs to get replicated to the bundle audit analyzer. + if (args == null) { + setEnabled(false); + LOGGER.error("----------------------------------------------------"); + LOGGER.error(".NET Assembly Analyzer could not be initialized and at least one " + + "'exe' or 'dll' was scanned. The 'mono' executale could not be found on " + + "the path; either disable the Assembly Analyzer or configure the path mono."); + LOGGER.error("----------------------------------------------------"); + } try { final ProcessBuilder pb = new ProcessBuilder(args); final Process p = pb.start(); @@ -246,6 +267,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { throw new InitializationException("Could not execute .NET AssemblyAnalyzer"); } } catch (InitializationException e) { + setEnabled(false); throw e; } catch (Throwable e) { LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n" @@ -320,4 +342,29 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { protected String getAnalyzerEnabledSettingKey() { return Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED; } + + /** + * Tests to see if a file is in the system path. Note - the current + * implementation only works on non-windows platforms. For purposes of the + * AssemblyAnalyzer this is okay as this is only needed on Mac/*nix. + * + * @param file the executable to look for + * @return true if the file exists; otherwise + * false + */ + private boolean isInPath(String file) { + ProcessBuilder pb = new ProcessBuilder("which", file); + try { + Process proc = pb.start(); + int retCode = proc.waitFor(); + if (retCode == 0) { + return true; + } + } catch (IOException ex) { + LOGGER.debug("Path seach failed for " + file); + } catch (InterruptedException ex) { + LOGGER.debug("Path seach failed for " + file); + } + return false; + } }