github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-31 14:13:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

patch to resolve issue #547

Browse Source
This commit is contained in:
Jeremy Long
2016-08-28 07:46:42 -04:00
parent 4f95af0864
commit 1f254997e1
1 changed files with 50 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
View File

@@ -17,6 +17,7 @@
*/ */
package org.owasp.dependencycheck.analyzer; package org.owasp.dependencycheck.analyzer;
import java.io.BufferedReader;
import java.io.File; import java.io.File;
import java.io.FileFilter; import java.io.FileFilter;
import java.io.FileOutputStream; import java.io.FileOutputStream;
@@ -35,6 +36,9 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.w3c.dom.Document; import org.w3c.dom.Document;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
import java.io.InputStreamReader;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.DocumentBuilderFactory;
@@ -45,6 +49,7 @@ import java.util.ArrayList;
import java.util.List; import java.util.List;
import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.ParserConfigurationException;
import org.owasp.dependencycheck.exception.InitializationException; import org.owasp.dependencycheck.exception.InitializationException;
import org.apache.commons.lang3.SystemUtils;
/** /**
* Analyzer for getting company, product, and version information from a .NET * Analyzer for getting company, product, and version information from a .NET
@@ -88,15 +93,16 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
private List<String> buildArgumentList() { private List<String> buildArgumentList() {
// Use file.separator as a wild guess as to whether this is Windows // Use file.separator as a wild guess as to whether this is Windows
final List<String> args = new ArrayList<String>(); final List<String> args = new ArrayList<String>();
if (!"\\".equals(System.getProperty("file.separator"))) { if (!SystemUtils.IS_OS_WINDOWS) {
if (Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) { if (Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) {
args.add(Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH)); args.add(Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH));
} else { } else if (isInPath("mono")) {
args.add("mono"); args.add("mono");
} else {
return null;
} }
} }
args.add(grokAssemblyExe.getPath()); args.add(grokAssemblyExe.getPath());
return args; return args;
} }
@@ -229,6 +235,21 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
// Now, need to see if GrokAssembly actually runs from this location. // Now, need to see if GrokAssembly actually runs from this location.
final List<String> args = buildArgumentList(); final List<String> args = buildArgumentList();
//TODO this creaes an "unreported" error - if someone doesn't look
// at the command output this could easily be missed (especially in an
// Ant or Mmaven build.
//
// We need to create a non-fatal warning error type that will
// get added to the report.
//TOOD this idea needs to get replicated to the bundle audit analyzer.
if (args == null) {
setEnabled(false);
LOGGER.error("----------------------------------------------------");
LOGGER.error(".NET Assembly Analyzer could not be initialized and at least one "
+ "'exe' or 'dll' was scanned. The 'mono' executale could not be found on "
+ "the path; either disable the Assembly Analyzer or configure the path mono.");
LOGGER.error("----------------------------------------------------");
}
try { try {
final ProcessBuilder pb = new ProcessBuilder(args); final ProcessBuilder pb = new ProcessBuilder(args);
final Process p = pb.start(); final Process p = pb.start();
@@ -246,6 +267,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
throw new InitializationException("Could not execute .NET AssemblyAnalyzer"); throw new InitializationException("Could not execute .NET AssemblyAnalyzer");
} }
} catch (InitializationException e) { } catch (InitializationException e) {
setEnabled(false);
throw e; throw e;
} catch (Throwable e) { } catch (Throwable e) {
LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n" LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
@@ -320,4 +342,29 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
protected String getAnalyzerEnabledSettingKey() { protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED; return Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED;
} }
/**
* Tests to see if a file is in the system path. <b>Note</b> - the current
* implementation only works on non-windows platforms. For purposes of the
* AssemblyAnalyzer this is okay as this is only needed on Mac/*nix.
*
* @param file the executable to look for
* @return <code>true</code> if the file exists; otherwise
* <code>false</code>
*/
private boolean isInPath(String file) {
ProcessBuilder pb = new ProcessBuilder("which", file);
try {
Process proc = pb.start();
int retCode = proc.waitFor();
if (retCode == 0) {
return true;
}
} catch (IOException ex) {
LOGGER.debug("Path seach failed for " + file);
} catch (InterruptedException ex) {
LOGGER.debug("Path seach failed for " + file);
}
return false;
}
} }