upgraded to use apache commons compress instead of core java zip api to accomodate UTF-8

Former-commit-id: 9a681b87ad8f53a909939360733f04b1e552f481
2026-01-15 00:03:43 +01:00 · 2013-08-14 20:06:26 -04:00
parent f22cabc32a
commit 1fd633a23b
3 changed files with 54 additions and 7 deletions
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -461,6 +461,11 @@ along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
            <version>1.7.2</version>
            <type>jar</type>
        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.5</version>
+        </dependency>
        <!-- The following dependencies are only scanned during integration testing -->
        <!--<dependency>
            <groupId>org.springframework</groupId>
@@ -468,5 +473,11 @@ along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
            <version>2.5.5</version>
            <scope>test</scope>
        </dependency>-->
+        <dependency>
+            <groupId>com.hazelcast</groupId>
+            <artifactId>hazelcast</artifactId>
+            <version>2.5</version>
+            <scope>test</scope>
+        </dependency>
    </dependencies>
 </project>
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -32,8 +32,11 @@ import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import java.util.zip.ZipEntry;
-import java.util.zip.ZipInputStream;
+//import java.util.zip.ZipEntry;
+//import java.util.zip.ZipException;
+//import java.util.zip.ZipInputStream;
+import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
+import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
 import org.h2.store.fs.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -243,7 +246,8 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
        }

        FileInputStream fis = null;
-        ZipInputStream zis = null;
+        //ZipInputStream zis = null;
+        ZipArchiveInputStream zis = null;

        try {
            fis = new FileInputStream(archive);
@@ -251,10 +255,11 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.INFO, null, ex);
            throw new AnalysisException("Archive file was not found.", ex);
        }
-        zis = new ZipInputStream(new BufferedInputStream(fis));
-        ZipEntry entry;
+        zis = new ZipArchiveInputStream(new BufferedInputStream(fis));
+        ZipArchiveEntry entry;
+
        try {
-            while ((entry = zis.getNextEntry()) != null) {
+            while ((entry = zis.getNextZipEntry()) != null) {
                if (entry.isDirectory()) {
                    final File d = new File(extractTo, entry.getName());
                    if (!d.mkdirs()) {
@@ -295,7 +300,13 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
            }
        } catch (IOException ex) {
            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, msg, ex);
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            throw new AnalysisException(msg, ex);
+        } catch (Throwable ex) {
+            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, null, ex);
            throw new AnalysisException(msg, ex);
        } finally {
            try {
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java
@@ -154,4 +154,29 @@ public class ArchiveAnalyzerTest {
            instance.close();
        }
    }
+
+    /**
+     * Test of analyze method, of class ArchiveAnalyzer.
+     */
+    @Test
+    public void testAnalyze_badZip() throws Exception {
+        ArchiveAnalyzer instance = new ArchiveAnalyzer();
+        try {
+            instance.initialize();
+
+            File file = new File(this.getClass().getClassLoader().getResource("test.zip").getPath());
+            Dependency dependency = new Dependency(file);
+            Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+            Engine engine = new Engine();
+
+            int initial_size = engine.getDependencies().size();
+            instance.analyze(dependency, engine);
+            int ending_size = engine.getDependencies().size();
+
+            assertTrue(initial_size == ending_size);
+
+        } finally {
+            instance.close();
+        }
+    }
 }