added synchronization per issue #785

2026-03-24 10:01:35 +01:00 · 2017-07-26 11:48:50 -04:00
parent 9c744211d7
commit 2753bb97c8
4 changed files with 40 additions and 78 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -22,9 +22,13 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.xml.suppression.SuppressionParseException;
 import org.owasp.dependencycheck.xml.suppression.SuppressionParser;
@@ -49,8 +53,20 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
     * The Logger for use throughout the class
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractSuppressionAnalyzer.class);
    /**
     * The list of suppression rules
     */
    private List<SuppressionRule> rules;
    /**
     * Get the number of suppression rules.
     *
     * @return the number of suppression rules
     */
    protected synchronized int getRuleCount() {
        return rules.size();
    }
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * Returns a list of file EXTENSIONS supported by this analyzer.
     *
@@ -60,7 +76,6 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
        return null;
    }
    //</editor-fold>
    /**
     * The initialize method loads the suppression XML file.
     *
@@ -75,39 +90,27 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
        }
    }
-    /**
+    @Override
-     * The list of suppression rules
+    protected synchronized void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
-     */
+        if (rules == null || rules.size() <= 0) {
-    private List<SuppressionRule> rules;
+            return;
-
+        }
-    /**
+        for (final SuppressionRule rule : rules) {
-     * Get the value of rules.
+            rule.process(dependency);
-     *
+        }
     * @return the value of rules
     */
    public List<SuppressionRule> getRules() {
        return rules;
    }
    /**
-     * Set the value of rules.
+     * Loads all the suppression rules files configured in the {@link Settings}
-     *
+     * singleton.
     * @param rules new value of rules
     */
    public void setRules(List<SuppressionRule> rules) {
        this.rules = rules;
    }
    /**
     * Loads all the suppression rules files configured in the {@link Settings} singleton.
     *
     * @throws SuppressionParseException thrown if the XML cannot be parsed.
     */
-    private void loadSuppressionData() throws SuppressionParseException {
+    private synchronized void loadSuppressionData() throws SuppressionParseException {
        final SuppressionParser parser = new SuppressionParser();
        try {
            final InputStream in = FileUtils.getResourceAsStream("dependencycheck-base-suppression.xml");
-            rules = parser.parseSuppressionRules(in);
+            rules = Collections.synchronizedList(parser.parseSuppressionRules(in));
        } catch (SAXException ex) {
            throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
        }
@@ -124,13 +127,15 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
    }
    /**
-     * Load a single suppression rules file from the path provided using the parser provided.
+     * Load a single suppression rules file from the path provided using the
     * parser provided.
     *
     * @param parser the parser to use for loading the file.
     * @param suppressionFilePath the path to load.
-     * @throws SuppressionParseException thrown if the suppression file cannot be loaded and parsed.
+     * @throws SuppressionParseException thrown if the suppression file cannot
     * be loaded and parsed.
     */
-    private void loadSuppressionFile(final SuppressionParser parser, final String suppressionFilePath) throws SuppressionParseException {
+    private synchronized void loadSuppressionFile(final SuppressionParser parser, final String suppressionFilePath) throws SuppressionParseException {
        LOGGER.debug("Loading suppression rules from '{}'", suppressionFilePath);
        File file = null;
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
@@ -17,21 +17,17 @@
 */
 package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 /**
- * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
+ * The suppression analyzer processes an externally defined XML document that
- * Any identified CPE entries within the dependencies that match will be removed.
+ * complies with the suppressions.xsd schema. Any identified CPE entries within
 * the dependencies that match will be removed.
 *
 * @author Jeremy Long
 */
 public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -60,19 +56,6 @@ public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    //</editor-fold>
    @Override
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
        if (getRules() == null || getRules().size() <= 0) {
            return;
        }
        for (final SuppressionRule rule : getRules()) {
            rule.process(dependency);
        }
    }
    /**
     * <p>
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java
@@ -17,11 +17,7 @@
 */
 package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 /**
 * The suppression analyzer processes an externally defined XML document that
@@ -32,7 +28,6 @@ import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 */
 public class VulnerabilitySuppressionAnalyzer extends AbstractSuppressionAnalyzer {
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -72,25 +67,4 @@ public class VulnerabilitySuppressionAnalyzer extends AbstractSuppressionAnalyze
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED;
    }
    //</editor-fold>
    /**
     * Analyzes a dependency's vulnerabilities against the configured CVE
     * suppressions.
     *
     * @param dependency the dependency being analyzed
     * @param engine a reference to the engine orchestrating the analysis
     * @throws AnalysisException thrown if there is an error during analysis
     */
    @Override
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
        if (getRules() == null || getRules().size() <= 0) {
            return;
        }
        for (final SuppressionRule rule : getRules()) {
            rule.process(dependency);
        }
    }
 }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
@@ -103,7 +103,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
        // THEN rules from both files were loaded
        final int expectedSize = rulesInFirstFile + rulesInSecondFile + rulesInCoreFile;
-        assertThat("Expected suppressions from both files", instance.getRules().size(), is(expectedSize));
+        assertThat("Expected suppressions from both files", instance.getRuleCount(), is(expectedSize));
    }
    @Test(expected = InitializationException.class)
@@ -123,7 +123,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
        final AbstractSuppressionAnalyzerImpl coreFileAnalyzer = new AbstractSuppressionAnalyzerImpl();
        coreFileAnalyzer.initialize();
-        return coreFileAnalyzer.getRules().size();
+        return coreFileAnalyzer.getRuleCount();
    }
    /**
@@ -138,7 +138,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
        final AbstractSuppressionAnalyzerImpl fileAnalyzer = new AbstractSuppressionAnalyzerImpl();
        fileAnalyzer.initialize();
-        return fileAnalyzer.getRules().size();
+        return fileAnalyzer.getRuleCount();
    }
    public class AbstractSuppressionAnalyzerImpl extends AbstractSuppressionAnalyzer {