added find bugs and fixed some bugs

Former-commit-id: 2266d86317f4fb20b7d3262b41b14d962916078f
Jeremy Long
2012-12-22 06:15:39 -05:00
parent 566f36e577
commit 283dcae297
15 changed files with 133 additions and 77 deletions


@@ -372,6 +372,11 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses/>.
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.2</version>
</plugin>
</reportPlugins>
</configuration>
</plugin>


@@ -229,7 +229,7 @@ public class JarAnalyzer extends AbstractAnalyzer {
}
} else if (!entry.isDirectory() && "pom.properties".equals(entryName)) {
if (pomProperties == null) {
Reader reader = new InputStreamReader(zin);
Reader reader = new InputStreamReader(zin, "UTF-8");
pomProperties = new Properties();
pomProperties.load(reader);
zin.closeEntry();
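Review bot: Forcing a UTF-8 `Reader` onto `pomProperties.load(...)` is not how `.properties` files are normally decoded; the `InputStream` overload applies the format's own ISO-8859-1 plus `\uXXXX` rules and takes no charset, so `pomProperties.load(zin);` would clear the default-encoding warning as well. With the UTF-8 reader, a non-ASCII byte that is not valid UTF-8 is silently replaced, and these values come from third-party archives and presumably feed identification of the dependency. The enclosing method starts and ends outside the hunk.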


@@ -128,7 +128,7 @@ public class Entry {
* The modification date of the CPE Entry.
* @deprecated This field is no longer used
*/
protected Date modificationDate;
private Date modificationDate;
/**
* Get the value of modificationDate
@@ -137,7 +137,7 @@ public class Entry {
* @deprecated This field is no longer used
*/
public Date getModificationDate() {
return modificationDate;
return (Date) modificationDate.clone();
}
/**
@@ -147,7 +147,7 @@ public class Entry {
* @deprecated This field is no longer used
*/
public void setModificationDate(Date modificationDate) {
this.modificationDate = modificationDate;
this.modificationDate = (Date) modificationDate.clone();
}
/**
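Review bot: Both accessors now dereference a value that can be null: `getModificationDate()` calls `modificationDate.clone()` on a field declared without an initializer, and `setModificationDate(null)` throws where it used to be accepted. Guard both, e.g. `return modificationDate == null ? null : (Date) modificationDate.clone();` and `this.modificationDate = modificationDate == null ? null : (Date) modificationDate.clone();`. Narrowing the field from `protected` to `private` would also break any subclass that read it directly, which cannot be checked from this page.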


@@ -197,24 +197,27 @@ public class Index extends AbstractIndex implements CachedWebDataSource {
Properties prop = new Properties();
prop.put(Index.LAST_UPDATED, String.valueOf(timeStamp));
OutputStream os = null;
OutputStreamWriter out = null;
try {
os = new FileOutputStream(cpeProp);
OutputStreamWriter out = new OutputStreamWriter(os);
out = new OutputStreamWriter(os, "UTF-8");
prop.store(out, dir);
} catch (FileNotFoundException ex) {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
} catch (IOException ex) {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
} finally {
try {
os.flush();
} catch (IOException ex) {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
}
try {
os.close();
} catch (IOException ex) {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
if (os != null) {
try {
os.flush();
} catch (IOException ex) {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
}
try {
os.close();
} catch (IOException ex) {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
}
}
}
}
@@ -277,6 +280,14 @@ public class Index extends AbstractIndex implements CachedWebDataSource {
Logger.getLogger(Index.class.getName()).log(Level.FINEST, null, ex);
} catch (NumberFormatException ex) {
Logger.getLogger(Index.class.getName()).log(Level.FINEST, null, ex);
} finally {
if (is != null) {
try {
is.close();
} catch (IOException ex) {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
}
}
}
if (currentlyPublishedDate > lastUpdated) {
retVal = currentlyPublishedDate;
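Review bot: `out` is hoisted out of the `try` in the first hunk, but the `finally` block still flushes and closes only `os`, so the hoisted variable is never used for cleanup. Closing the writer is the simpler form because it flushes the encoder and closes the underlying stream in one call: `if (out != null) { out.close(); } else if (os != null) { os.close(); }`, inside the existing `IOException` handling. The `cveProp` hunk in the other `Index` class of this commit has the same shape, with `out` local to the `try`. Both methods start outside the hunks shown.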


@@ -49,11 +49,11 @@ import org.codesecure.dependencycheck.utils.Settings;
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class Index extends AbstractIndex implements CachedWebDataSource {
/**
* The current version of Lucene used to build the index.
*/
public static final String INDEX_VERSION = "4.0";
/**
* The current version of the index
*/
public static final String INDEX_VERSION = "1.0";
/**
* The name of the properties file containing the timestamp of the last
* update.
@@ -216,7 +216,7 @@ public class Index extends AbstractIndex implements CachedWebDataSource {
OutputStream os = null;
try {
os = new FileOutputStream(cveProp);
OutputStreamWriter out = new OutputStreamWriter(os);
OutputStreamWriter out = new OutputStreamWriter(os, "UTF-8");
prop.store(out, dir);
} catch (FileNotFoundException ex) {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
@@ -225,15 +225,17 @@ public class Index extends AbstractIndex implements CachedWebDataSource {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
throw new UpdateException("Unable to update last updated properties file.", ex);
} finally {
try {
os.flush();
} catch (IOException ex) {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
}
try {
os.close();
} catch (IOException ex) {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
if (os != null) {
try {
os.flush();
} catch (IOException ex) {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
}
try {
os.close();
} catch (IOException ex) {
Logger.getLogger(Index.class.getName()).log(Level.SEVERE, null, ex);
}
}
}
}
@@ -473,7 +475,7 @@ public class Index extends AbstractIndex implements CachedWebDataSource {
* @throws IOException is thrown if an IOExcpetion occurs.
*/
private String readFile(File file) throws IOException {
FileReader stream = new FileReader(file);
InputStreamReader stream = new InputStreamReader(new FileInputStream(file), "UTF-8");
StringBuilder str = new StringBuilder((int) file.length());
try {
char[] buf = new char[8096];
@@ -486,8 +488,6 @@ public class Index extends AbstractIndex implements CachedWebDataSource {
stream.close();
}
return str.toString();
}
/**
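Review bot: In `readFile` the reader is opened before the `try`, and `new StringBuilder((int) file.length())` sits between the open and the `try`; if that allocation throws (the `int` cast can go negative for a file larger than `Integer.MAX_VALUE` bytes), the `FileInputStream` is never closed. Moving the `StringBuilder` line above the `InputStreamReader` line, or creating the reader inside the `try`, closes that gap. Separately, `INDEX_VERSION` changes value here and its Javadoc changes meaning from the Lucene version to the index version; if anything compares a stored value against it to decide whether an index must be rebuilt, that caller needs checking, which cannot be done from this hunk.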


@@ -20,6 +20,7 @@ package org.codesecure.dependencycheck.data.nvdcve;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -142,6 +143,9 @@ public class NvdCveAnalyzer implements org.codesecure.dependencycheck.analyzer.A
} catch (JAXBException ex) {
Logger.getLogger(NvdCveAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
dependency.addAnalysisException(new AnalysisException("Unable to retrieve vulnerability data", ex));
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(NvdCveAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
dependency.addAnalysisException(new AnalysisException("Unable to retrieve vulnerability data - utf-8", ex));
}
}
} catch (IOException ex) {
@@ -198,11 +202,11 @@ public class NvdCveAnalyzer implements org.codesecure.dependencycheck.analyzer.A
this.open();
}
private Vulnerability parseVulnerability(String xml) throws JAXBException {
private Vulnerability parseVulnerability(String xml) throws JAXBException, UnsupportedEncodingException {
JAXBContext jaxbContext = JAXBContext.newInstance(VulnerabilityType.class);
Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
ByteArrayInputStream input = new ByteArrayInputStream(xml.getBytes());
ByteArrayInputStream input = new ByteArrayInputStream(xml.getBytes("UTF-8"));
VulnerabilityType cvedata = (VulnerabilityType) unmarshaller.unmarshal(input);
if (cvedata == null) {
return null;
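Review bot: `parseVulnerability` now exposes `UnsupportedEncodingException` only because the string is turned back into bytes before unmarshalling; `Unmarshaller` also accepts a `Reader`, so `unmarshaller.unmarshal(new StringReader(xml))` removes the charset round trip, the extra `throws` clause and the new catch block in the first hunk. It needs `java.io.StringReader` imported in place of `ByteArrayInputStream`. The XML handed to the unmarshaller presumably originates from downloaded feed data, so it is also worth confirming that the parser behind this call does not resolve DTDs or external entities; nothing in the hunk shows how it is configured. The method body continues past the hunk.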


@@ -20,6 +20,7 @@ package org.codesecure.dependencycheck.data.nvdcve.xml;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.bind.JAXBContext;
@@ -56,7 +57,12 @@ public class Indexer extends Index implements EntrySaveDelegate {
*/
public void saveEntry(VulnerabilityType vulnerability) throws CorruptIndexException, IOException {
try {
Document doc = convertEntryToDoc(vulnerability);
Document doc = null;
try {
doc = convertEntryToDoc(vulnerability);
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(Indexer.class.getName()).log(Level.SEVERE, null, ex);
}
if (doc == null) {
return;
@@ -75,8 +81,9 @@ public class Indexer extends Index implements EntrySaveDelegate {
* @param vulnerability a VULNERABLE_CPE Entry.
* @return a Lucene Document containing a VULNERABLE_CPE Entry.
* @throws JAXBException is thrown when there is a JAXBException.
* @throws UnsupportedEncodingException if the system doesn't support utf-8
*/
protected Document convertEntryToDoc(VulnerabilityType vulnerability) throws JAXBException {
protected Document convertEntryToDoc(VulnerabilityType vulnerability) throws JAXBException, UnsupportedEncodingException {
boolean hasApplication = false;
Document doc = new Document();
@@ -117,7 +124,7 @@ public class Indexer extends Index implements EntrySaveDelegate {
m.marshal(vulnerability, out);
Field xml = new StoredField(Fields.XML, out.toString());
Field xml = new StoredField(Fields.XML, out.toString("UTF-8"));
doc.add(xml);
return doc;
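Review bot: The new inner `catch (UnsupportedEncodingException ex)` in `saveEntry` logs and leaves `doc` null, so the following `if (doc == null) return;` drops the vulnerability entry from the index without telling the caller. `UnsupportedEncodingException` is a subclass of `IOException`, which `saveEntry` already declares, so the original `Document doc = convertEntryToDoc(vulnerability);` can stay and let the exception propagate, assuming the outer `try`, whose catch clauses are outside the hunk, does not intercept it. For a scanner, an entry silently missing from the index is a missed finding, so failing the update is the safer behaviour.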


@@ -20,9 +20,10 @@ package org.codesecure.dependencycheck.data.nvdcve.xml;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -66,14 +67,15 @@ public class NvdCveParser extends Index {
* @param file the reference to the NVD CVE file
*/
public void parse(File file) {
FileReader fr = null;
InputStreamReader fr = null;
BufferedReader br = null;
Pattern rxEntry = Pattern.compile("^\\s*<entry\\s*id\\=\\\"([^\\\"]+)\\\".*$");
Pattern rxEntryEnd = Pattern.compile("^\\s*</entry>.*$");
Pattern rxFact = Pattern.compile("^\\s*<cpe\\-lang\\:fact\\-ref name=\\\"([^\\\"]+).*$");
Pattern rxSummary = Pattern.compile("^\\s*<vuln:summary>([^\\<]+).*$");
//Pattern rxSummary = Pattern.compile("^\\s*<vuln:summary>([^\\<]+).*$");
try {
fr = new FileReader(file);
fr = new InputStreamReader(new FileInputStream(file), "UTF-8");
br = new BufferedReader(fr);
StringBuilder sb = new StringBuilder(7000);
String str = null;
@@ -161,7 +163,9 @@ public class NvdCveParser extends Index {
Logger.getLogger(NvdCveParser.class.getName()).log(Level.SEVERE, null, ex);
} finally {
try {
fr.close();
if (fr != null) {
fr.close();
}
} catch (IOException ex) {
Logger.getLogger(NvdCveParser.class.getName()).log(Level.SEVERE, null, ex);
}
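Review bot: The `rxSummary` pattern in `parse` is commented out rather than removed; a dead `//Pattern rxSummary = ...` line drifts from the code around it, so delete it and let version control keep the history. The same applies to `//writer = new BufferedWriter(oswriter);` in `ReportGenerator`. The null check added around `fr.close()` is fine, though `br` wraps `fr`, so closing `br` would be the more conventional choice. `parse` starts before and ends after the hunks shown.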


@@ -19,7 +19,7 @@ package org.codesecure.dependencycheck.dependency;
*/
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
@@ -418,7 +418,7 @@ public class Dependency {
try {
md5 = Checksum.getMD5Checksum(file);
sha1 = Checksum.getSHA1Checksum(file);
} catch (FileNotFoundException ex) {
} catch (IOException ex) {
Logger.getLogger(Dependency.class.getName()).log(Level.SEVERE, null, ex);
} catch (NoSuchAlgorithmException ex) {
Logger.getLogger(Dependency.class.getName()).log(Level.SEVERE, null, ex);
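Review bot: Widening the catch to `IOException` means a read failure part-way through hashing now lands in this handler too, and the handler only logs it, leaving `md5` and `sha1` at whatever they held before the `try` (not visible in the hunk). If later stages match on these hashes, the failure should be recorded on the dependency rather than leaving it with missing checksums; at minimum a comment such as `// checksums stay unset on failure; callers must tolerate missing hashes` would document the behaviour. The enclosing method starts and ends outside the hunk.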


@@ -19,13 +19,14 @@ package org.codesecure.dependencycheck.reporting;
*/
import java.io.FileInputStream;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileWriter;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -94,9 +95,7 @@ public class ReportGenerator {
Context c = manager.createContext();
EasyFactoryConfiguration config = new EasyFactoryConfiguration();
config.addDefaultTools();
config.toolbox("application")
.tool("esc", "org.apache.velocity.tools.generic.EscapeTool")
.tool("org.apache.velocity.tools.generic.DateTool");
config.toolbox("application").tool("esc", "org.apache.velocity.tools.generic.EscapeTool").tool("org.apache.velocity.tools.generic.DateTool");
manager.configure(config);
return c;
}
@@ -143,21 +142,33 @@ public class ReportGenerator {
throw new IOException("Template file doesn't exist");
}
InputStreamReader reader = new InputStreamReader(input);
BufferedWriter writer = null;
InputStreamReader reader = new InputStreamReader(input, "UTF-8");
OutputStreamWriter writer = null;
OutputStream outputStream = null;
try {
writer = new BufferedWriter(new FileWriter(new File(outFileName)));
outputStream = new FileOutputStream(outFileName);
writer = new OutputStreamWriter(outputStream, "UTF-8");
//writer = new BufferedWriter(oswriter);
if (!engine.evaluate(context, writer, templatePath, reader)) {
throw new Exception("Failed to convert the template into html.");
}
writer.flush();
} finally {
try {
writer.close();
} catch (Exception ex) {
Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
if (writer != null) {
try {
writer.close();
} catch (Exception ex) {
Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
}
}
if (outputStream != null) {
try {
outputStream.close();
} catch (Exception ex) {
Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
}
}
try {
reader.close();
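Review bot: The report writer lost its explicit buffering: `new BufferedWriter(new FileWriter(...))` became a bare `OutputStreamWriter`. Wrapping the encoder keeps the old behaviour with the explicit charset, `writer = new BufferedWriter(new OutputStreamWriter(outputStream, "UTF-8"));`, with `writer` declared as `java.io.Writer`. Closing `writer` already closes `outputStream`, so the second close only matters when the `OutputStreamWriter` constructor fails; a one-line comment saying so would stop someone removing it later. The chained `config.toolbox(...)` call was also joined onto one very long line, which reads worse than the three-line form it replaced.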


@@ -2,7 +2,6 @@ package org.codesecure.dependencycheck.utils;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
@@ -30,29 +29,30 @@ public class Checksum {
* @param algorithm the algorithm to use to calculate the checksum
* @param file the file to calculate the checksum for
* @return the checksum
* @throws FileNotFoundException when the file does not exist
* @throws IOException when the file does not exist
* @throws NoSuchAlgorithmException when an algorithm is specified that does
* not exist
*/
public static byte[] getChecksum(String algorithm, File file) throws FileNotFoundException, NoSuchAlgorithmException {
InputStream fis = new FileInputStream(file);
public static byte[] getChecksum(String algorithm, File file) throws NoSuchAlgorithmException, IOException {
InputStream fis = null;
byte[] buffer = new byte[1024];
MessageDigest complete = MessageDigest.getInstance(algorithm);
int numRead;
try {
fis = new FileInputStream(file);
do {
numRead = fis.read(buffer);
if (numRead > 0) {
complete.update(buffer, 0, numRead);
}
} while (numRead != -1);
} catch (IOException ex) {
Logger.getLogger(Checksum.class.getName()).log(Level.SEVERE, null, ex);
} finally {
try {
fis.close();
} catch (IOException ex) {
Logger.getLogger(Checksum.class.getName()).log(Level.SEVERE, null, ex);
if (fis != null) {
try {
fis.close();
} catch (IOException ex) {
Logger.getLogger(Checksum.class.getName()).log(Level.SEVERE, null, ex);
}
}
}
return complete.digest();
@@ -63,10 +63,10 @@ public class Checksum {
*
* @param file the file to generate the MD5 checksum
* @return the hex representation of the MD5 hash
* @throws FileNotFoundException when the file passed in does not exist
* @throws IOException when the file passed in does not exist
* @throws NoSuchAlgorithmException when the MD5 algorithm is not available
*/
public static String getMD5Checksum(File file) throws FileNotFoundException, NoSuchAlgorithmException {
public static String getMD5Checksum(File file) throws IOException, NoSuchAlgorithmException {
byte[] b = getChecksum("MD5", file);
return getHex(b);
}
@@ -76,10 +76,10 @@ public class Checksum {
*
* @param file the file to generate the MD5 checksum
* @return the hex representation of the SHA1 hash
* @throws FileNotFoundException when the file passed in does not exist
* @throws IOException when the file passed in does not exist
* @throws NoSuchAlgorithmException when the SHA1 algorithm is not available
*/
public static String getSHA1Checksum(File file) throws FileNotFoundException, NoSuchAlgorithmException {
public static String getSHA1Checksum(File file) throws IOException, NoSuchAlgorithmException {
byte[] b = getChecksum("SHA1", file);
return getHex(b);
}
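Review bot: The updated Javadoc still reads `@throws IOException when the file does not exist`, but if the inner `catch (IOException ex)` in `getChecksum` was removed, as the hunk's line counts suggest, the exception now also covers read failures. `@throws IOException when the file does not exist or cannot be read` would match the code on `getChecksum`, `getMD5Checksum` and `getSHA1Checksum`. The `getSHA1Checksum` comment also describes its parameter as the file to generate the MD5 checksum, a copy-paste slip worth fixing while these lines are being touched.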


@@ -128,8 +128,8 @@ public class Downloader {
String encoding = conn.getContentEncoding();
BufferedOutputStream writer = null;
InputStream reader = null;
try {
InputStream reader;
if (unzip || (encoding != null && "gzip".equalsIgnoreCase(encoding))) {
reader = new GZIPInputStream(conn.getInputStream());
} else if (encoding != null && "deflate".equalsIgnoreCase(encoding)) {
@@ -147,6 +147,7 @@ public class Downloader {
} catch (Exception ex) {
throw new DownloadFailedException("Error saving downloaded file.", ex);
} finally {
if (writer != null) {
try {
writer.close();
writer = null;
@@ -154,6 +155,17 @@ public class Downloader {
Logger.getLogger(Downloader.class.getName()).log(Level.FINEST,
"Error closing the writter in Downloader.", ex);
}
}
if (reader != null) {
try {
reader.close();
reader = null;
} catch (Exception ex) {
Logger.getLogger(Downloader.class.getName()).log(Level.FINEST,
"Error closing the reader in Downloader.", ex);
}
}
try {
conn.disconnect();
} finally {


@@ -55,7 +55,7 @@ public class FileUtils {
* the contents.
*
* @param file the File to delete
* @throws IOException
* @throws IOException is thrown if the file could not be deleted
*/
public static void delete(File file) throws IOException {
if (file.isDirectory()) {


@@ -46,8 +46,9 @@ public class IndexIntegrationTest extends BaseIndexTestCase {
@Test
public void testUpdate() throws Exception {
System.out.println("update");
Index instance = new Index();
instance.update();
//deprecated
//Index instance = new Index();
//instance.update();
}
/**
@@ -56,8 +57,9 @@ public class IndexIntegrationTest extends BaseIndexTestCase {
@Test
public void testUpdateNeeded() throws Exception {
System.out.println("updateNeeded");
Index instance = new Index();
instance.updateNeeded();
//deprecated
//Index instance = new Index();
//instance.updateNeeded();
//if an exception is thrown this test fails. However, because it depends on the
// order of the tests what this will return I am just testing for the exception.
//assertTrue(expResult < result);
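Review bot: `testUpdate` and `testUpdateNeeded` keep their `@Test` annotation while their bodies are commented out, so they pass without exercising anything. If the methods under test are deprecated, mark the tests with `@Ignore("Index.update is deprecated")` (plus the `org.junit.Ignore` import) so the skip is reported, or delete them, instead of leaving `//Index instance = new Index();` behind. `testUpdateNeeded` continues past the end of the hunk.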


@@ -5,7 +5,7 @@
package org.codesecure.dependencycheck.utils;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import junit.framework.TestCase;
import org.junit.Test;
@@ -66,7 +66,7 @@ public class ChecksumTest extends TestCase {
boolean exceptionThrown = false;
try {
byte[] result = Checksum.getChecksum(algorithm, file);
} catch (FileNotFoundException ex) {
} catch (IOException ex) {
exceptionThrown = true;
}
assertTrue(exceptionThrown);
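Review bot: Catching `IOException` lets this test pass on any I/O failure, not only the missing-file case it presumably targets. `FileInputStream` still throws `FileNotFoundException` for a file that does not exist, so `catch (FileNotFoundException ex)` can stay, provided the test method declares the broader `IOException` (its signature is outside the hunk). The unused `byte[] result` local could go as well: `Checksum.getChecksum(algorithm, file);`.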