correct fix for issue #660; correctly handle organization from the pom
@@ -166,9 +166,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
*/
|
||||
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
|
||||
|
||||
|
||||
//</editor-fold>
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
|
||||
/**
|
||||
* Returns the FileFilter.
|
||||
@@ -541,6 +539,12 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
addMatchingValues(classes, org, dependency.getVendorEvidence());
|
||||
addMatchingValues(classes, org, dependency.getProductEvidence());
|
||||
}
|
||||
// org name
|
||||
final String orgUrl = pom.getOrganizationUrl();
|
||||
if (orgUrl != null && !orgUrl.isEmpty()) {
|
||||
dependency.getVendorEvidence().addEvidence("pom", "organization url", orgUrl, Confidence.MEDIUM);
|
||||
dependency.getProductEvidence().addEvidence("pom", "organization url", orgUrl, Confidence.LOW);
|
||||
}
|
||||
//pom name
|
||||
final String pomName = pom.getName();
|
||||
if (pomName
|
||||
@@ -1110,6 +1114,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* Stores information about a class name.
|
||||
*/
|
||||
protected static class ClassNameInformation {
|
||||
|
||||
/**
|
||||
* The fully qualified class name.
|
||||
*/
|
||||
@@ -1180,6 +1185,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
public void setName(String name) {
|
||||
this.name = name;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the value of packageStructure
|
||||
*
|
||||
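Review bot: The organization URL is also recorded as product evidence (`dependency.getProductEvidence().addEvidence("pom", "organization url", orgUrl, Confidence.LOW);`), which feeds a string that always starts with `http://` or `https://` into the same product matching that issue #660 describes as mis-flagging an `http://`-bearing organization name as Apache HTTP Server; the blanket suppression added in this same commit suggests the false positive presumably still fires. I would keep the vendor evidence line and drop the product evidence line, or add only the host part of the URL rather than the raw string. The enclosing method runs past both edges of this hunk, so the `org` handling that precedes it is not visible here.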
|
||||
@@ -39,6 +39,10 @@ public class Model {
|
||||
* The organization name.
|
||||
*/
|
||||
private String organization;
|
||||
/**
|
||||
* The organization URL.
|
||||
*/
|
||||
private String organizationUrl;
|
||||
/**
|
||||
* The description.
|
||||
*/
|
||||
@@ -112,6 +116,24 @@ public class Model {
|
||||
this.organization = organization;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the value of organizationUrl.
|
||||
*
|
||||
* @return the value of organizationUrl
|
||||
*/
|
||||
public String getOrganizationUrl() {
|
||||
return organizationUrl;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of organizationUrl.
|
||||
*
|
||||
* @param organizationUrl new value of organizationUrl
|
||||
*/
|
||||
public void setOrganizationUrl(String organizationUrl) {
|
||||
this.organizationUrl = organizationUrl;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the value of description.
|
||||
*
|
||||
|
||||
@@ -101,7 +101,7 @@ public class PomHandler extends DefaultHandler {
|
||||
* The current node text being extracted from the element.
|
||||
*/
|
||||
private StringBuilder currentText;
|
||||
|
||||
|
||||
/**
|
||||
* Handles the start element event.
|
||||
*
|
||||
@@ -132,48 +132,66 @@ public class PomHandler extends DefaultHandler {
|
||||
public void endElement(String uri, String localName, String qName) throws SAXException {
|
||||
stack.pop();
|
||||
final String parentNode = stack.peek();
|
||||
if (PROJECT.equals(parentNode)) {
|
||||
if (GROUPID.equals(qName)) {
|
||||
model.setGroupId(currentText.toString());
|
||||
} else if (ARTIFACTID.equals(qName)) {
|
||||
model.setArtifactId(currentText.toString());
|
||||
} else if (VERSION.equals(qName)) {
|
||||
model.setVersion(currentText.toString());
|
||||
} else if (NAME.equals(qName)) {
|
||||
model.setName(currentText.toString());
|
||||
} else if (ORGANIZATION.equals(qName)) {
|
||||
model.setOrganization(currentText.toString());
|
||||
} else if (DESCRIPTION.equals(qName)) {
|
||||
model.setDescription(currentText.toString());
|
||||
} else if (URL.equals(qName)) {
|
||||
model.setProjectURL(currentText.toString());
|
||||
}
|
||||
} else if (PARENT.equals(parentNode)) {
|
||||
if (GROUPID.equals(qName)) {
|
||||
model.setParentGroupId(currentText.toString());
|
||||
} else if (ARTIFACTID.equals(qName)) {
|
||||
model.setParentArtifactId(currentText.toString());
|
||||
} else if (VERSION.equals(qName)) {
|
||||
model.setParentVersion(currentText.toString());
|
||||
}
|
||||
} else if (LICENSE.equals(parentNode)) {
|
||||
if (license != null) {
|
||||
if (null != parentNode) switch (parentNode) {
|
||||
case PROJECT:
|
||||
if (null != qName) switch (qName) {
|
||||
case GROUPID:
|
||||
model.setGroupId(currentText.toString());
|
||||
break;
|
||||
case ARTIFACTID:
|
||||
model.setArtifactId(currentText.toString());
|
||||
break;
|
||||
case VERSION:
|
||||
model.setVersion(currentText.toString());
|
||||
break;
|
||||
case NAME:
|
||||
model.setName(currentText.toString());
|
||||
break;
|
||||
case DESCRIPTION:
|
||||
model.setDescription(currentText.toString());
|
||||
break;
|
||||
case URL:
|
||||
model.setProjectURL(currentText.toString());
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
} break;
|
||||
case ORGANIZATION:
|
||||
if (NAME.equals(qName)) {
|
||||
license.setName(currentText.toString());
|
||||
model.setOrganization(currentText.toString());
|
||||
} else if (URL.equals(qName)) {
|
||||
license.setUrl(currentText.toString());
|
||||
}
|
||||
//} else {
|
||||
//TODO add error logging
|
||||
}
|
||||
} else if (LICENSES.equals(parentNode)) {
|
||||
if (LICENSE.equals(qName)) {
|
||||
model.setOrganizationUrl(currentText.toString());
|
||||
} break;
|
||||
case PARENT:
|
||||
if (null != qName) switch (qName) {
|
||||
case GROUPID:
|
||||
model.setParentGroupId(currentText.toString());
|
||||
break;
|
||||
case ARTIFACTID:
|
||||
model.setParentArtifactId(currentText.toString());
|
||||
break;
|
||||
case VERSION:
|
||||
model.setParentVersion(currentText.toString());
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
} break;
|
||||
case LICENSE:
|
||||
if (license != null) {
|
||||
model.addLicense(license);
|
||||
//} else {
|
||||
//TODO add error logging
|
||||
}
|
||||
}
|
||||
if (NAME.equals(qName)) {
|
||||
license.setName(currentText.toString());
|
||||
} else if (URL.equals(qName)) {
|
||||
license.setUrl(currentText.toString());
|
||||
}
|
||||
} break;
|
||||
case LICENSES:
|
||||
if (LICENSE.equals(qName)) {
|
||||
if (license != null) {
|
||||
model.addLicense(license);
|
||||
}
|
||||
} break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -47,7 +47,7 @@ public final class PomUtils {
|
||||
* Reads in the specified POM and converts it to a Model.
|
||||
*
|
||||
* @param file the pom.xml file
|
||||
* @return returns a
|
||||
* @return returns an object representation of the POM
|
||||
* @throws AnalysisException is thrown if there is an exception extracting
|
||||
* or parsing the POM {@link Model} object
|
||||
*/
|
||||
@@ -59,14 +59,12 @@ public final class PomUtils {
|
||||
throw new AnalysisException(String.format("Unable to parse pom '%s'", file.getPath()));
|
||||
}
|
||||
return model;
|
||||
} catch (AnalysisException ex) {
|
||||
throw ex;
|
||||
} catch (PomParseException ex) {
|
||||
LOGGER.warn("Unable to parse pom '{}'", file.getPath());
|
||||
LOGGER.debug("", ex);
|
||||
throw new AnalysisException(ex);
|
||||
} catch (IOException ex) {
|
||||
LOGGER.warn("Unable to parse pom '{}'(IO Exception)", file.getPath());
|
||||
LOGGER.debug("", ex);
|
||||
throw new AnalysisException(ex);
|
||||
} catch (Throwable ex) {
|
||||
LOGGER.warn("Unexpected error during parsing of the pom '{}'", file.getPath());
|
||||
LOGGER.debug("", ex);
|
||||
@@ -79,7 +77,7 @@ public final class PomUtils {
|
||||
*
|
||||
* @param path the path to the pom.xml file within the jar file
|
||||
* @param jar the jar file to extract the pom from
|
||||
* @return returns a
|
||||
* @return returns an object representation of the POM
|
||||
* @throws AnalysisException is thrown if there is an exception extracting
|
||||
* or parsing the POM {@link Model} object
|
||||
*/
|
||||
@@ -93,6 +91,8 @@ public final class PomUtils {
|
||||
if (model == null) {
|
||||
throw new AnalysisException(String.format("Unable to parse pom '%s/%s'", jar.getName(), path));
|
||||
}
|
||||
} catch (AnalysisException ex) {
|
||||
throw ex;
|
||||
} catch (SecurityException ex) {
|
||||
LOGGER.warn("Unable to parse pom '{}' in jar '{}'; invalid signature", path, jar.getName());
|
||||
LOGGER.debug("", ex);
|
||||
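Review bot: The added `catch (AnalysisException ex) { throw ex; }` in both methods is there only to stop the trailing `catch (Throwable ex)` from wrapping an already-typed AnalysisException a second time; a comment such as `// rethrow unchanged so the Throwable handler below does not double-wrap it` would spare the next reader the puzzle, since the Throwable handler's body ends outside the hunk. Catching `Throwable` also turns `Error`s such as OutOfMemoryError into an AnalysisException; narrowing that handler to `Exception` would let those propagate and would make the explicit rethrow largely unnecessary. Both `readPom` bodies start before their respective hunks.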
|
||||
@@ -507,12 +507,4 @@
|
||||
<gav regex="true">^io\.jsonwebtoken:jjwt:.*$</gav>
|
||||
<cpe>cpe:/a:sonatype:nexus</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
False positive suppression per issue #660 - the organization name contains http:// so it gets flagged as http server.
|
||||
]]></notes>
|
||||
<gav regex="true">^commons-validator:commons-validator:.*$</gav>
|
||||
<cpe>cpe:/a:apache:http_server</cpe>
|
||||
<cpe>cpe:/a:apache:apache_http_server</cpe>
|
||||
</suppress>
|
||||
</suppressions>
|
||||
|
||||
@@ -24,13 +24,17 @@ import static org.junit.Assert.*;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
|
||||
/**
|
||||
* Test the PomUtils object.
|
||||
*
|
||||
* @author jeremy
|
||||
* @author Jeremy Long
|
||||
*/
|
||||
public class PomUtilsTest extends BaseTest {
|
||||
|
||||
/**
|
||||
* Test of readPom method, of class PomUtils.
|
||||
*
|
||||
* @throws java.lang.Exception thrown when the test fails due to an
|
||||
* exception
|
||||
*/
|
||||
@Test
|
||||
public void testReadPom_File() throws Exception {
|
||||
@@ -38,7 +42,12 @@ public class PomUtilsTest extends BaseTest {
|
||||
String expResult = "Direct Web Remoting";
|
||||
Model result = PomUtils.readPom(file);
|
||||
assertEquals(expResult, result.getName());
|
||||
|
||||
|
||||
expResult = "get ahead";
|
||||
assertEquals(expResult, result.getOrganization());
|
||||
expResult = "http://getahead.ltd.uk/dwr";
|
||||
assertEquals(expResult, result.getOrganizationUrl());
|
||||
|
||||
file = BaseTest.getResourceAsFile(this, "jmockit-1.26.pom");
|
||||
expResult = "Main";
|
||||
result = PomUtils.readPom(file);
|
||||
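Review bot: The new assertions only cover POMs that carry an `<organization>` block; a case on a POM without one, asserting `assertNull(result.getOrganization());` and `assertNull(result.getOrganizationUrl());`, would pin the null contract that the `orgUrl != null && !orgUrl.isEmpty()` guard in JarAnalyzer relies on. Reusing the single `expResult` local for name, organization and organization URL in turn also makes a failing assertEquals message less informative; separate locals or inline literals read better. testReadPom_File starts before this hunk.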
|
||||