coverity suggested corrections

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -309,10 +309,13 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         String right = rFile.getParent();
         if (left == null) {
             return right == null;
+        } else if (right == null) {
+            return false;
         }
         if (left.equalsIgnoreCase(right)) {
             return true;
         }
+
         if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
             left = getBaseRepoPath(left);
             right = getBaseRepoPath(right);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -409,6 +409,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         final File file = new File(tmpDir, "pom.xml");
         try {
             final ZipEntry entry = jar.getEntry(path);
+            if (entry == null) {
+                throw new AnalysisException(String.format("Pom (%s)does not exist in %s", path, jar.getName()));
+            }
             input = jar.getInputStream(entry);
             fos = new FileOutputStream(file);
             IOUtils.copy(input, fos);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java

@@ -34,8 +34,9 @@ import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * This analyzer is used to analyze the SWIFT Package Manager (https://swift.org/package-manager/).
- * It collects information about a package from Package.swift files.
+ * This analyzer is used to analyze the SWIFT Package Manager
+ * (https://swift.org/package-manager/). It collects information about a package
+ * from Package.swift files.
  *
  * @author Bianca Jiang (https://twitter.com/biancajiang)
  */
@@ -56,22 +57,18 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
      * The file name to scan.
      */
     public static final String SPM_FILE_NAME = "Package.swift";
-    
+
     /**
      * Filter that detects files named "package.json".
      */
     private static final FileFilter SPM_FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(SPM_FILE_NAME).build();
 
     /**
-     * The capture group #1 is the block variable.  
-     * e.g. 
-     * "import PackageDescription
-     * let package = Package(
-     *     name: "Gloss"
-     *     )"
+     * The capture group #1 is the block variable. e.g. "import
+     * PackageDescription let package = Package( name: "Gloss" )"
      */
     private static final Pattern SPM_BLOCK_PATTERN = Pattern.compile("let[^=]+=\\s*Package\\s*\\(\\s*([^)]*)\\s*\\)", Pattern.DOTALL);
-    
+
     /**
      * Returns the FileFilter
      *
@@ -108,7 +105,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -120,8 +118,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
     @Override
     protected void analyzeFileType(Dependency dependency, Engine engine)
             throws AnalysisException {
-    	
-    	String contents;
+
+        String contents;
         try {
             contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
         } catch (IOException e) {
@@ -132,12 +130,13 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
         if (matcher.find()) {
             contents = contents.substring(matcher.end());
             final String packageDescription = matcher.group(1);
-            if(packageDescription.isEmpty())
-            	return;
+            if (packageDescription.isEmpty()) {
+                return;
+            }
 
             final EvidenceCollection product = dependency.getProductEvidence();
             final EvidenceCollection vendor = dependency.getVendorEvidence();
-            
+
             //SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies.
             //Future interesting metadata: version, license, homepage, author, summary, etc.
             final String name = addStringEvidence(product, packageDescription, "name", "name", Confidence.HIGHEST);
@@ -147,30 +146,32 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
         }
         setPackagePath(dependency);
     }
-    
+
     private String addStringEvidence(EvidenceCollection evidences,
             String packageDescription, String field, String fieldPattern, Confidence confidence) {
         String value = "";
-        
-    	final Matcher matcher = Pattern.compile(
+
+        final Matcher matcher = Pattern.compile(
                 String.format("%s *:\\s*\"([^\"]*)", fieldPattern), Pattern.DOTALL).matcher(packageDescription);
-    	if(matcher.find()) {
-    		value = matcher.group(1);
-    	}
-    	
-    	if(value != null) {
-    		value = value.trim();
-    		if(value.length() > 0)
-    			evidences.addEvidence (SPM_FILE_NAME, field, value, confidence);
-    	}
-    	
+        if (matcher.find()) {
+            value = matcher.group(1);
+        }
+
+        if (value != null) {
+            value = value.trim();
+            if (value.length() > 0) {
+                evidences.addEvidence(SPM_FILE_NAME, field, value, confidence);
+            }
+        }
+
         return value;
     }
 
     private void setPackagePath(Dependency dep) {
-    	File file = new File(dep.getFilePath());
-    	String parent = file.getParent();
-    	if(parent != null)
-    		dep.setPackagePath(parent);
+        final File file = new File(dep.getFilePath());
+        final String parent = file.getParent();
+        if (parent != null) {
+            dep.setPackagePath(parent);
+        }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java

@@ -61,8 +61,8 @@ public class CentralSearch {
     /**
      * Creates a NexusSearch for the given repository URL.
      *
-     * @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so it should
-     * end in /select)
+     * @param rootURL the URL of the repository on which searches should
+     * execute. Only parameters are added to this (so it should end in /select)
      */
     public CentralSearch(URL rootURL) {
         this.rootURL = rootURL;
@@ -76,18 +76,20 @@ public class CentralSearch {
     }
 
     /**
-     * Searches the configured Central URL for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
-     * populated with the GAV.
+     * Searches the configured Central URL for the given sha1 hash. If the
+     * artifact is found, a <code>MavenArtifact</code> is populated with the
+     * GAV.
      *
      * @param sha1 the SHA-1 hash string for which to search
      * @return the populated Maven GAV.
-     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
+     * @throws IOException if it's unable to connect to the specified repository
+     * or if the specified artifact is not found.
      */
     public List<MavenArtifact> searchSha1(String sha1) throws IOException {
         if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
             throw new IllegalArgumentException("Invalid SHA1 format");
         }
-
+        List<MavenArtifact> result = null;
         final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
 
         LOGGER.debug("Searching Central url {}", url);
@@ -116,7 +118,7 @@ public class CentralSearch {
                 if ("0".equals(numFound)) {
                     missing = true;
                 } else {
-                    final List<MavenArtifact> result = new ArrayList<MavenArtifact>();
+                    result = new ArrayList<MavenArtifact>();
                     final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
                     for (int i = 0; i < docs.getLength(); i++) {
                         final String g = xpath.evaluate("./str[@name='g']", docs.item(i));
@@ -144,16 +146,12 @@ public class CentralSearch {
                                 useHTTPS = true;
                             }
                         }
-
                         LOGGER.trace("Version: {}", v);
                         result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable, useHTTPS));
                     }
-
-                    return result;
                 }
             } catch (Throwable e) {
-                // Anything else is jacked up XML stuff that we really can't recover
-                // from well
+                // Anything else is jacked up XML stuff that we really can't recover from well
                 throw new IOException(e.getMessage(), e);
             }
 
@@ -162,10 +160,9 @@ public class CentralSearch {
             }
         } else {
             LOGGER.debug("Could not connect to Central received response code: {} {}",
-                conn.getResponseCode(), conn.getResponseMessage());
+                    conn.getResponseCode(), conn.getResponseMessage());
             throw new IOException("Could not connect to Central");
         }
-
-        return null;
+        return result;
     }
 }