diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
index 3e4507379..7febee2e3 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -309,10 +309,13 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
String right = rFile.getParent();
if (left == null) {
return right == null;
+ } else if (right == null) {
+ return false;
}
if (left.equalsIgnoreCase(right)) {
return true;
}
+
if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
left = getBaseRepoPath(left);
right = getBaseRepoPath(right);
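Review bot: The added `right == null` guard is needed for the `right.matches(...)` call a few lines further down rather than for `equalsIgnoreCase`, which already tolerates a null argument; a comment such as `// right.matches() below would NPE on a null parent` would tell the next reader why it exists. Both `String.matches` calls recompile the repository regex on every invocation of what looks like a pairwise path comparison; hoisting it to `private static final Pattern REPO_PATH = Pattern.compile(".*[/\\\\]repository[/\\\\].*");` and testing `REPO_PATH.matcher(left).matches()` avoids that. The enclosing method starts and ends outside this hunk.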
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index 33d57e690..b4e179abd 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -409,6 +409,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
final File file = new File(tmpDir, "pom.xml");
try {
final ZipEntry entry = jar.getEntry(path);
+ if (entry == null) {
+ throw new AnalysisException(String.format("Pom (%s)does not exist in %s", path, jar.getName()));
+ }
input = jar.getInputStream(entry);
fos = new FileOutputStream(file);
IOUtils.copy(input, fos);
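Review bot: The new exception message at the `entry == null` check is missing a space after the closing parenthesis; it should read `"Pom (%s) does not exist in %s"`. The check itself is the right fix, since `jar.getInputStream(null)` would otherwise fail with a far less informative NullPointerException. The destination file is fixed to `tmpDir/pom.xml` and `path` is only used for the entry lookup, so no entry-name-controlled write is introduced here; the try block and the cleanup of `input`/`fos` continue outside this hunk.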
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
index 9daee5428..ef41cfe6e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
@@ -34,8 +34,9 @@ import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
/**
- * This analyzer is used to analyze the SWIFT Package Manager (https://swift.org/package-manager/).
- * It collects information about a package from Package.swift files.
+ * This analyzer is used to analyze the SWIFT Package Manager
+ * (https://swift.org/package-manager/). It collects information about a package
+ * from Package.swift files.
*
* @author Bianca Jiang (https://twitter.com/biancajiang)
*/
@@ -56,22 +57,18 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
* The file name to scan.
*/
public static final String SPM_FILE_NAME = "Package.swift";
-
+
/**
* Filter that detects files named "package.json".
*/
private static final FileFilter SPM_FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(SPM_FILE_NAME).build();
/**
- * The capture group #1 is the block variable.
- * e.g.
- * "import PackageDescription
- * let package = Package(
- * name: "Gloss"
- * )"
+ * The capture group #1 is the block variable. e.g. "import
+ * PackageDescription let package = Package( name: "Gloss" )"
*/
private static final Pattern SPM_BLOCK_PATTERN = Pattern.compile("let[^=]+=\\s*Package\\s*\\(\\s*([^)]*)\\s*\\)", Pattern.DOTALL);
-
+
/**
* Returns the FileFilter
*
@@ -108,7 +105,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Returns the key used in the properties file to reference the analyzer's enabled property.
+ * Returns the key used in the properties file to reference the analyzer's
+ * enabled property.
*
* @return the analyzer's enabled property setting key
*/
@@ -120,8 +118,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
throws AnalysisException {
-
- String contents;
+
+ String contents;
try {
contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
} catch (IOException e) {
@@ -132,12 +130,13 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
if (matcher.find()) {
contents = contents.substring(matcher.end());
final String packageDescription = matcher.group(1);
- if(packageDescription.isEmpty())
- return;
+ if (packageDescription.isEmpty()) {
+ return;
+ }
final EvidenceCollection product = dependency.getProductEvidence();
final EvidenceCollection vendor = dependency.getVendorEvidence();
-
+
//SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies.
//Future interesting metadata: version, license, homepage, author, summary, etc.
final String name = addStringEvidence(product, packageDescription, "name", "name", Confidence.HIGHEST);
@@ -147,30 +146,32 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
}
setPackagePath(dependency);
}
-
+
private String addStringEvidence(EvidenceCollection evidences,
String packageDescription, String field, String fieldPattern, Confidence confidence) {
String value = "";
-
- final Matcher matcher = Pattern.compile(
+
+ final Matcher matcher = Pattern.compile(
String.format("%s *:\\s*\"([^\"]*)", fieldPattern), Pattern.DOTALL).matcher(packageDescription);
- if(matcher.find()) {
- value = matcher.group(1);
- }
-
- if(value != null) {
- value = value.trim();
- if(value.length() > 0)
- evidences.addEvidence (SPM_FILE_NAME, field, value, confidence);
- }
-
+ if (matcher.find()) {
+ value = matcher.group(1);
+ }
+
+ if (value != null) {
+ value = value.trim();
+ if (value.length() > 0) {
+ evidences.addEvidence(SPM_FILE_NAME, field, value, confidence);
+ }
+ }
+
return value;
}
private void setPackagePath(Dependency dep) {
- File file = new File(dep.getFilePath());
- String parent = file.getParent();
- if(parent != null)
- dep.setPackagePath(parent);
+ final File file = new File(dep.getFilePath());
+ final String parent = file.getParent();
+ if (parent != null) {
+ dep.setPackagePath(parent);
+ }
}
}
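Review bot: In `addStringEvidence` the `if (value != null)` branch reformatted here is dead: `value` starts as `""` and capture group 1 of `([^\"]*)` always participates in a successful match, so `matcher.group(1)` cannot return null. The method reads more honestly as `if (matcher.find()) { value = matcher.group(1).trim(); }` followed by `if (!value.isEmpty()) { evidences.addEvidence(SPM_FILE_NAME, field, value, confidence); }`. `Pattern.compile` also runs on every call with `fieldPattern` spliced in as a raw regex fragment; the only visible caller passes the literal `"name"`, but wrapping it in `Pattern.quote(fieldPattern)` would make that intent explicit should the field list ever become data-driven.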
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
index d4ba768c1..5a9641dd4 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -61,8 +61,8 @@ public class CentralSearch {
/**
* Creates a NexusSearch for the given repository URL.
*
- * @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so it should
- * end in /select)
+ * @param rootURL the URL of the repository on which searches should
+ * execute. Only parameters are added to this (so it should end in /select)
*/
public CentralSearch(URL rootURL) {
this.rootURL = rootURL;
@@ -76,18 +76,20 @@ public class CentralSearch {
}
/**
- * Searches the configured Central URL for the given sha1 hash. If the artifact is found, a MavenArtifact is
- * populated with the GAV.
+ * Searches the configured Central URL for the given sha1 hash. If the
+ * artifact is found, a MavenArtifact is populated with the
+ * GAV.
*
* @param sha1 the SHA-1 hash string for which to search
* @return the populated Maven GAV.
- * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
+ * @throws IOException if it's unable to connect to the specified repository
+ * or if the specified artifact is not found.
*/
public List searchSha1(String sha1) throws IOException {
if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
throw new IllegalArgumentException("Invalid SHA1 format");
}
-
+ List result = null;
final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
LOGGER.debug("Searching Central url {}", url);
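Review bot: The hoisted `List result = null;` is a raw type, and after the single-exit refactor the declaration sits far from the `result.add(new MavenArtifact(...))` that fixes its element type; declaring it `List<MavenArtifact> result = null;` (and `new ArrayList<>()` where it is created) gives the compiler that information and removes the unchecked warning at call sites. Changing the signature at the top of this hunk to `public List<MavenArtifact> searchSha1(String sha1)` at the same time keeps existing raw-typed callers compiling. The SHA-1 argument is validated against `^[0-9A-Fa-f]{40}$` before being interpolated into the query, so the URL built on the following line is safe with respect to that input.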
@@ -116,7 +118,7 @@ public class CentralSearch {
if ("0".equals(numFound)) {
missing = true;
} else {
- final List result = new ArrayList();
+ result = new ArrayList();
final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
for (int i = 0; i < docs.getLength(); i++) {
final String g = xpath.evaluate("./str[@name='g']", docs.item(i));
@@ -144,16 +146,12 @@ public class CentralSearch {
useHTTPS = true;
}
}
-
LOGGER.trace("Version: {}", v);
result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable, useHTTPS));
}
-
- return result;
}
} catch (Throwable e) {
- // Anything else is jacked up XML stuff that we really can't recover
- // from well
+ // Anything else is jacked up XML stuff that we really can't recover from well
throw new IOException(e.getMessage(), e);
}
@@ -162,10 +160,9 @@ public class CentralSearch {
}
} else {
LOGGER.debug("Could not connect to Central received response code: {} {}",
- conn.getResponseCode(), conn.getResponseMessage());
+ conn.getResponseCode(), conn.getResponseMessage());
throw new IOException("Could not connect to Central");
}
-
- return null;
+ return result;
}
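Review bot: With the early `return result` removed, the trailing `return result;` is reached with `result` still null whenever the response-handling branch neither populates it nor throws; the `missing = true` path sets up exactly that situation and its handling lies between the hunks, outside my view. If that path does not throw, the method now returns null while the Javadoc promises an IOException for an artifact that is not found; either initialise `result` to an empty list or document `@return the populated Maven GAV, or null if the artifact is not found` so callers know to check. The method body starts outside this hunk.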
}