From 39c2234e387da121cd0081b12d9686408041388d Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 21 Aug 2016 16:51:09 -0400
Subject: [PATCH] coverity suggested corrections

---
 .../analyzer/DependencyBundlingAnalyzer.java | 3 +
 .../dependencycheck/analyzer/JarAnalyzer.java | 3 +
 .../analyzer/SwiftPackageManagerAnalyzer.java | 67 ++++++++++---------
 .../data/central/CentralSearch.java | 27 ++++----
 4 files changed, 52 insertions(+), 48 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
index 3e4507379..7febee2e3 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -309,10 +309,13 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         String right = rFile.getParent();
         if (left == null) {
             return right == null;
+        } else if (right == null) {
+            return false;
         }
         if (left.equalsIgnoreCase(right)) {
             return true;
         }
+
         if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
             left = getBaseRepoPath(left);
             right = getBaseRepoPath(right);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index 33d57e690..b4e179abd 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
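Review bot: The added `else if (right == null)` branch closes the NPE that `left.equalsIgnoreCase(right)` would raise, but splitting the null handling into two statements after a `return` reads awkwardly; a single guard gives the same result, `if (left == null || right == null) { return left == right; }` (both null is true, exactly one null is false). The two `matches(".*[/\\\\]repository[/\\\\].*")` calls on the following context line recompile the same regex on every comparison; a `private static final Pattern` would avoid that, though this commit does not touch that line. The enclosing method starts and ends outside the hunk.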
@@ -409,6 +409,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         final File file = new File(tmpDir, "pom.xml");
         try {
             final ZipEntry entry = jar.getEntry(path);
+            if (entry == null) {
+                throw new AnalysisException(String.format("Pom (%s)does not exist in %s", path, jar.getName()));
+            }
             input = jar.getInputStream(entry);
             fos = new FileOutputStream(file);
             IOUtils.copy(input, fos);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
index 9daee5428..ef41cfe6e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
@@ -34,8 +34,9 @@ import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * This analyzer is used to analyze the SWIFT Package Manager (https://swift.org/package-manager/).
- * It collects information about a package from Package.swift files.
+ * This analyzer is used to analyze the SWIFT Package Manager
+ * (https://swift.org/package-manager/). It collects information about a package
+ * from Package.swift files.
  *
  * @author Bianca Jiang (https://twitter.com/biancajiang)
  */
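Review bot: The format string on the new throw, `"Pom (%s)does not exist in %s"`, has no space between the closing parenthesis and `does`, so the surfaced message will read `Pom (<path>)does not exist in <jar>`; it should be `"Pom (%s) does not exist in %s"`. The guard itself sits in the right place: it fires before `jar.getInputStream(entry)` and before `fos` is opened, so it leaves nothing to close, assuming the stream cleanup for `input`/`fos` lives in a `finally` outside this hunk. The enclosing method starts and ends outside the hunk.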
@@ -56,22 +57,18 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
      * The file name to scan.
      */
     public static final String SPM_FILE_NAME = "Package.swift";
-    
+
     /**
      * Filter that detects files named "package.json".
      */
     private static final FileFilter SPM_FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(SPM_FILE_NAME).build();
 
     /**
-     * The capture group #1 is the block variable.
-     * e.g.
-     * "import PackageDescription
-     * let package = Package(
-     * name: "Gloss"
-     * )"
+     * The capture group #1 is the block variable. e.g. "import
+     * PackageDescription let package = Package( name: "Gloss" )"
      */
     private static final Pattern SPM_BLOCK_PATTERN = Pattern.compile("let[^=]+=\\s*Package\\s*\\(\\s*([^)]*)\\s*\\)", Pattern.DOTALL);
-    
+
     /**
      * Returns the FileFilter
      *
@@ -108,7 +105,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -120,8 +118,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
 
     @Override
     protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
-        
-        String contents;
+
+        String contents;
         try {
             contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
         } catch (IOException e) {
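Review bot: The Javadoc on `SPM_FILE_FILTER`, kept as context in the `@@ -56` hunk, says the filter detects files named "package.json", but the filter is built from `SPM_FILE_NAME`, which is "Package.swift"; since the neighbouring comments are being reflowed anyway, it should read `* Filter that detects files named "Package.swift".` The reflowed comment on `SPM_BLOCK_PATTERN` also folds the four-line Swift example onto a single line, so the `let package = Package( name: "Gloss" )` sample no longer shows the shape the pattern matches; wrapping the example in `<pre>` … `</pre>` lets the formatter keep its line breaks. The `@@ -108` and `@@ -120` hunks on this line are doc reflow and whitespace only and raise nothing.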
@@ -132,12 +130,13 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
         if (matcher.find()) {
             contents = contents.substring(matcher.end());
             final String packageDescription = matcher.group(1);
-            if(packageDescription.isEmpty())
-                return;
+            if (packageDescription.isEmpty()) {
+                return;
+            }
             final EvidenceCollection product = dependency.getProductEvidence();
             final EvidenceCollection vendor = dependency.getVendorEvidence();
-            
+
             //SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies.
             //Future interesting metadata: version, license, homepage, author, summary, etc.
             final String name = addStringEvidence(product, packageDescription, "name", "name", Confidence.HIGHEST);
@@ -147,30 +146,32 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
         }
         setPackagePath(dependency);
     }
-    
+
     private String addStringEvidence(EvidenceCollection evidences, String packageDescription, String field, String fieldPattern, Confidence confidence) {
         String value = "";
-        
-        final Matcher matcher = Pattern.compile(
+
+        final Matcher matcher = Pattern.compile(
                 String.format("%s *:\\s*\"([^\"]*)", fieldPattern), Pattern.DOTALL).matcher(packageDescription);
-        if(matcher.find()) {
-            value = matcher.group(1);
-        }
-        
-        if(value != null) {
-            value = value.trim();
-            if(value.length() > 0)
-                evidences.addEvidence (SPM_FILE_NAME, field, value, confidence);
-        }
-        
+        if (matcher.find()) {
+            value = matcher.group(1);
+        }
+
+        if (value != null) {
+            value = value.trim();
+            if (value.length() > 0) {
+                evidences.addEvidence(SPM_FILE_NAME, field, value, confidence);
+            }
+        }
+
         return value;
     }
 
     private void setPackagePath(Dependency dep) {
-        File file = new File(dep.getFilePath());
-        String parent = file.getParent();
-        if(parent != null)
-            dep.setPackagePath(parent);
+        final File file = new File(dep.getFilePath());
+        final String parent = file.getParent();
+        if (parent != null) {
+            dep.setPackagePath(parent);
+        }
     }
 }
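Review bot: In `addStringEvidence` (the `@@ -147` hunk) the re-braced `if (value != null)` guard can never be false: `value` starts as `""`, and group 1 of `([^\"]*)` always participates once `find()` succeeds, so `matcher.group(1)` is never null; the guard can go and the length test become `if (!value.isEmpty()) { evidences.addEvidence(SPM_FILE_NAME, field, value, confidence); }`. The pattern is also rebuilt with `Pattern.compile(String.format(...))` on every call; with callers passing literal field names such as `"name"` that is only a cost, but `fieldPattern` is spliced in as regex syntax, so the parameter deserves a one-line Javadoc saying it is a regex fragment supplied by the caller, not a plain field name. The `@@ -132` hunk on this line is a brace fix only; `analyzeFileType` starts outside that hunk.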
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
index d4ba768c1..5a9641dd4 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -61,8 +61,8 @@ public class CentralSearch {
     /**
      * Creates a NexusSearch for the given repository URL.
      *
-     * @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so it should
-     * end in /select)
+     * @param rootURL the URL of the repository on which searches should
+     * execute. Only parameters are added to this (so it should end in /select)
      */
     public CentralSearch(URL rootURL) {
         this.rootURL = rootURL;
@@ -76,18 +76,20 @@ public class CentralSearch {
     }
 
     /**
-     * Searches the configured Central URL for the given sha1 hash. If the artifact is found, a MavenArtifact is
-     * populated with the GAV.
+     * Searches the configured Central URL for the given sha1 hash. If the
+     * artifact is found, a MavenArtifact is populated with the
+     * GAV.
      *
      * @param sha1 the SHA-1 hash string for which to search
      * @return the populated Maven GAV.
-     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
+     * @throws IOException if it's unable to connect to the specified repository
+     * or if the specified artifact is not found.
      */
     public List searchSha1(String sha1) throws IOException {
         if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
             throw new IllegalArgumentException("Invalid SHA1 format");
         }
-        
+        List result = null;
         final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
         LOGGER.debug("Searching Central url {}", url);
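Review bot: The new local `List result = null;` in the `@@ -76` hunk is a raw `List`, and the `@@ -116` hunk assigns it a raw `new ArrayList()`, so the later `result.add(new MavenArtifact(...))` is an unchecked call; `List<MavenArtifact> result = null;` together with `result = new ArrayList<MavenArtifact>();` types the body while leaving the raw `public List` return unchanged for callers. Hoisting the list out of the `else` branch also means the "not found" outcome now reaches the method's end with `result` still null; the Javadoc in this hunk promises an IOException when the artifact is not found, so the code between the `catch` and the final return (not visible in this diff) must throw on the missing case for that contract to hold. The `sha1` check on the context lines already pins the value to 40 hex digits before it is placed in the query, which is the right place for that validation. `searchSha1` continues past this hunk.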
@@ -116,7 +118,7 @@ public class CentralSearch {
                 if ("0".equals(numFound)) {
                     missing = true;
                 } else {
-                    final List result = new ArrayList();
+                    result = new ArrayList();
                     final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
                     for (int i = 0; i < docs.getLength(); i++) {
                         final String g = xpath.evaluate("./str[@name='g']", docs.item(i));
@@ -144,16 +146,12 @@ public class CentralSearch {
                             useHTTPS = true;
                         }
                     }
-                    LOGGER.trace("Version: {}", v);
                     result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable, useHTTPS));
                 }
-
-                return result;
             }
         } catch (Throwable e) {
-            // Anything else is jacked up XML stuff that we really can't recover
-            // from well
+            // Anything else is jacked up XML stuff that we really can't recover from well
             throw new IOException(e.getMessage(), e);
         }
 
@@ -162,10 +160,9 @@ public class CentralSearch {
         }
     } else {
         LOGGER.debug("Could not connect to Central received response code: {} {}",
-                conn.getResponseCode(), conn.getResponseMessage());
+                    conn.getResponseCode(), conn.getResponseMessage());
         throw new IOException("Could not connect to Central");
     }
-
-    return null;
+    return result;
 }
 }
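Review bot: The final `return result;` in the `@@ -162` hunk replaces the old in-branch `return result` plus trailing `return null`, so `searchSha1` now returns null whenever `missing` was set and the code between `@@ -144` and `@@ -162` (not visible here) does not throw; if that stretch does not already raise on `missing`, add an explicit guard before the return, e.g. `if (result == null) { throw new IOException("Could not connect to Central"); }` using whatever message the missing path is meant to carry, so the method honours its "not found → IOException" Javadoc. The `catch (Throwable e)` kept as context in the `@@ -144` hunk also converts `Error`s into an IOException; narrowing it to `Exception` is the usual fix, though this commit does not touch that line. Dropping `LOGGER.trace("Version: {}", v)` is harmless since `v` is still passed to the `MavenArtifact` constructor on the next line.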