coverity suggested corrections

This commit is contained in:
Jeremy Long
2016-08-21 16:51:09 -04:00
parent f4fff5d9cb
commit 39c2234e38
4 changed files with 52 additions and 48 deletions


@@ -309,10 +309,13 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
String right = rFile.getParent(); String right = rFile.getParent();
if (left == null) { if (left == null) {
return right == null; return right == null;
} else if (right == null) {
return false;
} }
if (left.equalsIgnoreCase(right)) { if (left.equalsIgnoreCase(right)) {
return true; return true;
} }
if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) { if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
left = getBaseRepoPath(left); left = getBaseRepoPath(left);
right = getBaseRepoPath(right); right = getBaseRepoPath(right);
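Review bot: `left.matches(".*[/\\\\]repository[/\\\\].*")` and the same call on `right` compile an identical regex on every invocation of this comparison, which presumably runs for many dependency pairs; hoist it to `private static final Pattern REPO_PATH = Pattern.compile(".*[/\\\\]repository[/\\\\].*");` and test with `REPO_PATH.matcher(left).matches() && REPO_PATH.matcher(right).matches()`. The added `else if (right == null)` branch is what keeps that `right.matches(...)` from dereferencing null, and deserves a one-line comment such as `// a null parent on either side means the two paths cannot share a base`. The enclosing method starts before this hunk and continues past it.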


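--- a/PATH-NOT-ON-PAGE/JarAnalyzer.java
+++ b/PATH-NOT-ON-PAGE/JarAnalyzer.java
@@ -409,6 +409,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         final File file = new File(tmpDir, "pom.xml");
         try {
             final ZipEntry entry = jar.getEntry(path);
+            if (entry == null) {
+                throw new AnalysisException(String.format("Pom (%s)does not exist in %s", path, jar.getName()));
+            }
             input = jar.getInputStream(entry);
             fos = new FileOutputStream(file);
             IOUtils.copy(input, fos);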
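Review bot: The message built in the new null-entry guard lacks a space after the closing parenthesis and will render as `Pom (x)does not exist in y`; change it to `String.format("Pom (%s) does not exist in %s", path, jar.getName())`. Because the throw now happens before `input` and `fos` are assigned, the stream cleanup that presumably follows this try block (outside the hunk) has to tolerate both references still being null. The enclosing try block and method start before this hunk and continue past it.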


@@ -34,8 +34,9 @@ import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.Settings;
/** /**
* This analyzer is used to analyze the SWIFT Package Manager (https://swift.org/package-manager/). * This analyzer is used to analyze the SWIFT Package Manager
* It collects information about a package from Package.swift files. * (https://swift.org/package-manager/). It collects information about a package
* from Package.swift files.
* *
* @author Bianca Jiang (https://twitter.com/biancajiang) * @author Bianca Jiang (https://twitter.com/biancajiang)
*/ */
@@ -56,22 +57,18 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
* The file name to scan. * The file name to scan.
*/ */
public static final String SPM_FILE_NAME = "Package.swift"; public static final String SPM_FILE_NAME = "Package.swift";
/** /**
* Filter that detects files named "package.json". * Filter that detects files named "package.json".
*/ */
private static final FileFilter SPM_FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(SPM_FILE_NAME).build(); private static final FileFilter SPM_FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(SPM_FILE_NAME).build();
/** /**
* The capture group #1 is the block variable. * The capture group #1 is the block variable. e.g. "import
* e.g. * PackageDescription let package = Package( name: "Gloss" )"
* "import PackageDescription
* let package = Package(
* name: "Gloss"
* )"
*/ */
private static final Pattern SPM_BLOCK_PATTERN = Pattern.compile("let[^=]+=\\s*Package\\s*\\(\\s*([^)]*)\\s*\\)", Pattern.DOTALL); private static final Pattern SPM_BLOCK_PATTERN = Pattern.compile("let[^=]+=\\s*Package\\s*\\(\\s*([^)]*)\\s*\\)", Pattern.DOTALL);
/** /**
* Returns the FileFilter * Returns the FileFilter
* *
@@ -108,7 +105,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
} }
/** /**
* Returns the key used in the properties file to reference the analyzer's enabled property. * Returns the key used in the properties file to reference the analyzer's
* enabled property.
* *
* @return the analyzer's enabled property setting key * @return the analyzer's enabled property setting key
*/ */
@@ -120,8 +118,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
@Override @Override
protected void analyzeFileType(Dependency dependency, Engine engine) protected void analyzeFileType(Dependency dependency, Engine engine)
throws AnalysisException { throws AnalysisException {
String contents; String contents;
try { try {
contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset()); contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
} catch (IOException e) { } catch (IOException e) {
@@ -132,12 +130,13 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
if (matcher.find()) { if (matcher.find()) {
contents = contents.substring(matcher.end()); contents = contents.substring(matcher.end());
final String packageDescription = matcher.group(1); final String packageDescription = matcher.group(1);
if(packageDescription.isEmpty()) if (packageDescription.isEmpty()) {
return; return;
}
final EvidenceCollection product = dependency.getProductEvidence(); final EvidenceCollection product = dependency.getProductEvidence();
final EvidenceCollection vendor = dependency.getVendorEvidence(); final EvidenceCollection vendor = dependency.getVendorEvidence();
//SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies. //SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies.
//Future interesting metadata: version, license, homepage, author, summary, etc. //Future interesting metadata: version, license, homepage, author, summary, etc.
final String name = addStringEvidence(product, packageDescription, "name", "name", Confidence.HIGHEST); final String name = addStringEvidence(product, packageDescription, "name", "name", Confidence.HIGHEST);
@@ -147,30 +146,32 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
} }
setPackagePath(dependency); setPackagePath(dependency);
} }
private String addStringEvidence(EvidenceCollection evidences, private String addStringEvidence(EvidenceCollection evidences,
String packageDescription, String field, String fieldPattern, Confidence confidence) { String packageDescription, String field, String fieldPattern, Confidence confidence) {
String value = ""; String value = "";
final Matcher matcher = Pattern.compile( final Matcher matcher = Pattern.compile(
String.format("%s *:\\s*\"([^\"]*)", fieldPattern), Pattern.DOTALL).matcher(packageDescription); String.format("%s *:\\s*\"([^\"]*)", fieldPattern), Pattern.DOTALL).matcher(packageDescription);
if(matcher.find()) { if (matcher.find()) {
value = matcher.group(1); value = matcher.group(1);
} }
if(value != null) { if (value != null) {
value = value.trim(); value = value.trim();
if(value.length() > 0) if (value.length() > 0) {
evidences.addEvidence (SPM_FILE_NAME, field, value, confidence); evidences.addEvidence(SPM_FILE_NAME, field, value, confidence);
} }
}
return value; return value;
} }
private void setPackagePath(Dependency dep) { private void setPackagePath(Dependency dep) {
File file = new File(dep.getFilePath()); final File file = new File(dep.getFilePath());
String parent = file.getParent(); final String parent = file.getParent();
if(parent != null) if (parent != null) {
dep.setPackagePath(parent); dep.setPackagePath(parent);
}
} }
} }
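Review bot: `FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset())` in `analyzeFileType` decodes Package.swift with the JVM's platform charset, so a manifest with non-ASCII package or dependency names can decode differently from one scanning host to another and the recorded evidence will differ with it; Swift source is UTF-8, so pass `StandardCharsets.UTF_8` instead (the import block is outside the hunk). Separately, the Javadoc on `SPM_FILE_FILTER` still reads `Filter that detects files named "package.json".` although the filter is built from `SPM_FILE_NAME`, i.e. `Package.swift`; it should say `Filter that detects files named "Package.swift".`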


@@ -61,8 +61,8 @@ public class CentralSearch {
/** /**
* Creates a NexusSearch for the given repository URL. * Creates a NexusSearch for the given repository URL.
* *
* @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so it should * @param rootURL the URL of the repository on which searches should
* end in /select) * execute. Only parameters are added to this (so it should end in /select)
*/ */
public CentralSearch(URL rootURL) { public CentralSearch(URL rootURL) {
this.rootURL = rootURL; this.rootURL = rootURL;
@@ -76,18 +76,20 @@ public class CentralSearch {
} }
/** /**
* Searches the configured Central URL for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is * Searches the configured Central URL for the given sha1 hash. If the
* populated with the GAV. * artifact is found, a <code>MavenArtifact</code> is populated with the
* GAV.
* *
* @param sha1 the SHA-1 hash string for which to search * @param sha1 the SHA-1 hash string for which to search
* @return the populated Maven GAV. * @return the populated Maven GAV.
* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found. * @throws IOException if it's unable to connect to the specified repository
* or if the specified artifact is not found.
*/ */
public List<MavenArtifact> searchSha1(String sha1) throws IOException { public List<MavenArtifact> searchSha1(String sha1) throws IOException {
if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) { if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
throw new IllegalArgumentException("Invalid SHA1 format"); throw new IllegalArgumentException("Invalid SHA1 format");
} }
List<MavenArtifact> result = null;
final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1)); final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
LOGGER.debug("Searching Central url {}", url); LOGGER.debug("Searching Central url {}", url);
@@ -116,7 +118,7 @@ public class CentralSearch {
if ("0".equals(numFound)) { if ("0".equals(numFound)) {
missing = true; missing = true;
} else { } else {
final List<MavenArtifact> result = new ArrayList<MavenArtifact>(); result = new ArrayList<MavenArtifact>();
final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET); final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
for (int i = 0; i < docs.getLength(); i++) { for (int i = 0; i < docs.getLength(); i++) {
final String g = xpath.evaluate("./str[@name='g']", docs.item(i)); final String g = xpath.evaluate("./str[@name='g']", docs.item(i));
@@ -144,16 +146,12 @@ public class CentralSearch {
useHTTPS = true; useHTTPS = true;
} }
} }
LOGGER.trace("Version: {}", v); LOGGER.trace("Version: {}", v);
result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable, useHTTPS)); result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable, useHTTPS));
} }
return result;
} }
} catch (Throwable e) { } catch (Throwable e) {
// Anything else is jacked up XML stuff that we really can't recover // Anything else is jacked up XML stuff that we really can't recover from well
// from well
throw new IOException(e.getMessage(), e); throw new IOException(e.getMessage(), e);
} }
@@ -162,10 +160,9 @@ public class CentralSearch {
} }
} else { } else {
LOGGER.debug("Could not connect to Central received response code: {} {}", LOGGER.debug("Could not connect to Central received response code: {} {}",
conn.getResponseCode(), conn.getResponseMessage()); conn.getResponseCode(), conn.getResponseMessage());
throw new IOException("Could not connect to Central"); throw new IOException("Could not connect to Central");
} }
return result;
return null;
} }
} }
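Review bot: After this change `searchSha1` ends with `return result;`, but `result` is only assigned inside the `else` branch of the `"0".equals(numFound)` check, so any path that reaches the end without taking that branch and without throwing (the `missing` handling sits outside the hunks, so I can only infer what it does) hands callers a null `List<MavenArtifact>` rather than an empty one, exactly as the old `return null;` did. Initialise it as `List<MavenArtifact> result = new ArrayList<MavenArtifact>();` or return `Collections.emptyList()` for the not-found case, and state the contract in the `@return` tag, which currently promises "the populated Maven GAV". The same hunk keeps `catch (Throwable e)`, which also wraps `Error`s such as `OutOfMemoryError` into an `IOException`; `catch (Exception e)` is the narrower choice.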