diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml
index 12b562c94..c3504b6e2 100644
--- a/dependency-check-ant/pom.xml
+++ b/dependency-check-ant/pom.xml
@@ -288,7 +288,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
${reporting.pmd-plugin.version}1.6
- true
+ trueutf-8**/generated/*.java
diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
index 83b344907..c68fefdb8 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
@@ -69,9 +69,8 @@ public class Check extends Update {
* Whether the CMake analyzer should be enabled.
*/
private Boolean cmakeAnalyzerEnabled;
-
/**
- * Whether or not the openssl analyzer is enabled.
+ * Whether or not the Open SSL analyzer is enabled.
*/
private Boolean opensslAnalyzerEnabled;
/**
@@ -90,7 +89,6 @@ public class Check extends Update {
* Whether or not the nexus analyzer is enabled.
*/
private Boolean nexusAnalyzerEnabled;
-
/**
* The URL of a Nexus server's REST API end point
* (http://domain/nexus/service/local).
@@ -109,7 +107,7 @@ public class Check extends Update {
* The path to Mono for .NET assembly analysis on non-windows systems.
*/
private String pathToMono;
-
+
/**
* The application name for the report.
*
@@ -121,7 +119,6 @@ public class Check extends Update {
* The name of the project being analyzed.
*/
private String projectName = "dependency-check";
-
/**
* Specifies the destination directory for the generated Dependency-Check
* report.
@@ -189,7 +186,8 @@ public class Check extends Update {
/**
* Whether or not the .NET Assembly Analyzer is enabled.
*/
- private Boolean assemblyAnalyzerEnabled; /**
+ private Boolean assemblyAnalyzerEnabled;
+ /**
* Whether the autoconf analyzer should be enabled.
*/
private Boolean autoconfAnalyzerEnabled;
@@ -213,9 +211,9 @@ public class Check extends Update {
*/
private Resources path = null;
/**
- * Reference to path/fileset to convert
+ * Reference to path/file set to convert
*/
- private Reference refid = null;
+ private Reference refId = null;
/**
* Add an arbitrary ResourceCollection.
@@ -225,7 +223,7 @@ public class Check extends Update {
*/
public void add(ResourceCollection rc) {
if (isReference()) {
- throw new BuildException("Nested elements are not allowed when using the refid attribute.");
+ throw new BuildException("Nested elements are not allowed when using the refId attribute.");
}
getPath().add(rc);
}
@@ -245,12 +243,12 @@ public class Check extends Update {
}
/**
- * Learn whether the refid attribute of this element been set.
+ * Learn whether the refId attribute of this element been set.
*
- * @return true if refid is valid.
+ * @return true if refId is valid.
*/
public boolean isReference() {
- return refid != null;
+ return refId != null;
}
/**
@@ -259,11 +257,11 @@ public class Check extends Update {
*
* @param r the reference to a path, fileset, dirset or filelist.
*/
- public void setRefid(Reference r) {
+ public synchronized void setRefId(Reference r) {
if (path != null) {
- throw new BuildException("Nested elements are not allowed when using the refid attribute.");
+ throw new BuildException("Nested elements are not allowed when using the refId attribute.");
}
- refid = r;
+ refId = r;
}
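Review bot: `synchronized` is added only to `setRefId`, but `add(ResourceCollection)` and `isReference()` read and write the same `path`/`refId` pair without any lock, so the modifier guards nothing by itself. If the intent is to keep the guard from the Ant code this section was copied from, `add` and the `getPath()` accessor need the same treatment; if the task is only ever configured on one thread, dropping the modifier is the simpler fix. Separately, the message now reads `refId attribute` while the build-file attribute users write is `refid`; Ant's introspection matches setter names case-insensitively as far as I recall, so the rename works, but the message should still quote the attribute as the user spells it, e.g. `"Nested elements are not allowed when using the refid attribute."`.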
/**
@@ -274,9 +272,9 @@ public class Check extends Update {
*/
private void dealWithReferences() throws BuildException {
if (isReference()) {
- final Object o = refid.getReferencedObject(getProject());
+ final Object o = refId.getReferencedObject(getProject());
if (!(o instanceof ResourceCollection)) {
- throw new BuildException("refid '" + refid.getRefId()
+ throw new BuildException("refId '" + refId.getRefId()
+ "' does not refer to a resource collection.");
}
getPath().add((ResourceCollection) o);
@@ -284,7 +282,6 @@ public class Check extends Update {
}
// END COPY from org.apache.tools.ant.taskdefs
-
/**
* Construct a new DependencyCheckTask.
*/
@@ -317,6 +314,7 @@ public class Check extends Update {
public void setApplicationName(String applicationName) {
this.applicationName = applicationName;
}
+
/**
* Get the value of projectName.
*
@@ -470,6 +468,7 @@ public class Check extends Update {
public void setHintsFile(String hintsFile) {
this.hintsFile = hintsFile;
}
+
/**
* Get the value of showSummary.
*
@@ -670,9 +669,9 @@ public class Check extends Update {
}
/**
- * Returns if the cocoapods analyyzer is enabled.
+ * Returns if the cocoapods analyzer is enabled.
*
- * @return if the cocoapods analyyzer is enabled
+ * @return if the cocoapods analyzer is enabled
*/
public boolean isCocoapodsAnalyzerEnabled() {
return cocoapodsAnalyzerEnabled;
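Review bot: `isCocoapodsAnalyzerEnabled()` returns a primitive `boolean` from what, judging by the sibling `private Boolean …AnalyzerEnabled` fields declared earlier in this file, is a `Boolean` field, so a build file that never sets the attribute yields a `NullPointerException` on auto-unboxing rather than a default. If the field is indeed `Boolean`, either keep the getter as `Boolean` (matching how the other flags are presumably pushed into `Settings`) or guard it: `return cocoapodsAnalyzerEnabled != null && cocoapodsAnalyzerEnabled;` with the javadoc stating that an unset flag reads as disabled.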
@@ -924,7 +923,7 @@ public class Check extends Update {
log(ex.getMessage(), Project.MSG_ERR);
}
} else {
- for (Resource resource : path) {
+ for (Resource resource : getPath()) {
final FileProvider provider = resource.as(FileProvider.class);
if (provider != null) {
final File file = provider.getFile();
@@ -942,7 +941,7 @@ public class Check extends Update {
}
}
DatabaseProperties prop = null;
- CveDB cve = null;
+ CveDB cve;
try {
cve = CveDB.getInstance();
prop = cve.getDatabaseProperties();
@@ -950,7 +949,7 @@ public class Check extends Update {
//TODO shouldn't this be a fatal exception
log("Unable to retrieve DB Properties", ex, Project.MSG_DEBUG);
}
-
+
final ReportGenerator reporter = new ReportGenerator(getProjectName(), engine.getDependencies(), engine.getAnalyzers(), prop);
reporter.generateReports(reportOutputDirectory, reportFormat);
@@ -988,7 +987,7 @@ public class Check extends Update {
* @throws BuildException if the task was not configured correctly.
*/
private void validateConfiguration() throws BuildException {
- if (path == null) {
+ if (getPath() == null) {
throw new BuildException("No project dependencies have been defined to analyze.");
}
if (failBuildOnCVSS < 0 || failBuildOnCVSS > 11) {
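Review bot: The change from `path == null` to `getPath() == null` likely makes the "No project dependencies have been defined" check dead code. In the Ant code this was copied from, `getPath()` lazily instantiates the `Resources` collection when `path` is null, and the call in the scanning loop above (`for (Resource resource : getPath())`) suggests the same here; if so, the accessor never returns null and an empty configuration silently scans nothing. Keep the raw field, `if (path == null && !isReference())`, or validate emptiness after `dealWithReferences()` has run, e.g. `if (getPath().isEmpty())`. I cannot see `getPath()` in this diff, so please confirm its null behaviour.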
diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
index 3bc335fb0..23f520f35 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
@@ -95,6 +95,12 @@ public class Purge extends Task {
this.failOnError = failOnError;
}
+ /**
+ * Executes the dependency-check purge to delete the existing local copy of
+ * the NVD CVE data.
+ *
+ * @throws BuildException thrown if there is a problem deleting the file(s)
+ */
@Override
public void execute() throws BuildException {
populateSettings();
@@ -138,9 +144,7 @@ public class Purge extends Task {
*/
protected void populateSettings() throws BuildException {
Settings.initialize();
- InputStream taskProperties = null;
- try {
- taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
+ try (InputStream taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE)) {
Settings.mergeProperties(taskProperties);
} catch (IOException ex) {
final String msg = "Unable to load the dependency-check ant task.properties file.";
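Review bot: `getResourceAsStream(PROPERTIES_FILE)` returns null when the resource is missing from the jar; try-with-resources tolerates a null resource, so the null now flows straight into `Settings.mergeProperties(null)` instead of being reported as a missing task.properties file. Add an explicit check before the merge, `if (taskProperties == null) { throw new BuildException("Unable to locate " + PROPERTIES_FILE + " on the classpath."); }`, since the catch only covers `IOException`. Note also that a failure in the implicit `close()` is now caught by the same handler and reported as "Unable to load", whereas the old `finally` logged it at debug; that is acceptable but worth a one-line comment. The method continues past the end of this hunk.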
@@ -148,14 +152,6 @@ public class Purge extends Task {
throw new BuildException(msg, ex);
}
log(msg, ex, Project.MSG_WARN);
- } finally {
- if (taskProperties != null) {
- try {
- taskProperties.close();
- } catch (IOException ex) {
- log("", ex, Project.MSG_DEBUG);
- }
- }
}
if (dataDirectory != null) {
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
diff --git a/dependency-check-ant/src/test/resources/build.xml b/dependency-check-ant/src/test/resources/build.xml
index 4cc90e346..11808a5b9 100644
--- a/dependency-check-ant/src/test/resources/build.xml
+++ b/dependency-check-ant/src/test/resources/build.xml
@@ -61,11 +61,14 @@
+ failBuildOnCVSS="3">
+
+
+
diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml
index 90052b41b..e62681f64 100644
--- a/dependency-check-cli/pom.xml
+++ b/dependency-check-cli/pom.xml
@@ -196,7 +196,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
${reporting.pmd-plugin.version}1.6
- true
+ trueutf-8**/generated/*.java
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
index 7b6d8d354..506ae0cac 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -223,13 +223,13 @@ public class App {
int retCode = 0;
try {
engine = new Engine();
- final List antStylePaths = new ArrayList();
+ final List antStylePaths = new ArrayList<>();
for (String file : files) {
final String antPath = ensureCanonicalPath(file);
antStylePaths.add(antPath);
}
- final Set paths = new HashSet();
+ final Set paths = new HashSet<>();
for (String file : antStylePaths) {
LOGGER.debug("Scanning {}", file);
final DirectoryScanner scanner = new DirectoryScanner();
@@ -282,10 +282,8 @@ public class App {
exCol = ex;
}
final List dependencies = engine.getDependencies();
- DatabaseProperties prop = null;
- CveDB cve = null;
- cve = CveDB.getInstance();
- prop = cve.getDatabaseProperties();
+ final CveDB cve = CveDB.getInstance();
+ final DatabaseProperties prop = cve.getDatabaseProperties();
final ReportGenerator report = new ReportGenerator(applicationName, dependencies, engine.getAnalyzers(), prop);
try {
report.generateReports(reportDirectory, outputFormat);
@@ -461,7 +459,7 @@ public class App {
encoder.setPattern("%d %C:%L%n%-5level - %msg%n");
encoder.setContext(context);
encoder.start();
- final FileAppender fa = new FileAppender();
+ final FileAppender fa = new FileAppender<>();
fa.setAppend(true);
fa.setEncoder(encoder);
fa.setContext(context);
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
index 9a488719d..5be1c2d92 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -249,7 +249,7 @@ public final class CliParser {
final Option excludes = Option.builder().argName("pattern").hasArg().longOpt(ARGUMENT.EXCLUDE)
.desc("Specify and exclusion pattern. This option can be specified multiple times"
- + " and it accepts Ant style excludsions.")
+ + " and it accepts Ant style exclusions.")
.build();
final Option props = Option.builder(ARGUMENT.PROP_SHORT).argName("file").hasArg().longOpt(ARGUMENT.PROP)
@@ -286,7 +286,7 @@ public final class CliParser {
.build();
final Option experimentalEnabled = Option.builder().longOpt(ARGUMENT.EXPERIMENTAL)
- .desc("Enables the experimental analzers.")
+ .desc("Enables the experimental analyzers.")
.build();
final Option failOnCVSS = Option.builder().argName("score").hasArg().longOpt(ARGUMENT.FAIL_ON_CVSS)
diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml
index 8aadf06da..dc7590c6c 100644
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -244,7 +244,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
${reporting.pmd-plugin.version}1.6
- true
+ trueutf-8**/generated/*.java
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java
index ef1e00372..7f96e269c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java
@@ -86,7 +86,6 @@ public class AnalysisTask implements Callable {
* Executes the analysis task.
*
* @return null
- * @throws Exception thrown if unable to execute the analysis task
*/
@Override
public Void call() {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
index f39e345ef..14c9a4e2a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -76,7 +76,7 @@ public class Engine implements FileFilter {
/**
* A Map of analyzers grouped by Analysis phase.
*/
- private final Set fileTypeAnalyzers = new HashSet();
+ private final Set fileTypeAnalyzers = new HashSet<>();
/**
* The ClassLoader to use when dynamically loading Analyzer and Update
@@ -145,7 +145,7 @@ public class Engine implements FileFilter {
for (AnalysisPhase phase : AnalysisPhase.values()) {
analyzers.put(phase, new ArrayList());
}
-
+
final AnalyzerService service = new AnalyzerService(serviceClassLoader);
final List iterator = service.getAnalyzers();
for (Analyzer a : iterator) {
@@ -281,7 +281,7 @@ public class Engine implements FileFilter {
* @since v1.4.4
*/
public List scan(File[] files, String projectReference) {
- final List deps = new ArrayList();
+ final List deps = new ArrayList<>();
for (File file : files) {
final List d = scan(file, projectReference);
if (d != null) {
@@ -316,7 +316,7 @@ public class Engine implements FileFilter {
* @since v1.4.4
*/
public List scan(Collection files, String projectReference) {
- final List deps = new ArrayList();
+ final List deps = new ArrayList<>();
for (File file : files) {
final List d = scan(file, projectReference);
if (d != null) {
@@ -357,7 +357,7 @@ public class Engine implements FileFilter {
} else {
final Dependency d = scanFile(file, projectReference);
if (d != null) {
- final List deps = new ArrayList();
+ final List deps = new ArrayList<>();
deps.add(d);
return deps;
}
@@ -509,7 +509,7 @@ public class Engine implements FileFilter {
} catch (DatabaseException ex) {
throwFatalExceptionCollection("Unable to connect to the dependency-check database.", ex, exceptions);
}
-
+
LOGGER.debug("\n----------------------------------------------------\nBEGIN ANALYSIS\n----------------------------------------------------");
LOGGER.info("Analysis Started");
final long analysisStart = System.currentTimeMillis();
@@ -517,7 +517,7 @@ public class Engine implements FileFilter {
// analysis phases
for (AnalysisPhase phase : AnalysisPhase.values()) {
final List analyzerList = analyzers.get(phase);
-
+
for (final Analyzer analyzer : analyzerList) {
final long analyzerStart = System.currentTimeMillis();
try {
@@ -526,10 +526,10 @@ public class Engine implements FileFilter {
exceptions.add(ex);
continue;
}
-
+
if (analyzer.isEnabled()) {
executeAnalysisTasks(analyzer, exceptions);
-
+
final long analyzerDurationMillis = System.currentTimeMillis() - analyzerStart;
final long analyzerDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(analyzerDurationMillis);
LOGGER.info("Finished {} ({} seconds)", analyzer.getName(), analyzerDurationSeconds);
@@ -540,12 +540,12 @@ public class Engine implements FileFilter {
}
for (AnalysisPhase phase : AnalysisPhase.values()) {
final List analyzerList = analyzers.get(phase);
-
+
for (Analyzer a : analyzerList) {
closeAnalyzer(a);
}
}
-
+
LOGGER.debug("\n----------------------------------------------------\nEND ANALYSIS\n----------------------------------------------------");
final long analysisDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - analysisStart);
LOGGER.info("Analysis Complete ({} seconds)", analysisDurationSeconds);
@@ -566,7 +566,7 @@ public class Engine implements FileFilter {
LOGGER.debug("Starting {}", analyzer.getName());
final List analysisTasks = getAnalysisTasks(analyzer, exceptions);
final ExecutorService executorService = getExecutorService(analyzer);
-
+
try {
final List> results = executorService.invokeAll(analysisTasks, 10, TimeUnit.MINUTES);
@@ -626,11 +626,10 @@ public class Engine implements FileFilter {
* Initializes the given analyzer.
*
* @param analyzer the analyzer to initialize
- * @return the initialized analyzer
* @throws InitializationException thrown when there is a problem
* initializing the analyzer
*/
- protected Analyzer initializeAnalyzer(Analyzer analyzer) throws InitializationException {
+ protected void initializeAnalyzer(Analyzer analyzer) throws InitializationException {
try {
LOGGER.debug("Initializing {}", analyzer.getName());
analyzer.initialize();
@@ -653,7 +652,6 @@ public class Engine implements FileFilter {
}
throw new InitializationException("Unexpected Exception", ex);
}
- return analyzer;
}
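Review bot: Changing the return type of a `protected` method (`initializeAnalyzer` now returns `void` instead of `Analyzer`) is a source- and binary-incompatible change for any subclass of `Engine` that overrides it or any caller that used the returned value, and nothing in the diff updates such sites. If `Engine` is intended to be extended (it is a public non-final class), either keep returning the analyzer or call this out in the release notes and bump accordingly. At minimum the javadoc should say the method mutates the passed analyzer in place, e.g. `Initializes the given analyzer in place; the analyzer is disabled on failure.`, so the new `void` contract is explicit.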
/**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
index 1cc6cf539..eafdb7b1e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
@@ -28,6 +28,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.exception.ExceptionCollection;
+import org.owasp.dependencycheck.exception.ReportException;
import org.owasp.dependencycheck.exception.ScanAgentException;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.Settings;
@@ -842,7 +843,7 @@ public class DependencyCheckScanAgent {
*/
private void generateExternalReports(Engine engine, File outDirectory) {
DatabaseProperties prop = null;
- CveDB cve = null;
+ CveDB cve;
try {
cve = CveDB.getInstance();
prop = cve.getDatabaseProperties();
@@ -853,13 +854,9 @@ public class DependencyCheckScanAgent {
final ReportGenerator r = new ReportGenerator(this.applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
try {
r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
- } catch (IOException ex) {
+ } catch (IOException | ReportException ex) {
LOGGER.error("Unexpected exception occurred during analysis; please see the verbose error log for more details.");
LOGGER.debug("", ex);
- } catch (Throwable ex) {
- LOGGER.error(
- "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
- LOGGER.debug("", ex);
}
}
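Review bot: The error text logged in the new multi-catch says the failure happened "during analysis", but this branch only wraps `generateReports`, so a user reading the log is sent to the wrong place; and the actual cause is only emitted at debug level. Suggest `LOGGER.error("Unable to generate the dependency-check report: {}", ex.getMessage());` with the stack trace kept at debug. Narrowing from `Throwable` to `IOException | ReportException` is an improvement, but it means any unchecked exception from report generation now propagates out of `generateExternalReports`; if that is intended, a short comment saying so would stop the next reader from re-adding the catch-all.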
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
index e55cf0307..74e87bd0e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
@@ -141,7 +141,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
* @return a Set of strings.
*/
protected static Set newHashSet(String... strings) {
- final Set set = new HashSet(strings.length);
+ final Set set = new HashSet<>(strings.length);
Collections.addAll(set, strings);
return set;
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
index 450e8f5ae..b5a74171a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -130,10 +130,9 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
}
} else {
file = new File(suppressionFilePath);
- InputStream suppressionsFromClasspath = null;
+
if (!file.exists()) {
- try {
- suppressionsFromClasspath = this.getClass().getClassLoader().getResourceAsStream(suppressionFilePath);
+ try (InputStream suppressionsFromClasspath = this.getClass().getClassLoader().getResourceAsStream(suppressionFilePath)) {
if (suppressionsFromClasspath != null) {
deleteTempFile = true;
file = FileUtils.getTempFile("suppression", "xml");
@@ -143,14 +142,6 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
throwSuppressionParseException("Unable to locate suppressions file in classpath", ex);
}
}
- } finally {
- if (suppressionsFromClasspath != null) {
- try {
- suppressionsFromClasspath.close();
- } catch (IOException ex) {
- LOGGER.debug("Failed to close stream", ex);
- }
- }
}
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
index e27f95649..7c2c18d2f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
@@ -57,13 +57,13 @@ public class AnalyzerService {
* @return a list of Analyzers.
*/
public List getAnalyzers() {
- final List analyzers = new ArrayList();
+ final List analyzers = new ArrayList<>();
final Iterator iterator = service.iterator();
boolean experimentalEnabled = false;
try {
experimentalEnabled = Settings.getBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
} catch (InvalidSettingException ex) {
- LOGGER.error("invalide experimental setting", ex);
+ LOGGER.error("invalid experimental setting", ex);
}
while (iterator.hasNext()) {
final Analyzer a = iterator.next();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index 4298ec5ff..ffd2bc2c2 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -98,20 +98,21 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The set of things we can handle with Zip methods
*/
- private static final Set ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
+ private static final Set KNOWN_ZIP_EXT = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
/**
* The set of file extensions supported by this analyzer. Note for
* developers, any additions to this list will need to be explicitly handled
* in {@link #extractFiles(File, File, Engine)}.
*/
private static final Set EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2");
+
static {
final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
if (additionalZipExt != null) {
final String[] ext = additionalZipExt.split("\\s*,\\s*");
- Collections.addAll(ZIPPABLES, ext);
+ Collections.addAll(KNOWN_ZIP_EXT, ext);
}
- EXTENSIONS.addAll(ZIPPABLES);
+ EXTENSIONS.addAll(KNOWN_ZIP_EXT);
}
/**
@@ -220,6 +221,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* Does not support parallel processing as it both modifies and iterates
* over the engine's list of dependencies.
*
+ * @return true if the analyzer supports parallel processing;
+ * otherwise false
* @see #analyzeDependency(Dependency, Engine)
* @see #findMoreDependencies(Engine, File)
*/
@@ -300,11 +303,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
*/
private void addDisguisedJarsToDependencies(Dependency dependency, Engine engine) throws AnalysisException {
if (ZIP_FILTER.accept(dependency.getActualFile()) && isZipFileActuallyJarFile(dependency)) {
- final File tdir = getNextTempDirectory();
+ final File tempDir = getNextTempDirectory();
final String fileName = dependency.getFileName();
LOGGER.info("The zip file '{}' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName);
- final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
+ final File tmpLoc = new File(tempDir, fileName.substring(0, fileName.length() - 3) + "jar");
//store the archives sha1 and change it so that the engine doesn't think the zip and jar file are the same
// and add it is a related dependency.
final String archiveSha1 = dependency.getSha1sum();
@@ -344,8 +347,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* @return any dependencies that weren't known to the engine before
*/
private static List findMoreDependencies(Engine engine, File file) {
- final List added = engine.scan(file);
- return added;
+ return engine.scan(file);
}
/**
@@ -397,7 +399,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
GzipCompressorInputStream gin = null;
BZip2CompressorInputStream bzin = null;
try {
- if (ZIPPABLES.contains(archiveExt)) {
+ if (KNOWN_ZIP_EXT.contains(archiveExt)) {
in = new BufferedInputStream(fis);
ensureReadableJar(archiveExt, in);
zin = new ZipArchiveInputStream(in);
@@ -517,7 +519,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
extractAcceptedFile(input, file);
}
}
- } catch (Throwable ex) {
+ } catch (IOException | AnalysisException ex) {
throw new ArchiveExtractionException(ex);
} finally {
FileUtils.close(input);
@@ -533,14 +535,12 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static void extractAcceptedFile(ArchiveInputStream input, File file) throws AnalysisException {
LOGGER.debug("Extracting '{}'", file.getPath());
- FileOutputStream fos = null;
- try {
- final File parent = file.getParentFile();
- if (!parent.isDirectory() && !parent.mkdirs()) {
- final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
- throw new AnalysisException(msg);
- }
- fos = new FileOutputStream(file);
+ final File parent = file.getParentFile();
+ if (!parent.isDirectory() && !parent.mkdirs()) {
+ final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
+ throw new AnalysisException(msg);
+ }
+ try (FileOutputStream fos = new FileOutputStream(file)) {
IOUtils.copy(input, fos);
} catch (FileNotFoundException ex) {
LOGGER.debug("", ex);
@@ -550,8 +550,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.debug("", ex);
final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
throw new AnalysisException(msg, ex);
- } finally {
- FileUtils.close(fos);
}
}
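Review bot: `extractAcceptedFile` creates parent directories with `mkdirs()` and opens `file` for writing without ever checking that `file` lies inside the extraction directory. The construction of `file` is outside this hunk, but if it is derived from the archive entry name (as the call inside the entry loop above suggests), an entry named `../../something` writes outside the temp directory — the classic archive path-traversal issue, and an archive under scan is exactly the kind of input that should be treated as untrusted. Pass the extraction root in and reject entries whose canonical path does not start with the root's canonical path plus `File.separator`; the call site in the loop then becomes `extractAcceptedFile(input, file, destination)`.
```java
private static void extractAcceptedFile(ArchiveInputStream input, File file, File destination) throws AnalysisException {
    LOGGER.debug("Extracting '{}'", file.getPath());
    final String canonicalTarget;
    final String canonicalBase;
    try {
        canonicalTarget = file.getCanonicalPath();
        canonicalBase = destination.getCanonicalPath() + File.separator;
    } catch (IOException ex) {
        throw new AnalysisException(String.format("Unable to resolve extraction path for '%s'.", file.getPath()), ex);
    }
    // Reject entries that escape the extraction directory (e.g. "../" in the entry name).
    if (!canonicalTarget.startsWith(canonicalBase)) {
        throw new AnalysisException(String.format("Archive entry '%s' resolves outside the extraction directory.", file.getPath()));
    }
    // … unchanged: parent.mkdirs() check and try-with-resources copy …
}
```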
@@ -565,18 +563,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
*/
private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
LOGGER.debug("Decompressing '{}'", outputFile.getPath());
- FileOutputStream out = null;
- try {
- out = new FileOutputStream(outputFile);
+ try (FileOutputStream out = new FileOutputStream(outputFile)) {
IOUtils.copy(inputStream, out);
- } catch (FileNotFoundException ex) {
- LOGGER.debug("", ex);
- throw new ArchiveExtractionException(ex);
} catch (IOException ex) {
LOGGER.debug("", ex);
throw new ArchiveExtractionException(ex);
- } finally {
- FileUtils.close(out);
}
}
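Review bot: `IOUtils.copy(inputStream, out)` decompresses with no upper bound, so a small gz/bz2 "bomb" among the scanned artifacts expands until the disk or temp quota is exhausted. Since the analyzer runs over whatever dependencies the build pulled in, a cap is cheap insurance: copy with a limit (commons-io's `IOUtils.copyLarge(inputStream, out, 0, maxBytes)`, if that is the `IOUtils` in use here) and throw `ArchiveExtractionException` when the limit is reached, with the limit exposed as a setting. The simplification of the two catch blocks into one `IOException` handler is fine, since `FileNotFoundException` is an `IOException` and both branches did the same thing.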
@@ -610,7 +601,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
} finally {
ZipFile.closeQuietly(zip);
}
-
return isJar;
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index 348dd6f6c..f87cb425f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -84,7 +84,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
*/
protected List buildArgumentList() {
// Use file.separator as a wild guess as to whether this is Windows
- final List args = new ArrayList();
+ final List args = new ArrayList<>();
if (!SystemUtils.IS_OS_WINDOWS) {
if (Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) {
args.add(Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH));
@@ -144,7 +144,8 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
dependency.getActualFilePath());
return;
} else if (rc != 0) {
- LOGGER.debug("Return code {} from GrokAssembly; dependency-check is unable to analyze the library: {}", rc, dependency.getActualFilePath());
+ LOGGER.debug("Return code {} from GrokAssembly; dependency-check is unable to analyze the library: {}",
+ rc, dependency.getActualFilePath());
return;
}
@@ -176,18 +177,17 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
} catch (ParserConfigurationException pce) {
throw new AnalysisException("Error initializing the assembly analyzer", pce);
- } catch (IOException ioe) {
+ } catch (IOException | XPathExpressionException ioe) {
throw new AnalysisException(ioe);
} catch (SAXException saxe) {
LOGGER.error("----------------------------------------------------");
LOGGER.error("Failed to read the Assembly Analyzer results. "
+ "On some systems mono-runtime and mono-devel need to be installed.");
LOGGER.error("----------------------------------------------------");
- throw new AnalysisException("Couldn't parse Assembly Analzyzer results (GrokAssembly)", saxe);
- } catch (XPathExpressionException xpe) {
- // This shouldn't happen
- throw new AnalysisException(xpe);
+ throw new AnalysisException("Couldn't parse Assembly Analyzer results (GrokAssembly)", saxe);
}
+ // This shouldn't happen
+
}
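Review bot: The comment `// This shouldn't happen` is now orphaned at the end of the method: it used to annotate the removed `catch (XPathExpressionException xpe)` block and no longer refers to anything. Either delete it or move it into the merged catch as `// XPathExpressionException should not occur: the expressions are constants`. The merged catch variable is still named `ioe` although it also receives `XPathExpressionException`; rename it to `ex` (`catch (IOException | XPathExpressionException ex)`) so the name does not mislead. The method body starts before this hunk.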
/**
@@ -199,46 +199,27 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
@Override
public void initializeFileTypeAnalyzer() throws InitializationException {
final File tempFile;
+ final String cfg;
try {
tempFile = File.createTempFile("GKA", ".exe", Settings.getTempDirectory());
+ cfg = tempFile.getPath() + ".config";
} catch (IOException ex) {
setEnabled(false);
- throw new InitializationException("Unable to create temporary file for the assembly analyzerr", ex);
+ throw new InitializationException("Unable to create temporary file for the assembly analyzer", ex);
}
- FileOutputStream fos = null;
- InputStream is = null;
- try {
- fos = new FileOutputStream(tempFile);
- is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe");
+ try (FileOutputStream fos = new FileOutputStream(tempFile);
+ InputStream is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe");
+ FileOutputStream fosCfg = new FileOutputStream(cfg);
+ InputStream isCfg = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe.config")) {
IOUtils.copy(is, fos);
-
grokAssemblyExe = tempFile;
LOGGER.debug("Extracted GrokAssembly.exe to {}", grokAssemblyExe.getPath());
-
- String cfg = grokAssemblyExe.getPath() + ".config";
- fos = new FileOutputStream(cfg);
- is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe.config");
- IOUtils.copy(is, fos);
+ IOUtils.copy(isCfg, fosCfg);
LOGGER.debug("Extracted GrokAssembly.exe.config to {}", cfg);
} catch (IOException ioe) {
this.setEnabled(false);
LOGGER.warn("Could not extract GrokAssembly.exe: {}", ioe.getMessage());
throw new InitializationException("Could not extract GrokAssembly.exe", ioe);
- } finally {
- if (fos != null) {
- try {
- fos.close();
- } catch (Throwable e) {
- LOGGER.debug("Error closing output stream");
- }
- }
- if (is != null) {
- try {
- is.close();
- } catch (Throwable e) {
- LOGGER.debug("Error closing input stream");
- }
- }
}
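Review bot: If `GrokAssembly.exe` or `GrokAssembly.exe.config` is missing from the jar, `getResourceAsStream` returns null and `IOUtils.copy(null, …)` throws a `NullPointerException`, which the `IOException` catch does not handle, so the analyzer is neither disabled nor reported cleanly. Add a guard inside the try-with-resources before the first copy: `if (is == null || isCfg == null) { setEnabled(false); throw new InitializationException("GrokAssembly.exe resources were not found on the classpath"); }`. Also note that `tempFile` is created exclusively via `createTempFile`, but its `.config` sibling is opened with a plain `FileOutputStream` on a predictable name; if `Settings.getTempDirectory()` can be a shared location this is a pre-creation/symlink window worth a comment, though I cannot tell from this diff whether the directory is per-run.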
// Now, need to see if GrokAssembly actually runs from this location.
@@ -249,7 +230,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
//
// We need to create a non-fatal warning error type that will
// get added to the report.
- //TOOD this idea needs to get replicated to the bundle audit analyzer.
+ //TODO this idea needs to get replicated to the bundle audit analyzer.
if (args == null) {
setEnabled(false);
LOGGER.error("----------------------------------------------------");
@@ -280,7 +261,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
} catch (InitializationException e) {
setEnabled(false);
throw e;
- } catch (Throwable e) {
+ } catch (IOException | ParserConfigurationException | SAXException | XPathExpressionException | InterruptedException e) {
LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
+ "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
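Review bot: Narrowing `catch (Throwable e)` to the five listed checked exceptions changes which failures disable the analyzer: an unchecked exception raised while running GrokAssembly (a NullPointerException from a missing resource, an unchecked XML error) previously logged the warning and disabled the .NET analyzer, and now propagates out of initialization, which presumably aborts the whole scan. If that stricter behaviour is intended it deserves a comment on the catch line; if the previous best-effort behaviour is wanted, a separate `catch (RuntimeException e)` branch that calls `setEnabled(false)` and wraps the cause in the same InitializationException keeps the failure visible without leaving the analyzer half-initialized. The enclosing method starts and ends outside the hunk.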
@@ -366,10 +347,8 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
if (retCode == 0) {
return true;
}
- } catch (IOException ex) {
- LOGGER.debug("Path seach failed for " + file);
- } catch (InterruptedException ex) {
- LOGGER.debug("Path seach failed for " + file);
+ } catch (IOException | InterruptedException ex) {
+ LOGGER.debug("Path search failed for " + file, ex);
}
return false;
}
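Review bot: The merged `catch (IOException | InterruptedException ex)` drops the interrupt: when an InterruptedException is caught the thread's interrupt status has been cleared, and the method only logs and returns false, so nothing upstream can observe that the scan was interrupted. Re-interrupt in the merged branch, `if (ex instanceof InterruptedException) { Thread.currentThread().interrupt(); }`, or keep a separate branch for that case. The new debug line also concatenates `"Path search failed for " + file` eagerly; the parameterized form `LOGGER.debug("Path search failed for {}", file, ex)` defers the formatting and matches the logging style used elsewhere in the file. The enclosing method starts outside the hunk.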
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
index c88f8c102..455e6689c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -188,6 +188,11 @@ public class CPEAnalyzer extends AbstractAnalyzer {
}
}
+ /**
+ * Returns whether or not the analyzer is open.
+ *
+ * @return true if the analyzer is open
+ */
public boolean isOpen() {
return cpe != null && cpe.isOpen();
}
@@ -203,7 +208,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
* @throws ParseException is thrown when the Lucene query cannot be parsed.
*/
protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
- //TODO test dojo-war against this. we shold get dojo-toolkit:dojo-toolkit AND dojo-toolkit:toolkit
+ //TODO test dojo-war against this. we should get dojo-toolkit:dojo-toolkit AND dojo-toolkit:toolkit
String vendors = "";
String products = "";
for (Confidence confidence : Confidence.values()) {
@@ -291,7 +296,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
protected List searchCPE(String vendor, String product,
Set vendorWeightings, Set productWeightings) {
- final List ret = new ArrayList(MAX_QUERY_RESULTS);
+ final List ret = new ArrayList<>(MAX_QUERY_RESULTS);
final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
if (searchString == null) {
@@ -477,7 +482,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
return false;
}
final String[] words = text.split("[\\s_-]");
- final List list = new ArrayList();
+ final List list = new ArrayList<>();
String tempWord = null;
for (String word : words) {
/*
@@ -555,7 +560,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
DependencyVersion bestGuess = new DependencyVersion("-");
Confidence bestGuessConf = null;
boolean hasBroadMatch = false;
- final List collected = new ArrayList();
+ final List collected = new ArrayList<>();
//TODO the following algorithm incorrectly identifies things as a lower version
// if there lower confidence evidence when the current (highest) version number
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
index d0f92469c..c38070e30 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
@@ -103,14 +103,14 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
* false
*/
private boolean checkEnabled() {
- boolean retval = false;
+ boolean retVal = false;
try {
if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
|| NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
LOGGER.debug("Enabling the Central analyzer");
- retval = true;
+ retVal = true;
} else {
LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
}
@@ -120,7 +120,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
} catch (InvalidSettingException ise) {
LOGGER.warn("Invalid setting. Disabling the Central analyzer");
}
- return retval;
+ return retVal;
}
/**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
index 57c8bf791..cccfeb010 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
@@ -33,7 +33,7 @@ import org.slf4j.LoggerFactory;
import java.io.FileFilter;
import java.io.FileInputStream;
-import java.io.FileNotFoundException;
+import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
@@ -101,9 +101,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
*/
@Override
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
- FileInputStream fis = null;
- try {
- fis = new FileInputStream(dependency.getActualFile());
+ try (FileInputStream fis = new FileInputStream(dependency.getActualFile())) {
final ComposerLockParser clp = new ComposerLockParser(fis);
LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath());
clp.process();
@@ -120,18 +118,10 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.info("Adding dependency {}", d);
engine.getDependencies().add(d);
}
- } catch (FileNotFoundException fnfe) {
+ } catch (IOException ex) {
LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath());
} catch (ComposerException ce) {
LOGGER.warn("Error parsing composer.json {}", dependency.getActualFilePath(), ce);
- } finally {
- if (fis != null) {
- try {
- fis.close();
- } catch (Exception e) {
- LOGGER.debug("Unable to close file", e);
- }
- }
}
}
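Review bot: The new `catch (IOException ex)` logs only the file path and discards `ex`, so the cause of the failure is lost, while the branch now covers read errors and failures from the implicit close as well as the missing-file case the old FileNotFoundException catch handled. Pass the exception as the last argument, `LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath(), ex);`, as the ComposerException branch directly below already does. The fixed message "Error opening dependency" is now slightly narrow for a read error, but that is cosmetic next to the lost stack trace.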
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
index 72c8e95ea..bf16a2e23 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -145,7 +145,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
protected synchronized void analyzeDependency(Dependency ignore, Engine engine) throws AnalysisException {
if (!analyzed) {
analyzed = true;
- final Set dependenciesToRemove = new HashSet();
+ final Set dependenciesToRemove = new HashSet<>();
final ListIterator mainIterator = engine.getDependencies().listIterator();
//for (Dependency nextDependency : engine.getDependencies()) {
while (mainIterator.hasNext()) {
@@ -499,7 +499,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
* @return true if the path contains '.war\' or '.ear\'.
*/
private boolean containedInWar(String filePath) {
- return filePath == null ? false : filePath.matches(".*\\.(ear|war)[\\\\/].*");
+ return filePath != null && filePath.matches(".*\\.(ear|war)[\\\\/].*");
}
}
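Review bot: `filePath.matches(".*\\.(ear|war)[\\\\/].*")` in containedInWar recompiles the regular expression on every call, and the method is evidently invoked per dependency; compiling it once as a `private static final Pattern` constant (say `IN_WAR_OR_EAR`) and returning `filePath != null && IN_WAR_OR_EAR.matcher(filePath).matches()` is the idiomatic form and keeps the simplified null handling this commit introduces. The leading and trailing `.*` are also unnecessary once `Matcher.find()` is used instead of `matches()`, though that is a separate choice.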
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
index 3328a8602..a2f88542e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
@@ -129,7 +129,7 @@ public class DependencyMergingAnalyzer extends AbstractAnalyzer {
protected synchronized void analyzeDependency(Dependency ignore, Engine engine) throws AnalysisException {
if (!analyzed) {
analyzed = true;
- final Set dependenciesToRemove = new HashSet();
+ final Set dependenciesToRemove = new HashSet<>();
final ListIterator mainIterator = engine.getDependencies().listIterator();
//for (Dependency nextDependency : engine.getDependencies()) {
while (mainIterator.hasNext()) {
@@ -138,7 +138,7 @@ public class DependencyMergingAnalyzer extends AbstractAnalyzer {
final ListIterator subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
while (subIterator.hasNext()) {
final Dependency nextDependency = subIterator.next();
- Dependency main = null;
+ Dependency main;
if ((main = getMainGemspecDependency(dependency, nextDependency)) != null) {
if (main == dependency) {
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
index 1b9dbe43f..588536842 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -173,7 +173,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
*/
@SuppressWarnings("null")
private void removeSpuriousCPE(Dependency dependency) {
- final List ids = new ArrayList(dependency.getIdentifiers());
+ final List ids = new ArrayList<>(dependency.getIdentifiers());
Collections.sort(ids);
final ListIterator mainItr = ids.listIterator();
while (mainItr.hasNext()) {
@@ -440,34 +440,32 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
* @param dependency the dependency that might be a duplicate
* @param engine the engine used to scan all dependencies
*/
- private void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
+ private synchronized void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
if (dependency.getFileName().toLowerCase().endsWith("pom.xml")
|| DLL_EXE_FILTER.accept(dependency.getActualFile())) {
String parentPath = dependency.getFilePath().toLowerCase();
if (parentPath.contains(".jar")) {
parentPath = parentPath.substring(0, parentPath.indexOf(".jar") + 4);
final List dependencies = engine.getDependencies();
- synchronized (dependencies) {
- final Dependency parent = findDependency(parentPath, dependencies);
- if (parent != null) {
- boolean remove = false;
- for (Identifier i : dependency.getIdentifiers()) {
- if ("cpe".equals(i.getType())) {
- final String trimmedCPE = trimCpeToVendor(i.getValue());
- for (Identifier parentId : parent.getIdentifiers()) {
- if ("cpe".equals(parentId.getType()) && parentId.getValue().startsWith(trimmedCPE)) {
- remove |= true;
- }
+ final Dependency parent = findDependency(parentPath, dependencies);
+ if (parent != null) {
+ boolean remove = false;
+ for (Identifier i : dependency.getIdentifiers()) {
+ if ("cpe".equals(i.getType())) {
+ final String trimmedCPE = trimCpeToVendor(i.getValue());
+ for (Identifier parentId : parent.getIdentifiers()) {
+ if ("cpe".equals(parentId.getType()) && parentId.getValue().startsWith(trimmedCPE)) {
+ remove |= true;
}
}
- if (!remove) { //we can escape early
- return;
- }
}
- if (remove) {
- dependencies.remove(dependency);
+ if (!remove) { //we can escape early
+ return;
}
}
+ if (remove) {
+ dependencies.remove(dependency);
+ }
}
}
}
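Review bot: Replacing `synchronized (dependencies)` with a `synchronized` method changes the lock from the shared dependency list to this analyzer instance, so `dependencies.remove(dependency)` no longer excludes any other code that synchronizes on `engine.getDependencies()`; the method-level modifier only serialises calls on this FalsePositiveAnalyzer object. If the engine or sibling analyzers guard that list with its own monitor during a parallel scan, the removal can now race with their iteration, which the old block form prevented; keeping the block, or a comment stating which lock protects the list, would make the intended invariant explicit. Separately, `remove |= true;` is simply `remove = true;`, and the early `return` on the first CPE identifier with no parent match exits the whole method, which is unchanged but would benefit from a one-line comment saying so.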
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
index 900474f1f..01a7dc699 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -52,7 +52,8 @@ import org.xml.sax.SAXException;
* @author Jeremy Long
*/
public class HintAnalyzer extends AbstractAnalyzer {
- /**
+
+ /**
* The Logger for use throughout the class
*/
private static final Logger LOGGER = LoggerFactory.getLogger(HintAnalyzer.class);
@@ -121,7 +122,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
}
}
//
-
+
/**
* The HintAnalyzer uses knowledge about a dependency to add additional
* information to help in identification of identifiers or vulnerabilities.
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index 4374aa80d..851ed70ba 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -26,6 +26,7 @@ import java.io.InputStreamReader;
import java.io.Reader;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
@@ -254,28 +255,12 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @return whether or not evidence was added to the dependency
*/
protected boolean analyzePOM(Dependency dependency, List classes, Engine engine) throws AnalysisException {
- JarFile jar = null;
- List pomEntries = null;
- try {
- jar = new JarFile(dependency.getActualFilePath());
- pomEntries = retrievePomListing(jar);
- } catch (IOException ex) {
- LOGGER.warn("Unable to read JarFile '{}'.", dependency.getActualFilePath());
- LOGGER.trace("", ex);
- if (jar != null) {
- try {
- jar.close();
- } catch (IOException ex1) {
- LOGGER.trace("", ex1);
- }
- }
- return false;
- }
- if (pomEntries != null && pomEntries.size() <= 1) {
- try {
- String path = null;
+ try (JarFile jar = new JarFile(dependency.getActualFilePath())) {
+ final List pomEntries = retrievePomListing(jar);
+ if (pomEntries != null && pomEntries.size() <= 1) {
+ String path;
+ File pomFile;
Properties pomProperties = null;
- File pomFile = null;
if (pomEntries.size() == 1) {
path = pomEntries.get(0);
pomFile = extractPom(path, jar);
@@ -289,55 +274,44 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
if (pom != null && pomProperties != null) {
pom.processProperties(pomProperties);
}
- if (pom != null) {
- return setPomEvidence(dependency, pom, classes);
- }
- return false;
+ return pom != null && setPomEvidence(dependency, pom, classes);
} else {
return false;
}
- } finally {
+ }
+
+ //reported possible null dereference on pomEntries is on a non-feasible path
+ for (String path : pomEntries) {
+ //TODO - one of these is likely the pom for the main JAR we are analyzing
+ LOGGER.debug("Reading pom entry: {}", path);
try {
- jar.close();
- } catch (IOException ex) {
+ //extract POM to its own directory and add it as its own dependency
+ final Properties pomProperties = retrievePomProperties(path, jar);
+ final File pomFile = extractPom(path, jar);
+ final Model pom = PomUtils.readPom(pomFile);
+ pom.processProperties(pomProperties);
+
+ final String displayPath = String.format("%s%s%s",
+ dependency.getFilePath(),
+ File.separator,
+ path);
+ final String displayName = String.format("%s%s%s",
+ dependency.getFileName(),
+ File.separator,
+ path);
+ final Dependency newDependency = new Dependency();
+ newDependency.setActualFilePath(pomFile.getAbsolutePath());
+ newDependency.setFileName(displayName);
+ newDependency.setFilePath(displayPath);
+ setPomEvidence(newDependency, pom, null);
+ engine.getDependencies().add(newDependency);
+ } catch (AnalysisException ex) {
+ LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
LOGGER.trace("", ex);
}
}
- }
-
- //reported possible null dereference on pomEntries is on a non-feasible path
- for (String path : pomEntries) {
- //TODO - one of these is likely the pom for the main JAR we are analyzing
- LOGGER.debug("Reading pom entry: {}", path);
- try {
- //extract POM to its own directory and add it as its own dependency
- final Properties pomProperties = retrievePomProperties(path, jar);
- final File pomFile = extractPom(path, jar);
- final Model pom = PomUtils.readPom(pomFile);
- pom.processProperties(pomProperties);
-
- final String displayPath = String.format("%s%s%s",
- dependency.getFilePath(),
- File.separator,
- path);
- final String displayName = String.format("%s%s%s",
- dependency.getFileName(),
- File.separator,
- path);
- final Dependency newDependency = new Dependency();
- newDependency.setActualFilePath(pomFile.getAbsolutePath());
- newDependency.setFileName(displayName);
- newDependency.setFilePath(displayPath);
- setPomEvidence(newDependency, pom, null);
- engine.getDependencies().add(newDependency);
- } catch (AnalysisException ex) {
- LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
- LOGGER.trace("", ex);
- }
- }
- try {
- jar.close();
} catch (IOException ex) {
+ LOGGER.warn("Unable to read JarFile '{}'.", dependency.getActualFilePath());
LOGGER.trace("", ex);
}
return false;
@@ -350,17 +324,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @param path the path to the pom.xml within the JarFile
* @param jar the JarFile to load the pom.properties from
* @return a Properties object or null if no pom.properties was found
- * @throws IOException thrown if there is an exception reading the
- * pom.properties
*/
private Properties retrievePomProperties(String path, final JarFile jar) {
Properties pomProperties = null;
final String propPath = path.substring(0, path.length() - 7) + "pom.properies";
final ZipEntry propEntry = jar.getEntry(propPath);
if (propEntry != null) {
- Reader reader = null;
- try {
- reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
+ try (Reader reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8")) {
pomProperties = new Properties();
pomProperties.load(reader);
LOGGER.debug("Read pom.properties: {}", propPath);
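Review bot: The properties path on the context line, `path.substring(0, path.length() - 7) + "pom.properies"`, looks misspelled (`properies`), which would mean `jar.getEntry(propPath)` never finds a `pom.properties` entry and the new try-with-resources block is effectively unreachable; the commit rewrites this method but leaves the literal as is. Confirm the intended entry name and correct the literal if the typo is real. The charset is also passed as the string `"UTF-8"`; `new InputStreamReader(jar.getInputStream(propEntry), StandardCharsets.UTF_8)` cannot throw UnsupportedEncodingException, which would let the `"UTF-8 is not supported"` catch in the following hunk be removed.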
@@ -368,14 +338,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.trace("UTF-8 is not supported", ex);
} catch (IOException ex) {
LOGGER.trace("Unable to read the POM properties", ex);
- } finally {
- if (reader != null) {
- try {
- reader.close();
- } catch (IOException ex) {
- LOGGER.trace("close error", ex);
- }
- }
}
}
return pomProperties;
@@ -413,24 +375,18 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* the file
*/
private File extractPom(String path, JarFile jar) throws AnalysisException {
- InputStream input = null;
- FileOutputStream fos = null;
final File tmpDir = getNextTempDirectory();
final File file = new File(tmpDir, "pom.xml");
- try {
- final ZipEntry entry = jar.getEntry(path);
- if (entry == null) {
- throw new AnalysisException(String.format("Pom (%s)does not exist in %s", path, jar.getName()));
- }
- input = jar.getInputStream(entry);
- fos = new FileOutputStream(file);
+ final ZipEntry entry = jar.getEntry(path);
+ if (entry == null) {
+ throw new AnalysisException(String.format("Pom (%s) does not exist in %s", path, jar.getName()));
+ }
+ try (InputStream input = jar.getInputStream(entry);
+ FileOutputStream fos = new FileOutputStream(file)) {
IOUtils.copy(input, fos);
} catch (IOException ex) {
LOGGER.warn("An error occurred reading '{}' from '{}'.", path, jar.getName());
LOGGER.error("", ex);
- } finally {
- FileUtils.close(fos);
- FileUtils.close(input);
}
return file;
}
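Review bot: On `IOException` extractPom still returns `file` after logging, so the caller receives a possibly empty or truncated pom.xml and proceeds to parse it; the reordering makes the missing-entry case an AnalysisException, but a failed copy remains silent apart from the log. Since the method already declares `AnalysisException`, `throw new AnalysisException(String.format("Unable to extract %s from %s", path, jar.getName()), ex);` in the catch would report the real cause instead of a later parse error, provided callers that expect a file back on failure are checked. `LOGGER.error("", ex)` with an empty message directly after a warn line is also an odd pairing; a single `LOGGER.warn(..., ex)` carrying the stack trace reads better.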
@@ -446,11 +402,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* otherwise false
*/
public static boolean setPomEvidence(Dependency dependency, Model pom, List classes) {
+ if (pom == null) {
+ return false;
+ }
boolean foundSomething = false;
boolean addAsIdentifier = true;
- if (pom == null) {
- return foundSomething;
- }
String groupid = pom.getGroupId();
String parentGroupId = pom.getParentGroupId();
String artifactid = pom.getArtifactId();
@@ -636,9 +592,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
protected boolean parseManifest(Dependency dependency, List classInformation)
throws IOException {
boolean foundSomething = false;
- JarFile jar = null;
- try {
- jar = new JarFile(dependency.getActualFilePath());
+ try (JarFile jar = new JarFile(dependency.getActualFilePath())) {
final Manifest manifest = jar.getManifest();
if (manifest == null) {
if (!dependency.getFileName().toLowerCase().endsWith("-sources.jar")
@@ -793,10 +747,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
foundSomething = true;
versionEvidence.addEvidence(source, "specification-version", specificationVersion, Confidence.HIGH);
}
- } finally {
- if (jar != null) {
- jar.close();
- }
}
return foundSomething;
}
@@ -950,9 +900,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*/
private List collectClassNames(Dependency dependency) {
final List classNames = new ArrayList<>();
- JarFile jar = null;
- try {
- jar = new JarFile(dependency.getActualFilePath());
+ try (JarFile jar = new JarFile(dependency.getActualFilePath())) {
final Enumeration entries = jar.entries();
while (entries.hasMoreElements()) {
final JarEntry entry = entries.nextElement();
@@ -966,14 +914,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
} catch (IOException ex) {
LOGGER.warn("Unable to open jar file '{}'.", dependency.getFileName());
LOGGER.debug("", ex);
- } finally {
- if (jar != null) {
- try {
- jar.close();
- } catch (IOException ex) {
- LOGGER.trace("", ex);
- }
- }
}
return classNames;
}
@@ -1124,7 +1064,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* Up to the first four levels of the package structure, excluding a
* leading "org" or "com".
*/
- private final ArrayList packageStructure = new ArrayList();
+ private final ArrayList packageStructure = new ArrayList<>();
/**
*
@@ -1133,7 +1073,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* package structure. Up to the first four levels of the package
* structure are stored, excluding a leading "org" or "com".
* Example:
- * ClassNameInformation obj = new ClassNameInformation("org.owasp.dependencycheck.analyzer.JarAnalyzer");
+ * ClassNameInformation obj = new ClassNameInformation("org/owasp/dependencycheck/analyzer/JarAnalyzer");
* System.out.println(obj.getName());
* for (String p : obj.getPackageStructure())
* System.out.println(p);
@@ -1161,9 +1101,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
if (tmp.length <= end) {
end = tmp.length - 1;
}
- for (int i = start; i <= end; i++) {
- packageStructure.add(tmp[i]);
- }
+ packageStructure.addAll(Arrays.asList(tmp).subList(start, end + 1));
} else {
packageStructure.add(name);
}
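Review bot: `Arrays.asList(tmp).subList(start, end + 1)` throws IllegalArgumentException when `start > end + 1`, whereas the loop it replaces was a silent no-op in that case. The visible lines clamp `end` to `tmp.length - 1`, but `start` is computed outside the hunk, so whether the range can be inverted (for example after skipping a leading "org"/"com" on a very short name) cannot be judged from here; if it can, guard the call with `if (start <= end) { ... }` or keep the loop. The enclosing constructor starts outside the hunk.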
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
index 8dff9242d..b6eae2a1d 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
@@ -87,10 +87,6 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final String SUPPORTED_EXTENSIONS = "jar";
- /**
- * Whether or not the Nexus analyzer should use a proxy if configured.
- */
- private boolean useProxy;
/**
* The Nexus Search to be set up for this analyzer.
*/
@@ -148,7 +144,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.debug("Initializing Nexus Analyzer");
LOGGER.debug("Nexus Analyzer enabled: {}", isEnabled());
if (isEnabled()) {
- useProxy = useProxy();
+ final boolean useProxy = useProxy();
final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
LOGGER.debug("Nexus Analyzer URL: {}", searchUrl);
try {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
index 15f7e6d37..8f9685c41 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -121,17 +121,9 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
}
@Override
- protected void analyzeDependency(Dependency dependency, Engine engine)
- throws AnalysisException {
+ protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
final File file = dependency.getActualFile();
- JsonReader jsonReader;
- try {
- jsonReader = Json.createReader(FileUtils.openInputStream(file));
- } catch (IOException e) {
- throw new AnalysisException(
- "Problem occurred while reading dependency file.", e);
- }
- try {
+ try (JsonReader jsonReader = Json.createReader(FileUtils.openInputStream(file))) {
final JsonObject json = jsonReader.readObject();
final EvidenceCollection productEvidence = dependency.getProductEvidence();
final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
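Review bot: The try-with-resources manages only the `JsonReader`; if `Json.createReader(...)` throws while constructing the reader, the stream returned by `FileUtils.openInputStream(file)` is never closed, because it is not itself a declared resource. Declaring the stream separately closes it on every path: `try (InputStream in = FileUtils.openInputStream(file); JsonReader jsonReader = Json.createReader(in))`. Whether `java.io.InputStream` is already imported in this file is not visible in the hunk.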
@@ -151,8 +143,8 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName()));
} catch (JsonException e) {
LOGGER.warn("Failed to parse package.json file.", e);
- } finally {
- jsonReader.close();
+ } catch (IOException e) {
+ throw new AnalysisException("Problem occurred while reading dependency file.", e);
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
index 2d6fd1993..20e46663a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
@@ -33,7 +33,6 @@ import org.slf4j.LoggerFactory;
import java.io.FileFilter;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
-import java.io.IOException;
import org.owasp.dependencycheck.exception.InitializationException;
/**
@@ -132,22 +131,10 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
try {
final NuspecParser parser = new XPathNuspecParser();
NugetPackage np = null;
- FileInputStream fis = null;
- try {
- fis = new FileInputStream(dependency.getActualFilePath());
+ try (FileInputStream fis = new FileInputStream(dependency.getActualFilePath())) {
np = parser.parse(fis);
- } catch (NuspecParseException ex) {
+ } catch (NuspecParseException | FileNotFoundException ex) {
throw new AnalysisException(ex);
- } catch (FileNotFoundException ex) {
- throw new AnalysisException(ex);
- } finally {
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException e) {
- LOGGER.debug("Error closing input stream");
- }
- }
}
if (np.getOwners() != null) {
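Review bot: The inner multi-catch handles `FileNotFoundException` but not a general `IOException`, which the try-with-resources can now raise from the implicit `fis.close()` or a read failure, so such an error escapes to the outer `try` at the top of the hunk whose handlers are outside the hunk; the commit also removes the `java.io.IOException` import, which suggests it is not caught by that type there. `catch (NuspecParseException | IOException ex)` would keep every I/O failure wrapped in the same `AnalysisException`. The enclosing method starts and ends outside the hunk.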
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
index 578c8d8f4..551279eb7 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
@@ -360,22 +360,12 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
if (null == manifest) {
LOGGER.debug("Manifest file not found.");
} else {
- InputStream in = null;
- try {
- in = new BufferedInputStream(new FileInputStream(manifest));
+ try (InputStream in = new BufferedInputStream(new FileInputStream(manifest))) {
result.load(in);
- } catch (MessagingException e) {
+ } catch (MessagingException | FileNotFoundException e) {
LOGGER.warn(e.getMessage(), e);
- } catch (FileNotFoundException e) {
- LOGGER.warn(e.getMessage(), e);
- } finally {
- if (in != null) {
- try {
- in.close();
- } catch (IOException ex) {
- LOGGER.debug("failed to close input stream", ex);
- }
- }
+ } catch (IOException ex) {
+ LOGGER.warn(ex.getMessage(), ex);
}
}
return result;
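Review bot: The `FileNotFoundException` alternative in the new multi-catch is redundant: it is a subclass of `IOException`, and the `catch (IOException ex)` branch added right below performs the identical `LOGGER.warn(ex.getMessage(), ex)`. Collapsing both to `catch (MessagingException | IOException e) { LOGGER.warn(e.getMessage(), e); }` removes the duplicated handler without changing behaviour. The enclosing method starts outside the hunk.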
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
index e44aa6b45..f8239eadf 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -113,7 +113,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
if (!folder.isDirectory()) {
throw new AnalysisException(String.format("%s should have been a directory.", folder.getAbsolutePath()));
}
- final List args = new ArrayList();
+ final List args = new ArrayList<>();
final String bundleAuditPath = Settings.getString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH);
File bundleAudit = null;
if (bundleAuditPath != null) {
@@ -172,7 +172,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
exitValue = process.waitFor();
} catch (InterruptedException ex) {
setEnabled(false);
- final String msg = String.format("Bundle-audit process was interupted. Disabling %s", ANALYZER_NAME);
+ final String msg = String.format("Bundle-audit process was interrupted. Disabling %s", ANALYZER_NAME);
throw new InitializationException(msg);
}
if (0 == exitValue) {
@@ -180,9 +180,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
final String msg = String.format("Unexpected exit code from bundle-audit process. Disabling %s: %s", ANALYZER_NAME, exitValue);
throw new InitializationException(msg);
} else {
- BufferedReader reader = null;
- try {
- reader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
+ try (BufferedReader reader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"))) {
if (!reader.ready()) {
LOGGER.warn("Bundle-audit error stream unexpectedly not ready. Disabling " + ANALYZER_NAME);
setEnabled(false);
@@ -201,14 +199,6 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
} catch (IOException ex) {
setEnabled(false);
throw new InitializationException("Unable to read bundle-audit output.", ex);
- } finally {
- if (null != reader) {
- try {
- reader.close();
- } catch (IOException ex) {
- LOGGER.debug("Error closing reader", ex);
- }
- }
}
}
@@ -296,35 +286,19 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
final String msg = String.format("Unexpected exit code from bundle-audit process; exit code: %s", exitValue);
throw new AnalysisException(msg);
}
- BufferedReader rdr = null;
- BufferedReader errReader = null;
try {
- errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
- while (errReader.ready()) {
- final String error = errReader.readLine();
- LOGGER.warn(error);
+ try (BufferedReader errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"))) {
+ while (errReader.ready()) {
+ final String error = errReader.readLine();
+ LOGGER.warn(error);
+ }
+ }
+ try (BufferedReader rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"))) {
+ processBundlerAuditOutput(dependency, engine, rdr);
}
- rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
- processBundlerAuditOutput(dependency, engine, rdr);
} catch (IOException ioe) {
LOGGER.warn("bundle-audit failure", ioe);
- } finally {
- if (errReader != null) {
- try {
- errReader.close();
- } catch (IOException ioe) {
- LOGGER.warn("bundle-audit close failure", ioe);
- }
- }
- if (null != rdr) {
- try {
- rdr.close();
- } catch (IOException ioe) {
- LOGGER.warn("bundle-audit close failure", ioe);
- }
- }
}
-
}
/**
@@ -342,7 +316,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
Dependency dependency = null;
Vulnerability vulnerability = null;
String gem = null;
- final Map map = new HashMap();
+ final Map map = new HashMap<>();
boolean appendToDescription = false;
while (rdr.ready()) {
final String nextLine = rdr.readLine();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java
index 7098149f1..3c1c1526b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java
@@ -39,7 +39,7 @@ import org.slf4j.LoggerFactory;
*/
public class VersionFilterAnalyzer extends AbstractAnalyzer {
- //
+ //
/**
* Evidence source.
*/
@@ -126,7 +126,7 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer {
* the dependency.
*/
@Override
- protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+ protected synchronized void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
String fileVersion = null;
String pomVersion = null;
String manifestVersion = null;
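Review bot: Replacing `synchronized (versionEvidence)` with a `synchronized` method changes which lock guards the evidence iteration: the old code excluded any other thread that synchronized on the same EvidenceCollection, whereas the new one only excludes other callers of this analyzer instance's `analyzeDependency`. If any other code still guards `dependency.getVersionEvidence()` with `synchronized (versionEvidence)` (I cannot see that from here), the `itr.remove()` in the hunk at `@@ -151,16 +151,14 @@` is no longer mutually excluded with it, and the method-level lock additionally serializes analysis of unrelated dependencies. I'd keep the block-level lock on the collection, or document on the method why the instance lock is now sufficient. The method's body continues outside both hunks.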
@@ -151,16 +151,14 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer {
if (fileMatch || manifestMatch || pomMatch) {
LOGGER.debug("filtering evidence from {}", dependency.getFileName());
final EvidenceCollection versionEvidence = dependency.getVersionEvidence();
- synchronized (versionEvidence) {
- final Iterator itr = versionEvidence.iterator();
- while (itr.hasNext()) {
- final Evidence e = itr.next();
- if (!(pomMatch && VERSION.equals(e.getName())
- && (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource())))
- && !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource()))
- && !(manifestMatch && MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName()))) {
- itr.remove();
- }
+ final Iterator itr = versionEvidence.iterator();
+ while (itr.hasNext()) {
+ final Evidence e = itr.next();
+ if (!(pomMatch && VERSION.equals(e.getName())
+ && (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource())))
+ && !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource()))
+ && !(manifestMatch && MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName()))) {
+ itr.remove();
}
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
index 5f3cfc420..314e321fb 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -24,8 +24,10 @@ import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.utils.Settings;
@@ -35,6 +37,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
/**
* Class of methods to search Maven Central via Central.
@@ -117,7 +120,7 @@ public class CentralSearch {
if ("0".equals(numFound)) {
missing = true;
} else {
- result = new ArrayList();
+ result = new ArrayList<>();
final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
for (int i = 0; i < docs.getLength(); i++) {
final String g = xpath.evaluate("./str[@name='g']", docs.item(i));
@@ -125,11 +128,11 @@ public class CentralSearch {
final String a = xpath.evaluate("./str[@name='a']", docs.item(i));
LOGGER.trace("ArtifactId: {}", a);
final String v = xpath.evaluate("./str[@name='v']", docs.item(i));
- NodeList atts = (NodeList) xpath.evaluate("./arr[@name='ec']/str", docs.item(i), XPathConstants.NODESET);
+ NodeList attributes = (NodeList) xpath.evaluate("./arr[@name='ec']/str", docs.item(i), XPathConstants.NODESET);
boolean pomAvailable = false;
boolean jarAvailable = false;
- for (int x = 0; x < atts.getLength(); x++) {
- final String tmp = xpath.evaluate(".", atts.item(x));
+ for (int x = 0; x < attributes.getLength(); x++) {
+ final String tmp = xpath.evaluate(".", attributes.item(x));
if (".pom".equals(tmp)) {
pomAvailable = true;
} else if (".jar".equals(tmp)) {
@@ -137,10 +140,10 @@ public class CentralSearch {
}
}
- atts = (NodeList) xpath.evaluate("./arr[@name='tags']/str", docs.item(i), XPathConstants.NODESET);
+ attributes = (NodeList) xpath.evaluate("./arr[@name='tags']/str", docs.item(i), XPathConstants.NODESET);
boolean useHTTPS = false;
- for (int x = 0; x < atts.getLength(); x++) {
- final String tmp = xpath.evaluate(".", atts.item(x));
+ for (int x = 0; x < attributes.getLength(); x++) {
+ final String tmp = xpath.evaluate(".", attributes.item(x));
if ("https".equals(tmp)) {
useHTTPS = true;
}
@@ -149,7 +152,7 @@ public class CentralSearch {
result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable, useHTTPS));
}
}
- } catch (Throwable e) {
+ } catch (ParserConfigurationException | IOException | SAXException | XPathExpressionException e) {
// Anything else is jacked up XML stuff that we really can't recover from well
throw new IOException(e.getMessage(), e);
}
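Review bot: The narrowed multi-catch at the `+` line still routes `IOException` through `throw new IOException(e.getMessage(), e)`, so a plain I/O failure is rewrapped in an identical type with one more nesting level, and the comment above it (`// Anything else is jacked up XML stuff ...`) no longer describes a catch-all now that Throwable is not caught. I'd let I/O errors through unchanged with a preceding `catch (IOException e) { throw e; }` (or drop `IOException` from the list if the method already declares it; the signature is outside the hunk) and reword the comment to name the XML parse and XPath failures that are actually wrapped. The same shape appears in NexusSearch at `@@ -132,7 +135,7 @@`.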
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerDependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerDependency.java
index 09dd97d9a..2ab329abe 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerDependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerDependency.java
@@ -18,7 +18,7 @@
package org.owasp.dependencycheck.data.composer;
/**
- * Reperesents a dependency (GAV, right now) from a Composer dependency.
+ * Represents a dependency (GAV, right now) from a Composer dependency.
*
* @author colezlaw
*/
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java
index 289163763..0803276d1 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java
@@ -42,11 +42,6 @@ public class ComposerLockParser {
*/
private final JsonReader jsonReader;
- /**
- * The input stream we'll read
- */
- private final InputStream inputStream; // NOPMD - it gets set in the constructor, read later
-
/**
* The List of ComposerDependencies found
*/
@@ -58,15 +53,14 @@ public class ComposerLockParser {
private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockParser.class);
/**
- * Createas a ComposerLockParser from a JsonReader and an InputStream.
+ * Creates a ComposerLockParser from a JsonReader and an InputStream.
*
* @param inputStream the InputStream to parse
*/
public ComposerLockParser(InputStream inputStream) {
LOGGER.info("Creating a ComposerLockParser");
- this.inputStream = inputStream;
this.jsonReader = Json.createReader(inputStream);
- this.composerDependencies = new ArrayList();
+ this.composerDependencies = new ArrayList<>();
}
/**
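Review bot: The Javadoc whose typo is fixed at the `+` line still says the parser is created `from a JsonReader and an InputStream`, but the only parameter is the InputStream and, with the `inputStream` field removed in this commit, the JsonReader is purely internal; I'd change the summary to `* Creates a ComposerLockParser from an InputStream.`. Separately, `LOGGER.info("Creating a ComposerLockParser")` emits a message at INFO for every parser instance, which reads as noise rather than signal; `debug` seems the better level for a constructor trace.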
@@ -87,7 +81,7 @@ public class ComposerLockParser {
final String group = groupName.substring(0, groupName.indexOf('/'));
final String project = groupName.substring(groupName.indexOf('/') + 1);
String version = pkg.getString("version");
- // Some version nubmers begin with v - which doesn't end up matching CPE's
+ // Some version numbers begin with v - which doesn't end up matching CPE's
if (version.startsWith("v")) {
version = version.substring(1);
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
index 3100c5ebc..fd2437d2b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
@@ -149,7 +149,7 @@ public final class CpeMemoryIndex {
* @return the CPE Analyzer.
*/
private Analyzer createSearchingAnalyzer() {
- final Map fieldAnalyzers = new HashMap();
+ final Map fieldAnalyzers = new HashMap<>();
fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
productFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
vendorFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
@@ -191,57 +191,35 @@ public final class CpeMemoryIndex {
* @throws IndexException thrown if there is an issue creating the index
*/
private void buildIndex(CveDB cve) throws IndexException {
- Analyzer analyzer = null;
- IndexWriter indexWriter = null;
- try {
- analyzer = createSearchingAnalyzer();
- final IndexWriterConfig conf = new IndexWriterConfig(LuceneUtils.CURRENT_VERSION, analyzer);
- indexWriter = new IndexWriter(index, conf);
- try {
- // Tip: reuse the Document and Fields for performance...
- // See "Re-use Document and Field instances" from
- // http://wiki.apache.org/lucene-java/ImproveIndexingSpeed
- final Document doc = new Document();
- final Field v = new TextField(Fields.VENDOR, Fields.VENDOR, Field.Store.YES);
- final Field p = new TextField(Fields.PRODUCT, Fields.PRODUCT, Field.Store.YES);
- doc.add(v);
- doc.add(p);
+ try (Analyzer analyzer = createSearchingAnalyzer();
+ IndexWriter indexWriter = new IndexWriter(index, new IndexWriterConfig(LuceneUtils.CURRENT_VERSION, analyzer))) {
+ // Tip: reuse the Document and Fields for performance...
+ // See "Re-use Document and Field instances" from
+ // http://wiki.apache.org/lucene-java/ImproveIndexingSpeed
+ final Document doc = new Document();
+ final Field v = new TextField(Fields.VENDOR, Fields.VENDOR, Field.Store.YES);
+ final Field p = new TextField(Fields.PRODUCT, Fields.PRODUCT, Field.Store.YES);
+ doc.add(v);
+ doc.add(p);
- final Set> data = cve.getVendorProductList();
- for (Pair pair : data) {
- //todo figure out why there are null products
- if (pair.getLeft() != null && pair.getRight() != null) {
- v.setStringValue(pair.getLeft());
- p.setStringValue(pair.getRight());
- indexWriter.addDocument(doc);
- resetFieldAnalyzer();
- }
+ final Set> data = cve.getVendorProductList();
+ for (Pair pair : data) {
+ if (pair.getLeft() != null && pair.getRight() != null) {
+ v.setStringValue(pair.getLeft());
+ p.setStringValue(pair.getRight());
+ indexWriter.addDocument(doc);
+ resetFieldAnalyzer();
}
- } catch (DatabaseException ex) {
- LOGGER.debug("", ex);
- throw new IndexException("Error reading CPE data", ex);
}
+ indexWriter.commit();
+ indexWriter.close(true);
+ } catch (DatabaseException ex) {
+ LOGGER.debug("", ex);
+ throw new IndexException("Error reading CPE data", ex);
} catch (CorruptIndexException ex) {
throw new IndexException("Unable to close an in-memory index", ex);
} catch (IOException ex) {
throw new IndexException("Unable to close an in-memory index", ex);
- } finally {
- if (indexWriter != null) {
- try {
- try {
- indexWriter.commit();
- } finally {
- indexWriter.close(true);
- }
- } catch (CorruptIndexException ex) {
- throw new IndexException("Unable to close an in-memory index", ex);
- } catch (IOException ex) {
- throw new IndexException("Unable to close an in-memory index", ex);
- }
- if (analyzer != null) {
- analyzer.close();
- }
- }
}
}
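Review bot: `indexWriter.close(true)` at the end of the new try-with-resources body duplicates the close that the resource statement performs on exit, so on the success path the writer is closed twice; as far as I recall IndexWriter treats a second close as a no-op, but the explicit call adds nothing and is worth confirming against the Lucene version in use, so I'd keep only `indexWriter.commit();` there. With writer construction and `addDocument` now inside the same try, the `"Unable to close an in-memory index"` text in both the CorruptIndexException and IOException catches no longer describes what failed; a message such as `"Unable to build the in-memory index"` would cover all three cases. The `//todo figure out why there are null products` comment was dropped while the null-skipping branch it explained was kept.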
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java
index 30c50ab78..38aefd09e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java
@@ -54,12 +54,10 @@ public final class CweDB {
* @return a HashMap of CWE data
*/
private static Map loadData() {
- ObjectInputStream oin = null;
- try {
- final String filePath = "data/cwe.hashmap.serialized";
- final InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
- oin = new ObjectInputStream(input);
- @SuppressWarnings("unchecked")
+ final String filePath = "data/cwe.hashmap.serialized";
+ try (InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
+ ObjectInputStream oin = new ObjectInputStream(input)) {
+
final Map ret = (HashMap) oin.readObject();
return ret;
} catch (ClassNotFoundException ex) {
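Review bot: `getResourceAsStream(filePath)` returns null when the resource is absent, and the second resource declaration then hands that null to `new ObjectInputStream(input)`, which fails with a NullPointerException rather than the IOException the catch below handles; try-with-resources tolerates a null resource variable but not a constructor that reads from it. Opening the two resources in separate statements with a guard in between, e.g. `if (input == null) { LOGGER.warn("CWE data not found on the class path: {}", filePath); return null; }`, keeps that failure on the existing return-null path. The `@SuppressWarnings("unchecked")` on the removed `-` line was not carried over, so the cast on the `final Map ret = (HashMap) oin.readObject();` line will warn again. This is also Java native deserialization; the data comes from the application's own class path so the trust boundary is the jar itself, but if the build targets Java 9+ an `ObjectInputFilter` limited to the map and its key/value types would make that boundary explicit.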
@@ -68,14 +66,6 @@ public final class CweDB {
} catch (IOException ex) {
LOGGER.warn("Unable to load CWE data due to an IO Error. This should not be an issue.");
LOGGER.debug("", ex);
- } finally {
- if (oin != null) {
- try {
- oin.close();
- } catch (IOException ex) {
- LOGGER.trace("", ex);
- }
- }
}
return null;
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java
index e0d948b57..894aed93a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java
@@ -32,7 +32,7 @@ public class CweHandler extends DefaultHandler {
/**
* a HashMap containing the CWE data.
*/
- private final HashMap cwe = new HashMap();
+ private final HashMap cwe = new HashMap<>();
/**
* Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java
index 2a0b20d6a..25e943378 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java
@@ -63,7 +63,7 @@ public abstract class AbstractTokenizingFilter extends TokenFilter {
*/
public AbstractTokenizingFilter(TokenStream stream) {
super(stream);
- tokens = new LinkedList();
+ tokens = new LinkedList<>();
}
/**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java
index 4b36d3e01..22f6f369a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java
@@ -71,7 +71,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
*/
public TokenPairConcatenatingFilter(TokenStream stream) {
super(stream);
- words = new LinkedList();
+ words = new LinkedList<>();
}
/**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
index c7f6b790b..09567475f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
@@ -22,7 +22,9 @@ import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.owasp.dependencycheck.utils.URLConnectionFactory;
@@ -30,6 +32,7 @@ import org.owasp.dependencycheck.utils.XmlUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
+import org.xml.sax.SAXException;
/**
* Class of methods to search Nexus repositories.
@@ -132,7 +135,7 @@ public class NexusSearch {
ma.setPomUrl(pomLink);
}
return ma;
- } catch (Throwable e) {
+ } catch (ParserConfigurationException | IOException | SAXException | XPathExpressionException e) {
// Anything else is jacked-up XML stuff that we really can't recover
// from well
throw new IOException(e.getMessage(), e);
@@ -170,7 +173,7 @@ public class NexusSearch {
LOGGER.warn("Expected root node name of status, got {}", doc.getDocumentElement().getNodeName());
return false;
}
- } catch (Throwable e) {
+ } catch (IOException | ParserConfigurationException | SAXException e) {
return false;
}
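Review bot: The narrowed catch at the `+` line still returns `false` without recording why, so a parser-configuration, SAX or I/O failure is indistinguishable from a genuine negative answer; I'd log the cause before returning, e.g. `LOGGER.debug("Nexus status check failed", e);` (the surrounding code appears to be a status probe, judging by the root-node check above). Because `Throwable` is no longer caught, any RuntimeException thrown inside the try now propagates where it was previously swallowed; that may be intended, but it is a behaviour change worth a line in the commit message. The enclosing method starts outside the hunk.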
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
index bbf2ecd1d..fa91cb73f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
@@ -17,14 +17,18 @@
*/
package org.owasp.dependencycheck.data.nuget;
+import java.io.IOException;
import java.io.InputStream;
import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.owasp.dependencycheck.utils.XmlUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
+import org.xml.sax.SAXException;
/**
* Parse a Nuspec file using XPath.
@@ -78,7 +82,7 @@ public class XPathNuspecParser implements NuspecParser {
nuspec.setLicenseUrl(getOrNull((Node) xpath.evaluate("/package/metadata/licenseUrl", d, XPathConstants.NODE)));
nuspec.setTitle(getOrNull((Node) xpath.evaluate("/package/metadata/title", d, XPathConstants.NODE)));
return nuspec;
- } catch (Throwable e) {
+ } catch (ParserConfigurationException | SAXException | IOException | XPathExpressionException | NuspecParseException e) {
throw new NuspecParseException("Unable to parse nuspec", e);
}
}
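Review bot: `NuspecParseException` is listed in the new multi-catch and then wrapped in another `NuspecParseException("Unable to parse nuspec", e)`, which buries the more specific message of the inner exception behind a generic one. If the method declares `throws NuspecParseException` (the signature is outside the hunk) it can simply be removed from the list; otherwise a preceding `catch (NuspecParseException e) { throw e; }` lets it propagate unchanged.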
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
index a5918ca47..b901231b4 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
@@ -342,7 +342,7 @@ public final class ConnectionFactory {
LOGGER.warn("A new version of dependency-check is available; consider upgrading");
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
} else if (e0 == c0 && e1 == c1) {
- //do nothing - not sure how we got here, but just incase...
+ //do nothing - not sure how we got here, but just in case...
} else {
LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.",
UPGRADE_HELP_URL);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
index 650f84a34..0a966a24b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -63,7 +63,7 @@ public final class CveDB {
/**
* Singleton instance of the CveDB.
*/
- private static CveDB INSTANCE = null;
+ private static CveDB instance = null;
/**
* The logger.
*/
@@ -81,11 +81,6 @@ public final class CveDB {
* table.
*/
private DatabaseProperties databaseProperties;
- /**
- * Does the underlying connection support batch operations? Currently we do
- * not support batch execution.
- */
- private final boolean batchSupported = false;
/**
* The prepared statements.
*/
@@ -96,27 +91,93 @@ public final class CveDB {
* statement bundles "dbStatements*.properties".
*/
enum PreparedStatementCveDb {
+ /**
+ * Key for SQL Statement.
+ */
CLEANUP_ORPHANS,
+ /**
+ * Key for SQL Statement.
+ */
COUNT_CPE,
+ /**
+ * Key for SQL Statement.
+ */
DELETE_REFERENCE,
+ /**
+ * Key for SQL Statement.
+ */
DELETE_SOFTWARE,
+ /**
+ * Key for SQL Statement.
+ */
DELETE_VULNERABILITY,
+ /**
+ * Key for SQL Statement.
+ */
INSERT_CPE,
+ /**
+ * Key for SQL Statement.
+ */
INSERT_PROPERTY,
+ /**
+ * Key for SQL Statement.
+ */
INSERT_REFERENCE,
+ /**
+ * Key for SQL Statement.
+ */
INSERT_SOFTWARE,
+ /**
+ * Key for SQL Statement.
+ */
INSERT_VULNERABILITY,
+ /**
+ * Key for SQL Statement.
+ */
MERGE_PROPERTY,
+ /**
+ * Key for SQL Statement.
+ */
SELECT_CPE_ENTRIES,
+ /**
+ * Key for SQL Statement.
+ */
SELECT_CPE_ID,
+ /**
+ * Key for SQL Statement.
+ */
SELECT_CVE_FROM_SOFTWARE,
+ /**
+ * Key for SQL Statement.
+ */
SELECT_PROPERTIES,
+ /**
+ * Key for SQL Statement.
+ */
SELECT_REFERENCES,
+ /**
+ * Key for SQL Statement.
+ */
SELECT_SOFTWARE,
+ /**
+ * Key for SQL Statement.
+ */
SELECT_VENDOR_PRODUCT_LIST,
+ /**
+ * Key for SQL Statement.
+ */
SELECT_VULNERABILITY,
+ /**
+ * Key for SQL Statement.
+ */
SELECT_VULNERABILITY_ID,
+ /**
+ * Key for SQL Statement.
+ */
UPDATE_PROPERTY,
+ /**
+ * Key for SQL Statement.
+ */
UPDATE_VULNERABILITY
}
@@ -126,11 +187,11 @@ public final class CveDB {
* @return the CveDB singleton
* @throws DatabaseException thrown if there is a database error
*/
- public synchronized static CveDB getInstance() throws DatabaseException {
- if (INSTANCE == null) {
- INSTANCE = new CveDB();
+ public static synchronized CveDB getInstance() throws DatabaseException {
+ if (instance == null) {
+ instance = new CveDB();
}
- return INSTANCE;
+ return instance;
}
/**
@@ -155,9 +216,9 @@ public final class CveDB {
*
* @return the product name of the database if successful, {@code null} else
*/
- private String determineDatabaseProductName() {
+ private synchronized String determineDatabaseProductName() {
try {
- final String databaseProductName = getConnection().getMetaData().getDatabaseProductName();
+ final String databaseProductName = connection.getMetaData().getDatabaseProductName();
LOGGER.debug("Database product: {}", databaseProductName);
return databaseProductName;
} catch (SQLException se) {
@@ -166,15 +227,6 @@ public final class CveDB {
}
}
- /**
- * Returns the database connection.
- *
- * @return the database connection
- */
- private Connection getConnection() {
- return connection;
- }
-
/**
* Opens the database connection. If the database does not exist, it will
* create a new one.
@@ -196,7 +248,7 @@ public final class CveDB {
if (isOpen()) {
closeStatements();
try {
- getConnection().close();
+ connection.close();
} catch (SQLException ex) {
LOGGER.error("There was an error attempting to close the CveDB, see the log for more details.");
LOGGER.debug("", ex);
@@ -205,7 +257,7 @@ public final class CveDB {
LOGGER.debug("", ex);
}
connection = null;
- INSTANCE = null;
+ instance = null;
}
}
@@ -215,7 +267,7 @@ public final class CveDB {
* @return whether the database connection is open or closed
*/
private boolean isOpen() {
- return getConnection() != null;
+ return connection != null;
}
/**
@@ -228,15 +280,15 @@ public final class CveDB {
private EnumMap prepareStatements()
throws DatabaseException {
- final EnumMap result = new EnumMap(PreparedStatementCveDb.class);
+ final EnumMap result = new EnumMap<>(PreparedStatementCveDb.class);
for (PreparedStatementCveDb key : values()) {
final String statementString = statementBundle.getString(key.name());
final PreparedStatement preparedStatement;
try {
if (key == INSERT_VULNERABILITY || key == INSERT_CPE) {
- preparedStatement = getConnection().prepareStatement(statementString, new String[]{"id"});
+ preparedStatement = connection.prepareStatement(statementString, new String[]{"id"});
} else {
- preparedStatement = getConnection().prepareStatement(statementString);
+ preparedStatement = connection.prepareStatement(statementString);
}
} catch (SQLException exception) {
throw new DatabaseException(exception);
@@ -277,7 +329,7 @@ public final class CveDB {
public synchronized void commit() throws SQLException {
//temporary remove this as autocommit is on.
//if (isOpen()) {
- // getConnection().commit();
+ // connection.commit();
//}
}
@@ -623,30 +675,15 @@ public final class CveDB {
}
final PreparedStatement insertReference = getPreparedStatement(INSERT_REFERENCE);
- if (batchSupported) {
- insertReference.clearBatch();
- }
for (Reference r : vuln.getReferences()) {
insertReference.setInt(1, vulnerabilityId);
insertReference.setString(2, r.getName());
insertReference.setString(3, r.getUrl());
insertReference.setString(4, r.getSource());
-
- if (batchSupported) {
- insertReference.addBatch();
- } else {
- insertReference.execute();
- }
- }
-
- if (batchSupported) {
- insertReference.executeBatch();
+ insertReference.execute();
}
final PreparedStatement insertSoftware = getPreparedStatement(INSERT_SOFTWARE);
- if (batchSupported) {
- insertSoftware.clearBatch();
- }
for (VulnerableSoftware s : vuln.getVulnerableSoftware()) {
int cpeProductId = 0;
final PreparedStatement selectCpeId = getPreparedStatement(SELECT_CPE_ID);
@@ -682,23 +719,17 @@ public final class CveDB {
} else {
insertSoftware.setString(3, s.getPreviousVersion());
}
- if (batchSupported) {
- insertSoftware.addBatch();
- } else {
- try {
- insertSoftware.execute();
- } catch (SQLException ex) {
- if (ex.getMessage().contains("Duplicate entry")) {
- final String msg = String.format("Duplicate software key identified in '%s:%s'", vuln.getName(), s.getName());
- LOGGER.info(msg, ex);
- } else {
- throw ex;
- }
+ try {
+ insertSoftware.execute();
+ } catch (SQLException ex) {
+ if (ex.getMessage().contains("Duplicate entry")) {
+ final String msg = String.format("Duplicate software key identified in '%s:%s'", vuln.getName(), s.getName());
+ LOGGER.info(msg, ex);
+ } else {
+ throw ex;
}
}
- }
- if (batchSupported) {
- insertSoftware.executeBatch();
+
}
} catch (SQLException ex) {
final String msg = String.format("Error updating '%s'", vuln.getName());
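Review bot: The duplicate-key detection kept in the re-indented block, `ex.getMessage().contains("Duplicate entry")`, matches the wording of one vendor's error text and dereferences `getMessage()`, which SQLException permits to be null; on another driver a real duplicate is rethrown as an error, and a null message throws NullPointerException from inside the catch. The portable check is the SQLSTATE integrity-constraint class, e.g. `if (ex.getSQLState() != null && ex.getSQLState().startsWith("23"))`. The `+` line that inserts a blank line after the inner catch is stray whitespace. The enclosing method starts and ends outside the hunk.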
@@ -777,7 +808,7 @@ public final class CveDB {
final boolean isVersionTwoADifferentProduct = "apache".equals(vendor) && "struts".equals(product);
- final Set majorVersionsAffectingAllPrevious = new HashSet();
+ final Set majorVersionsAffectingAllPrevious = new HashSet<>();
final boolean matchesAnyPrevious = identifiedVersion == null || "-".equals(identifiedVersion.toString());
String majorVersionMatch = null;
for (Entry entry : vulnerableSoftware.entrySet()) {
@@ -806,12 +837,12 @@ public final class CveDB {
if (!entry.getValue()) {
final DependencyVersion v = parseDependencyVersion(entry.getKey());
//this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
- if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
+ if (canSkipVersions && majorVersionMatch != null && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
continue;
}
//this can't dereference a null 'identifiedVersion' because if it was null we would have exited
//in the above loop or just after loop (if matchesAnyPrevious return null).
- if (identifiedVersion.equals(v)) {
+ if (identifiedVersion != null && identifiedVersion.equals(v)) {
return entry;
}
}
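Review bot: The null guards added at the two `+` lines contradict the comments directly above them, which still assert that `majorVersionMatch` and `identifiedVersion` cannot be null at these points, so a reader cannot tell whether the guards are real fixes or static-analysis appeasement. Either the comments are right and the checks are redundant, or the invariant was broken and the comments are wrong; in both cases the comment text should be updated to state what is actually true. The same pair of guards and comments is repeated in the hunk at `@@ -820,12 +851,12 @@`. The enclosing method starts and ends outside both hunks.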
@@ -820,12 +851,12 @@ public final class CveDB {
if (entry.getValue()) {
final DependencyVersion v = parseDependencyVersion(entry.getKey());
//this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
- if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
+ if (canSkipVersions && majorVersionMatch != null && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
continue;
}
//this can't dereference a null 'identifiedVersion' because if it was null we would have exited
//in the above loop or just after loop (if matchesAnyPrevious return null).
- if (entry.getValue() && identifiedVersion.compareTo(v) <= 0) {
+ if (entry.getValue() && identifiedVersion != null && identifiedVersion.compareTo(v) <= 0) {
if (!(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))) {
return entry;
}
@@ -884,10 +915,11 @@ public final class CveDB {
public synchronized void deleteUnusedCpe() {
PreparedStatement ps = null;
try {
- ps = getConnection().prepareStatement(statementBundle.getString("DELETE_UNUSED_DICT_CPE"));
+ ps = connection.prepareStatement(statementBundle.getString("DELETE_UNUSED_DICT_CPE"));
ps.executeUpdate();
} catch (SQLException ex) {
LOGGER.error("Unable to delete CPE dictionary entries", ex);
+ } finally {
DBUtils.closeStatement(ps);
}
}
@@ -905,13 +937,14 @@ public final class CveDB {
public synchronized void addCpe(String cpe, String vendor, String product) {
PreparedStatement ps = null;
try {
- ps = getConnection().prepareStatement(statementBundle.getString("ADD_DICT_CPE"));
+ ps = connection.prepareStatement(statementBundle.getString("ADD_DICT_CPE"));
ps.setString(1, cpe);
ps.setString(2, vendor);
ps.setString(3, product);
ps.executeUpdate();
} catch (SQLException ex) {
LOGGER.error("Unable to add CPE dictionary entry", ex);
+ } finally {
DBUtils.closeStatement(ps);
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
index a3b2aa86c..ea690ba75 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
@@ -166,7 +166,7 @@ public class DatabaseProperties {
* @return a map of the database meta data
*/
public Map getMetaData() {
- final Map map = new TreeMap();
+ final Map map = new TreeMap<>();
for (Entry
*
* Example, given the following input:
* "https://www.somedomain.com/path1/path2/file.php?id=439"
@@ -87,7 +89,7 @@ public final class UrlStringUtils {
* @throws MalformedURLException thrown if the URL is malformed
*/
public static List extractImportantUrlData(String text) throws MalformedURLException {
- final List importantParts = new ArrayList();
+ final List importantParts = new ArrayList<>();
final URL url = new URL(text);
final String[] domain = url.getHost().split("\\.");
//add the domain except www and the tld.
@@ -99,14 +101,21 @@ public final class UrlStringUtils {
}
final String document = url.getPath();
final String[] pathParts = document.split("[\\//]");
- for (int i = 0; i < pathParts.length - 2; i++) {
+ for (int i = 0; i < pathParts.length - 1; i++) {
if (!pathParts[i].isEmpty()) {
importantParts.add(pathParts[i]);
}
}
if (pathParts.length > 0 && !pathParts[pathParts.length - 1].isEmpty()) {
- final String fileNameNoExt = pathParts[pathParts.length - 1].replaceAll("\\..*{0,5}$", "");
- importantParts.add(fileNameNoExt);
+ final String tmp = pathParts[pathParts.length - 1];
+ final int pos = tmp.lastIndexOf('.');
+ if (pos > 1) {
+ importantParts.add(tmp.substring(0, pos));
+ } else if (pos == 0 && tmp.length() > 1) {
+ importantParts.add(tmp.substring(1));
+ } else {
+ importantParts.add(tmp);
+ }
}
return importantParts;
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java
index c834abf60..676067c5e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java
@@ -149,8 +149,17 @@ public class HintHandler extends DefaultHandler {
* Internal type to track the parent node state.
*/
enum ParentType {
+ /**
+ * Marks the add node.
+ */
ADD,
+ /**
+ * Marks the given node.
+ */
GIVEN,
+ /**
+ * Marks the remove node.
+ */
REMOVE
}
/**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
index ce881759c..58966d0f8 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
@@ -79,38 +79,19 @@ public class HintParser {
* @throws HintParseException thrown if the XML file cannot be parsed
*/
public Hints parseHints(File file) throws HintParseException {
- FileInputStream fis = null;
+ //TODO there must be a better way to determine which schema to use for validation.
try {
- fis = new FileInputStream(file);
- return parseHints(fis);
- } catch (IOException ex) {
- LOGGER.debug("", ex);
- throw new HintParseException(ex);
- } catch (SAXException ex) {
- try {
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException ex1) {
- LOGGER.debug("Unable to close stream", ex1);
- }
- }
- fis = new FileInputStream(file);
- } catch (FileNotFoundException ex1) {
- throw new HintParseException(ex1);
- }
- try {
- return parseHints(fis, HINT_SCHEMA_OLD);
- } catch (SAXException ex1) {
+ try (FileInputStream fis = new FileInputStream(file)) {
+ return parseHints(fis);
+ } catch (IOException ex) {
+ LOGGER.debug("", ex);
throw new HintParseException(ex);
}
- } finally {
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException ex) {
- LOGGER.debug("Unable to close stream", ex);
- }
+ } catch (SAXException ex) {
+ try (FileInputStream fis = new FileInputStream(file)) {
+ return parseHints(fis, HINT_SCHEMA_OLD);
+ } catch (SAXException | IOException ex1) {
+ throw new HintParseException(ex);
}
}
}
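Review bot: In the fallback `catch (SAXException | IOException ex1)` block `ex1` is discarded, so when the file fails under both the current and the old schema nothing records why the second attempt failed; the first failure is wrapped and the second vanishes. Attaching it keeps both stack traces: `ex.addSuppressed(ex1);` before `throw new HintParseException(ex);`. Note also that an `IOException` on the retry (the file became unreadable between the two opens) is then reported as a schema error, which will mislead anyone debugging a permissions problem. Given the TODO at the top, a comment saying the retry is deliberately reported under the first exception would help the next reader.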
@@ -139,24 +120,21 @@ public class HintParser {
* @throws SAXException thrown if the XML cannot be parsed
*/
private Hints parseHints(InputStream inputStream, String schema) throws HintParseException, SAXException {
- InputStream schemaStream = null;
- try {
- schemaStream = this.getClass().getClassLoader().getResourceAsStream(schema);
+ try (InputStream schemaStream = this.getClass().getClassLoader().getResourceAsStream(schema)) {
final HintHandler handler = new HintHandler();
final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream);
final XMLReader xmlReader = saxParser.getXMLReader();
xmlReader.setErrorHandler(new HintErrorHandler());
xmlReader.setContentHandler(handler);
-
- final Reader reader = new InputStreamReader(inputStream, "UTF-8");
- final InputSource in = new InputSource(reader);
-
- xmlReader.parse(in);
- final Hints hints = new Hints();
- hints.setHintRules(handler.getHintRules());
- hints.setVendorDuplicatingHintRules(handler.getVendorDuplicatingHintRules());
- return hints;
- } catch (ParserConfigurationException ex) {
+ try (Reader reader = new InputStreamReader(inputStream, "UTF-8")) {
+ final InputSource in = new InputSource(reader);
+ xmlReader.parse(in);
+ final Hints hints = new Hints();
+ hints.setHintRules(handler.getHintRules());
+ hints.setVendorDuplicatingHintRules(handler.getVendorDuplicatingHintRules());
+ return hints;
+ }
+ } catch (ParserConfigurationException | FileNotFoundException ex) {
LOGGER.debug("", ex);
throw new HintParseException(ex);
} catch (SAXException ex) {
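Review bot: Wrapping `reader` in try-with-resources means this method now closes the caller-supplied `inputStream` on every path, which is an ownership change the Javadoc does not mention; if the single-argument `InputStream` overload called from `parseHints(File)` is part of the public API, callers passing a stream they intend to reuse will find it closed. If that is intended, document it: `@param inputStream the stream to parse; it is closed when this method returns`. Otherwise keep the reader outside the try-with-resources as before and let the owner close it. The method's remaining catch blocks continue in the next hunk.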
@@ -166,20 +144,9 @@ public class HintParser {
LOGGER.debug("", ex);
throw new HintParseException(ex);
}
- } catch (FileNotFoundException ex) {
- LOGGER.debug("", ex);
- throw new HintParseException(ex);
} catch (IOException ex) {
LOGGER.debug("", ex);
throw new HintParseException(ex);
- } finally {
- if (schemaStream != null) {
- try {
- schemaStream.close();
- } catch (IOException ex) {
- LOGGER.debug("Error closing hint file stream", ex);
- }
- }
}
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
index ab59344f4..e92cbdda9 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintRule.java
@@ -255,7 +255,7 @@ public class HintRule {
return removeVersion;
}
/**
- * Adds a given version to the list of evidence to matche.
+ * Adds a given version to the list of evidence to match.
*
* @param source the source of the evidence
* @param name the name of the evidence
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
index 132f10daf..2168ec950 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
@@ -74,7 +74,7 @@ public class Model {
/**
* The list of licenses.
*/
- private final List licenses = new ArrayList();
+ private final List licenses = new ArrayList<>();
/**
* The project URL.
*/
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
index 198ce2e12..014d8043e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
@@ -91,7 +91,7 @@ public class PomHandler extends DefaultHandler {
/**
* The stack of elements processed; used to determine the parent node.
*/
- private final Deque stack = new ArrayDeque();
+ private final Deque stack = new ArrayDeque<>();
/**
* The license object.
*/
@@ -101,7 +101,7 @@ public class PomHandler extends DefaultHandler {
* The current node text being extracted from the element.
*/
private StringBuilder currentText;
-
+
/**
* Handles the start element event.
*
@@ -132,66 +132,77 @@ public class PomHandler extends DefaultHandler {
public void endElement(String uri, String localName, String qName) throws SAXException {
stack.pop();
final String parentNode = stack.peek();
- if (null != parentNode) switch (parentNode) {
- case PROJECT:
- if (null != qName) switch (qName) {
- case GROUPID:
- model.setGroupId(currentText.toString());
- break;
- case ARTIFACTID:
- model.setArtifactId(currentText.toString());
- break;
- case VERSION:
- model.setVersion(currentText.toString());
- break;
- case NAME:
- model.setName(currentText.toString());
- break;
- case DESCRIPTION:
- model.setDescription(currentText.toString());
- break;
- case URL:
- model.setProjectURL(currentText.toString());
- break;
- default:
- break;
- } break;
- case ORGANIZATION:
- if (NAME.equals(qName)) {
- model.setOrganization(currentText.toString());
- } else if (URL.equals(qName)) {
- model.setOrganizationUrl(currentText.toString());
- } break;
- case PARENT:
- if (null != qName) switch (qName) {
- case GROUPID:
- model.setParentGroupId(currentText.toString());
- break;
- case ARTIFACTID:
- model.setParentArtifactId(currentText.toString());
- break;
- case VERSION:
- model.setParentVersion(currentText.toString());
- break;
- default:
- break;
- } break;
- case LICENSE:
- if (license != null) {
+ if (null != parentNode) {
+ switch (parentNode) {
+ case PROJECT:
+ if (null != qName) {
+ switch (qName) {
+ case GROUPID:
+ model.setGroupId(currentText.toString());
+ break;
+ case ARTIFACTID:
+ model.setArtifactId(currentText.toString());
+ break;
+ case VERSION:
+ model.setVersion(currentText.toString());
+ break;
+ case NAME:
+ model.setName(currentText.toString());
+ break;
+ case DESCRIPTION:
+ model.setDescription(currentText.toString());
+ break;
+ case URL:
+ model.setProjectURL(currentText.toString());
+ break;
+ default:
+ break;
+ }
+ }
+ break;
+ case ORGANIZATION:
if (NAME.equals(qName)) {
- license.setName(currentText.toString());
+ model.setOrganization(currentText.toString());
} else if (URL.equals(qName)) {
- license.setUrl(currentText.toString());
+ model.setOrganizationUrl(currentText.toString());
}
- } break;
- case LICENSES:
- if (LICENSE.equals(qName)) {
+ break;
+ case PARENT:
+ if (null != qName) {
+ switch (qName) {
+ case GROUPID:
+ model.setParentGroupId(currentText.toString());
+ break;
+ case ARTIFACTID:
+ model.setParentArtifactId(currentText.toString());
+ break;
+ case VERSION:
+ model.setParentVersion(currentText.toString());
+ break;
+ default:
+ break;
+ }
+ }
+ break;
+ case LICENSE:
if (license != null) {
- model.addLicense(license);
+ if (NAME.equals(qName)) {
+ license.setName(currentText.toString());
+ } else if (URL.equals(qName)) {
+ license.setUrl(currentText.toString());
+ }
}
- } break;
- default:
- break;
+ break;
+ case LICENSES:
+ if (LICENSE.equals(qName)) {
+ if (license != null) {
+ model.addLicense(license);
+ }
+ }
+ break;
+ default:
+ break;
+ }
}
}
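Review bot: The `LICENSES` case nests two single-condition `if`s where one guard reads more directly: `if (LICENSE.equals(qName) && license != null) { model.addLicense(license); }`. In the same spirit, `PROJECT` and `PARENT` wrap their inner `switch` in `if (null != qName)` (needed, since switching on a null String throws), while `ORGANIZATION` and `LICENSE` rely on `NAME.equals(qName)` tolerating null; a short comment on the first guard explaining that difference saves the next reader from "fixing" the inconsistency. This method never clears `license` after `addLicense`, so it presumably relies on `startElement` to reset it — I cannot see that handler here, so a `// license is replaced in startElement` note would confirm the assumption.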
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
index 5218e3d7a..3b81e1591 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
@@ -58,21 +58,11 @@ public class PomParser {
* @throws PomParseException thrown if the xml file cannot be parsed
*/
public Model parse(File file) throws PomParseException {
- FileInputStream fis = null;
- try {
- fis = new FileInputStream(file);
+ try (FileInputStream fis = new FileInputStream(file)) {
return parse(fis);
} catch (IOException ex) {
LOGGER.debug("", ex);
throw new PomParseException(ex);
- } finally {
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException ex) {
- LOGGER.debug("Unable to close stream", ex);
- }
- }
}
}
@@ -90,18 +80,15 @@ public class PomParser {
final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
final XMLReader xmlReader = saxParser.getXMLReader();
xmlReader.setContentHandler(handler);
- BOMInputStream bomStream = new BOMInputStream(inputStream);
- ByteOrderMark bom = bomStream.getBOM();
- String defaultEncoding = "UTF-8";
- String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
+ final BOMInputStream bomStream = new BOMInputStream(inputStream);
+ final ByteOrderMark bom = bomStream.getBOM();
+ final String defaultEncoding = "UTF-8";
+ final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
final Reader reader = new InputStreamReader(bomStream, charsetName);
final InputSource in = new InputSource(reader);
xmlReader.parse(in);
return handler.getModel();
- } catch (ParserConfigurationException | SAXException ex) {
- LOGGER.debug("", ex);
- throw new PomParseException(ex);
- } catch (FileNotFoundException ex) {
+ } catch (ParserConfigurationException | SAXException | FileNotFoundException ex) {
LOGGER.debug("", ex);
throw new PomParseException(ex);
} catch (IOException ex) {
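Review bot: The charset selection at `final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();` is, as far as I recall commons-io, effectively dead: the single-argument `BOMInputStream(InputStream)` constructor detects only the UTF-8 BOM, so `bom.getCharsetName()` can never return a UTF-16/32 name. If UTF-16 POMs are meant to be supported, pass the marks explicitly, `new BOMInputStream(inputStream, ByteOrderMark.UTF_8, ByteOrderMark.UTF_16BE, ByteOrderMark.UTF_16LE, ByteOrderMark.UTF_32BE, ByteOrderMark.UTF_32LE)`; otherwise hard-code UTF-8 and drop the dead branch. Unlike the hint and suppression parsers in this commit, `reader` here is not in a try-with-resources, so the parsers now differ in whether they close the caller's stream; whichever is intended should be stated in the Javadoc. The enclosing method's signature and trailing catch blocks lie outside this hunk.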
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionErrorHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionErrorHandler.java
index b4801b380..d476f1aaa 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionErrorHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionErrorHandler.java
@@ -18,6 +18,8 @@
package org.owasp.dependencycheck.xml.suppression;
import org.owasp.dependencycheck.utils.XmlUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import org.xml.sax.ErrorHandler;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
@@ -32,7 +34,7 @@ public class SuppressionErrorHandler implements ErrorHandler {
/**
* The logger.
*/
- //private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionErrorHandler.class);
+ private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionErrorHandler.class);
/**
* Logs warnings.
@@ -42,7 +44,7 @@ public class SuppressionErrorHandler implements ErrorHandler {
*/
@Override
public void warning(SAXParseException ex) throws SAXException {
- //LOGGER.debug("", ex);
+ LOGGER.trace("", ex);
}
/**
@@ -60,7 +62,7 @@ public class SuppressionErrorHandler implements ErrorHandler {
* Handles fatal exceptions.
*
* @param ex a fatal exception
- * @throws SAXException is always
+ * @throws SAXException is always thrown
*/
@Override
public void fatalError(SAXParseException ex) throws SAXException {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
index 62c11ffc3..ec1b7b1c2 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
@@ -71,7 +71,7 @@ public class SuppressionHandler extends DefaultHandler {
/**
* A list of suppression rules.
*/
- private final List suppressionRules = new ArrayList();
+ private final List suppressionRules = new ArrayList<>();
/**
* Get the value of suppressionRules.
@@ -199,4 +199,4 @@ public class SuppressionHandler extends DefaultHandler {
}
return pt;
}
-}
\ No newline at end of file
+}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
index 88a37dbe8..4ee98c82a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
@@ -64,39 +64,19 @@ public class SuppressionParser {
* @throws SuppressionParseException thrown if the XML file cannot be parsed
*/
public List parseSuppressionRules(File file) throws SuppressionParseException {
- FileInputStream fis = null;
try {
- fis = new FileInputStream(file);
- return parseSuppressionRules(fis);
- } catch (IOException ex) {
- LOGGER.debug("", ex);
- throw new SuppressionParseException(ex);
+ try (FileInputStream fis = new FileInputStream(file)) {
+ return parseSuppressionRules(fis);
+ } catch (IOException ex) {
+ LOGGER.debug("", ex);
+ throw new SuppressionParseException(ex);
+ }
} catch (SAXException ex) {
- try {
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException ex1) {
- LOGGER.debug("Unable to close stream", ex1);
- }
- }
- fis = new FileInputStream(file);
- } catch (FileNotFoundException ex1) {
- throw new SuppressionParseException(ex);
- }
- try {
+ try (FileInputStream fis = new FileInputStream(file)) {
return parseSuppressionRules(fis, OLD_SUPPRESSION_SCHEMA);
- } catch (SAXException ex1) {
+ } catch (SAXException | IOException ex1) {
throw new SuppressionParseException(ex);
}
- } finally {
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException ex) {
- LOGGER.debug("Unable to close stream", ex);
- }
- }
}
}
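Review bot: The retry with `OLD_SUPPRESSION_SCHEMA` discards `ex1`, so when the file fails under both schemas — or cannot be reopened — the only diagnostic is the first schema's error and the second failure is silently lost. `ex.addSuppressed(ex1);` before the `throw` preserves both, and keeps this consistent with the identical structure in `HintParser`. Note that an `IOException` during the retry is reported as a schema problem (the wrapped `ex`), which will send anyone debugging a permissions issue in the wrong direction.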
@@ -124,19 +104,18 @@ public class SuppressionParser {
* @throws SAXException thrown if the XML cannot be parsed
*/
private List parseSuppressionRules(InputStream inputStream, String schema) throws SuppressionParseException, SAXException {
- InputStream schemaStream = null;
- try {
- schemaStream = this.getClass().getClassLoader().getResourceAsStream(schema);
+ try (InputStream schemaStream = this.getClass().getClassLoader().getResourceAsStream(schema)) {
final SuppressionHandler handler = new SuppressionHandler();
final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream);
final XMLReader xmlReader = saxParser.getXMLReader();
xmlReader.setErrorHandler(new SuppressionErrorHandler());
xmlReader.setContentHandler(handler);
- final Reader reader = new InputStreamReader(inputStream, "UTF-8");
- final InputSource in = new InputSource(reader);
- xmlReader.parse(in);
- return handler.getSuppressionRules();
- } catch (ParserConfigurationException ex) {
+ try (Reader reader = new InputStreamReader(inputStream, "UTF-8")) {
+ final InputSource in = new InputSource(reader);
+ xmlReader.parse(in);
+ return handler.getSuppressionRules();
+ }
+ } catch (ParserConfigurationException | FileNotFoundException ex) {
LOGGER.debug("", ex);
throw new SuppressionParseException(ex);
} catch (SAXException ex) {
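Review bot: `getResourceAsStream(schema)` returns null when the schema resource is missing from the classpath, and try-with-resources accepts a null resource without complaint, so the null flows straight into `XmlUtils.buildSecureSaxParser(schemaStream)`; what that helper does with it is not visible here, but an explicit check gives a clear error regardless: `if (schemaStream == null) { throw new FileNotFoundException("schema " + schema + " not found on classpath"); }` as the first statement in the try, which the existing `catch (ParserConfigurationException | FileNotFoundException ex)` already wraps. As in `HintParser`, the new try-with-resources on `reader` closes the caller's `inputStream`, which the Javadoc should state. The method's trailing catch blocks are in the next hunk.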
@@ -146,20 +125,9 @@ public class SuppressionParser {
LOGGER.debug("", ex);
throw new SuppressionParseException(ex);
}
- } catch (FileNotFoundException ex) {
- LOGGER.debug("", ex);
- throw new SuppressionParseException(ex);
} catch (IOException ex) {
LOGGER.debug("", ex);
throw new SuppressionParseException(ex);
- } finally {
- if (schemaStream != null) {
- try {
- schemaStream.close();
- } catch (IOException ex) {
- LOGGER.debug("Error closing suppression file stream", ex);
- }
- }
}
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
index 30313be71..ca6c7ab05 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
@@ -529,4 +529,4 @@ public class SuppressionRule {
sb.append('}');
return sb.toString();
}
-}
\ No newline at end of file
+}
diff --git a/dependency-check-core/src/main/resources/data/dbStatements.properties b/dependency-check-core/src/main/resources/data/dbStatements.properties
index d7c4eb276..87098536e 100644
--- a/dependency-check-core/src/main/resources/data/dbStatements.properties
+++ b/dependency-check-core/src/main/resources/data/dbStatements.properties
@@ -13,7 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-# Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved.
+# Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
DELETE_REFERENCE=DELETE FROM reference WHERE cveid = ?
DELETE_SOFTWARE=DELETE FROM software WHERE cveid = ?
diff --git a/dependency-check-core/src/main/resources/schema/nvdcve/2_0/scap-core_0.1.xsd b/dependency-check-core/src/main/resources/schema/nvdcve/2_0/scap-core_0.1.xsd
index 41d1ce5f6..c9a09f82f 100644
--- a/dependency-check-core/src/main/resources/schema/nvdcve/2_0/scap-core_0.1.xsd
+++ b/dependency-check-core/src/main/resources/schema/nvdcve/2_0/scap-core_0.1.xsd
@@ -133,7 +133,7 @@
-
+
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java
index 1bb992197..6264b6ebf 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java
@@ -24,6 +24,7 @@ import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
+import org.apache.commons.compress.utils.IOUtils;
import org.junit.AfterClass;
import org.junit.Before;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
@@ -45,7 +46,7 @@ public abstract class BaseDBTestCase extends BaseTest {
@Before
public void setUpDb() throws Exception {
- ensureDBExists();
+ ensureDBExists();
}
@AfterClass
@@ -54,12 +55,10 @@ public abstract class BaseDBTestCase extends BaseTest {
}
public static void ensureDBExists() throws Exception {
-
File f = new File("./target/data/dc.h2.db");
if (f.exists() && f.isFile() && f.length() < 71680) {
f.delete();
}
-
File dataPath = Settings.getDataDirectory();
String fileName = Settings.getString(Settings.KEYS.DB_FILE_NAME);
LOGGER.trace("DB file name {}", fileName);
@@ -68,12 +67,9 @@ public abstract class BaseDBTestCase extends BaseTest {
if (!dataPath.exists() || !dataFile.exists()) {
LOGGER.trace("Extracting database to {}", dataPath.toString());
dataPath.mkdirs();
- FileInputStream fis = null;
- ZipInputStream zin = null;
- try {
- File path = new File(BaseDBTestCase.class.getClassLoader().getResource("data.zip").toURI().getPath());
- fis = new FileInputStream(path);
- zin = new ZipInputStream(new BufferedInputStream(fis));
+ File path = new File(BaseDBTestCase.class.getClassLoader().getResource("data.zip").toURI().getPath());
+ try (FileInputStream fis = new FileInputStream(path);
+ ZipInputStream zin = new ZipInputStream(new BufferedInputStream(fis))) {
ZipEntry entry;
while ((entry = zin.getNextEntry()) != null) {
if (entry.isDirectory()) {
@@ -81,53 +77,15 @@ public abstract class BaseDBTestCase extends BaseTest {
d.mkdir();
continue;
}
- FileOutputStream fos = null;
- BufferedOutputStream dest = null;
- try {
- File o = new File(dataPath, entry.getName());
- o.createNewFile();
- fos = new FileOutputStream(o, false);
- dest = new BufferedOutputStream(fos, BUFFER_SIZE);
- byte data[] = new byte[BUFFER_SIZE];
- int count;
- while ((count = zin.read(data, 0, BUFFER_SIZE)) != -1) {
- dest.write(data, 0, count);
- }
+ File o = new File(dataPath, entry.getName());
+ o.createNewFile();
+ try (FileOutputStream fos = new FileOutputStream(o, false);
+ BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER_SIZE)) {
+ IOUtils.copy(zin, dest);
} catch (Throwable ex) {
LOGGER.error("", ex);
- } finally {
- try {
- if (dest != null) {
- dest.flush();
- dest.close();
- }
- } catch (Throwable ex) {
- LOGGER.trace("", ex);
- }
- try {
- if (fos != null) {
- fos.close();
- }
- } catch (Throwable ex) {
- LOGGER.trace("", ex);
- }
}
}
- } finally {
- try {
- if (zin != null) {
- zin.close();
- }
- } catch (Throwable ex) {
- LOGGER.trace("", ex);
- }
- try {
- if (fis != null) {
- fis.close();
- }
- } catch (Throwable ex) {
- LOGGER.trace("", ex);
- }
}
}
}
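Review bot: `new File(dataPath, entry.getName())` writes wherever the entry name points, so an entry such as `../x` would land outside `dataPath` (the "zip slip" pattern); `data.zip` is a bundled test resource, so the exposure is low, but the check is one line and documents the assumption: `if (!o.getCanonicalPath().startsWith(dataPath.getCanonicalPath() + File.separator)) { throw new IOException("zip entry outside data dir: " + entry.getName()); }` before `o.createNewFile()`. The `catch (Throwable ex)` around the copy logs and continues, so a partially extracted database is then handed to every test that relies on `ensureDBExists`; letting the exception propagate would fail the fixture where the problem actually is. The directory branch in the previous hunk uses the same unchecked `entry.getName()`.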
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
index 97d11546a..df9931548 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
@@ -22,20 +22,24 @@ import static org.junit.Assert.assertTrue;
import java.io.File;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.utils.Settings;
/**
* @author Jeremy Long
*/
public class JarAnalyzerTest extends BaseTest {
-// private static final Logger LOGGER = LoggerFactory.getLogger(JarAnalyzerTest.class);
-
/**
* Test of inspect method, of class JarAnalyzer.
*
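Review bot: `org.junit.After`, `AfterClass`, `Before` and `BeforeClass` are added to the imports but none of the hunks shown uses them, so unless a later hunk adds fixture methods they are dead imports that the project's static analysis will flag. Either drop them or add the `@Before`/`@After` fixtures they were presumably meant for.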
@@ -51,14 +55,14 @@ public class JarAnalyzerTest extends BaseTest {
instance.analyze(result, null);
assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache"));
assertTrue(result.getVendorEvidence().getWeighting().contains("apache"));
-
+
file = BaseTest.getResourceAsFile(this, "dwr.jar");
result = new Dependency(file);
instance.analyze(result, null);
boolean found = false;
for (Evidence e : result.getVendorEvidence()) {
if (e.getName().equals("url")) {
- assertEquals("Project url was not as expected in dwr.jar", e.getValue(), "http://getahead.ltd.uk/dwr");
+ assertEquals("Project url was not as expected in dwr.jar", e.getValue(), "http://getahead.ltd.uk/dwr");
found = true;
break;
}
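Review bot: The touched `assertEquals` line passes the actual value `e.getValue()` in the expected slot and the literal as the actual, so a failure message reads backwards. Swap them: `assertEquals("Project url was not as expected in dwr.jar", "http://getahead.ltd.uk/dwr", e.getValue());`. The enclosing test method starts outside this hunk.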
@@ -136,9 +140,40 @@ public class JarAnalyzerTest extends BaseTest {
File file = BaseTest.getResourceAsFile(this, "xalan-2.7.0.jar");
Dependency result = new Dependency(file);
JarAnalyzer instance = new JarAnalyzer();
- List cni = new ArrayList();
+ List cni = new ArrayList<>();
instance.parseManifest(result, cni);
assertTrue(result.getVersionEvidence().getEvidence("manifest: org/apache/xalan/").size() > 0);
}
+
+ /**
+ * Test of getAnalysisPhase method, of class JarAnalyzer.
+ */
+ @Test
+ public void testGetAnalysisPhase() {
+ JarAnalyzer instance = new JarAnalyzer();
+ AnalysisPhase expResult = AnalysisPhase.INFORMATION_COLLECTION;
+ AnalysisPhase result = instance.getAnalysisPhase();
+ assertEquals(expResult, result);
+ }
+
+ /**
+ * Test of getAnalyzerEnabledSettingKey method, of class JarAnalyzer.
+ */
+ @Test
+ public void testGetAnalyzerEnabledSettingKey() {
+ JarAnalyzer instance = new JarAnalyzer();
+ String expResult = Settings.KEYS.ANALYZER_JAR_ENABLED;
+ String result = instance.getAnalyzerEnabledSettingKey();
+ assertEquals(expResult, result);
+ }
+
+ @Test
+ public void testClassInformation() {
+ JarAnalyzer.ClassNameInformation instance = new JarAnalyzer.ClassNameInformation("org/owasp/dependencycheck/analyzer/JarAnalyzer");
+ assertEquals("org/owasp/dependencycheck/analyzer/JarAnalyzer", instance.getName());
+ List expected = Arrays.asList("owasp", "dependencycheck", "analyzer", "jaranalyzer");
+ List results = instance.getPackageStructure();
+ assertEquals(expected, results);
+ }
}
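Review bot: `testClassInformation` is the only new test without a Javadoc summary, and its expected list silently omits the leading `org` segment of the class name, which a reader will not anticipate without a hint. A comment above `List expected = ...` such as `// getPackageStructure() drops the leading 'org' segment and lower-cases the rest` records the behaviour being pinned; I am inferring that rule from the expected value, so confirm it against the implementation. The two Javadoc'd tests next to it set the style the third should follow.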
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
index 91f72a3ba..ff5a4a9e1 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
@@ -45,6 +45,7 @@ import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import static org.junit.Assert.fail;
+import org.owasp.dependencycheck.exception.InitializationException;
/**
* Unit tests for {@link RubyBundleAuditAnalyzer}.
@@ -122,7 +123,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
assertTrue(dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"));
assertTrue(dependency.getFilePath().endsWith(resource));
assertTrue(dependency.getFileName().equals("Gemfile.lock"));
- } catch (Exception e) {
+ } catch (InitializationException | DatabaseException | AnalysisException e) {
LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".");
Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", e);
}
@@ -145,7 +146,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
Vulnerability vulnerability = dependency.getVulnerabilities().first();
assertEquals(vulnerability.getCvssScore(), 5.0f, 0.0);
- } catch (Exception e) {
+ } catch (InitializationException | DatabaseException | AnalysisException e) {
LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".");
Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", e);
}
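Review bot: Narrowing the catch to `InitializationException | DatabaseException | AnalysisException` is the right direction, but the assertion just above it, `assertEquals(vulnerability.getCvssScore(), 5.0f, 0.0)`, has expected and actual reversed (an unchanged context line); `assertEquals(5.0f, vulnerability.getCvssScore(), 0.0)` reads correctly in the failure message. With the narrower catch an unexpected `RuntimeException` from a missing `bundle-audit` binary now fails the test instead of being assumed away, which is presumably intended but worth confirming since the warning text still describes the install problem. The enclosing test method starts outside this hunk.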
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzerTest.java
index 77c70cb17..f98107ba2 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzerTest.java
@@ -61,19 +61,19 @@ public class FieldAnalyzerTest extends BaseTest {
String field2 = "vendor";
String text2 = "springsource";
- IndexWriter w = createIndex(analyzer, index);
- addDoc(w, field1, text1, field2, text2);
- text1 = "x-stream";
- text2 = "xstream";
- addDoc(w, field1, text1, field2, text2);
- w.close();
+ try (IndexWriter w = createIndex(analyzer, index)) {
+ addDoc(w, field1, text1, field2, text2);
+ text1 = "x-stream";
+ text2 = "xstream";
+ addDoc(w, field1, text1, field2, text2);
+ }
//Analyzer searchingAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
String querystr = "product:\"(Spring Framework Core)\" vendor:(SpringSource)";
SearchFieldAnalyzer searchAnalyzerProduct = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
SearchFieldAnalyzer searchAnalyzerVendor = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
- HashMap map = new HashMap();
+ HashMap map = new HashMap<>();
map.put(field1, searchAnalyzerProduct);
map.put(field2, searchAnalyzerVendor);
PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(new StandardAnalyzer(LuceneUtils.CURRENT_VERSION), map);
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java
index 8b902f417..adb7b94ce 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java
@@ -31,7 +31,7 @@ import org.apache.lucene.analysis.core.KeywordTokenizer;
*/
public class UrlTokenizingFilterTest extends BaseTokenStreamTestCase {
- private Analyzer analyzer;
+ private final Analyzer analyzer;
public UrlTokenizingFilterTest() {
analyzer = new Analyzer() {
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactoryTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactoryTest.java
index 7768acbdb..4316c7311 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactoryTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactoryTest.java
@@ -36,9 +36,9 @@ public class ConnectionFactoryTest extends BaseDBTestCase {
@Test
public void testInitialize() throws DatabaseException, SQLException {
ConnectionFactory.initialize();
- Connection result = ConnectionFactory.getConnection();
- assertNotNull(result);
- result.close();
+ try (Connection result = ConnectionFactory.getConnection()) {
+ assertNotNull(result);
+ }
ConnectionFactory.cleanup();
}
}
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCveInfoTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCveInfoTest.java
index 81250cd52..2b31123e0 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCveInfoTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCveInfoTest.java
@@ -17,7 +17,6 @@
*/
package org.owasp.dependencycheck.data.update.nvd;
-import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
import static org.junit.Assert.assertEquals;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCve_1_2_HandlerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCve_1_2_HandlerTest.java
index 4a6684712..01b9662fb 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCve_1_2_HandlerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCve_1_2_HandlerTest.java
@@ -17,7 +17,6 @@
*/
package org.owasp.dependencycheck.data.update.nvd;
-import org.owasp.dependencycheck.data.update.nvd.NvdCve12Handler;
import java.io.File;
import java.util.List;
import java.util.Map;
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCve_2_0_HandlerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCve_2_0_HandlerTest.java
index e438239eb..95dcb5255 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCve_2_0_HandlerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCve_2_0_HandlerTest.java
@@ -17,10 +17,11 @@
*/
package org.owasp.dependencycheck.data.update.nvd;
-import org.owasp.dependencycheck.data.update.nvd.NvdCve20Handler;
import java.io.File;
+import java.io.IOException;
import java.util.List;
import java.util.Map;
+import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
@@ -29,6 +30,7 @@ import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.xml.sax.SAXException;
/**
*
@@ -49,7 +51,7 @@ public class NvdCve_2_0_HandlerTest extends BaseTest {
NvdCve20Handler instance = new NvdCve20Handler();
saxParser.parse(file, instance);
- } catch (Throwable ex) {
+ } catch (ParserConfigurationException | SAXException | IOException ex) {
ex.printStackTrace();
results = ex;
}
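Review bot: The narrowed multi-catch still calls `ex.printStackTrace()` and stashes the exception in `results`, so when the later `assertTrue(..., results == null)` fails the cause is only on stderr and not in the JUnit report; the same pattern is in the second hunk of this file at `@@ -80,7 +82,7 @@`. Since the catch no longer needs to cover `Throwable`, the simpler form is to drop the try/catch and declare the test method `throws ParserConfigurationException, SAXException, IOException`, letting JUnit report the failure with its stack trace. The test method's signature is outside the hunk, so that change would extend beyond the lines shown.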
@@ -80,7 +82,7 @@ public class NvdCve_2_0_HandlerTest extends BaseTest {
saxParser.parse(file20, instance);
assertTrue(instance.getTotalNumberOfEntries()==1);
- } catch (Throwable ex) {
+ } catch (ParserConfigurationException | SAXException | IOException ex) {
results = ex;
}
assertTrue("Exception thrown during parse of 2012 CVE version 2.0?", results == null);
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/FilterTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/FilterTest.java
index dc0290d85..fcdefcd00 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/FilterTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/FilterTest.java
@@ -48,12 +48,12 @@ public class FilterTest extends BaseTest {
*/
@Test
public void testFilter_Iterable() {
- List testData = new ArrayList();
+ List testData = new ArrayList<>();
testData.add("keep");
testData.add("remove");
testData.add("keep");
- List expResults = new ArrayList();
+ List expResults = new ArrayList<>();
expResults.add("keep");
expResults.add("keep");
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java
new file mode 100644
index 000000000..8107aa31d
--- /dev/null
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java
@@ -0,0 +1,74 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2017 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.util.Arrays;
+import java.util.List;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author jeremy long
+ */
+public class UrlStringUtilsTest {
+
+ /**
+ * Test of containsUrl method, of class UrlStringUtils.
+ */
+ @Test
+ public void testContainsUrl() {
+ String text = "Test of https://github.com";
+ assertTrue(UrlStringUtils.containsUrl(text));
+ text = "Test of github.com";
+ assertFalse(UrlStringUtils.containsUrl(text));
+ }
+
+ /**
+ * Test of isUrl method, of class UrlStringUtils.
+ */
+ @Test
+ public void testIsUrl() {
+ String text = "https://github.com";
+ assertTrue(UrlStringUtils.isUrl(text));
+ text = "simple text";
+ assertFalse(UrlStringUtils.isUrl(text));
+ }
+
+ /**
+ * Test of extractImportantUrlData method, of class UrlStringUtils.
+ */
+ @Test
+ public void testExtractImportantUrlData() throws Exception {
+ String text = "http://github.com/jeremylong/DependencyCheck/index.html";
+ List expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "index");;
+ List result = UrlStringUtils.extractImportantUrlData(text);
+ assertEquals(expResult, result);
+
+ text = "http://github.com/jeremylong/DependencyCheck/.gitignore";
+ expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "gitignore");;
+ result = UrlStringUtils.extractImportantUrlData(text);
+ assertEquals(expResult, result);
+
+ text = "http://github.com/jeremylong/DependencyCheck/something";
+ expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "something");;
+ result = UrlStringUtils.extractImportantUrlData(text);
+ assertEquals(expResult, result);
+ }
+
+}
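Review bot: The three `expResult = Arrays.asList(...);;` lines in `testExtractImportantUrlData` end in a doubled semicolon, which compiles as an empty statement but reads as a typo and will be flagged by PMD/Checkstyle in a module that just enabled those plugins. While touching them, `List expResult` and `List result` should be declared as `List<String>` so `assertEquals` compares typed lists and the raw-type warning goes away; `import static org.junit.Assert.*;` is also a wildcard static import, which the rest of the test tree avoids (see the explicit `assertEquals`/`assertTrue` imports in NvdCveInfoTest and NvdCve_2_0_HandlerTest). The class Javadoc is an empty summary with only `@author`; a one-line `Tests for {@link UrlStringUtils}.` would complete it.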
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java
index 3edb28a01..7d0492f58 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java
@@ -248,7 +248,7 @@ public class ModelTest extends BaseTest {
public void testGetLicenses() {
Model instance = new Model();
instance.addLicense(new License("name", "url"));
- List expResult = new ArrayList();
+ List expResult = new ArrayList<>();
expResult.add(new License("name", "url"));
List result = instance.getLicenses();
assertEquals(expResult, result);
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleTest.java
index ec38c0eec..c50f00c26 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleTest.java
@@ -86,7 +86,7 @@ public class SuppressionRuleTest extends BaseTest {
@Test
public void testGetCvssBelow() {
SuppressionRule instance = new SuppressionRule();
- List cvss = new ArrayList();
+ List cvss = new ArrayList<>();
instance.setCvssBelow(cvss);
assertFalse(instance.hasCvssBelow());
instance.addCvssBelow(0.7f);
@@ -101,7 +101,7 @@ public class SuppressionRuleTest extends BaseTest {
@Test
public void testCwe() {
SuppressionRule instance = new SuppressionRule();
- List cwe = new ArrayList();
+ List cwe = new ArrayList<>();
instance.setCwe(cwe);
assertFalse(instance.hasCwe());
instance.addCwe("2");
@@ -116,7 +116,7 @@ public class SuppressionRuleTest extends BaseTest {
@Test
public void testCve() {
SuppressionRule instance = new SuppressionRule();
- List cve = new ArrayList();
+ List cve = new ArrayList<>();
instance.setCve(cve);
assertFalse(instance.hasCve());
instance.addCve("CVE-2013-1337");
diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml
index ac7b5116e..498bdcb94 100644
--- a/dependency-check-maven/pom.xml
+++ b/dependency-check-maven/pom.xml
@@ -155,7 +155,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
${reporting.pmd-plugin.version}1.6
- true
+ trueutf-8**/generated/**/*.java
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
index 0a7220daf..62c333efe 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
@@ -64,7 +64,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
* and generates the subsequent reports.
*
* @throws MojoExecutionException thrown if there is ane exception running
- * the mojo
+ * the Mojo
* @throws MojoFailureException thrown if dependency-check is configured to
* fail the build
*/
@@ -118,7 +118,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
}
File outputDir = getCorrectOutputDirectory(this.getProject());
if (outputDir == null) {
- //in some regards we shouldn't be writting this, but we are anyway.
+ //in some regards we shouldn't be writing this, but we are anyway.
//we shouldn't write this because nothing is configured to generate this report.
outputDir = new File(this.getProject().getBuild().getDirectory());
}
@@ -153,8 +153,8 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
if (project == null) {
return Collections.emptySet();
}
- final Set descendants = new HashSet();
- int size = 0;
+ final Set descendants = new HashSet<>();
+ int size;
if (getLog().isDebugEnabled()) {
getLog().debug(String.format("Collecting descendants of %s", project.getName()));
}
@@ -165,7 +165,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
mpp = mpp.getCanonicalFile();
if (mpp.compareTo(mod.getBasedir()) == 0 && descendants.add(mod)
&& getLog().isDebugEnabled()) {
- getLog().debug(String.format("Decendent module %s added", mod.getName()));
+ getLog().debug(String.format("Descendant module %s added", mod.getName()));
}
} catch (IOException ex) {
@@ -180,18 +180,18 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
for (MavenProject p : getReactorProjects()) {
if (project.equals(p.getParent()) || descendants.contains(p.getParent())) {
if (descendants.add(p) && getLog().isDebugEnabled()) {
- getLog().debug(String.format("Decendent %s added", p.getName()));
+ getLog().debug(String.format("Descendant %s added", p.getName()));
}
for (MavenProject modTest : getReactorProjects()) {
if (p.getModules() != null && p.getModules().contains(modTest.getName())
&& descendants.add(modTest)
&& getLog().isDebugEnabled()) {
- getLog().debug(String.format("Decendent %s added", modTest.getName()));
+ getLog().debug(String.format("Descendant %s added", modTest.getName()));
}
}
}
- final Set addedDescendants = new HashSet();
+ final Set addedDescendants = new HashSet<>();
for (MavenProject dec : descendants) {
for (String mod : dec.getModules()) {
try {
@@ -209,7 +209,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
}
for (MavenProject addedDescendant : addedDescendants) {
if (descendants.add(addedDescendant) && getLog().isDebugEnabled()) {
- getLog().debug(String.format("Decendent module %s added", addedDescendant.getName()));
+ getLog().debug(String.format("Descendant module %s added", addedDescendant.getName()));
}
}
}
@@ -259,7 +259,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
@Override
public boolean canGenerateReport() {
- return true; //aggregate always returns true for now - we can look at a more complicated/acurate solution later
+ return true; //aggregate always returns true for now - we can look at a more complicated/accurate solution later
}
/**
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index ca767a4b4..d2e95260c 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -17,13 +17,10 @@
*/
package org.owasp.dependencycheck.maven;
-import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileNotFoundException;
-import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
-import java.io.ObjectOutputStream;
import java.util.List;
import java.util.Locale;
import org.apache.maven.artifact.Artifact;
@@ -109,18 +106,23 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@Parameter(readonly = true, required = true, property = "reactorProjects")
private List reactorProjects;
/**
- * The entry point towards a Maven version independent way of resolving artifacts (handles both Maven 3.0 sonatype and Maven 3.1+ eclipse Aether implementations).
+ * The entry point towards a Maven version independent way of resolving
+ * artifacts (handles both Maven 3.0 Sonatype and Maven 3.1+ eclipse Aether
+ * implementations).
*/
@Component
private ArtifactResolver artifactResolver;
- @Parameter( defaultValue = "${session}", readonly = true, required = true )
+ /**
+ * The Maven Session.
+ */
+ @Parameter(defaultValue = "${session}", readonly = true, required = true)
protected MavenSession session;
- /**
+ /**
* Remote repositories which will be searched for artifacts.
*/
- @Parameter( defaultValue = "${project.remoteArtifactRepositories}", readonly = true, required = true )
+ @Parameter(defaultValue = "${project.remoteArtifactRepositories}", readonly = true, required = true)
private List remoteRepositories;
/**
@@ -457,7 +459,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@Parameter(property = "externalReport")
@Deprecated
private String externalReport = null;
-
+
//
//
/**
@@ -527,6 +529,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
protected String getConnectionString() {
return connectionString;
}
+
/**
* Returns if the mojo should fail the build if an exception occurs.
*
@@ -591,29 +594,6 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
return target;
}
- /**
- * Returns the correct output directory depending on if a site is being
- * executed or not.
- *
- * @param current the Maven project to get the output directory from
- * @return the directory to write the report(s)
- */
- protected File getDataFile(MavenProject current) {
- if (getLog().isDebugEnabled()) {
- getLog().debug(String.format("Getting data filefor %s using key '%s'", current.getName(), getDataFileContextKey()));
- }
- final Object obj = current.getContextValue(getDataFileContextKey());
- if (obj != null) {
- if (obj instanceof String) {
- final File f = new File((String) obj);
- return f;
- }
- } else if (getLog().isDebugEnabled()) {
- getLog().debug("Context value not found");
- }
- return null;
- }
-
/**
* Scans the project's artifacts and adds them to the engine's dependency
* list.
@@ -643,6 +623,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
* @param project the project being scanned
* @param nodes the list of dependency nodes, generally obtained via the
* DependencyGraphBuilder
+ * @param buildingRequest the Maven project building request
* @return a collection of exceptions that may have occurred while resolving
* and scanning the dependencies
*/
@@ -655,8 +636,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
try {
final ArtifactCoordinate coordinate = TransferUtils.toArtifactCoordinate(dependencyNode.getArtifact());
- final Artifact result = artifactResolver.resolveArtifact( buildingRequest, coordinate ).getArtifact();
- if (result.isResolved() && result.getFile()!= null) {
+ final Artifact result = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
+ if (result.isResolved() && result.getFile() != null) {
final List deps = engine.scan(result.getFile().getAbsoluteFile(),
project.getName() + ":" + dependencyNode.getArtifact().getScope());
if (deps != null) {
@@ -702,21 +683,18 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
/**
- * @return Returns a new ProjectBuildingRequest populated from the current session and the current project remote
- * repositories, used to resolve artifacts.
+ * @return Returns a new ProjectBuildingRequest populated from the current
+ * session and the current project remote repositories, used to resolve
+ * artifacts.
*/
- public ProjectBuildingRequest newResolveArtifactProjectBuildingRequest()
- {
- ProjectBuildingRequest buildingRequest =
- new DefaultProjectBuildingRequest( session.getProjectBuildingRequest() );
-
- buildingRequest.setRemoteRepositories( remoteRepositories );
-
+ public ProjectBuildingRequest newResolveArtifactProjectBuildingRequest() {
+ final ProjectBuildingRequest buildingRequest = new DefaultProjectBuildingRequest(session.getProjectBuildingRequest());
+ buildingRequest.setRemoteRepositories(remoteRepositories);
return buildingRequest;
}
/**
- * Executes the dependency-check scan and generates the necassary report.
+ * Executes the dependency-check scan and generates the necessary report.
*
* @throws MojoExecutionException thrown if there is an exception running
* the scan
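Review bot: The reformatted Javadoc on `newResolveArtifactProjectBuildingRequest` still has no summary sentence, only an `@return` tag that begins with "Returns ...", so javadoc tooling renders an empty description. A first sentence such as `Creates a ProjectBuildingRequest for artifact resolution, seeded from the current session and the project's remote repositories.` followed by a short `@return the new building request` would match the style of the other methods in this file. The `session` and `remoteRepositories` fields it reads are injected `@Parameter`s declared in the earlier hunk of this file.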
@@ -1079,8 +1057,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities: %n%s%n%n"
+ "See the dependency-check report for more details.%n%n", ids.toString());
} else {
- msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities that have a CVSS score greater than '%.1f': %n%s%n%n"
- + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
+ msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities that have a CVSS score greater than '%.1f': "
+ + "%n%s%n%nSee the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
}
throw new MojoFailureException(msg);
@@ -1154,60 +1132,5 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
return "dependency-output-dir-" + dataFileName;
}
- /**
- * Writes the scan data to disk. This is used to serialize the scan data
- * between the "check" and "aggregate" phase.
- *
- * @param mp the mMven project for which the data file was created
- * @param writeTo the directory to write the data file
- * @param dependencies the list of dependencies to serialize
- */
- protected void writeDataFile(MavenProject mp, File writeTo, List dependencies) {
- File file;
- //check to see if this was already written out
- if (mp.getContextValue(this.getDataFileContextKey()) == null) {
- if (writeTo == null) {
- file = new File(mp.getBuild().getDirectory());
- file = new File(file, dataFileName);
- } else {
- file = new File(writeTo, dataFileName);
- }
- final File parent = file.getParentFile();
- if (!parent.isDirectory() && !parent.mkdirs()) {
- getLog().error(String.format("Directory '%s' does not exist and cannot be created; unable to write data file.",
- parent.getAbsolutePath()));
- }
-
- ObjectOutputStream out = null;
- try {
- if (dependencies != null) {
- out = new ObjectOutputStream(new BufferedOutputStream(new FileOutputStream(file)));
- out.writeObject(dependencies);
- }
- if (getLog().isDebugEnabled()) {
- getLog().debug(String.format("Serialized data file written to '%s' for %s, referenced by key %s",
- file.getAbsolutePath(), mp.getName(), this.getDataFileContextKey()));
- }
- mp.setContextValue(this.getDataFileContextKey(), file.getAbsolutePath());
- } catch (IOException ex) {
- getLog().warn("Unable to create data file used for report aggregation; "
- + "if report aggregation is being used the results may be incomplete.");
- if (getLog().isDebugEnabled()) {
- getLog().debug(ex.getMessage(), ex);
- }
- } finally {
- if (out != null) {
- try {
- out.close();
- } catch (IOException ex) {
- if (getLog().isDebugEnabled()) {
- getLog().debug("ignore", ex);
- }
- }
- }
- }
- }
- }
//
-
}
diff --git a/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojoTest.java b/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojoTest.java
index 339397e2f..6ac427185 100644
--- a/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojoTest.java
+++ b/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojoTest.java
@@ -70,7 +70,7 @@ public class BaseDependencyCheckMojoTest extends BaseTest {
MavenProject project = new MockUp() {
@Mock
public Set getArtifacts() {
- Set artifacts = new HashSet();
+ Set artifacts = new HashSet<>();
Artifact a = new ArtifactStub();
try {
File file = new File(Test.class.getProtectionDomain().getCodeSource().getLocation().toURI());
@@ -107,6 +107,9 @@ public class BaseDependencyCheckMojoTest extends BaseTest {
}
}
+ /**
+ * Implementation of ODC Mojo for testing.
+ */
public class BaseDependencyCheckMojoImpl extends BaseDependencyCheckMojo {
@Override
diff --git a/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/BaseTest.java b/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/BaseTest.java
index 686e3e6b4..ef23a50ce 100644
--- a/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/BaseTest.java
+++ b/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/BaseTest.java
@@ -39,20 +39,9 @@ public class BaseTest {
@BeforeClass
public static void setUpClass() throws Exception {
Settings.initialize();
- InputStream mojoProperties = null;
- try {
- mojoProperties = BaseTest.class.getClassLoader().getResourceAsStream(BaseTest.PROPERTIES_FILE);
+ try (InputStream mojoProperties = BaseTest.class.getClassLoader().getResourceAsStream(BaseTest.PROPERTIES_FILE)) {
Settings.mergeProperties(mojoProperties);
- } finally {
- if (mojoProperties != null) {
- try {
- mojoProperties.close();
- } catch (IOException ex) {
- Logger.getLogger(BaseTest.class.getName()).log(Level.SEVERE, null, ex);
- }
- }
}
-
}
@AfterClass
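Review bot: `getResourceAsStream` returns `null` when the resource is missing, and try-with-resources silently tolerates a null resource, so the new form passes `null` into `Settings.mergeProperties` instead of failing at the point where the test fixture is absent (the previous code only null-checked for the close). Adding `assertNotNull("test resource not found: " + BaseTest.PROPERTIES_FILE, mojoProperties);` as the first statement inside the try block makes the failure self-explanatory. With the manual close gone, the `IOException`, `Logger` and `Level` imports at the top of the file (outside this hunk) are probably unused now and should be removed.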
diff --git a/dependency-check-utils/pom.xml b/dependency-check-utils/pom.xml
index 385f76203..da6abef71 100644
--- a/dependency-check-utils/pom.xml
+++ b/dependency-check-utils/pom.xml
@@ -120,7 +120,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
${reporting.pmd-plugin.version}1.6
- true
+ trueutf-8**/org/owasp/dependencycheck/org/apache/**/*.java
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
index 71f316b8f..643b83aea 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
@@ -65,11 +65,8 @@ public final class Checksum {
*/
public static byte[] getChecksum(String algorithm, File file) throws NoSuchAlgorithmException, IOException {
final MessageDigest md = MessageDigest.getInstance(algorithm);
- FileInputStream fis = null;
- FileChannel ch = null;
- try {
- fis = new FileInputStream(file);
- ch = fis.getChannel();
+ try (FileInputStream fis = new FileInputStream(file);
+ FileChannel ch = fis.getChannel()) {
final ByteBuffer buf = ByteBuffer.allocateDirect(8192);
int b = ch.read(buf);
while (b != -1 && b != 0) {
@@ -81,21 +78,6 @@ public final class Checksum {
b = ch.read(buf);
}
return md.digest();
- } finally {
- if (ch != null) {
- try {
- ch.close();
- } catch (IOException ex) {
- LOGGER.trace("Error closing channel '{}'.", file.getName(), ex);
- }
- }
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException ex) {
- LOGGER.trace("Error closing file '{}'.", file.getName(), ex);
- }
- }
}
}
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStream.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStream.java
similarity index 91%
rename from dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStream.java
rename to dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStream.java
index c14b026ee..abd10d4e6 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStream.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStream.java
@@ -31,12 +31,12 @@ import java.util.List;
*
* @author Jeremy Long
*/
-public class ExpectedOjectInputStream extends ObjectInputStream {
+public class ExpectedObjectInputStream extends ObjectInputStream {
/**
* The list of fully qualified class names that are able to be deserialized.
*/
- private List expected = new ArrayList();
+ private final List expected = new ArrayList<>();
/**
* Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes
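Review bot: The constructor Javadoc on the line directly below the renamed field still reads `Constructs a new ExpectedOjectInputStream`, so the typo the rename fixes in the class and constructor names survives in the documentation; it should read `Constructs a new ExpectedObjectInputStream`. Since `expected` is the allow-list that governs which classes this stream will deserialize, it is worth keeping the field as strongly typed as possible — `private final List<String> expected = new ArrayList<>();` — so that only fully qualified class-name strings can reach the check that presumably lives in `resolveClass` outside this hunk.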
@@ -46,7 +46,7 @@ public class ExpectedOjectInputStream extends ObjectInputStream {
* @param expected the fully qualified class names of the classes that can be deserialized
* @throws IOException thrown if there is an error reading from the stream
*/
- public ExpectedOjectInputStream(InputStream inputStream, String... expected) throws IOException {
+ public ExpectedObjectInputStream(InputStream inputStream, String... expected) throws IOException {
super(inputStream);
this.expected.addAll(Arrays.asList(expected));
}
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java
index 59a70f487..4849de733 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java
@@ -283,7 +283,7 @@ public class SSLSocketFactoryEx extends SSLSocketFactory {
}
}
- final List aa = new ArrayList();
+ final List aa = new ArrayList<>();
for (String preferredProtocol : preferredProtocols) {
final int idx = Arrays.binarySearch(availableProtocols, preferredProtocol);
if (idx >= 0) {
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index b38b58e6e..aac1d40ed 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -38,6 +38,7 @@ import java.util.Properties;
* @author Jeremy Long
*/
public final class Settings {
+
/**
* The logger.
*/
@@ -49,14 +50,14 @@ public final class Settings {
/**
* Thread local settings.
*/
- private static final ThreadLocal LOCAL_SETTINGS = new ThreadLocal();
+ private static final ThreadLocal LOCAL_SETTINGS = new ThreadLocal<>();
/**
* The properties.
*/
private Properties props = null;
/**
- * A reference to the temporary directory; used incase it needs to be
+ * A reference to the temporary directory; used in case it needs to be
* deleted during cleanup.
*/
private static File tempDirectory = null;
@@ -425,7 +426,6 @@ public final class Settings {
}
//
-
/**
* Private constructor for the Settings class. This class loads the
* properties files.
@@ -433,10 +433,8 @@ public final class Settings {
* @param propertiesFilePath the path to the base properties file to load
*/
private Settings(String propertiesFilePath) {
- InputStream in = null;
props = new Properties();
- try {
- in = this.getClass().getClassLoader().getResourceAsStream(propertiesFilePath);
+ try (InputStream in = this.getClass().getClassLoader().getResourceAsStream(propertiesFilePath)) {
props.load(in);
} catch (NullPointerException ex) {
LOGGER.error("Did not find settings file '{}'.", propertiesFilePath);
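Review bot: The stream bound in the new try-with-resources header can still be `null` when the classpath resource is missing, and the code then relies on `props.load(in)` throwing a NullPointerException that the existing `catch (NullPointerException ex)` turns into the "Did not find settings file" log line. Catching NPE as control flow is fragile and hides genuine bugs; an explicit `if (in == null)` guard inside the try that logs the same message (and otherwise calls `props.load(in)`) expresses the intent directly and lets the NPE catch go. The NPE catch block and the rest of the constructor continue past the end of this hunk.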
@@ -444,14 +442,6 @@ public final class Settings {
} catch (IOException ex) {
LOGGER.error("Unable to load settings from '{}'.", propertiesFilePath);
LOGGER.debug("", ex);
- } finally {
- if (in != null) {
- try {
- in.close();
- } catch (IOException ex) {
- LOGGER.trace("", ex);
- }
- }
}
logProperties("Properties loaded", props);
}
@@ -530,9 +520,7 @@ public final class Settings {
private static void logProperties(String header, Properties properties) {
if (LOGGER.isDebugEnabled()) {
final StringWriter sw = new StringWriter();
- PrintWriter pw = null;
- try {
- pw = new PrintWriter(sw);
+ try (PrintWriter pw = new PrintWriter(sw)) {
pw.format("%s:%n%n", header);
final Enumeration> e = properties.propertyNames();
while (e.hasMoreElements()) {
@@ -548,10 +536,6 @@ public final class Settings {
}
pw.flush();
LOGGER.debug(sw.toString());
- } finally {
- if (pw != null) {
- pw.close();
- }
}
}
@@ -650,18 +634,8 @@ public final class Settings {
* the properties
*/
public static void mergeProperties(File filePath) throws FileNotFoundException, IOException {
- FileInputStream fis = null;
- try {
- fis = new FileInputStream(filePath);
+ try (FileInputStream fis = new FileInputStream(filePath)) {
mergeProperties(fis);
- } finally {
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException ex) {
- LOGGER.trace("close error", ex);
- }
- }
}
}
@@ -678,18 +652,8 @@ public final class Settings {
* the properties
*/
public static void mergeProperties(String filePath) throws FileNotFoundException, IOException {
- FileInputStream fis = null;
- try {
- fis = new FileInputStream(filePath);
+ try (FileInputStream fis = new FileInputStream(filePath)) {
mergeProperties(fis);
- } finally {
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException ex) {
- LOGGER.trace("close error", ex);
- }
- }
}
}
@@ -790,8 +754,7 @@ public final class Settings {
* @return the property from the properties file
*/
public static String getString(String key, String defaultValue) {
- final String str = System.getProperty(key, LOCAL_SETTINGS.get().props.getProperty(key, defaultValue));
- return str;
+ return System.getProperty(key, LOCAL_SETTINGS.get().props.getProperty(key, defaultValue));
}
/**
@@ -981,9 +944,10 @@ public final class Settings {
*/
public static File getDataDirectory() throws IOException {
final File path = Settings.getDataFile(Settings.KEYS.DATA_DIRECTORY);
- if (path.exists() || path.mkdirs()) {
+ if (path != null && (path.exists() || path.mkdirs())) {
return path;
}
- throw new IOException(String.format("Unable to create the data directory '%s'", path.getAbsolutePath()));
+ throw new IOException(String.format("Unable to create the data directory '%s'",
+ (path == null) ? "unknown" : path.getAbsolutePath()));
}
}
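Review bot: `path.exists()` is satisfied by a regular file at the configured location, so the new condition would hand back a non-directory as the data directory and every later write beneath it would fail with a less obvious error; prefer `if (path != null && (path.isDirectory() || path.mkdirs())) {`, which also falls through to the exception when `mkdirs()` fails because a file already sits there. When `getDataFile` returns null the message reports the directory as `'unknown'`, which hides the real cause; naming the missing setting helps operators, e.g. `"Data directory is not configured (key " + Settings.KEYS.DATA_DIRECTORY + ")"` — assuming that constant is the string key passed to `getDataFile` above. Wrapping the cause is not possible here since there is none, but a `LOGGER.debug` of the resolved path before throwing would aid diagnosis.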
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/XmlUtils.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/XmlUtils.java
index f7a975b34..9d81a2045 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/XmlUtils.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/XmlUtils.java
@@ -120,8 +120,7 @@ public final class XmlUtils {
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- final DocumentBuilder db = factory.newDocumentBuilder();
- return db;
+ return factory.newDocumentBuilder();
}
/**
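Review bot: For defence in depth the factory could additionally set `factory.setXIncludeAware(false);` and `factory.setExpandEntityReferences(false);`, and turn off the `http://xml.org/sax/features/external-parameter-entities` and `http://apache.org/xml/features/nonvalidating/load-external-dtd` features, as the OWASP XXE prevention guidance recommends for `DocumentBuilderFactory`. The settings visible here — doctype declarations disallowed, external general entities off, secure processing on — are the essential ones, and disallowing the DOCTYPE already prevents parameter or external entities from being declared, so this is hardening rather than a hole. The lines where the factory is created, above this hunk, are not visible, so some of these may already be applied there; the inlined `return factory.newDocumentBuilder();` is a fine style change.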
diff --git a/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderTest.java b/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderTest.java
index 2ec75264f..7bc487fde 100644
--- a/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderTest.java
+++ b/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderTest.java
@@ -20,7 +20,6 @@ package org.owasp.dependencycheck.utils;
import java.io.File;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
-import org.owasp.dependencycheck.utils.Downloader;
/**
*
diff --git a/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStreamTest.java b/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStreamTest.java
similarity index 57%
rename from dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStreamTest.java
rename to dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStreamTest.java
index a70965cb9..0907da9bb 100644
--- a/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStreamTest.java
+++ b/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStreamTest.java
@@ -26,61 +26,53 @@ import java.util.ArrayList;
import java.util.List;
import static org.junit.Assert.fail;
import org.junit.Test;
+import static org.junit.Assert.fail;
/**
*
* @author jeremy
*/
-public class ExpectedOjectInputStreamTest {
+public class ExpectedObjectInputStreamTest {
/**
- * Test of resolveClass method, of class ExpectedOjectInputStream.
+ * Test of resolveClass method, of class ExpectedObjectInputStream.
*/
@Test
public void testResolveClass() {
- ObjectOutputStream out = null;
- try {
- List data = new ArrayList<>();
- data.add(new SimplePojo());
- ByteArrayOutputStream mem = new ByteArrayOutputStream();
- out = new ObjectOutputStream(new BufferedOutputStream(mem));
+ List data = new ArrayList<>();
+ data.add(new SimplePojo());
+ try (ByteArrayOutputStream mem = new ByteArrayOutputStream();
+ ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem))) {
out.writeObject(data);
out.flush();
byte[] buf = mem.toByteArray();
out.close();
ByteArrayInputStream in = new ByteArrayInputStream(buf);
- ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo", "java.lang.Integer", "java.lang.Number");
+ ExpectedObjectInputStream instance = new ExpectedObjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo", "java.lang.Integer", "java.lang.Number");
instance.readObject();
} catch (IOException | ClassNotFoundException ex) {
fail(ex.getMessage());
- } finally {
- try {
- if (out != null) {
- out.close();
- }
- } catch (IOException ex) {
- ex.printStackTrace();
- }
}
}
/**
- * Test of resolveClass method, of class ExpectedOjectInputStream.
+ * Test of resolveClass method, of class ExpectedObjectInputStream.
*/
@Test(expected = java.io.InvalidClassException.class)
public void testResolveClassException() throws Exception {
- List data = new ArrayList();
+ List data = new ArrayList<>();
data.add(new SimplePojo());
ByteArrayOutputStream mem = new ByteArrayOutputStream();
- ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
- out.writeObject(data);
- out.flush();
- byte[] buf = mem.toByteArray();
- out.close();
+ byte[] buf;
+ try (ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem))) {
+ out.writeObject(data);
+ out.flush();
+ buf = mem.toByteArray();
+ }
ByteArrayInputStream in = new ByteArrayInputStream(buf);
- ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo");
+ ExpectedObjectInputStream instance = new ExpectedObjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo");
instance.readObject();
}
}
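Review bot: The added `import static org.junit.Assert.fail;` duplicates the identical import two lines above it and should be dropped. In `testResolveClass` the explicit `out.close()` inside the try-with-resources is now redundant, since the resource block closes `out` again on exit, and `fail(ex.getMessage())` discards the stack trace of an unexpected `IOException` or `ClassNotFoundException`; letting the method declare `throws Exception`, as `testResolveClassException` already does, yields a more useful failure. The `ByteArrayInputStream` could join the resource list for consistency, though closing it is a no-op.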
diff --git a/src/site/markdown/general/internals.md b/src/site/markdown/general/internals.md
index 35433a5e5..91cdde7a3 100644
--- a/src/site/markdown/general/internals.md
+++ b/src/site/markdown/general/internals.md
@@ -15,6 +15,9 @@ a list of vulnerable software:
cpe:/a:vmware:springsource_spring_security:3.1.2cpe:/a:vmware:springsource_spring_security:2.0.4cpe:/a:vmware:springsource_spring_security:3.0.1
+
+ ...
+
```
These CPE entries are read "cpe:/[Entry Type]:[Vendor]:[Product]:[Version]:[Revision]:...". The CPE data is collected