From 6838b9b95062b0fe21a281a92df1a6d80efb103f Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Tue, 22 Nov 2016 06:21:30 -0500
Subject: [PATCH] fixed logic for single pom entry in a jar

---
 .../dependencycheck/analyzer/JarAnalyzer.java | 24 +++++++++++++++----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index 1ebbdea36..401f507c6 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -279,18 +279,32 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             }
             return false;
         }
-        if (pomEntries != null && pomEntries.isEmpty()) {
-            final String pomPath = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom";
-            final File externalPom = new File(pomPath);
-            if (externalPom.isFile()) {
-                Model pom = PomUtils.readPom(externalPom);
+        if (pomEntries != null && pomEntries.size() <= 1) {
+            String path = null;
+            Properties pomProperties = null;
+            File pomFile = null;
+            if (pomEntries.size() == 1) {
+                path = pomEntries.get(0);
+                pomFile = extractPom(path, jar);
+                pomProperties = retrievePomProperties(path, jar);
+            } else {
+                path = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom";
+                pomFile = new File(path);
+            }
+            if (pomFile.isFile()) {
+                Model pom = PomUtils.readPom(pomFile);
+                if (pom != null && pomProperties != null) {
+                    pom.processProperties(pomProperties);
+                }
                 if (pom != null) {
                     return setPomEvidence(dependency, pom, classes);
                 }
+                return false;
             } else {
                 return false;
             }
         }
+        //reported possible null dereference on pomEntries is on a non-feasible path
         for (String path : pomEntries) {
             //TODO - one of these is likely the pom for the main JAR we are analyzing