diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index f22b52fda..eb96f9b80 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -122,6 +122,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 "ipojo-components",
 "ipojo-extension",
 "eclipse-sourcereferences");
+ /**
+ * Deprecated Jar manifest attribute, that is, nonetheless, useful for
+ * analysis.
+ */
+ @SuppressWarnings("deprecation")
+ private static final String IMPLEMENTATION_VENDOR_ID = Attributes.Name.IMPLEMENTATION_VENDOR_ID
+ .toString();
 /**
 * item in some manifest, should be considered medium confidence.
 */
@@ -670,7 +677,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 foundSomething = true;
 vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
 addMatchingValues(classInformation, value, vendorEvidence);
- } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR_ID.toString())) {
+ } else if (key.equalsIgnoreCase(IMPLEMENTATION_VENDOR_ID)) {
 foundSomething = true;
 vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
 addMatchingValues(classInformation, value, vendorEvidence);
@@ -918,9 +925,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 JarFile jar = null;
 try {
 jar = new JarFile(dependency.getActualFilePath());
- final Enumeration entries = jar.entries();
+ final Enumeration entries = jar.entries();
 while (entries.hasMoreElements()) {
- final JarEntry entry = (JarEntry) entries.nextElement();
+ final JarEntry entry = entries.nextElement();
 final String name = entry.getName().toLowerCase();
 //no longer stripping "|com\\.sun" - there are some com.sun jar files with CVEs.
 if (name.endsWith(".class") && !name.matches("^javax?\\..*$")) {
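Review bot: The new `IMPLEMENTATION_VENDOR_ID` constant in the first hunk still reads the deprecated `Attributes.Name.IMPLEMENTATION_VENDOR_ID` field and only silences the warning, so the class keeps a compile-time dependency on a deprecated JDK member. The value is only compared with `equalsIgnoreCase` in the manifest-parsing hunk, so a literal would do the same job with no suppression: `private static final String IMPLEMENTATION_VENDOR_ID = "Implementation-Vendor-Id";`. If the field reference is kept, the Javadoc should state why the `@SuppressWarnings("deprecation")` is acceptable here.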
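Review bot: `entry.getName().toLowerCase()` in the third hunk (a context line the commit leaves untouched) lower-cases with the JVM's default locale, so under a locale such as Turkish an `I` in an entry name becomes a dotless `ı`. The class and package names derived from `name` can then differ between machines scanning the same jar, which matters for a tool whose matches depend on that evidence. `entry.getName().toLowerCase(Locale.ROOT)` keeps the result stable; whether `java.util.Locale` is already imported is not visible here. The enclosing method starts and ends outside the hunk.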
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
index 3c73cf619..d5e744c40 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
@@ -356,9 +356,22 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
 try {
 result = URLDecoder.decode(text, "ASCII");
 } catch (UnsupportedEncodingException ex1) {
- result = URLDecoder.decode(text);
+ result = defaultUrlDecode(text);
 }
 }
 return result;
 }
+
+ /**
+ * Call {@link java.net.URLDecoder#decode(String)} to URL decode using the
+ * default encoding.
+ *
+ * @param text
+ * www-form-encoded URL to decode
+ * @return the newly decoded String
+ */
+ @SuppressWarnings("deprecation")
+ private String defaultUrlDecode(final String text) {
+ return URLDecoder.decode(text);
+ }
 }
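Review bot: `defaultUrlDecode` keeps the platform-default `URLDecoder.decode(String)` call and hides its deprecation warning, so if this fallback ever ran, the decoded text would depend on the host's default charset. It is reached only when `"ASCII"` is reported as unsupported, and US-ASCII is a charset every Java platform must provide, so the branch looks unreachable in practice. The Javadoc should say so, e.g. `Fallback of last resort; the result depends on the platform default charset.` Separately, `URLDecoder.decode` throws `IllegalArgumentException` on a malformed `%` escape and the visible catch handles only `UnsupportedEncodingException`; whether the caller copes with that is outside the hunk. The helper reads no instance state and could be declared `static`.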