From 765bfa0e1d3dce3465056465beb1d1e02e500078 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 22 Oct 2017 15:34:16 -0400
Subject: [PATCH] update per issue #933

---
 .../analyzer/CMakeAnalyzer.java | 25 ++--------
 .../analyzer/ComposerLockAnalyzer.java | 25 ++--------
 .../analyzer/CMakeAnalyzerTest.java | 24 ----------
 .../analyzer/ComposerLockAnalyzerTest.java | 23 ---------
 .../owasp/dependencycheck/utils/Checksum.java | 47 +++++++++++++++++++
 5 files changed, 53 insertions(+), 91 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
index e473c7497..f938bc4d3 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
@@ -135,12 +135,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 */
 @Override
 protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
- try {
- getSha1MessageDigest();
- } catch (IllegalStateException ex) {
- setEnabled(false);
- throw new InitializationException("Unable to create SHA1 MessageDigest", ex);
- }
+ //do nothing
 }

 /**
@@ -224,8 +219,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 } catch (UnsupportedEncodingException ex) {
 path = filePath.getBytes();
 }
- final MessageDigest sha1 = getSha1MessageDigest();
- currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
+ currentDep.setSha1sum(Checksum.getSHA1Checksum(path));
+ currentDep.setMd5sum(Checksum.getMD5Checksum(path));
 engine.addDependency(currentDep);
 }
 final String source = currentDep.getFileName();
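Review bot: The `//do nothing` body now left in `CMakeAnalyzer.prepareFileTypeAnalyzer` (and the identical `// do nothing` in `ComposerLockAnalyzer.prepareFileTypeAnalyzer` in the next file) says what the method does but not why, so a later reader has to consult history to learn that digest availability is deliberately no longer checked at preparation time. A missing algorithm now surfaces as the unchecked `IllegalStateException` thrown from `Checksum` during analysis rather than disabling the analyzer up front, which is worth stating where the old check used to be. I would replace the comment with `// Nothing to prepare: message digests are obtained on demand through Checksum, which throws IllegalStateException if the algorithm is unavailable.` The method still declares `throws InitializationException` although nothing in the new body can throw it; that is acceptable for the override contract but could be noted in the same comment.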
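Review bot: The two new `setSha1sum`/`setMd5sum` calls hash `path`, which the visible context derives from the dependency's file path (the fallback `path = filePath.getBytes()` uses the platform default charset), so these values are identifiers for a synthetic dependency rather than checksums of any file content, and the fallback branch can presumably yield different sums on different hosts. Nothing on the new lines says so; a comment such as `// sha1/md5 of the path bytes, not of file content: they only give the synthetic dependency a stable identity` would keep a later reader from treating them as integrity values. The enclosing method starts and ends outside the hunk.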
@@ -242,18 +237,4 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 protected String getAnalyzerEnabledSettingKey() {
 return Settings.KEYS.ANALYZER_CMAKE_ENABLED;
 }
-
- /**
- * Returns the SHA1 message digest.
- *
- * @return the SHA1 message digest
- */
- private MessageDigest getSha1MessageDigest() {
- try {
- return MessageDigest.getInstance("SHA1");
- } catch (NoSuchAlgorithmException e) {
- LOGGER.error(e.getMessage());
- throw new IllegalStateException("Failed to obtain the SHA1 message digest.", e);
- }
- }
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
index aba20c9d5..95e750739 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
@@ -92,12 +92,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 */
 @Override
 protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
- try {
- getSha1MessageDigest();
- } catch (IllegalStateException ex) {
- setEnabled(false);
- throw new InitializationException("Unable to create SHA1 MessageDigest", ex);
- }
+ // do nothing
 }

 /**
@@ -122,9 +117,9 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 d.setName(dep.getProject());
 d.setVersion(dep.getVersion());
 d.setEcosystem(DEPENDENCY_ECOSYSTEM);
- final MessageDigest sha1 = getSha1MessageDigest();
 d.setFilePath(filePath);
- d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
+ d.setSha1sum(Checksum.getSHA1Checksum(filePath.getBytes(Charset.defaultCharset())));
+ d.setMd5sum(Checksum.getMD5Checksum(filePath.getBytes(Charset.defaultCharset())));
 d.addEvidence(EvidenceType.VENDOR, COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
 d.addEvidence(EvidenceType.PRODUCT, COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
 d.addEvidence(EvidenceType.VERSION, COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
@@ -175,18 +170,4 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 public AnalysisPhase getAnalysisPhase() {
 return AnalysisPhase.INFORMATION_COLLECTION;
 }
-
- /**
- * Returns the sha1 message digest.
- *
- * @return the sha1 message digest
- */
- private MessageDigest getSha1MessageDigest() {
- try {
- return MessageDigest.getInstance("SHA1");
- } catch (NoSuchAlgorithmException e) {
- LOGGER.error(e.getMessage());
- throw new IllegalStateException("Failed to obtain the SHA1 message digest.", e);
- }
- }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
index b87b7c57c..df6f50708 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
@@ -17,8 +17,6 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import mockit.Mock;
-import mockit.MockUp;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
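Review bot: The two added lines each call `filePath.getBytes(Charset.defaultCharset())`, encoding the same string twice and tying the resulting identifiers to the platform charset (the charset choice is pre-existing, the duplication is new). Encode once into a local and hand it to both helpers: `final byte[] pathBytes = filePath.getBytes(Charset.defaultCharset());` followed by `d.setSha1sum(Checksum.getSHA1Checksum(pathBytes));` and `d.setMd5sum(Checksum.getMD5Checksum(pathBytes));`. If a fixed charset such as `StandardCharsets.UTF_8` were acceptable here the sums would also become reproducible across machines, but that would change existing values and is a separate decision. The enclosing method starts and ends outside the hunk.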
@@ -28,12 +26,8 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.exception.InitializationException;

 import java.io.File;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.List;
 import java.util.regex.Pattern;

 import static org.hamcrest.CoreMatchers.equalTo;
@@ -197,22 +191,4 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
 }
 assertTrue("Expected version evidence to contain \"" + version + "\".", found);
 }
-
- @Test(expected = InitializationException.class)
- public void analyzerIsDisabledInCaseOfMissingMessageDigest() throws InitializationException {
- new MockUp() {
- @Mock
- MessageDigest getInstance(String ignore) throws NoSuchAlgorithmException {
- throw new NoSuchAlgorithmException();
- }
- };
-
- analyzer = new CMakeAnalyzer();
- analyzer.setFilesMatched(true);
- assertTrue(analyzer.isEnabled());
- analyzer.initialize(getSettings());
- analyzer.prepare(null);
-
- assertFalse(analyzer.isEnabled());
- }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
index 53dd3e1a6..d5f1b8778 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
@@ -17,8 +17,6 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import mockit.Mock;
-import mockit.MockUp;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -27,11 +25,8 @@ import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.exception.InitializationException;

 import java.io.File;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import org.apache.commons.lang3.ArrayUtils;

 import static org.junit.Assert.assertEquals;
@@ -137,22 +132,4 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase {
 assertEquals(ComposerLockAnalyzer.DEPENDENCY_ECOSYSTEM, d.getEcosystem());
 }
 }
-
- @Test(expected = InitializationException.class)
- public void analyzerIsDisabledInCaseOfMissingMessageDigest() throws InitializationException {
- new MockUp() {
- @Mock
- MessageDigest getInstance(String ignore) throws NoSuchAlgorithmException {
- throw new NoSuchAlgorithmException("SHA1 is missing");
- }
- };
-
- analyzer = new ComposerLockAnalyzer();
- analyzer.setFilesMatched(true);
- analyzer.initialize(getSettings());
- assertTrue(analyzer.isEnabled());
- analyzer.prepare(null);
-
- assertFalse(analyzer.isEnabled());
- }
 }
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
index fa4565946..1f043c048 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
@@ -24,6 +24,8 @@ import java.nio.ByteBuffer;
 import java.nio.channels.FileChannel;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;

 /**
 * Includes methods to generate the MD5 and SHA1 checksum.
@@ -38,6 +40,11 @@ public final class Checksum {
 */
 private static final String HEXES = "0123456789abcdef";

+ /**
+ * The logger.
+ */
+ private static final Logger LOGGER = LoggerFactory.getLogger(Checksum.class);
+
 /**
 * Private constructor for a utility class.
 */
@@ -100,6 +107,30 @@ public final class Checksum {
 return getHex(b);
 }

+ /**
+ * Calculates the MD5 checksum of a specified bytes.
+ *
+ * @param bytes the bytes to generate the MD5 checksum
+ * @return the hex representation of the MD5 hash
+ */
+ public static String getMD5Checksum(byte[] bytes) {
+ MessageDigest algorithm = getMessageDigest("MD5");
+ final byte[] b = algorithm.digest(bytes);
+ return getHex(b);
+ }
+
+ /**
+ * Calculates the SHA1 checksum of a specified bytes.
+ *
+ * @param bytes the bytes to generate the MD5 checksum
+ * @return the hex representation of the SHA1 hash
+ */
+ public static String getSHA1Checksum(byte[] bytes) {
+ MessageDigest algorithm = getMessageDigest("SHA1");
+ final byte[] b = algorithm.digest(bytes);
+ return getHex(b);
+ }
+
 /**
 *

* Converts a byte array into a hex string.
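Review bot: The Javadoc of the new `getSHA1Checksum` was copied from `getMD5Checksum` and still reads `@param bytes the bytes to generate the MD5 checksum`; it should say `@param bytes the bytes to generate the SHA1 checksum`, and both summaries read better as `Calculates the MD5 checksum of the specified bytes.` / `Calculates the SHA1 checksum of the specified bytes.` In both methods the `MessageDigest algorithm` local is assigned once and could be declared `final`, matching the `final byte[] b` beside it and the rest of the file. `"SHA1"` is a provider alias rather than the standard algorithm name `"SHA-1"`; it behaved the same in the per-analyzer helpers this commit removes, so this is only a portability consideration when a non-default security provider is in use.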

@@ -121,4 +152,20 @@ public final class Checksum {
 }
 return hex.toString();
 }
+
+ /**
+ * Returns the message digest.
+ *
+ * @param algorithm the algorithm for the message digest
+ * @return the message digest
+ */
+ private static MessageDigest getMessageDigest(String algorithm) {
+ try {
+ return MessageDigest.getInstance(algorithm);
+ } catch (NoSuchAlgorithmException e) {
+ LOGGER.error(e.getMessage());
+ final String msg = String.format("Failed to obtain the {} message digest.", algorithm);
+ throw new IllegalStateException(msg, e);
+ }
+ }
 }
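Review bot: `String.format("Failed to obtain the {} message digest.", algorithm)` in the new `getMessageDigest` uses an SLF4J-style `{}` placeholder, which `String.format` does not recognise, so the algorithm name is never substituted and the `IllegalStateException` message literally reads `Failed to obtain the {} message digest.`; the fix is `final String msg = String.format("Failed to obtain the %s message digest.", algorithm);`. The preceding `LOGGER.error(e.getMessage())` also discards the stack trace and the algorithm name; `LOGGER.error("Failed to obtain the {} message digest.", algorithm, e);` keeps both, and since the caller already receives the cause in the thrown exception the log line could alternatively be dropped to avoid double reporting. The Javadoc should also state the contract the analyzers now rely on, e.g. `@throws IllegalStateException if the named algorithm is not available from any installed provider`.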