update per issue #933

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -135,12 +135,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
      */
     @Override
     protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
-        try {
+        //do nothing
-            getSha1MessageDigest();
-        } catch (IllegalStateException ex) {
-            setEnabled(false);
-            throw new InitializationException("Unable to create SHA1 MessageDigest", ex);
-        }
     }
 
     /**
@@ -224,8 +219,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
                 } catch (UnsupportedEncodingException ex) {
                     path = filePath.getBytes();
                 }
-                final MessageDigest sha1 = getSha1MessageDigest();
+                currentDep.setSha1sum(Checksum.getSHA1Checksum(path));
-                currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
+                currentDep.setMd5sum(Checksum.getMD5Checksum(path));
                 engine.addDependency(currentDep);
             }
             final String source = currentDep.getFileName();
@@ -242,18 +237,4 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_CMAKE_ENABLED;
     }
-
-    /**
-     * Returns the SHA1 message digest.
-     *
-     * @return the SHA1 message digest
-     */
-    private MessageDigest getSha1MessageDigest() {
-        try {
-            return MessageDigest.getInstance("SHA1");
-        } catch (NoSuchAlgorithmException e) {
-            LOGGER.error(e.getMessage());
-            throw new IllegalStateException("Failed to obtain the SHA1 message digest.", e);
-        }
-    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java

@@ -92,12 +92,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
      */
     @Override
     protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
-        try {
+        // do nothing
-            getSha1MessageDigest();
-        } catch (IllegalStateException ex) {
-            setEnabled(false);
-            throw new InitializationException("Unable to create SHA1 MessageDigest", ex);
-        }
     }
 
     /**
@@ -122,9 +117,9 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
                 d.setName(dep.getProject());
                 d.setVersion(dep.getVersion());
                 d.setEcosystem(DEPENDENCY_ECOSYSTEM);
-                final MessageDigest sha1 = getSha1MessageDigest();
                 d.setFilePath(filePath);
-                d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
+                d.setSha1sum(Checksum.getSHA1Checksum(filePath.getBytes(Charset.defaultCharset())));
+                d.setMd5sum(Checksum.getMD5Checksum(filePath.getBytes(Charset.defaultCharset())));
                 d.addEvidence(EvidenceType.VENDOR, COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
                 d.addEvidence(EvidenceType.PRODUCT, COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
                 d.addEvidence(EvidenceType.VERSION, COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
@@ -175,18 +170,4 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
     public AnalysisPhase getAnalysisPhase() {
         return AnalysisPhase.INFORMATION_COLLECTION;
     }
-
-    /**
-     * Returns the sha1 message digest.
-     *
-     * @return the sha1 message digest
-     */
-    private MessageDigest getSha1MessageDigest() {
-        try {
-            return MessageDigest.getInstance("SHA1");
-        } catch (NoSuchAlgorithmException e) {
-            LOGGER.error(e.getMessage());
-            throw new IllegalStateException("Failed to obtain the SHA1 message digest.", e);
-        }
-    }
 }

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java

@@ -17,8 +17,6 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import mockit.Mock;
-import mockit.MockUp;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -28,12 +26,8 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.exception.InitializationException;
 
 import java.io.File;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.List;
 import java.util.regex.Pattern;
 
 import static org.hamcrest.CoreMatchers.equalTo;
@@ -197,22 +191,4 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
         }
         assertTrue("Expected version evidence to contain \"" + version + "\".", found);
     }
-
-    @Test(expected = InitializationException.class)
-    public void analyzerIsDisabledInCaseOfMissingMessageDigest() throws InitializationException {
-        new MockUp<MessageDigest>() {
-            @Mock
-            MessageDigest getInstance(String ignore) throws NoSuchAlgorithmException {
-                throw new NoSuchAlgorithmException();
-            }
-        };
-
-        analyzer = new CMakeAnalyzer();
-        analyzer.setFilesMatched(true);
-        assertTrue(analyzer.isEnabled());
-        analyzer.initialize(getSettings());
-        analyzer.prepare(null);
-
-        assertFalse(analyzer.isEnabled());
-    }
 }

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java

@@ -17,8 +17,6 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import mockit.Mock;
-import mockit.MockUp;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -27,11 +25,8 @@ import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.exception.InitializationException;
 
 import java.io.File;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import org.apache.commons.lang3.ArrayUtils;
 
 import static org.junit.Assert.assertEquals;
@@ -137,22 +132,4 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase {
             assertEquals(ComposerLockAnalyzer.DEPENDENCY_ECOSYSTEM, d.getEcosystem());
         }
     }
-
-    @Test(expected = InitializationException.class)
-    public void analyzerIsDisabledInCaseOfMissingMessageDigest() throws InitializationException {
-        new MockUp<MessageDigest>() {
-            @Mock
-            MessageDigest getInstance(String ignore) throws NoSuchAlgorithmException {
-                throw new NoSuchAlgorithmException("SHA1 is missing");
-            }
-        };
-
-        analyzer = new ComposerLockAnalyzer();
-        analyzer.setFilesMatched(true);
-        analyzer.initialize(getSettings());
-        assertTrue(analyzer.isEnabled());
-        analyzer.prepare(null);
-
-        assertFalse(analyzer.isEnabled());
-    }
 }

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java

@@ -24,6 +24,8 @@ import java.nio.ByteBuffer;
 import java.nio.channels.FileChannel;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Includes methods to generate the MD5 and SHA1 checksum.
@@ -38,6 +40,11 @@ public final class Checksum {
      */
     private static final String HEXES = "0123456789abcdef";
 
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(Checksum.class);
+
     /**
      * Private constructor for a utility class.
      */
@@ -100,6 +107,30 @@ public final class Checksum {
         return getHex(b);
     }
 
+    /**
+     * Calculates the MD5 checksum of a specified bytes.
+     *
+     * @param bytes the bytes to generate the MD5 checksum
+     * @return the hex representation of the MD5 hash
+     */
+    public static String getMD5Checksum(byte[] bytes) {
+        MessageDigest algorithm = getMessageDigest("MD5");
+        final byte[] b = algorithm.digest(bytes);
+        return getHex(b);
+    }
+
+    /**
+     * Calculates the SHA1 checksum of a specified bytes.
+     *
+     * @param bytes the bytes to generate the MD5 checksum
+     * @return the hex representation of the SHA1 hash
+     */
+    public static String getSHA1Checksum(byte[] bytes) {
+        MessageDigest algorithm = getMessageDigest("SHA1");
+        final byte[] b = algorithm.digest(bytes);
+        return getHex(b);
+    }
+
     /**
      * <p>
      * Converts a byte array into a hex string.</p>
@@ -121,4 +152,20 @@ public final class Checksum {
         }
         return hex.toString();
     }
+
+    /**
+     * Returns the message digest.
+     *
+     * @param algorithm the algorithm for the message digest
+     * @return the message digest
+     */
+    private static MessageDigest getMessageDigest(String algorithm) {
+        try {
+            return MessageDigest.getInstance(algorithm);
+        } catch (NoSuchAlgorithmException e) {
+            LOGGER.error(e.getMessage());
+            final String msg = String.format("Failed to obtain the {} message digest.", algorithm);
+            throw new IllegalStateException(msg, e);
+        }
+    }
 }