updated so that all scanned dependencies are correctly kept in the dependency list

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -248,10 +248,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
         extractFiles(f, tmpDir, engine);
 
         //make a copy
-        final Set<Dependency> dependencySet = findMoreDependencies(engine, tmpDir);
+        final List<Dependency> dependencySet = findMoreDependencies(engine, tmpDir);
         
         if (!dependencySet.isEmpty()) {
             for (Dependency d : dependencySet) {
+                if (d.getFilePath().startsWith(tmpDir.getAbsolutePath())) {
                     //fix the dependency's display name and path
                     final String displayPath = String.format("%s%s",
                             dependency.getFilePath(),
@@ -270,6 +271,20 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                         analyze(d, engine);
                         scanDepth -= 1;
                     }
+                } else {
+                    for (Dependency sub : dependencySet) {
+                        if (sub.getFilePath().startsWith(tmpDir.getAbsolutePath())) {
+                            final String displayPath = String.format("%s%s",
+                                    dependency.getFilePath(),
+                                    sub.getActualFilePath().substring(tmpDir.getAbsolutePath().length()));
+                            final String displayName = String.format("%s: %s",
+                                    dependency.getFileName(),
+                                    sub.getFileName());
+                            sub.setFilePath(displayPath);
+                            sub.setFileName(displayName);
+                        }
+                    }
+                }
             }
         }
         if (REMOVE_FROM_ANALYSIS.accept(dependency.getActualFile())) {
@@ -293,30 +308,37 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
             final String fileName = dependency.getFileName();
             
             LOGGER.info("The zip file '{}' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName);
-
             final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
+            //store the archives sha1 and change it so that the engine doesn't think the zip and jar file are the same
+            // and add it is a related dependency.
+            String archiveSha1 = dependency.getSha1sum();
             try {
-                org.apache.commons.io.FileUtils.copyFile(tdir, tmpLoc);
-                final Set<Dependency> dependencySet = findMoreDependencies(engine, tmpLoc);
+                dependency.setSha1sum("");
+                org.apache.commons.io.FileUtils.copyFile(dependency.getActualFile(), tmpLoc);
+                final List<Dependency> dependencySet = findMoreDependencies(engine, tmpLoc);
                 if (!dependencySet.isEmpty()) {
-                    if (dependencySet.size() != 1) {
-                        LOGGER.info("Deep copy of ZIP to JAR file resulted in more than one dependency?");
-                    }
                     for (Dependency d : dependencySet) {
                         //fix the dependency's display name and path
+                        if (d.getActualFile().equals(tmpLoc)) {
                             d.setFilePath(dependency.getFilePath());
                             d.setDisplayFileName(dependency.getFileName());
+                        } else {
+                            for (Dependency sub : d.getRelatedDependencies()) {
+                                if (sub.getActualFile().equals(tmpLoc)) {
+                                    sub.setFilePath(dependency.getFilePath());
+                                    sub.setDisplayFileName(dependency.getFileName());
+                                }
+                            }
+                        }
                     }
                 }
             } catch (IOException ex) {
                 LOGGER.debug("Unable to perform deep copy on '{}'", dependency.getActualFile().getPath(), ex);
+            } finally {
+                dependency.setSha1sum(archiveSha1);
             }
         }
     }
-    /**
-     * An empty dependency set.
-     */
-    private static final Set<Dependency> EMPTY_DEPENDENCY_SET = Collections.emptySet();
 
     /**
      * Scan the given file/folder, and return any new dependencies found.
@@ -325,20 +347,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      * @param file target of scanning
      * @return any dependencies that weren't known to the engine before
      */
-    private static Set<Dependency> findMoreDependencies(Engine engine, File file) {
-        final List<Dependency> before = new ArrayList<Dependency>(engine.getDependencies());
-        engine.scan(file);
-        final List<Dependency> after = engine.getDependencies();
-        final boolean sizeChanged = before.size() != after.size();
-        final Set<Dependency> newDependencies;
-        if (sizeChanged) {
-            //get the new dependencies
-            newDependencies = new HashSet<Dependency>(after);
-            newDependencies.removeAll(before);
-        } else {
-            newDependencies = EMPTY_DEPENDENCY_SET;
-        }
-        return newDependencies;
+    private static List<Dependency> findMoreDependencies(Engine engine, File file) {
+        List<Dependency> added = engine.scan(file);
+        return added;
     }
 
     /**