From 988d1d5147a6dcc5a00f7df56db6b5d820485dc9 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Wed, 25 Oct 2017 06:47:48 -0400
Subject: [PATCH] centralized string converversion to bytes

---
 .../analyzer/CMakeAnalyzer.java | 16 +---
 .../analyzer/ComposerLockAnalyzer.java | 7 +-
 .../owasp/dependencycheck/utils/Checksum.java | 50 ++++++++---
 .../dependencycheck/utils/ChecksumTest.java | 83 +++++++++++++++++--
 4 files changed, 118 insertions(+), 38 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
index f938bc4d3..3a568daf2 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
@@ -32,10 +32,7 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
 import java.nio.charset.Charset;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.dependency.EvidenceType;
@@ -186,9 +183,6 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 * @param engine the dependency-check engine
 * @param contents the version information
 */
- @edu.umd.cs.findbugs.annotations.SuppressFBWarnings(
- value = "DM_DEFAULT_ENCODING",
- justification = "Default encoding is only used if UTF-8 is not available")
 private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
 Dependency currentDep = dependency;
 
@@ -213,14 +207,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 
 final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
 currentDep.setFilePath(filePath);
- byte[] path;
- try {
- path = filePath.getBytes("UTF-8");
- } catch (UnsupportedEncodingException ex) {
- path = filePath.getBytes();
- }
- currentDep.setSha1sum(Checksum.getSHA1Checksum(path));
- currentDep.setMd5sum(Checksum.getMD5Checksum(path));
+ currentDep.setSha1sum(Checksum.getSHA1Checksum(filePath));
+ currentDep.setMd5sum(Checksum.getMD5Checksum(filePath));
 engine.addDependency(currentDep);
 }
 final String source = currentDep.getFileName();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
index 95e750739..e2aeba101 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
@@ -34,9 +34,6 @@ import org.slf4j.LoggerFactory;
 import java.io.FileFilter;
 import java.io.FileInputStream;
 import java.io.IOException;
-import java.nio.charset.Charset;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import org.owasp.dependencycheck.dependency.EvidenceType;
 
 /**
@@ -118,8 +115,8 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 d.setVersion(dep.getVersion());
 d.setEcosystem(DEPENDENCY_ECOSYSTEM);
 d.setFilePath(filePath);
- d.setSha1sum(Checksum.getSHA1Checksum(filePath.getBytes(Charset.defaultCharset())));
- d.setMd5sum(Checksum.getMD5Checksum(filePath.getBytes(Charset.defaultCharset())));
+ d.setSha1sum(Checksum.getSHA1Checksum(filePath));
+ d.setMd5sum(Checksum.getMD5Checksum(filePath));
 d.addEvidence(EvidenceType.VENDOR, COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
 d.addEvidence(EvidenceType.PRODUCT, COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
 d.addEvidence(EvidenceType.VERSION, COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
index 1f043c048..25200c077 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
@@ -22,6 +22,8 @@ import java.io.FileInputStream;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.FileChannel;
+import java.nio.charset.Charset;
+import java.nio.charset.UnsupportedCharsetException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import org.slf4j.Logger;
@@ -110,25 +112,53 @@ public final class Checksum {
 /**
 * Calculates the MD5 checksum of a specified bytes.
 *
+ * @param algorithm the algorithm to use (md5, sha1, etc.) to calculate the
+ * message digest
 * @param bytes the bytes to generate the MD5 checksum
 * @return the hex representation of the MD5 hash
 */
- public static String getMD5Checksum(byte[] bytes) {
- MessageDigest algorithm = getMessageDigest("MD5");
- final byte[] b = algorithm.digest(bytes);
+ public static String getChecksum(String algorithm, byte[] bytes) {
+ MessageDigest digest = getMessageDigest(algorithm);
+ final byte[] b = digest.digest(bytes);
 return getHex(b);
 }
 
 /**
- * Calculates the SHA1 checksum of a specified bytes.
+ * Calculates the MD5 checksum of the specified text.
 *
- * @param bytes the bytes to generate the MD5 checksum
- * @return the hex representation of the SHA1 hash
+ * @param text the text to generate the MD5 checksum
+ * @return the hex representation of the MD5
 */
- public static String getSHA1Checksum(byte[] bytes) {
- MessageDigest algorithm = getMessageDigest("SHA1");
- final byte[] b = algorithm.digest(bytes);
- return getHex(b);
+ public static String getMD5Checksum(String text) {
+ final byte[] data = stringToBytes(text);
+ return getChecksum("MD5", data);
+ }
+
+ /**
+ * Calculates the SHA1 checksum of the specified text.
+ *
+ * @param text the text to generate the SHA1 checksum
+ * @return the hex representation of the SHA1
+ */
+ public static String getSHA1Checksum(String text) {
+ final byte[] data = stringToBytes(text);
+ return getChecksum("SHA1", data);
+ }
+
+ /**
+ * Converts the given text into bytes.
+ *
+ * @param text the text to convert
+ * @return the bytes
+ */
+ private static byte[] stringToBytes(String text) {
+ byte[] data;
+ try {
+ data = text.getBytes(Charset.forName("UTF-8"));
+ } catch (UnsupportedCharsetException ex) {
+ data = text.getBytes(Charset.defaultCharset());
+ }
+ return data;
 }
 
 /**
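Review bot: The javadoc on the new `getChecksum(String algorithm, byte[] bytes)` still reads `Calculates the MD5 checksum of a specified bytes.` and its `@param bytes` and `@return` lines still say MD5, although the method now digests with whatever algorithm the caller names; change the summary to `Calculates the checksum of the specified bytes using the given algorithm.` and the return line to `@return the hex representation of the digest`. In `stringToBytes`, `Charset.forName("UTF-8")` cannot throw `UnsupportedCharsetException` on a conforming JVM, because UTF-8 is one of the standard charsets every implementation is required to support, so the `Charset.defaultCharset()` fallback is unreachable and only keeps a platform-dependent branch next to code whose whole purpose is a stable identifier hash; `return text.getBytes(StandardCharsets.UTF_8);` (importing `java.nio.charset.StandardCharsets` instead of `UnsupportedCharsetException`) expresses that without the fallback. The `byte[]` overloads `getMD5Checksum(byte[])` and `getSHA1Checksum(byte[])` are removed rather than kept as delegates, which is a source-incompatible change for any caller of dependency-check-utils outside the two analyzers in this patch; if such callers may exist, retaining `public static String getMD5Checksum(byte[] bytes) { return getChecksum("MD5", bytes); }` and the SHA1 twin costs two lines. The enclosing `Checksum` class starts and ends outside this hunk.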
diff --git a/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ChecksumTest.java b/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ChecksumTest.java
index 14b347c98..ce5e68481 100644
--- a/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ChecksumTest.java
+++ b/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ChecksumTest.java
@@ -20,10 +20,15 @@ package org.owasp.dependencycheck.utils;
 import java.io.File;
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
+import org.junit.After;
+import org.junit.AfterClass;
+import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
+import org.junit.Before;
+import org.junit.BeforeClass;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
@@ -48,15 +53,7 @@ public class ChecksumTest {
 File file = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
 byte[] expResult = {-16, -111, 92, 95, 70, -72, -49, -94, -125, -27, -83, 103, -96, -101, 55, -109};
 byte[] result = Checksum.getChecksum(algorithm, file);
- boolean arraysAreEqual = true;
- if (expResult.length == result.length) {
- for (int i = 0; arraysAreEqual && i < result.length; i++) {
- arraysAreEqual = result[i] == expResult[i];
- }
- } else {
- fail("Checksum results do not match expected results.");
- }
- assertTrue(arraysAreEqual);
+ assertArrayEquals(expResult, result);
 }
 
 /**
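Review bot: The first hunk adds `org.junit.After`, `org.junit.AfterClass`, `org.junit.Before` and `org.junit.BeforeClass`, but no fixture method in this patch uses them and the rest of the test class is not visible here; unless something outside the diff references them they are unused imports and should be dropped, leaving only the static `assertArrayEquals` import that the second hunk actually needs. The second hunk's `assertArrayEquals(expResult, result)` is the right replacement for the hand-written loop, since it fails with the index of the first differing element rather than a bare `assertTrue(false)`.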
@@ -128,4 +125,72 @@ public class ChecksumTest {
 String result = Checksum.getHex(raw);
 assertEquals(expResult, result);
 }
+
+ /**
+ * Test of getChecksum method, of class Checksum.
+ */
+ @Test
+ public void testGetChecksum_String_File() throws Exception {
+ String algorithm = "MD5";
+ File file = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
+ byte[] expResult = {-16, -111, 92, 95, 70, -72, -49, -94, -125, -27, -83, 103, -96, -101, 55, -109};
+ byte[] result = Checksum.getChecksum(algorithm, file);
+ assertArrayEquals(expResult, result);
+ }
+
+ /**
+ * Test of getMD5Checksum method, of class Checksum.
+ */
+ @Test
+ public void testGetMD5Checksum_File() throws Exception {
+ File file = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
+ String expResult = "f0915c5f46b8cfa283e5ad67a09b3793";
+ String result = Checksum.getMD5Checksum(file);
+ assertEquals(expResult, result);
+ }
+
+ /**
+ * Test of getSHA1Checksum method, of class Checksum.
+ */
+ @Test
+ public void testGetSHA1Checksum_File() throws Exception {
+ File file = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
+ String expResult = "b8a9ff28b21bcb1d0b50e24a5243d8b51766851a";
+ String result = Checksum.getSHA1Checksum(file);
+ assertEquals(expResult, result);
+ }
+
+ /**
+ * Test of getChecksum method, of class Checksum.
+ */
+ @Test
+ public void testGetChecksum_String_byteArr() {
+ String algorithm = "SHA1";
+ byte[] bytes = {-16, -111, 92, 95, 70, -72, -49, -94, -125, -27, -83, 103, -96, -101, 55, -109};
+ String expResult = "89268a389a97f0bfba13d3ff2370d8ad436e36f6";
+ String result = Checksum.getChecksum(algorithm, bytes);
+ assertEquals(expResult, result);
+ }
+
+ /**
+ * Test of getMD5Checksum method, of class Checksum.
+ */
+ @Test
+ public void testGetMD5Checksum_String() {
+ String text = "test string";
+ String expResult = "6f8db599de986fab7a21625b7916589c";
+ String result = Checksum.getMD5Checksum(text);
+ assertEquals(expResult, result);
+ }
+
+ /**
+ * Test of getSHA1Checksum method, of class Checksum.
+ */
+ @Test
+ public void testGetSHA1Checksum_String() {
+ String text = "test string";
+ String expResult = "661295c9cbf9d6b2f6428414504a8deed3020641";
+ String result = Checksum.getSHA1Checksum(text);
+ assertEquals(expResult, result);
+ }
 }
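Review bot: The two new string tests, `testGetMD5Checksum_String` and `testGetSHA1Checksum_String`, hash only the ASCII input `"test string"`, so they would have passed against the removed `Charset.defaultCharset()` code as well and cannot detect a regression in the UTF-8 conversion this commit centralizes; add one case with a non-ASCII code point, e.g. `assertEquals("<expected-md5-placeholder>", Checksum.getMD5Checksum("caf\u00e9"));` with the digest computed once from the UTF-8 bytes and pinned, so the hash of an identifier is verified to be platform-independent. `testGetChecksum_String_File` repeats the existing file-based test at the top of this hunk's file exactly (same algorithm, resource and expected bytes), so one of the two can be dropped. The enclosing `ChecksumTest` class starts outside this hunk.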