coverity, checkstyle, pmd, and findbugs suggested corrections
@@ -17,7 +17,6 @@
|
|||||||
*/
|
*/
|
||||||
package org.owasp.dependencycheck.analyzer;
|
package org.owasp.dependencycheck.analyzer;
|
||||||
|
|
||||||
import java.io.BufferedReader;
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.io.FileFilter;
|
import java.io.FileFilter;
|
||||||
import java.io.FileOutputStream;
|
import java.io.FileOutputStream;
|
||||||
@@ -36,9 +35,6 @@ import org.slf4j.Logger;
|
|||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
import org.w3c.dom.Document;
|
import org.w3c.dom.Document;
|
||||||
import org.xml.sax.SAXException;
|
import org.xml.sax.SAXException;
|
||||||
import java.io.InputStreamReader;
|
|
||||||
import java.nio.file.Path;
|
|
||||||
import java.nio.file.Paths;
|
|
||||||
|
|
||||||
import javax.xml.parsers.DocumentBuilder;
|
import javax.xml.parsers.DocumentBuilder;
|
||||||
import javax.xml.parsers.DocumentBuilderFactory;
|
import javax.xml.parsers.DocumentBuilderFactory;
|
||||||
@@ -122,6 +118,10 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
}
|
}
|
||||||
|
|
||||||
final List<String> args = buildArgumentList();
|
final List<String> args = buildArgumentList();
|
||||||
|
if (args == null) {
|
||||||
|
LOGGER.warn("Assembly Analyzer was unable to execute");
|
||||||
|
return;
|
||||||
|
}
|
||||||
args.add(dependency.getActualFilePath());
|
args.add(dependency.getActualFilePath());
|
||||||
final ProcessBuilder pb = new ProcessBuilder(args);
|
final ProcessBuilder pb = new ProcessBuilder(args);
|
||||||
Document doc = null;
|
Document doc = null;
|
||||||
@@ -249,6 +249,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
+ "'exe' or 'dll' was scanned. The 'mono' executale could not be found on "
|
+ "'exe' or 'dll' was scanned. The 'mono' executale could not be found on "
|
||||||
+ "the path; either disable the Assembly Analyzer or configure the path mono.");
|
+ "the path; either disable the Assembly Analyzer or configure the path mono.");
|
||||||
LOGGER.error("----------------------------------------------------");
|
LOGGER.error("----------------------------------------------------");
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
final ProcessBuilder pb = new ProcessBuilder(args);
|
final ProcessBuilder pb = new ProcessBuilder(args);
|
||||||
@@ -353,10 +354,10 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
* <code>false</code>
|
* <code>false</code>
|
||||||
*/
|
*/
|
||||||
private boolean isInPath(String file) {
|
private boolean isInPath(String file) {
|
||||||
ProcessBuilder pb = new ProcessBuilder("which", file);
|
final ProcessBuilder pb = new ProcessBuilder("which", file);
|
||||||
try {
|
try {
|
||||||
Process proc = pb.start();
|
final Process proc = pb.start();
|
||||||
int retCode = proc.waitFor();
|
final int retCode = proc.waitFor();
|
||||||
if (retCode == 0) {
|
if (retCode == 0) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
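Review bot: The guard added at `if (args == null)` warns and returns without naming the dependency, so a .NET assembly that goes un-analyzed leaves only a generic line in the log and no trace on the dependency itself, which is a coverage gap a scanner should make visible. Suggest `LOGGER.warn("Assembly Analyzer was unable to execute; skipping {}", dependency.getActualFilePath());` and, if `buildArgumentList()` can return null for a reason other than a missing mono, logging that reason at the point it returns null. The enclosing method starts and ends outside this hunk. In the `@@ -249` hunk the new `return;` is right, but the message it follows still reads `The 'mono' executale could not be found` — `executable`. In the `isInPath` hunk, `proc.waitFor()` is called without the process streams ever being closed; they stay open until the `Process` is collected, which the static analysers this commit addresses commonly report as a resource leak — that method's catch block lies outside the hunk.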
|
|||||||
@@ -196,6 +196,9 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
* @param engine the dependency-check engine
|
* @param engine the dependency-check engine
|
||||||
* @param contents the version information
|
* @param contents the version information
|
||||||
*/
|
*/
|
||||||
|
@edu.umd.cs.findbugs.annotations.SuppressFBWarnings(
|
||||||
|
value = "DM_DEFAULT_ENCODING",
|
||||||
|
justification = "Default encoding is only used if UTF-8 is not available")
|
||||||
private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
|
private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
|
||||||
Dependency currentDep = dependency;
|
Dependency currentDep = dependency;
|
||||||
|
|
||||||
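Review bot: The suppression `@SuppressFBWarnings(value = "DM_DEFAULT_ENCODING", ...)` hides a branch that can never legitimately run: its justification says the default encoding is used only "if UTF-8 is not available", but every Java implementation is required to support UTF-8, so the fallback is dead code and the warning is pointing at the real fix rather than a false positive. Replacing the charset lookup in `analyzeSetVersionCommand` (its body is outside the hunk) with `StandardCharsets.UTF_8`, which throws no checked exception, removes both the fallback and the need for the annotation. If the project still targets Java 6, `Charset.forName("UTF-8")` achieves the same without the suppression.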
|
|||||||
@@ -13,7 +13,7 @@
|
|||||||
* See the License for the specific language governing permissions and
|
* See the License for the specific language governing permissions and
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*
|
*
|
||||||
* © Copyright IBM Corporation 2016.
|
* Copyright (c) 2016 IBM Corporation. All Rights Reserved.
|
||||||
*/
|
*/
|
||||||
package org.owasp.dependencycheck.analyzer;
|
package org.owasp.dependencycheck.analyzer;
|
||||||
|
|
||||||
@@ -154,19 +154,32 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
setPackagePath(dependency);
|
setPackagePath(dependency);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Extracts evidence from the contents and adds it to the given evidence
|
||||||
|
* collection.
|
||||||
|
*
|
||||||
|
* @param evidences the evidence collection to update
|
||||||
|
* @param contents the text to extract evidence from
|
||||||
|
* @param blockVariable the block variable within the content to search for
|
||||||
|
* @param field the name of the field being searched for
|
||||||
|
* @param fieldPattern the field pattern within the contents to search for
|
||||||
|
* @param confidence the confidence level of the evidence if found
|
||||||
|
* @return the string that was added as evidence
|
||||||
|
*/
|
||||||
private String addStringEvidence(EvidenceCollection evidences, String contents,
|
private String addStringEvidence(EvidenceCollection evidences, String contents,
|
||||||
String blockVariable, String field, String fieldPattern, Confidence confidence) {
|
String blockVariable, String field, String fieldPattern, Confidence confidence) {
|
||||||
String value = "";
|
String value = "";
|
||||||
|
|
||||||
//capture array value between [ ]
|
//capture array value between [ ]
|
||||||
final Matcher arrayMatcher = Pattern.compile(
|
final Matcher arrayMatcher = Pattern.compile(
|
||||||
String.format("\\s*?%s\\.%s\\s*?=\\s*?\\{\\s*?(.*?)\\s*?\\}", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents);
|
String.format("\\s*?%s\\.%s\\s*?=\\s*?\\{\\s*?(.*?)\\s*?\\}", blockVariable, fieldPattern),
|
||||||
|
Pattern.CASE_INSENSITIVE).matcher(contents);
|
||||||
if (arrayMatcher.find()) {
|
if (arrayMatcher.find()) {
|
||||||
value = arrayMatcher.group(1);
|
value = arrayMatcher.group(1);
|
||||||
} //capture single value between quotes
|
} else { //capture single value between quotes
|
||||||
else {
|
|
||||||
final Matcher matcher = Pattern.compile(
|
final Matcher matcher = Pattern.compile(
|
||||||
String.format("\\s*?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents);
|
String.format("\\s*?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, fieldPattern),
|
||||||
|
Pattern.CASE_INSENSITIVE).matcher(contents);
|
||||||
if (matcher.find()) {
|
if (matcher.find()) {
|
||||||
value = matcher.group(2);
|
value = matcher.group(2);
|
||||||
}
|
}
|
||||||
@@ -177,9 +190,14 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
return value;
|
return value;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets the package path on the given dependency.
|
||||||
|
*
|
||||||
|
* @param dep the dependency to update
|
||||||
|
*/
|
||||||
private void setPackagePath(Dependency dep) {
|
private void setPackagePath(Dependency dep) {
|
||||||
File file = new File(dep.getFilePath());
|
final File file = new File(dep.getFilePath());
|
||||||
String parent = file.getParent();
|
final String parent = file.getParent();
|
||||||
if (parent != null) {
|
if (parent != null) {
|
||||||
dep.setPackagePath(parent);
|
dep.setPackagePath(parent);
|
||||||
}
|
}
|
||||||
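Review bot: The new javadoc `@return the string that was added as evidence` on `addStringEvidence` is incomplete: `value` is initialised to `""` and returned unchanged when neither regex matches, so callers receive an empty string rather than any signal that nothing was found; suggest `@return the string that was added as evidence, or an empty string if no value was found`. Whether evidence is still added for an empty value happens between the two hunks and is not visible here. A smaller point at `String.format("\\s*?%s\\.%s\\s*?=\\s*?\\{\\s*?(.*?)\\s*?\\}", blockVariable, fieldPattern)`: `blockVariable` and `fieldPattern` are spliced into the regex unquoted, which is fine for the literal names callers presumably pass, but a comment such as `// blockVariable/fieldPattern are regex fragments, not literals` would keep anyone from passing text derived from the scanned file there.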
|
|||||||
@@ -411,6 +411,14 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determines which of the swift dependencies should be considered the
|
||||||
|
* primary.
|
||||||
|
*
|
||||||
|
* @param dependency1 the first swift dependency to compare
|
||||||
|
* @param dependency2 the second swift dependency to compare
|
||||||
|
* @return the primary swift dependency
|
||||||
|
*/
|
||||||
private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) {
|
private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) {
|
||||||
if (isSameSwiftPackage(dependency1, dependency2)) {
|
if (isSameSwiftPackage(dependency1, dependency2)) {
|
||||||
if (dependency1.getFileName().endsWith(".podspec")) {
|
if (dependency1.getFileName().endsWith(".podspec")) {
|
||||||
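Review bot: The javadoc added above `getMainSwiftDependency` does not say which dependency is returned when `isSameSwiftPackage` is false, and the visible body only shows the true branch; the method continues past the hunk. The nested `endsWith(".podspec")` check suggests the podspec is preferred when both describe the same package, so once the remaining branches are confirmed the `@return` line could read `@return the primary swift dependency; the .podspec is preferred when both describe the same package, otherwise ...` with the fallback filled in.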
|
|||||||
@@ -70,10 +70,12 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
|
|||||||
/**
|
/**
|
||||||
* Python init files
|
* Python init files
|
||||||
*/
|
*/
|
||||||
|
//CSOFF: WhitespaceAfter
|
||||||
private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[]{
|
private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[]{
|
||||||
"__init__.py",
|
"__init__.py",
|
||||||
"__init__.pyc",
|
"__init__.pyc",
|
||||||
"__init__.pyo",});
|
"__init__.pyo",});
|
||||||
|
//CSON: WhitespaceAfter
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Collects information about the file name.
|
* Collects information about the file name.
|
||||||
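Review bot: The `//CSOFF: WhitespaceAfter` / `//CSON: WhitespaceAfter` pair exists only to tolerate the trailing `,}` in the `IGNORED_FILES` array literal; dropping that comma, `"__init__.pyo"});`, makes the declaration pass the check without any suppression and is a one-line change. Suppressions that outlive their cause tend to be copied to the next array literal, so removing the root cause is the cheaper option here.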
|
|||||||
@@ -228,10 +228,13 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
throw new AnalysisException(ex);
|
throw new AnalysisException(ex);
|
||||||
}
|
}
|
||||||
|
|
||||||
collectWheelMetadata(
|
File matchingFile = getMatchingFile(temp, folderFilter);
|
||||||
dependency,
|
if (matchingFile != null) {
|
||||||
getMatchingFile(getMatchingFile(temp, folderFilter),
|
matchingFile = getMatchingFile(matchingFile, metadataFilter);
|
||||||
metadataFilter));
|
if (matchingFile != null) {
|
||||||
|
collectWheelMetadata(dependency, matchingFile);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
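Review bot: When either `getMatchingFile` call returns null the new code silently skips `collectWheelMetadata`, so a wheel whose metadata folder or METADATA file is missing produces no evidence and leaves no trace in the log; the old nested call at least failed loudly. Consider an `else` on the inner check with a debug-level message naming the archive, e.g. `LOGGER.debug("No wheel metadata found in {}", dependency.getActualFilePath());` (assuming this class has a LOGGER like the other analyzers in this commit). The surrounding method starts outside the hunk.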
|
|||||||
@@ -280,11 +280,16 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
}
|
}
|
||||||
final File parentFile = dependency.getActualFile().getParentFile();
|
final File parentFile = dependency.getActualFile().getParentFile();
|
||||||
final Process process = launchBundleAudit(parentFile);
|
final Process process = launchBundleAudit(parentFile);
|
||||||
|
final int exitValue;
|
||||||
try {
|
try {
|
||||||
process.waitFor();
|
exitValue = process.waitFor();
|
||||||
} catch (InterruptedException ie) {
|
} catch (InterruptedException ie) {
|
||||||
throw new AnalysisException("bundle-audit process interrupted", ie);
|
throw new AnalysisException("bundle-audit process interrupted", ie);
|
||||||
}
|
}
|
||||||
|
if (exitValue != 0) {
|
||||||
|
final String msg = String.format("Unexpected exit code from bundle-audit process; exit code: %s", exitValue);
|
||||||
|
throw new AnalysisException(msg);
|
||||||
|
}
|
||||||
BufferedReader rdr = null;
|
BufferedReader rdr = null;
|
||||||
BufferedReader errReader = null;
|
BufferedReader errReader = null;
|
||||||
try {
|
try {
|
||||||
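Review bot: The new `if (exitValue != 0)` throws for every non-zero status, but bundle-audit exits with status 1 precisely when it finds vulnerable gems or insecure sources, so this check turns the analyzer's most important result into an `AnalysisException` and the findings below are never parsed. Treat 1 as a normal outcome, `if (exitValue < 0 || exitValue > 1) {`, and keep the exception for genuinely unexpected codes. Note also that `process.waitFor()` runs before the stdout/stderr readers opened below are drained; if bundle-audit writes more than the pipe buffer, the child blocks and `waitFor()` never returns, so reading the streams first (or redirecting stderr) would be safer — this ordering predates the commit. `%s` with an int works, but `%d` in the format string states the intent.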
|
|||||||
@@ -13,7 +13,7 @@
|
|||||||
* See the License for the specific language governing permissions and
|
* See the License for the specific language governing permissions and
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*
|
*
|
||||||
* © Copyright IBM Corporation 2016.
|
* Copyright (c) 2016 IBM Corporation. All Rights Reserved.
|
||||||
*/
|
*/
|
||||||
package org.owasp.dependencycheck.analyzer;
|
package org.owasp.dependencycheck.analyzer;
|
||||||
|
|
||||||
|
|||||||
@@ -13,7 +13,7 @@
|
|||||||
* See the License for the specific language governing permissions and
|
* See the License for the specific language governing permissions and
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*
|
*
|
||||||
* © Copyright IBM Corporation 2016.
|
* Copyright (c) 2016 IBM Corporation. All Rights Reserved.
|
||||||
*/
|
*/
|
||||||
package org.owasp.dependencycheck.analyzer;
|
package org.owasp.dependencycheck.analyzer;
|
||||||
|
|
||||||
@@ -146,6 +146,17 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
setPackagePath(dependency);
|
setPackagePath(dependency);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Extracts evidence from the package description and adds it to the given
|
||||||
|
* evidence collection.
|
||||||
|
*
|
||||||
|
* @param evidences the evidence collection to update
|
||||||
|
* @param packageDescription the text to extract evidence from
|
||||||
|
* @param field the name of the field being searched for
|
||||||
|
* @param fieldPattern the field pattern within the contents to search for
|
||||||
|
* @param confidence the confidence level of the evidence if found
|
||||||
|
* @return the string that was added as evidence
|
||||||
|
*/
|
||||||
private String addStringEvidence(EvidenceCollection evidences,
|
private String addStringEvidence(EvidenceCollection evidences,
|
||||||
String packageDescription, String field, String fieldPattern, Confidence confidence) {
|
String packageDescription, String field, String fieldPattern, Confidence confidence) {
|
||||||
String value = "";
|
String value = "";
|
||||||
@@ -166,6 +177,11 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
|
|||||||
return value;
|
return value;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets the package path on the given dependency.
|
||||||
|
*
|
||||||
|
* @param dep the dependency to update
|
||||||
|
*/
|
||||||
private void setPackagePath(Dependency dep) {
|
private void setPackagePath(Dependency dep) {
|
||||||
final File file = new File(dep.getFilePath());
|
final File file = new File(dep.getFilePath());
|
||||||
final String parent = file.getParent();
|
final String parent = file.getParent();
|
||||||
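Review bot: `setPackagePath` here is line-for-line the same as the one CocoaPodsAnalyzer gets in this same commit (both build `new File(dep.getFilePath())` and take `getParent()`), and both copies now carry identical javadoc; consider hoisting it into the shared `AbstractFileTypeAnalyzer` or a helper on `Dependency` so the two cannot drift. The `@return the string that was added as evidence` on `addStringEvidence` should also say that `""` is returned when nothing matched, since `value` is initialised to `""` and the `return value;` hunk returns it as-is; the body between the two hunks is not visible. `setPackagePath` continues past the hunk.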
|
|||||||
@@ -212,7 +212,7 @@ public class ExceptionCollection extends Exception {
|
|||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public String getMessage() {
|
public String getMessage() {
|
||||||
StringBuilder sb = new StringBuilder();
|
final StringBuilder sb = new StringBuilder();
|
||||||
final String msg = super.getMessage();
|
final String msg = super.getMessage();
|
||||||
if (msg == null || msg.isEmpty()) {
|
if (msg == null || msg.isEmpty()) {
|
||||||
sb.append("One or more exceptions occured during analysis:");
|
sb.append("One or more exceptions occured during analysis:");
|
||||||
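Review bot: The message appended at `sb.append("One or more exceptions occured during analysis:")` misspells "occurred"; because `getMessage()` is what ends up in reports and logs, fix it to `sb.append("One or more exceptions occurred during analysis:");`. The `final` added to `sb` is fine. The method continues past the hunk.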
|
|||||||
@@ -17,8 +17,6 @@
|
|||||||
*/
|
*/
|
||||||
package org.owasp.dependencycheck.xml.suppression;
|
package org.owasp.dependencycheck.xml.suppression;
|
||||||
|
|
||||||
import org.slf4j.Logger;
|
|
||||||
import org.slf4j.LoggerFactory;
|
|
||||||
import org.xml.sax.ErrorHandler;
|
import org.xml.sax.ErrorHandler;
|
||||||
import org.xml.sax.SAXException;
|
import org.xml.sax.SAXException;
|
||||||
import org.xml.sax.SAXParseException;
|
import org.xml.sax.SAXParseException;
|
||||||
@@ -33,7 +31,7 @@ public class SuppressionErrorHandler implements ErrorHandler {
|
|||||||
/**
|
/**
|
||||||
* The logger.
|
* The logger.
|
||||||
*/
|
*/
|
||||||
private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionErrorHandler.class);
|
//private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionErrorHandler.class);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Builds a prettier exception message.
|
* Builds a prettier exception message.
|
||||||
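Review bot: Commenting out the field, `//private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionErrorHandler.class);`, leaves dead code plus a dangling `/** The logger. */` javadoc that now documents a comment; delete both rather than keeping them, since the imports are already gone and version control holds the history. If the logger was dropped because the handler now rethrows instead of logging, a one-line class javadoc saying so would tell the next reader why a parse-error handler has no logger.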
|
|||||||
@@ -58,11 +58,11 @@ public final class Checksum {
|
|||||||
* @throws NoSuchAlgorithmException when an algorithm is specified that does not exist
|
* @throws NoSuchAlgorithmException when an algorithm is specified that does not exist
|
||||||
*/
|
*/
|
||||||
public static byte[] getChecksum(String algorithm, File file) throws NoSuchAlgorithmException, IOException {
|
public static byte[] getChecksum(String algorithm, File file) throws NoSuchAlgorithmException, IOException {
|
||||||
MessageDigest digest = MessageDigest.getInstance(algorithm);
|
final MessageDigest digest = MessageDigest.getInstance(algorithm);
|
||||||
FileInputStream fis = null;
|
FileInputStream fis = null;
|
||||||
try {
|
try {
|
||||||
fis = new FileInputStream(file);
|
fis = new FileInputStream(file);
|
||||||
FileChannel ch = fis.getChannel();
|
final FileChannel ch = fis.getChannel();
|
||||||
long remainingToRead = file.length();
|
long remainingToRead = file.length();
|
||||||
long start = 0;
|
long start = 0;
|
||||||
while (remainingToRead > 0) {
|
while (remainingToRead > 0) {
|
||||||
@@ -74,7 +74,7 @@ public final class Checksum {
|
|||||||
amountToRead = remainingToRead;
|
amountToRead = remainingToRead;
|
||||||
remainingToRead = 0;
|
remainingToRead = 0;
|
||||||
}
|
}
|
||||||
MappedByteBuffer byteBuffer = ch.map(FileChannel.MapMode.READ_ONLY, start, amountToRead);
|
final MappedByteBuffer byteBuffer = ch.map(FileChannel.MapMode.READ_ONLY, start, amountToRead);
|
||||||
digest.update(byteBuffer);
|
digest.update(byteBuffer);
|
||||||
start += amountToRead;
|
start += amountToRead;
|
||||||
}
|
}
|
||||||
@@ -99,7 +99,7 @@ public final class Checksum {
|
|||||||
* @throws NoSuchAlgorithmException when the MD5 algorithm is not available
|
* @throws NoSuchAlgorithmException when the MD5 algorithm is not available
|
||||||
*/
|
*/
|
||||||
public static String getMD5Checksum(File file) throws IOException, NoSuchAlgorithmException {
|
public static String getMD5Checksum(File file) throws IOException, NoSuchAlgorithmException {
|
||||||
byte[] b = getChecksum("MD5", file);
|
final byte[] b = getChecksum("MD5", file);
|
||||||
return getHex(b);
|
return getHex(b);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -112,7 +112,7 @@ public final class Checksum {
|
|||||||
* @throws NoSuchAlgorithmException when the SHA1 algorithm is not available
|
* @throws NoSuchAlgorithmException when the SHA1 algorithm is not available
|
||||||
*/
|
*/
|
||||||
public static String getSHA1Checksum(File file) throws IOException, NoSuchAlgorithmException {
|
public static String getSHA1Checksum(File file) throws IOException, NoSuchAlgorithmException {
|
||||||
byte[] b = getChecksum("SHA1", file);
|
final byte[] b = getChecksum("SHA1", file);
|
||||||
return getHex(b);
|
return getHex(b);
|
||||||
}
|
}
|
||||||
/**
|
/**
|
||||||
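Review bot: Each iteration of the `while (remainingToRead > 0)` loop in `getChecksum` maps a fresh `MappedByteBuffer` via `ch.map(FileChannel.MapMode.READ_ONLY, start, amountToRead)` and never releases it; the JDK offers no explicit unmap, so each mapping lives until the buffer is garbage-collected, and on Windows the scanned file stays locked (undeletable) for that time — a problem for a tool that hashes many archives and extracted temp files. Reading through a reusable heap `ByteBuffer` yields the same digest without any mapping, and try-with-resources replaces the `fis = null` / manual close handling that follows the hunk (needs `java.nio.ByteBuffer` imported and Java 7+). The `getMD5Checksum` and `getSHA1Checksum` hunks are `final` additions only; the remainder of `getChecksum` is outside the hunk.
```java
public static byte[] getChecksum(String algorithm, File file) throws NoSuchAlgorithmException, IOException {
    final MessageDigest digest = MessageDigest.getInstance(algorithm);
    try (FileInputStream fis = new FileInputStream(file);
            FileChannel ch = fis.getChannel()) {
        // heap buffer: nothing is mapped, so no file lock outlives the call
        final ByteBuffer buffer = ByteBuffer.allocate(64 * 1024);
        while (ch.read(buffer) != -1) {
            buffer.flip();
            digest.update(buffer);
            buffer.clear();
        }
    }
    // … unchanged: remainder of method (digest result) …
```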
|
|||||||
@@ -304,7 +304,7 @@ public final class Downloader {
|
|||||||
Throwable cause = ex;
|
Throwable cause = ex;
|
||||||
while (cause != null) {
|
while (cause != null) {
|
||||||
if (cause instanceof java.net.UnknownHostException) {
|
if (cause instanceof java.net.UnknownHostException) {
|
||||||
final String msg = String.format("Unable to resolve domain '%s'", cause.getMessage());
|
final String msg = format("Unable to resolve domain '%s'", cause.getMessage());
|
||||||
LOGGER.error(msg);
|
LOGGER.error(msg);
|
||||||
throw new DownloadFailedException(msg);
|
throw new DownloadFailedException(msg);
|
||||||
}
|
}
|
||||||
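Review bot: `LOGGER.error(msg)` immediately followed by `throw new DownloadFailedException(msg)` reports the same failure twice whenever the caller logs the exception, and the thrown exception loses the `UnknownHostException` it was built from; prefer dropping the log line and passing the cause through, `throw new DownloadFailedException(msg, cause);`, if that constructor exists. The swap to a statically imported `format` reads less clearly than `String.format` for a one-off call and is easy to confuse with other `format` methods in scope. The enclosing catch block starts outside the hunk.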
|
|||||||
@@ -7,8 +7,9 @@
|
|||||||
<suppressions>
|
<suppressions>
|
||||||
<suppress checks=".*" files=".*[\\/]package-info\.java" />
|
<suppress checks=".*" files=".*[\\/]package-info\.java" />
|
||||||
<suppress checks=".*" files=".*[\\/]org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]Filter.java" />
|
<suppress checks=".*" files=".*[\\/]org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]Filter.java" />
|
||||||
<suppress checks=".*" files=".*[\\/]org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]Checksum.java" />
|
<!--suppress checks=".*" files=".*[\\/]org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]Checksum.java" /-->
|
||||||
<suppress checks=".*" files=".*[\\/]generated[\\/].*.java" />
|
<suppress checks=".*" files=".*[\\/]generated[\\/].*.java" />
|
||||||
<suppress checks=".*" files=".*[\\/]maven-plugin-plugin-sources[\\/].*.properties" />
|
<suppress checks=".*" files=".*[\\/]maven-plugin-plugin-sources[\\/].*.properties" />
|
||||||
<suppress checks=".*" files=".*[\\/]org[\\/]owasp[\\/]dependencycheck[\\/]org[\\/]apache[\\/].*.java" />
|
<!--suppress checks=".*" files=".*[\\/]org[\\/]owasp[\\/]dependencycheck[\\/]org[\\/]apache[\\/].*.java" /-->
|
||||||
|
<suppress checks="RegexpHeader" files=".*[\\/]org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]SSLSocketFactoryEx.java" />
|
||||||
</suppressions>
|
</suppressions>
|
||||||
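Review bot: The two entries turned into `<!--suppress ... /-->` comments are dead configuration; if Checksum.java and the `org/apache` sources are meant to be checked from now on, delete the lines instead of leaving commented-out XML that will drift from the live rule set. The new `RegexpHeader` suppression for SSLSocketFactoryEx.java is scoped to the header check only, which is the right granularity for a security-sensitive file that presumably carries a different licence header; a short XML comment stating that reason would keep the suppression from being widened to `checks=".*"` later.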