catch IOExceptions when parsing jar manifest

Richard Mealing
2017-08-17 19:54:13 +01:00
parent fb2b3159e8
commit ab2e5f31c8
2 changed files with 28 additions and 26 deletions


@@ -223,23 +223,19 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*/ */
@Override @Override
public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
try { final List<ClassNameInformation> classNames = collectClassNames(dependency);
final List<ClassNameInformation> classNames = collectClassNames(dependency); final String fileName = dependency.getFileName().toLowerCase();
final String fileName = dependency.getFileName().toLowerCase(); if (classNames.isEmpty()
if (classNames.isEmpty() && (fileName.endsWith("-sources.jar")
&& (fileName.endsWith("-sources.jar") || fileName.endsWith("-javadoc.jar")
|| fileName.endsWith("-javadoc.jar") || fileName.endsWith("-src.jar")
|| fileName.endsWith("-src.jar") || fileName.endsWith("-doc.jar"))) {
|| fileName.endsWith("-doc.jar"))) { engine.getDependencies().remove(dependency);
engine.getDependencies().remove(dependency);
}
final boolean hasManifest = parseManifest(dependency, classNames);
final boolean hasPOM = analyzePOM(dependency, classNames, engine);
final boolean addPackagesAsEvidence = !(hasManifest && hasPOM);
analyzePackageNames(classNames, dependency, addPackagesAsEvidence);
} catch (IOException ex) {
throw new AnalysisException("Exception occurred reading the JAR file (" + dependency.getFileName() + ").", ex);
} }
final boolean hasManifest = parseManifest(dependency, classNames);
final boolean hasPOM = analyzePOM(dependency, classNames, engine);
final boolean addPackagesAsEvidence = !(hasManifest && hasPOM);
analyzePackageNames(classNames, dependency, addPackagesAsEvidence);
} }
/** /**
@@ -587,10 +583,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @param dependency A reference to the dependency * @param dependency A reference to the dependency
* @param classInformation a collection of class information * @param classInformation a collection of class information
* @return whether evidence was identified parsing the manifest * @return whether evidence was identified parsing the manifest
* @throws IOException if there is an issue reading the JAR file
*/ */
protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation) protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation) {
throws IOException {
boolean foundSomething = false; boolean foundSomething = false;
try (JarFile jar = new JarFile(dependency.getActualFilePath())) { try (JarFile jar = new JarFile(dependency.getActualFilePath())) {
final Manifest manifest = jar.getManifest(); final Manifest manifest = jar.getManifest();
@@ -747,6 +741,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
foundSomething = true; foundSomething = true;
versionEvidence.addEvidence(source, "specification-version", specificationVersion, Confidence.HIGH); versionEvidence.addEvidence(source, "specification-version", specificationVersion, Confidence.HIGH);
} }
} catch (IOException ex) {
LOGGER.warn("Unable to read JarFile '{}'.", dependency.getActualFilePath());
LOGGER.trace("", ex);
} }
return foundSomething; return foundSomething;
} }
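Review bot: The new catch in parseManifest turns an unreadable or corrupt JAR (ZipException is an IOException, so a truncated or tampered archive lands here too) into a plain `false`, which analyzeDependency then treats as "no manifest evidence" and silently compensates with `addPackagesAsEvidence = true`; before this change the same condition surfaced as an AnalysisException. Since the only diagnostic left at default log level is the path, the warn line should carry the reason so operators can tell a missing file from a damaged one without enabling trace: `LOGGER.warn("Unable to read JarFile '{}': {}", dependency.getActualFilePath(), ex.getMessage());`. The Javadoc on parseManifest should also state the new contract, e.g. `@return whether evidence was identified parsing the manifest; false if the JAR file could not be read`. The first hunk drops the IOException handling from analyzeDependency entirely, which presumably compiles only if collectClassNames and analyzePOM no longer declare IOException — worth confirming, as their bodies are outside this diff.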


@@ -17,24 +17,22 @@
*/ */
package org.owasp.dependencycheck.analyzer; package org.owasp.dependencycheck.analyzer;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import java.io.File; import java.io.File;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test; import org.junit.Test;
import org.owasp.dependencycheck.BaseTest; import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.analyzer.JarAnalyzer.ClassNameInformation;
import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence; import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.Settings;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
/** /**
* @author Jeremy Long * @author Jeremy Long
*/ */
@@ -176,4 +174,11 @@ public class JarAnalyzerTest extends BaseTest {
List<String> results = instance.getPackageStructure(); List<String> results = instance.getPackageStructure();
assertEquals(expected, results); assertEquals(expected, results);
} }
@Test
public void testParseManifest_CatchesIOException() {
Dependency dependency = new Dependency();
dependency.setActualFilePath("doesNotExist");
assertFalse(new JarAnalyzer().parseManifest(dependency, new ArrayList<ClassNameInformation>()));
}
} }
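Review bot: The new test only exercises the missing-file path; the more interesting case for the production change is a file that exists but is not a valid archive, since that is what distinguishes "swallow and continue" from the previous failure, and it is not covered here. A second test that writes a small temporary file with non-zip content, points `setActualFilePath` at it, and asserts `parseManifest` returns false would pin that behaviour. As a minor style point, the argument list can use the diamond operator the rest of the code base's Java 7+ syntax already allows: `new ArrayList<>()`.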