diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java
index a6d266e71..1dd2b41ba 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java
@@ -77,7 +77,7 @@ public abstract class AbstractNpmAnalyzer extends AbstractFileTypeAnalyzer {
 accept = false;
 }
 } catch (IOException ex) {
- throw new RuntimeException(ex);
+ throw new RuntimeException("Unable to process dependency", ex);
 }
 }
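Review bot: The catch block in this hunk still wraps the IOException in an unchecked RuntimeException, while the two identical catch blocks this commit touches in NodePackageAnalyzer (@@ -176) and NspAnalyzer (@@ -169) now throw AnalysisException, so the three analyzers report the same failure in different ways. An unchecked exception escaping here is likely to abort the scan rather than being surfaced as an analysis failure, whereas AnalysisException is the checked type the engine already handles. The surrounding `accept = false;` suggests this is the file-accept check, whose signature is outside the hunk; if it cannot declare AnalysisException, a logged warning plus `accept = false` would be the consistent alternative, and in any case the message should name the file so the failure can be traced. The enclosing method starts and ends outside the hunk.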
@@ -211,38 +211,6 @@ public abstract class AbstractNpmAnalyzer extends AbstractFileTypeAnalyzer {
 if (DependencyBundlingAnalyzer.npmVersionsMatch(version, dependencyVersion)) {
 return d;
 }
-// if (dependencyVersion.startsWith("^") || dependencyVersion.startsWith("~")) {
-// dependencyVersion = dependencyVersion.substring(1);
-// }
-//
-// if (version.equals(dependencyVersion)) {
-// return d;
-// }
-// if (version.startsWith("^") || version.startsWith("~") || version.contains("*")) {
-// String type;
-// String tmp;
-// if (version.startsWith("^") || version.startsWith("~")) {
-// type = version.substring(0, 1);
-// tmp = version.substring(1);
-// } else {
-// type = "*";
-// tmp = version;
-// }
-// final String[] v = tmp.split(" ")[0].split("\\.");
-// final String[] depVersion = dependencyVersion.split("\\.");
-//
-// if ("^".equals(type) && v[0].equals(depVersion[0])) {
-// return d;
-// } else if ("~".equals(type) && v.length >= 2 && depVersion.length >= 2
-// && v[0].equals(depVersion[0]) && v[1].equals(depVersion[1])) {
-// return d;
-// } else if (v[0].equals("*")
-// || (v.length >= 2 && v[0].equals(depVersion[0]) && v[1].equals("*"))
-// || (v.length >= 3 && depVersion.length >= 2 && v[0].equals(depVersion[0])
-// && v[1].equals(depVersion[1]) && v[2].equals("*"))) {
-// return d;
-// }
-// }
 }
 }
 return null;
@@ -295,6 +263,7 @@ public abstract class AbstractNpmAnalyzer extends AbstractFileTypeAnalyzer {
 sb.append(array.getString(x));
 }
 }
+ dependency.setLicense(sb.toString());
 } else {
 dependency.setLicense(json.getJsonObject("license").getString("type"));
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
index 7d6916406..4ee2f8dea 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
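Review bot: The added `dependency.setLicense(sb.toString());` in the @@ -295 hunk runs unconditionally, so an empty license array now records an empty-string license where previously the license was left unset; if "unset" is meant to signal unknown, guard it with `if (sb.length() > 0) { dependency.setLicense(sb.toString()); }`. Because the license field comes from a package.json supplied with the scanned project, it is also worth noting that `array.getString(x)` on the preceding context line throws ClassCastException for a non-string element (an object entry, for instance), which would propagate out of this code path unless a caller catches it; that predates this commit but sits on the same lines. The enclosing method starts and ends outside the hunk.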
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -85,7 +85,8 @@ public class NodePackageAnalyzer extends AbstractNpmAnalyzer {
 */
 public static final String SHRINKWRAP_JSON = "npm-shrinkwrap.json";
 /**
- * Filter that detects files named "package-lock.json" or "npm-shrinkwrap.json".
+ * Filter that detects files named "package-lock.json" or
+ * "npm-shrinkwrap.json".
 */
 private static final FileFilter PACKAGE_JSON_FILTER = FileFilterBuilder.newInstance()
 .addFilenames(PACKAGE_LOCK_JSON, SHRINKWRAP_JSON).build();
@@ -176,7 +177,7 @@ public class NodePackageAnalyzer extends AbstractNpmAnalyzer {
 return;
 }
 } catch (IOException ex) {
- throw new RuntimeException(ex);
+ throw new AnalysisException("Unable to process dependency", ex);
 }
 final File baseDir = dependencyFile.getParentFile();
 if (PACKAGE_LOCK_JSON.equals(dependency.getFileName())) {
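Review bot: The new `AnalysisException("Unable to process dependency", ex)` in the @@ -176 hunk gives no indication of which file failed, so in a scan with many package-lock files the error cannot be traced back to its source. `dependencyFile` is used on the line right after the catch, so it is already in scope and `throw new AnalysisException("Unable to process dependency " + dependencyFile, ex);` would keep the cause and add the path. The identical catch in NspAnalyzer (@@ -169, next file) has the same gap, with `file` in scope on its following line. The enclosing method starts and ends outside the hunk.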
@@ -210,14 +211,15 @@ public class NodePackageAnalyzer extends AbstractNpmAnalyzer {
 * dependencies and then finding the package.json for the module and adding
 * it as a dependency.
 *
- * @param json
- * @param baseDir
- * @param rootFile
- * @param parentPackage
- * @param engine
- * @throws AnalysisException
+ * @param json the data to process
+ * @param baseDir the base directory being scanned
+ * @param rootFile the root package-lock/npm-shrinkwrap being analyzed
+ * @param parentPackage the parent package name of the current node
+ * @param engine a reference to the dependency-check engine
+ * @throws AnalysisException thrown if there is an exception
 */
- private void processDependencies(final JsonObject json, File baseDir, File rootFile, final String parentPackage, Engine engine) throws AnalysisException {
+ private void processDependencies(JsonObject json, File baseDir, File rootFile,
+ String parentPackage, Engine engine) throws AnalysisException {
 if (json.containsKey("dependencies")) {
 final JsonObject deps = json.getJsonObject("dependencies");
 for (Map.Entry entry : deps.entrySet()) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
index 0a9ae2cf4..1d983171c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
@@ -169,7 +169,7 @@ public class NspAnalyzer extends AbstractNpmAnalyzer {
 return;
 }
 } catch (IOException ex) {
- throw new RuntimeException(ex);
+ throw new AnalysisException("Unable to process dependency", ex);
 }
 try (JsonReader jsonReader = Json.createReader(FileUtils.openInputStream(file))) {
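Review bot: The loop on the last line of the @@ -210 hunk still iterates `deps.entrySet()` through a raw `Map.Entry`, so the key and value come back as Object and every use below needs an unchecked cast; since a javax.json `JsonObject` is a `Map<String, JsonValue>`, `for (Map.Entry<String, JsonValue> entry : deps.entrySet())` removes the raw type (JsonValue may need importing if it is not already). The rewritten Javadoc's `@throws AnalysisException thrown if there is an exception` tells the reader nothing; naming the condition, along the lines of `@throws AnalysisException if a dependency's package.json cannot be read or parsed`, would be more useful, hedged because the failing calls are in the body outside the hunk. The reformatted signature also drops `final` from `json` and `parentPackage` for no visible reason, while the next line keeps `final JsonObject deps`. processDependencies's body continues outside the hunk.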
@@ -206,7 +206,7 @@ public class NspAnalyzer extends AbstractNpmAnalyzer {
 * Create a single vulnerable software object - these do not use CPEs unlike the NVD.
 */
 final VulnerableSoftware vs = new VulnerableSoftware();
-//TODO consider changing this to available versions on the dependency
+//TODO consider changing this to available versions on the dependency
 // - the update is a part of the version, not versions to update to
 //vs.setUpdate(advisory.getPatchedVersions());
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
index e0829d0da..7911b47e6 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
@@ -126,7 +126,7 @@ public class EscapeTool {
 return "\"\"";
 }
 final String str = text.trim().replace("\n", " ");
- if (str.length()==0) {
+ if (str.length() == 0) {
 return "\"\"";
 }
 return StringEscapeUtils.escapeCsv(str);
@@ -155,7 +155,7 @@ public class EscapeTool {
 sb.append(id.getValue());
 }
 }
- if (sb.length()==0) {
+ if (sb.length() == 0) {
 return "\"\"";
 }
 return StringEscapeUtils.escapeCsv(sb.toString());
@@ -184,7 +184,7 @@ public class EscapeTool {
 sb.append(id.getValue());
 }
 }
- if (sb.length()==0) {
+ if (sb.length() == 0) {
 return "\"\"";
 }
 return StringEscapeUtils.escapeCsv(sb.toString());
@@ -213,7 +213,7 @@ public class EscapeTool {
 sb.append(id.getConfidence());
 }
 }
- if (sb.length()==0) {
+ if (sb.length() == 0) {
 return "\"\"";
 }
 return StringEscapeUtils.escapeCsv(sb.toString());
@@ -242,7 +242,7 @@ public class EscapeTool {
 sb.append(id.getValue());
 }
 }
- if (sb.length()==0) {
+ if (sb.length() == 0) {
 return "\"\"";
 }
 return StringEscapeUtils.escapeCsv(sb.toString());
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java
index edb56b113..9cc3c7ea6 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java
@@ -91,6 +91,9 @@ public class NspAnalyzerTest extends BaseTest {
 final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nsp/minimal-invalid.json"));
 analyzer.analyze(result, engine);
 // Upon analysis, not throwing an exception in this case, is all that's required to pass this test
+ } catch(Throwable ex) {
+ fail("This test should not throw an exception");
+ throw ex;
 }
 }
 }
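Review bot: The added `catch(Throwable ex)` block does not change the test's outcome and loses information: `fail(...)` throws an AssertionError, so the `throw ex;` after it is never reached, and a failure now reports only the fixed message instead of the original exception's type and stack trace. An uncaught exception already fails the test, so the simplest change is to drop the catch; if an explicit message is wanted, keep the cause with `throw new AssertionError("This test should not throw an exception", ex);` in place of the two added lines. The `catch(Throwable` spacing also differs from the `catch (IOException` form used in the other files of this commit. The try block begins outside the hunk.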