From d9dcc8cc2deb6d587987315d2c0ca18511d9ee7e Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Fri, 17 Feb 2017 17:18:10 -0500
Subject: [PATCH] fixed UTF-8 BOM bug

---
 .../dependencycheck/xml/pom/PomParser.java    |  13 +-
 .../dependencycheck/xml/pom/PomUtilsTest.java |   5 +
 .../src/test/resources/jmockit-1.26.pom       | 268 ++++++++++++++++++
 3 files changed, 281 insertions(+), 5 deletions(-)
 create mode 100644 dependency-check-core/src/test/resources/jmockit-1.26.pom

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
index fd4595737..5218e3d7a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
@@ -26,6 +26,8 @@ import java.io.InputStreamReader;
 import java.io.Reader;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
+import org.apache.commons.io.ByteOrderMark;
+import org.apache.commons.io.input.BOMInputStream;
 import org.owasp.dependencycheck.utils.XmlUtils;
 
 import org.slf4j.Logger;
@@ -88,14 +90,15 @@ public class PomParser {
             final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
             final XMLReader xmlReader = saxParser.getXMLReader();
             xmlReader.setContentHandler(handler);
-            final Reader reader = new InputStreamReader(inputStream, "UTF-8");
+            BOMInputStream bomStream = new BOMInputStream(inputStream);
+            ByteOrderMark bom = bomStream.getBOM();
+            String defaultEncoding = "UTF-8";
+            String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
+            final Reader reader = new InputStreamReader(bomStream, charsetName);
             final InputSource in = new InputSource(reader);
             xmlReader.parse(in);
             return handler.getModel();
-        } catch (ParserConfigurationException ex) {
-            LOGGER.debug("", ex);
-            throw new PomParseException(ex);
-        } catch (SAXException ex) {
+        } catch (ParserConfigurationException | SAXException ex) {
             LOGGER.debug("", ex);
             throw new PomParseException(ex);
         } catch (FileNotFoundException ex) {
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java
index adedf1b35..f16c05724 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java
@@ -38,6 +38,11 @@ public class PomUtilsTest extends BaseTest {
         String expResult = "Direct Web Remoting";
         Model result = PomUtils.readPom(file);
         assertEquals(expResult, result.getName());
+        
+        file = BaseTest.getResourceAsFile(this, "jmockit-1.26.pom");
+        expResult = "Main";
+        result = PomUtils.readPom(file);
+        assertEquals(expResult, result.getName());
     }
 
 }
diff --git a/dependency-check-core/src/test/resources/jmockit-1.26.pom b/dependency-check-core/src/test/resources/jmockit-1.26.pom
new file mode 100644
index 000000000..590d69b63
--- /dev/null
+++ b/dependency-check-core/src/test/resources/jmockit-1.26.pom
@@ -0,0 +1,268 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project
+   xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+   <modelVersion>4.0.0</modelVersion>
+
+   <groupId>org.jmockit</groupId><artifactId>jmockit</artifactId><version>1.26</version>
+   <packaging>jar</packaging>
+
+   <name>Main</name>
+   <description>
+      JMockit is a Java toolkit for automated developer testing.
+      It contains mocking and faking APIs and a code coverage tool, supporting both JUnit and TestNG.
+      The mocking API allows all kinds of Java code, without testability restrictions, to be tested
+      in isolation from selected dependencies.
+   </description>
+   <url>http://www.jmockit.org</url>
+   <licenses>
+      <license>
+         <name>The MIT License</name>
+         <url>http://www.opensource.org/licenses/mit-license.php</url>
+      </license>
+   </licenses>
+   <developers>
+      <developer><name>Rogério Liesenfeld</name></developer>
+   </developers>
+   <inceptionYear>2006</inceptionYear>
+   <scm>
+      <url>https://github.com/jmockit/jmockit1</url>
+      <connection>scm:git:https://github.com/jmockit/jmockit1</connection>
+   </scm>
+   <issueManagement>
+      <system>GitHub Issues</system>
+      <url>https://github.com/jmockit/jmockit1/issues</url>
+   </issueManagement>
+   <mailingLists>
+      <mailingList>
+         <name>JMockit Users</name>
+         <archive>http://groups.google.com/group/jmockit-users</archive>
+         <post>jmockit-users@googlegroups.com</post>
+      </mailingList>
+   </mailingLists>
+
+   <properties>
+      <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+   </properties>
+
+   <build>
+      <sourceDirectory>src</sourceDirectory>
+      <testSourceDirectory>test</testSourceDirectory>
+      <resources>
+         <resource>
+            <directory>.</directory>
+            <includes>
+               <include>META-INF/services/org.junit.platform.engine.TestEngine</include>
+               <include>META-INF/services/org.testng.ITestNGListener</include>
+            </includes>
+         </resource>
+         <resource>
+            <directory>src</directory>
+            <includes>
+               <include>**/*.css</include>
+               <include>**/*.js</include>
+               <include>**/*.png</include>
+            </includes>
+         </resource>
+         <resource>
+            <directory>..</directory>
+            <includes>
+               <include>LICENSE.txt</include>
+               <include>NOTICE.txt</include>
+            </includes>
+         </resource>
+      </resources>
+      <testResources>
+         <testResource>
+            <directory>test</directory>
+            <includes><include>**/*.zip</include></includes>
+         </testResource>
+      </testResources>
+      <plugins>
+         <plugin>
+            <artifactId>maven-enforcer-plugin</artifactId><version>1.4.1</version>
+            <executions>
+               <execution>
+                  <goals><goal>enforce</goal></goals>
+                  <configuration>
+                     <rules>
+                        <requireJavaVersion><version>1.8</version></requireJavaVersion>
+                        <requireMavenVersion><version>3.3.1</version></requireMavenVersion>
+                        <dependencyConvergence/>
+                     </rules>
+                  </configuration>
+               </execution>
+            </executions>
+         </plugin>
+         <plugin>
+            <artifactId>maven-compiler-plugin</artifactId><version>3.5.1</version>
+            <configuration>
+               <encoding>UTF-8</encoding>
+               <source>1.6</source><target>1.6</target>
+               <compilerArgs><arg>-Xlint:none</arg></compilerArgs>
+               <useIncrementalCompilation>false</useIncrementalCompilation>
+            </configuration>
+         </plugin>
+         <plugin>
+            <artifactId>maven-jar-plugin</artifactId><version>2.6</version>
+            <configuration>
+               <archive>
+                  <addMavenDescriptor>false</addMavenDescriptor>
+                  <manifestEntries>
+                     <Main-Class>mockit.coverage.CodeCoverage</Main-Class>
+                     <Premain-Class>mockit.internal.startup.Startup</Premain-Class>
+                     <Agent-Class>mockit.internal.startup.Startup</Agent-Class>
+                     <Can-Redefine-Classes>true</Can-Redefine-Classes>
+                     <Can-Retransform-Classes>true</Can-Retransform-Classes>
+                     <Implementation-Version>${project.version}</Implementation-Version>
+                     <Built-By/>
+                  </manifestEntries>
+               </archive>
+            </configuration>
+         </plugin>
+         <plugin>
+            <artifactId>maven-source-plugin</artifactId><version>3.0.0</version>
+            <configuration>
+               <excludes>
+                  <exclude>*</exclude>
+                  <exclude>**/*.css</exclude>
+                  <exclude>**/*.js</exclude>
+               </excludes>
+            </configuration>
+            <executions>
+               <execution>
+                  <id>attach-sources</id>
+                  <goals><goal>jar-no-fork</goal></goals>
+               </execution>
+            </executions>
+         </plugin>
+         <plugin>
+            <artifactId>maven-javadoc-plugin</artifactId><version>2.10.3</version>
+            <configuration>
+               <encoding>UTF-8</encoding>
+               <nodeprecated>true</nodeprecated>
+               <noindex>true</noindex>
+               <notree>true</notree>
+               <nohelp>true</nohelp>
+               <breakiterator>true</breakiterator>
+               <use>false</use>
+               <source>1.7</source>
+               <windowtitle>JMockit Toolkit API</windowtitle>
+               <doctitle>JMockit Toolkit API Documentation</doctitle>
+               <stylesheetfile>${project.basedir}/../../jmockit.github.io/api1x/stylesheet.css</stylesheetfile>
+               <overview>${project.basedir}/../../jmockit.github.io/api1x/overview.html</overview>
+               <header><![CDATA[<a href="http://jmockit.org" target="_top"><img src="resources/logo.png">JMockit Home</a>]]></header>
+               <footer><![CDATA[<a href="http://jmockit.org" target="_top"><img src="resources/logo.png">JMockit Home</a>]]></footer>
+               <notimestamp>true</notimestamp>
+               <quiet>true</quiet>
+               <sourcepath>${basedir}/src</sourcepath>
+               <subpackages>none</subpackages>
+               <additionalparam>-Xdoclint:none mockit mockit.integration.junit4</additionalparam>
+            </configuration>
+            <executions>
+               <execution>
+                  <id>attach-javadocs</id>
+                  <goals><goal>jar</goal></goals>
+               </execution>
+            </executions>
+         </plugin>
+         <plugin>
+            <artifactId>maven-surefire-plugin</artifactId><version>2.19.1</version>
+            <configuration>
+               <skipTests>true</skipTests>
+               <disableXmlReport>true</disableXmlReport>
+               <runOrder>alphabetical</runOrder>
+            </configuration>
+            <executions>
+               <execution>
+                  <id>JUnit-tests</id>
+                  <phase>test</phase>
+                  <goals><goal>test</goal></goals>
+                  <configuration>
+                     <skipTests>${skipTests}</skipTests>
+                     <testNGArtifactName>none:none</testNGArtifactName>
+                     <excludes>
+                        <exclude>**/*$*</exclude>
+                        <exclude>**/Base*Test.class</exclude>
+                        <exclude>**/JUnit4DecoratorTest.class</exclude>
+                        <exclude>**/testng/*Test.class</exclude>
+                        <exclude>**/MockStateBetweenTestMethodsNGTest.class</exclude>
+                        <exclude>**/mockit/integration/TestedClass.class</exclude>
+                     </excludes>
+                  </configuration>
+               </execution>
+               <execution>
+                  <id>TestNG-tests</id>
+                  <phase>test</phase>
+                  <goals><goal>test</goal></goals>
+                  <configuration>
+                     <skipTests>${skipTests}</skipTests>
+                     <junitArtifactName>none:none</junitArtifactName>
+                     <includes>
+                        <include>**/testng/*Test.class</include>
+                        <include>**/MockStateBetweenTestMethodsNGTest.class</include>
+                     </includes>
+                     <excludes>
+                        <exclude>**/TestNGViolatedExpectationsTest.class</exclude>
+                     </excludes>
+                  </configuration>
+               </execution>
+            </executions>
+         </plugin>
+         <plugin>
+            <artifactId>maven-gpg-plugin</artifactId><version>1.6</version>
+            <executions>
+               <execution>
+                  <id>sign-artifacts</id>
+                  <phase>deploy</phase>
+                  <goals><goal>sign</goal></goals>
+               </execution>
+            </executions>
+         </plugin>
+         <plugin>
+            <groupId>org.sonatype.plugins</groupId><artifactId>nexus-staging-maven-plugin</artifactId>
+            <version>1.6.7</version>
+            <extensions>true</extensions>
+            <configuration>
+               <serverId>sonatype-nexus-staging</serverId>
+               <nexusUrl>https://oss.sonatype.org/</nexusUrl>
+               <autoReleaseAfterClose>true</autoReleaseAfterClose>
+            </configuration>
+         </plugin>
+      </plugins>
+   </build>
+
+   <dependencies>
+      <dependency>
+         <groupId>com.google.code.findbugs</groupId><artifactId>jsr305</artifactId><version>3.0.0</version>
+         <optional>true</optional>
+      </dependency>
+      <dependency>
+         <groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version>
+         <optional>true</optional>
+      </dependency>
+      <dependency>
+         <groupId>org.junit.jupiter</groupId><artifactId>junit-jupiter-engine</artifactId><version>5.0.0-M1</version>
+         <optional>true</optional>
+      </dependency>
+      <dependency>
+         <groupId>org.testng</groupId><artifactId>testng</artifactId><version>6.9.10</version>
+         <optional>true</optional>
+         <exclusions>
+            <exclusion><groupId>com.google.inject</groupId><artifactId>guice</artifactId></exclusion>
+            <exclusion><groupId>org.beanshell</groupId><artifactId>bsh</artifactId></exclusion>
+         </exclusions>
+      </dependency>
+      <dependency>
+         <groupId>javax</groupId><artifactId>javaee-api</artifactId><version>7.0</version>
+         <optional>true</optional>
+         <exclusions>
+            <exclusion><groupId>com.sun.mail</groupId><artifactId>javax.mail</artifactId></exclusion>
+         </exclusions>
+      </dependency>
+      <dependency>
+         <groupId>org.springframework</groupId><artifactId>spring-web</artifactId><version>4.2.0.RELEASE</version>
+         <optional>true</optional>
+      </dependency>
+   </dependencies>
+</project>
\ No newline at end of file