From d7606d0263f40c4cb24628bac9b06382d7e071d0 Mon Sep 17 00:00:00 2001
From: a141757
Date: Mon, 27 Nov 2017 15:14:04 +0100
Subject: [PATCH 1/2] make Error on personal Suppression File to not fatal

---
 .../analyzer/AbstractSuppressionAnalyzer.java | 57 ++++++++++++-------
 1 file changed, 38 insertions(+), 19 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
index b09a22d5b..7916523e5 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -58,7 +58,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 /**
 * The list of suppression rules
 */
- private SuppressionRule[] rules = null;
+ private List rules = new ArrayList<>();
 
 /**
 * Get the number of suppression rules.
@@ -66,7 +66,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 * @return the number of suppression rules
 */
 protected int getRuleCount() {
- return rules.length;
+ return rules.size();
 }
 
 /**
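Review bot: `rules` is now created eagerly and, within this patch, only ever grown through `addAll`, so it can be declared `final` (provided nothing outside these hunks reassigns it), and its Javadoc should say when it is populated, e.g. `/** The suppression rules; empty until {@link #prepareAnalyzer(Engine)} has loaded them. */`. The declaration reads as a raw `List` here, but the `for (final SuppressionRule rule : rules)` loop later in the patch only compiles against a `List<SuppressionRule>`, so the type argument was presumably lost in rendering rather than in the code; worth a glance at the actual source all the same.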
@@ -86,18 +86,24 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 */
 @Override
 public synchronized void prepareAnalyzer(Engine engine) throws InitializationException {
- if (rules == null) {
+ if (rules == null || rules.isEmpty()) {
+ try {
+ loadSuppressionBaseData();
+ } catch (SuppressionParseException ex) {
+ throw new InitializationException("Error initializing the suppression analyzer: " + ex.getLocalizedMessage(), ex, true);
+ }
+
 try {
 loadSuppressionData();
 } catch (SuppressionParseException ex) {
- throw new InitializationException("Error initializing the suppression analyzer: " + ex.getLocalizedMessage(), ex, true);
+ throw new InitializationException("Warn initializing the suppression analyzer: " + ex.getLocalizedMessage(), ex, false);
 }
 }
 }
 
 @Override
 protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
- if (rules == null || rules.length <= 0) {
+ if (rules == null || rules.isEmpty()) {
 return;
 }
 for (final SuppressionRule rule : rules) {
@@ -111,14 +117,8 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 * @throws SuppressionParseException thrown if the XML cannot be parsed.
 */
 private void loadSuppressionData() throws SuppressionParseException {
- List ruleList;
+ List ruleList = new ArrayList<>()
 final SuppressionParser parser = new SuppressionParser();
- try {
- final InputStream in = FileUtils.getResourceAsStream("dependencycheck-base-suppression.xml");
- ruleList = parser.parseSuppressionRules(in);
- } catch (SAXException ex) {
- throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
- }
 final String[] suppressionFilePaths = getSettings().getArray(Settings.KEYS.SUPPRESSION_FILE);
 final List failedLoadingFiles = new ArrayList<>();
 if (suppressionFilePaths != null && suppressionFilePaths.length > 0) {
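Review bot: The guard `if (rules == null || rules.isEmpty())` at the top of prepareAnalyzer no longer distinguishes "not loaded yet" from "loaded": `rules` is initialised to an empty list in the earlier hunk (so the null test, here and in analyzeDependency, is dead), `loadSuppressionBaseData()` appends the base rules before the user files are read, and the InitializationException thrown for a user-file failure now passes `false` as its third argument, which the patch subject describes as making the error not fatal. So when a configured suppression file fails to load, `rules` is already non-empty as the exception leaves the method; should prepareAnalyzer run again, loading is skipped and analysis continues with the base rules plus whatever loaded before the failure, the logged warning being the only trace. Track the state explicitly instead, e.g. `private boolean rulesLoaded;` tested by the guard as `if (!rulesLoaded) {` and set to `true` only after `loadSuppressionData()` returns, and drop the dead null tests. The message `"Warn initializing the suppression analyzer: "` reads as a fragment; `"Unable to load one or more suppression files, continuing with the rules that were loaded: "` states what actually happens. loadSuppressionData's body continues past the end of this hunk.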
@@ -133,8 +133,8 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 }
 }
 }
- rules = ruleList.toArray(new SuppressionRule[ruleList.size()]);
 LOGGER.debug("{} suppression rules were loaded.", ruleList.size());
+ rules.addAll(ruleList);
 if (!failedLoadingFiles.isEmpty()) {
 LOGGER.debug("{} suppression files failed to load.", failedLoadingFiles.size());
 final StringBuilder sb = new StringBuilder();
@@ -145,6 +145,24 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 }
 }
 
+
+ /**
+ * Loads all the base suppression rules files.
+ *
+ * @throws SuppressionParseException thrown if the XML cannot be parsed.
+ */
+ private void loadSuppressionBaseData() throws SuppressionParseException {
+ final SuppressionParser parser = new SuppressionParser();
+ List ruleList;
+ try {
+ final InputStream in = FileUtils.getResourceAsStream("dependencycheck-base-suppression.xml");
+ ruleList = parser.parseSuppressionRules(in);
+ } catch (SAXException ex) {
+ throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
+ }
+ rules.addAll(ruleList) ;
+ }
+
 /**
 * Load a single suppression rules file from the path provided using the
 * parser provided.
@@ -185,7 +203,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 try {
 org.apache.commons.io.FileUtils.copyInputStreamToFile(suppressionsFromClasspath, file);
 } catch (IOException ex) {
- throwSuppressionParseException("Unable to locate suppressions file in classpath", ex);
+ throwSuppressionParseException("Unable to locate suppressions file in classpath", ex, suppressionFilePath);
 }
 }
 }
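Review bot: The new loadSuppressionBaseData never closes the InputStream it obtains from `FileUtils.getResourceAsStream(...)` (the inline code it replaces had the same omission, but this is the place to fix it), and if that lookup returns null the null goes straight into `parseSuppressionRules`, whose handling of it I cannot see from here. A try-with-resources block closes the stream on both the success and the SAXException path; `IOException` is already in use in this file and `close()` declares it, so it joins the catch, and the local `ruleList` disappears. The stray space in `rules.addAll(ruleList) ;` should go with it. The Javadoc summary `Loads all the base suppression rules files.` describes a single classpath resource; `Loads the bundled base suppression rules from the classpath resource dependencycheck-base-suppression.xml and appends them to the rules list.` says what the method does.
```java
private void loadSuppressionBaseData() throws SuppressionParseException {
    final SuppressionParser parser = new SuppressionParser();
    // try-with-resources: the classpath stream is closed whether or not parsing succeeds
    try (InputStream in = FileUtils.getResourceAsStream("dependencycheck-base-suppression.xml")) {
        rules.addAll(parser.parseSuppressionRules(in));
    } catch (SAXException | IOException ex) {
        throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
    }
}
```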
@@ -206,13 +224,13 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 }
 }
 } catch (DownloadFailedException ex) {
- throwSuppressionParseException("Unable to fetch the configured suppression file", ex);
+ throwSuppressionParseException("Unable to fetch the configured suppression file", ex, suppressionFilePath);
 } catch (MalformedURLException ex) {
- throwSuppressionParseException("Configured suppression file has an invalid URL", ex);
+ throwSuppressionParseException("Configured suppression file has an invalid URL", ex, suppressionFilePath);
 } catch (SuppressionParseException ex) {
 throw ex;
 } catch (IOException ex) {
- throwSuppressionParseException("Unable to create temp file for suppressions", ex);
+ throwSuppressionParseException("Unable to create temp file for suppressions", ex, suppressionFilePath);
 } finally {
 if (deleteTempFile && file != null) {
 FileUtils.delete(file);
@@ -226,11 +244,12 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 *
 * @param message the exception message
 * @param exception the cause of the exception
+ * @param suppressionFilePath the path file
 * @throws SuppressionParseException throws the generated
 * SuppressionParseException
 */
- private void throwSuppressionParseException(String message, Exception exception) throws SuppressionParseException {
- LOGGER.warn(message);
+ private void throwSuppressionParseException(String message, Exception exception, String suppressionFilePath) throws SuppressionParseException {
+ LOGGER.warn(String.format(message + "'%s'", suppressionFilePath));
 LOGGER.debug("", exception);
 throw new SuppressionParseException(message, exception);
 }

From 76d79186c76269c11373d1c45eeba7c351f5529d Mon Sep 17 00:00:00 2001
From: stboiss
Date: Mon, 27 Nov 2017 15:26:17 +0100
Subject: [PATCH 2/2] small correction

---
 .../dependencycheck/analyzer/AbstractSuppressionAnalyzer.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

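Review bot: In throwSuppressionParseException the caller's message is now used as the `String.format` format string, so any `%` in a future message would make the error path itself fail with an IllegalFormatException, and the concatenation `message + "'%s'"` leaves no separator, logging e.g. `Unable to fetch the configured suppression file'<path>'` (path shown as a placeholder). The file already uses SLF4J-style placeholders in `LOGGER.debug`, so `LOGGER.warn("{} '{}'", message, suppressionFilePath);` is the safe form. The path is also not carried into the thrown exception, so the InitializationException that prepareAnalyzer builds from `ex.getLocalizedMessage()` cannot name the file that failed; `throw new SuppressionParseException(message + " '" + suppressionFilePath + "'", exception);` fixes that. The Javadoc `@param suppressionFilePath the path file` should read `@param suppressionFilePath the path or URL of the suppression file the message refers to`.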
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
index 7916523e5..1643d2b97 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -117,7 +117,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 * @throws SuppressionParseException thrown if the XML cannot be parsed.
 */
 private void loadSuppressionData() throws SuppressionParseException {
- List ruleList = new ArrayList<>()
+ List ruleList = new ArrayList<>();
 final SuppressionParser parser = new SuppressionParser();
 final String[] suppressionFilePaths = getSettings().getArray(Settings.KEYS.SUPPRESSION_FILE);
 final List failedLoadingFiles = new ArrayList<>();