From ed22b6532f36311a7b358e5997194571b1b65cb5 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 3 Sep 2017 21:10:33 -0400
Subject: [PATCH] coverity suggested updates
---
 .../org/owasp/dependencycheck/Engine.java | 51 +++++++++----------
 .../dependencycheck/analyzer/JarAnalyzer.java | 7 +--
 2 files changed, 28 insertions(+), 30 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
index 76de7b8d2..15e9c3e6f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -584,7 +584,7 @@ public class Engine implements FileFilter, AutoCloseable {
 * @return the scanned dependency
 * @since v1.4.4
 */
- protected Dependency scanFile(File file, String projectReference) {
+ protected synchronized Dependency scanFile(File file, String projectReference) {
 Dependency dependency = null;
 if (file.isFile()) {
 if (accept(file)) {
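Review bot: Making scanFile a `synchronized` method moves the guard from the `dependencies` list's own monitor to the Engine instance and widens it from the lookup-and-add section to the entire scan, including whatever hashing and Dependency construction happens before the sha1 comparison in the next hunk (scanFile continues there). Any other code path that still touches `dependencies` under `synchronized (dependencies)` or with no lock would no longer be mutually exclusive with this method; that cannot be confirmed from the hunks shown, so the other users of the list should be checked before merging. The getAnalysisTasks hunk makes the same monitor switch and carries the same concern. The Javadoc ending at the `*/` above the signature should state the new contract, e.g. `* <p>Synchronized on the Engine instance: concurrent calls are serialized for the whole scan, not only the duplicate check.`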
@@ -594,31 +594,30 @@ public class Engine implements FileFilter, AutoCloseable {
 }
 final String sha1 = dependency.getSha1sum();
 boolean found = false;
- synchronized (dependencies) {
- if (sha1 != null) {
- for (Dependency existing : dependencies) {
- if (sha1.equals(existing.getSha1sum())) {
- found = true;
- if (projectReference != null) {
- existing.addProjectReference(projectReference);
- }
- if (existing.getActualFilePath() != null && dependency.getActualFilePath() != null
- && !existing.getActualFilePath().equals(dependency.getActualFilePath())) {
- existing.addRelatedDependency(dependency);
- } else {
- dependency = existing;
- }
- break;
+
+ if (sha1 != null) {
+ for (Dependency existing : dependencies) {
+ if (sha1.equals(existing.getSha1sum())) {
+ found = true;
+ if (projectReference != null) {
+ existing.addProjectReference(projectReference);
 }
+ if (existing.getActualFilePath() != null && dependency.getActualFilePath() != null
+ && !existing.getActualFilePath().equals(dependency.getActualFilePath())) {
+ existing.addRelatedDependency(dependency);
+ } else {
+ dependency = existing;
+ }
+ break;
 }
 }
- if (!found) {
- dependencies.add(dependency);
- }
 }
- } else {
- LOGGER.debug("Path passed to scanFile(File) is not a file that can be scanned by dependency-check: {}. Skipping the file.", file);
+ if (!found) {
+ dependencies.add(dependency);
+ }
 }
+ } else {
+ LOGGER.debug("Path passed to scanFile(File) is not a file that can be scanned by dependency-check: {}. Skipping the file.", file);
 }
 return dependency;
 }
@@ -778,13 +777,11 @@ public class Engine implements FileFilter, AutoCloseable {
 * @param exceptions the collection of exceptions to collect
 * @return a collection of analysis tasks
 */
- protected List getAnalysisTasks(Analyzer analyzer, List exceptions) {
+ protected synchronized List getAnalysisTasks(Analyzer analyzer, List exceptions) {
 final List result = new ArrayList<>();
- synchronized (dependencies) {
- for (final Dependency dependency : dependencies) {
- final AnalysisTask task = new AnalysisTask(analyzer, dependency, this, exceptions);
- result.add(task);
- }
+ for (final Dependency dependency : dependencies) {
+ final AnalysisTask task = new AnalysisTask(analyzer, dependency, this, exceptions);
+ result.add(task);
 }
 return result;
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index 30545a8f7..a4d2c765b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -312,9 +312,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 private boolean isZipFile(final Dependency dependency) {
 final byte[] buffer = new byte[4];
 try (final FileInputStream fileInputStream = new FileInputStream(dependency.getActualFilePath())) {
- fileInputStream.read(buffer);
- if (Arrays.equals(buffer, ZIP_FIRST_BYTES) || Arrays.equals(buffer, ZIP_EMPTY_FIRST_BYTES)
- || Arrays.equals(buffer, ZIP_SPANNED_FIRST_BYTES)) {
+ if (fileInputStream.read(buffer) > 0
+ && (Arrays.equals(buffer, ZIP_FIRST_BYTES)
+ || Arrays.equals(buffer, ZIP_EMPTY_FIRST_BYTES)
+ || Arrays.equals(buffer, ZIP_SPANNED_FIRST_BYTES))) {
 return true;
 }
 } catch (Exception e) {
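Review bot: `fileInputStream.read(buffer) > 0` still accepts a short read, so a file of one to three bytes is compared against the four-byte signatures with the unread tail left at the zero the array was allocated with; if the three constants hold the usual PK signatures with no trailing zero byte that cannot match today, but the check only expresses the real requirement when it demands the whole header: `if (fileInputStream.read(buffer) == buffer.length`. The InputStream contract also does not promise that one `read` fills the array, so `new DataInputStream(fileInputStream).readFully(buffer)` with its EOFException landing in the existing catch would make the "exactly four bytes or not a zip" rule explicit rather than depending on FileInputStream behaviour. isZipFile's catch block and return continue outside the hunk.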