Coverage Report

Coverage Report - org.owasp.dependencycheck.data.composer.ComposerLockParser

Classes in this File

Line Coverage

Branch Coverage

Complexity

ComposerLockParser

89%

35/39

64%

9/14

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.composer;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.json.Json;
 import javax.json.JsonArray;
 import javax.json.JsonException;
 import javax.json.JsonObject;
 import javax.json.JsonReader;
 import javax.json.stream.JsonParsingException;
 import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.List;
 
 /**
  * Parses a Composer.lock file from an input stream. In a separate class so it can hopefully be injected.
  *
  * @author colezlaw
  */
 public class ComposerLockParser {
 
     /**
      * The JsonReader for parsing JSON
      */
     private final JsonReader jsonReader;
 
     /**
      * The input stream we'll read
      */
     private final InputStream inputStream; // NOPMD - it gets set in the constructor, read later
 
     /**
      * The List of ComposerDependencies found
      */
     private final List<ComposerDependency> composerDependencies;
 
     /**
      * The LOGGER
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockParser.class);
 
     /**
      * Createas a ComposerLockParser from a JsonReader and an InputStream.
      *
      * @param inputStream the InputStream to parse
      */
     public ComposerLockParser(InputStream inputStream) {
         LOGGER.info("Creating a ComposerLockParser");
         this.inputStream = inputStream;
         this.jsonReader = Json.createReader(inputStream);
         this.composerDependencies = new ArrayList<ComposerDependency>();
     }
 
     /**
      * Process the input stream to create the list of dependencies.
      */
     public void process() {
         LOGGER.info("Beginning Composer lock processing");
         try {
             final JsonObject composer = jsonReader.readObject();
             if (composer.containsKey("packages")) {
                 LOGGER.debug("Found packages");
                 final JsonArray packages = composer.getJsonArray("packages");
                 for (JsonObject pkg : packages.getValuesAs(JsonObject.class)) {
                     if (pkg.containsKey("name")) {
                         final String groupName = pkg.getString("name");
                         if (groupName.indexOf('/') >= 0 && groupName.indexOf('/') <= groupName.length() - 1) {
                             if (pkg.containsKey("version")) {
                                 final String group = groupName.substring(0, groupName.indexOf('/'));
                                 final String project = groupName.substring(groupName.indexOf('/') + 1);
                                 String version = pkg.getString("version");
                                 // Some version nubmers begin with v - which doesn't end up matching CPE's
                                 if (version.startsWith("v")) {
                                     version = version.substring(1);
                                 }
                                 LOGGER.debug("Got package {}/{}/{}", group, project, version);
                                 composerDependencies.add(new ComposerDependency(group, project, version));
                             } else {
                                 LOGGER.debug("Group/package {} does not have a version", groupName);
                             }
                         } else {
                             LOGGER.debug("Got a dependency with no name");
                         }
                     }
                 }
             }
         } catch (JsonParsingException jsonpe) {
             throw new ComposerException("Error parsing stream", jsonpe);
         } catch (JsonException jsone) {
             throw new ComposerException("Error reading stream", jsone);
         } catch (IllegalStateException ise) {
             throw new ComposerException("Illegal state in composer stream", ise);
         } catch (ClassCastException cce) {
             throw new ComposerException("Not exactly composer lock", cce);
         }
     }
 
     /**
      * Gets the list of dependencies.
      *
      * @return the list of dependencies
      */
     public List<ComposerDependency> getDependencies() {
         return composerDependencies;
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.data.composer;
19
20		import org.slf4j.Logger;
21		import org.slf4j.LoggerFactory;
22
23		import javax.json.Json;
24		import javax.json.JsonArray;
25		import javax.json.JsonException;
26		import javax.json.JsonObject;
27		import javax.json.JsonReader;
28		import javax.json.stream.JsonParsingException;
29		import java.io.InputStream;
30		import java.util.ArrayList;
31		import java.util.List;
32
33		/**
34		* Parses a Composer.lock file from an input stream. In a separate class so it can hopefully be injected.
35		*
36		* @author colezlaw
37		*/
38		public class ComposerLockParser {
39
40		/**
41		* The JsonReader for parsing JSON
42		*/
43		private final JsonReader jsonReader;
44
45		/**
46		* The input stream we'll read
47		*/
48		private final InputStream inputStream; // NOPMD - it gets set in the constructor, read later
49
50		/**
51		* The List of ComposerDependencies found
52		*/
53		private final List<ComposerDependency> composerDependencies;
54
55		/**
56		* The LOGGER
57		*/
58	2	private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockParser.class);
59
60		/**
61		* Createas a ComposerLockParser from a JsonReader and an InputStream.
62		*
63		* @param inputStream the InputStream to parse
64		*/
65	10	public ComposerLockParser(InputStream inputStream) {
66	10	LOGGER.info("Creating a ComposerLockParser");
67	10	this.inputStream = inputStream;
68	10	this.jsonReader = Json.createReader(inputStream);
69	10	this.composerDependencies = new ArrayList<ComposerDependency>();
70	10	}
71
72		/**
73		* Process the input stream to create the list of dependencies.
74		*/
75		public void process() {
76	10	LOGGER.info("Beginning Composer lock processing");
77		try {
78	10	final JsonObject composer = jsonReader.readObject();
79	6	if (composer.containsKey("packages")) {
80	6	LOGGER.debug("Found packages");
81	6	final JsonArray packages = composer.getJsonArray("packages");
82	4	for (JsonObject pkg : packages.getValuesAs(JsonObject.class)) {
83	120	if (pkg.containsKey("name")) {
84	120	final String groupName = pkg.getString("name");
85	120	if (groupName.indexOf('/') >= 0 && groupName.indexOf('/') <= groupName.length() - 1) {
86	120	if (pkg.containsKey("version")) {
87	120	final String group = groupName.substring(0, groupName.indexOf('/'));
88	120	final String project = groupName.substring(groupName.indexOf('/') + 1);
89	120	String version = pkg.getString("version");
90		// Some version nubmers begin with v - which doesn't end up matching CPE's
91	120	if (version.startsWith("v")) {
92	84	version = version.substring(1);
93		}
94	120	LOGGER.debug("Got package {}/{}/{}", group, project, version);
95	120	composerDependencies.add(new ComposerDependency(group, project, version));
96	120	} else {
97	0	LOGGER.debug("Group/package {} does not have a version", groupName);
98		}
99		} else {
100	0	LOGGER.debug("Got a dependency with no name");
101		}
102		}
103	120	}
104		}
105	2	} catch (JsonParsingException jsonpe) {
106	2	throw new ComposerException("Error parsing stream", jsonpe);
107	2	} catch (JsonException jsone) {
108	2	throw new ComposerException("Error reading stream", jsone);
109	0	} catch (IllegalStateException ise) {
110	0	throw new ComposerException("Illegal state in composer stream", ise);
111	2	} catch (ClassCastException cce) {
112	2	throw new ComposerException("Not exactly composer lock", cce);
113	4	}
114	4	}
115
116		/**
117		* Gets the list of dependencies.
118		*
119		* @return the list of dependencies
120		*/
121		public List<ComposerDependency> getDependencies() {
122	6	return composerDependencies;
123		}
124		}