 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.xml.pom;
 
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.jar.JarFile;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.zip.ZipEntry;
 import org.owasp.dependencycheck.analyzer.JarAnalyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 
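 /**
  * Utility methods for reading Maven POM files, either from disk or from an entry inside a
  * jar, and for turning the POM's coordinates, name, description and license into evidence
  * on a {@link Dependency}.
  *
  * <p>The POM content comes from the artifact being analyzed and should be treated as
  * untrusted input. Hardening of the XML parsing itself (external entity handling and the
  * like) is the responsibility of {@link PomParser} and is not verified in this class.</p>
  *
  * @author jeremy
  */
 public final class PomUtils {

     /**
      * The logger.
      */
     private static final Logger LOGGER = Logger.getLogger(PomUtils.class.getName());

     /**
      * empty private constructor for utility class.
      */
     private PomUtils() {
     }

     /**
      * Reads in the specified POM and converts it to a Model.
      *
      * @param file the pom.xml file
      * @return the {@link Model} parsed from the file
      * @throws AnalysisException is thrown if there is an exception extracting or parsing the
      * POM; the underlying exception is attached as the cause
      */
     public static Model readPom(File file) throws AnalysisException {
         try {
             final PomParser parser = new PomParser();
             return parser.parse(file);
         } catch (PomParseException ex) {
             final String msg = String.format("Unable to parse pom '%s'", file.getPath());
             LOGGER.log(Level.WARNING, msg);
             LOGGER.log(Level.FINE, "", ex);
             throw new AnalysisException(ex);
         } catch (IOException ex) {
             final String msg = String.format("Unable to parse pom '%s'(IO Exception)", file.getPath());
             LOGGER.log(Level.WARNING, msg);
             LOGGER.log(Level.FINE, "", ex);
             throw new AnalysisException(ex);
         } catch (Throwable ex) {
             // Broad by design: any failure while parsing the (untrusted) XML is surfaced as an
             // AnalysisException instead of escaping as a raw RuntimeException. Note that this
             // also converts Errors such as OutOfMemoryError, which callers cannot tell apart.
             final String msg = String.format("Unexpected error during parsing of the pom '%s'", file.getPath());
             LOGGER.log(Level.WARNING, msg);
             LOGGER.log(Level.FINE, "", ex);
             throw new AnalysisException(ex);
         }
     }

     /**
      * Retrieves the specified POM from a jar file and converts it to a Model.
      *
      * @param path the path to the pom.xml file within the jar file
      * @param jar the jar file to extract the pom from
      * @return the {@link Model} parsed from the entry, or {@code null} if the jar has no
      * entry at {@code path}
      * @throws AnalysisException is thrown if there is an exception extracting or parsing the
      * POM; the underlying exception is attached as the cause
      */
     public static Model readPom(String path, JarFile jar) throws AnalysisException {
         final ZipEntry entry = jar.getEntry(path);
         if (entry == null) {
             // Not expected when the caller took the path from the jar's own entry listing,
             // but callers must still handle the null result.
             return null;
         }
         Model model = null;
         try {
             final PomParser parser = new PomParser();
             final InputStream stream = jar.getInputStream(entry);
             try {
                 model = parser.parse(stream);
             } finally {
                 // Release the entry's inflater; closing an entry stream does not close the jar.
                 stream.close();
             }
             LOGGER.fine(String.format("Read POM %s", path));
         } catch (SecurityException ex) {
             // JarFile verifies signed entries while they are read, so a tampered or badly
             // signed entry surfaces here rather than at getEntry().
             final String msg = String.format("Unable to parse pom '%s' in jar '%s'; invalid signature", path, jar.getName());
             LOGGER.log(Level.WARNING, msg);
             LOGGER.log(Level.FINE, null, ex);
             throw new AnalysisException(ex);
         } catch (IOException ex) {
             final String msg = String.format("Unable to parse pom '%s' in jar '%s' (IO Exception)", path, jar.getName());
             LOGGER.log(Level.WARNING, msg);
             LOGGER.log(Level.FINE, "", ex);
             throw new AnalysisException(ex);
         } catch (Throwable ex) {
             // Broad by design, see readPom(File): every parse failure becomes an AnalysisException.
             final String msg = String.format("Unexpected error during parsing of the pom '%s' in jar '%s'", path, jar.getName());
             LOGGER.log(Level.WARNING, msg);
             LOGGER.log(Level.FINE, "", ex);
             throw new AnalysisException(ex);
         }
         return model;
     }

     /**
      * Reads in the pom file and adds elements as evidence to the given dependency.
      *
      * <p>For group id, artifact id and version the POM's own value is used when present,
      * otherwise the parent's value. When both are present and differ, the parent's value is
      * also recorded as separate, lower-confidence evidence.</p>
      *
      * @param dependency the dependency being analyzed
      * @param pomFile the pom file to read
      * @throws AnalysisException is thrown if there is an exception parsing the pom
      */
     public static void analyzePOM(Dependency dependency, File pomFile) throws AnalysisException {
         // readPom(File) is assumed to return a non-null model or throw; a null model would
         // surface as a NullPointerException on the first getter below -- TODO confirm in PomParser.
         final Model pom = PomUtils.readPom(pomFile);

         final String parentGroupId = pom.getParentGroupId();
         final String groupid = preferOwn(pom.getGroupId(), parentGroupId);
         if (hasText(groupid)) {
             dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGHEST);
             dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
             if (hasText(parentGroupId) && !parentGroupId.equals(groupid)) {
                 dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM);
                 dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW);
             }
         }

         final String parentArtifactId = pom.getParentArtifactId();
         String artifactid = preferOwn(pom.getArtifactId(), parentArtifactId);
         if (hasText(artifactid)) {
             // Strip a leading "org." / "com." reverse-domain prefix, presumably so the artifact
             // id compares like a plain product name; the parent comparison below uses the
             // stripped value.
             if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
                 artifactid = artifactid.substring(4);
             }
             dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGHEST);
             dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
             if (hasText(parentArtifactId) && !parentArtifactId.equals(artifactid)) {
                 dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM);
                 dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW);
             }
         }

         final String parentVersion = pom.getParentVersion();
         final String version = preferOwn(pom.getVersion(), parentVersion);
         if (hasText(version)) {
             dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
             if (hasText(parentVersion) && !parentVersion.equals(version)) {
                 // The parent's own version is what belongs under the "parent-version" key.
                 dependency.getVersionEvidence().addEvidence("pom", "parent-version", parentVersion, Confidence.LOW);
             }
         }

         final String orgName = pom.getOrganization();
         if (hasText(orgName)) {
             dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH);
         }
         final String pomName = pom.getName();
         if (hasText(pomName)) {
             dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
         }

         final String description = pom.getDescription();
         if (hasText(description)) {
             JarAnalyzer.addDescription(dependency, description, "pom", "description");
         }
         JarAnalyzer.extractLicense(pom, null, dependency);
     }

     /**
      * Chooses between a POM's own value and the inherited parent value.
      *
      * @param own the value declared by the POM itself (may be {@code null} or empty)
      * @param parent the value declared by the parent POM (may be {@code null} or empty)
      * @return {@code own} when it is non-empty; otherwise {@code parent} when that is
      * non-empty; otherwise {@code own} unchanged
      */
     private static String preferOwn(String own, String parent) {
         if (hasText(own) || !hasText(parent)) {
             return own;
         }
         return parent;
     }

     /**
      * Tests whether a value carries text.
      *
      * @param value the value to test
      * @return {@code true} when {@code value} is neither {@code null} nor empty
      */
     private static boolean hasText(String value) {
         return value != null && !value.isEmpty();
     }
 }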