View Javadoc
1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.xml.pom;
19  
20  import java.io.File;
21  import java.io.IOException;
22  import java.util.jar.JarFile;
23  import java.util.zip.ZipEntry;
24  import org.owasp.dependencycheck.analyzer.JarAnalyzer;
25  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
26  import org.owasp.dependencycheck.dependency.Dependency;
27  import org.slf4j.Logger;
28  import org.slf4j.LoggerFactory;
29  
30  /**
31   *
32   * @author jeremy
33   */
34  public final class PomUtils {
35  
36      /**
37       * empty private constructor for utility class.
38       */
39      private PomUtils() {
40      }
41      /**
42       * The logger.
43       */
44      private static final Logger LOGGER = LoggerFactory.getLogger(PomUtils.class);
45  
46      /**
47       * Reads in the specified POM and converts it to a Model.
48       *
49       * @param file the pom.xml file
50       * @return returns a
51       * @throws AnalysisException is thrown if there is an exception extracting
52       * or parsing the POM {@link Model} object
53       */
54      public static Model readPom(File file) throws AnalysisException {
55          try {
56              final PomParser parser = new PomParser();
57              final Model model = parser.parse(file);
58              if (model == null) {
59                  throw new AnalysisException(String.format("Unable to parse pom '%s'", file.getPath()));
60              }
61              return model;
62          } catch (PomParseException ex) {
63              LOGGER.warn("Unable to parse pom '{}'", file.getPath());
64              LOGGER.debug("", ex);
65              throw new AnalysisException(ex);
66          } catch (IOException ex) {
67              LOGGER.warn("Unable to parse pom '{}'(IO Exception)", file.getPath());
68              LOGGER.debug("", ex);
69              throw new AnalysisException(ex);
70          } catch (Throwable ex) {
71              LOGGER.warn("Unexpected error during parsing of the pom '{}'", file.getPath());
72              LOGGER.debug("", ex);
73              throw new AnalysisException(ex);
74          }
75      }
76  
77      /**
78       * Retrieves the specified POM from a jar file and converts it to a Model.
79       *
80       * @param path the path to the pom.xml file within the jar file
81       * @param jar the jar file to extract the pom from
82       * @return returns a
83       * @throws AnalysisException is thrown if there is an exception extracting
84       * or parsing the POM {@link Model} object
85       */
86      public static Model readPom(String path, JarFile jar) throws AnalysisException {
87          final ZipEntry entry = jar.getEntry(path);
88          Model model = null;
89          if (entry != null) { //should never be null
90              try {
91                  final PomParser parser = new PomParser();
92                  model = parser.parse(jar.getInputStream(entry));
93                  if (model == null) {
94                      throw new AnalysisException(String.format("Unable to parse pom '%s/%s'", jar.getName(), path));
95                  }
96              } catch (SecurityException ex) {
97                  LOGGER.warn("Unable to parse pom '{}' in jar '{}'; invalid signature", path, jar.getName());
98                  LOGGER.debug("", ex);
99                  throw new AnalysisException(ex);
100             } catch (IOException ex) {
101                 LOGGER.warn("Unable to parse pom '{}' in jar '{}' (IO Exception)", path, jar.getName());
102                 LOGGER.debug("", ex);
103                 throw new AnalysisException(ex);
104             } catch (Throwable ex) {
105                 LOGGER.warn("Unexpected error during parsing of the pom '{}' in jar '{}'", path, jar.getName());
106                 LOGGER.debug("", ex);
107                 throw new AnalysisException(ex);
108             }
109         }
110         return model;
111     }
112 
113     /**
114      * Reads in the pom file and adds elements as evidence to the given
115      * dependency.
116      *
117      * @param dependency the dependency being analyzed
118      * @param pomFile the pom file to read
119      * @throws AnalysisException is thrown if there is an exception parsing the
120      * pom
121      */
122     public static void analyzePOM(Dependency dependency, File pomFile) throws AnalysisException {
123         final Model pom = PomUtils.readPom(pomFile);
124         JarAnalyzer.setPomEvidence(dependency, pom, null);
125     }
126 }