View Javadoc
1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.xml.pom;
19  
20  import java.io.File;
21  import java.io.IOException;
22  import java.util.jar.JarFile;
23  import java.util.zip.ZipEntry;
24  import org.owasp.dependencycheck.analyzer.JarAnalyzer;
25  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
26  import org.owasp.dependencycheck.dependency.Dependency;
27  import org.slf4j.Logger;
28  import org.slf4j.LoggerFactory;
29  
30  /**
31   *
32   * @author jeremy
33   */
34  public final class PomUtils {
35  
36      /**
37       * empty private constructor for utility class.
38       */
39      private PomUtils() {
40      }
41      /**
42       * The logger.
43       */
44      private static final Logger LOGGER = LoggerFactory.getLogger(PomUtils.class);
45  
46      /**
47       * Reads in the specified POM and converts it to a Model.
48       *
49       * @param file the pom.xml file
50       * @return returns a
51       * @throws AnalysisException is thrown if there is an exception extracting or parsing the POM {@link Model} object
52       */
53      public static Model readPom(File file) throws AnalysisException {
54          Model model = null;
55          try {
56              final PomParser parser = new PomParser();
57              model = parser.parse(file);
58          } catch (PomParseException ex) {
59              LOGGER.warn("Unable to parse pom '{}'", file.getPath());
60              LOGGER.debug("", ex);
61              throw new AnalysisException(ex);
62          } catch (IOException ex) {
63              LOGGER.warn("Unable to parse pom '{}'(IO Exception)", file.getPath());
64              LOGGER.debug("", ex);
65              throw new AnalysisException(ex);
66          } catch (Throwable ex) {
67              LOGGER.warn("Unexpected error during parsing of the pom '{}'", file.getPath());
68              LOGGER.debug("", ex);
69              throw new AnalysisException(ex);
70          }
71          return model;
72      }
73  
74      /**
75       * Retrieves the specified POM from a jar file and converts it to a Model.
76       *
77       * @param path the path to the pom.xml file within the jar file
78       * @param jar the jar file to extract the pom from
79       * @return returns a
80       * @throws AnalysisException is thrown if there is an exception extracting or parsing the POM {@link Model} object
81       */
82      public static Model readPom(String path, JarFile jar) throws AnalysisException {
83          final ZipEntry entry = jar.getEntry(path);
84          Model model = null;
85          if (entry != null) { //should never be null
86              try {
87                  final PomParser parser = new PomParser();
88                  model = parser.parse(jar.getInputStream(entry));
89                  LOGGER.debug("Read POM {}", path);
90              } catch (SecurityException ex) {
91                  LOGGER.warn("Unable to parse pom '{}' in jar '{}'; invalid signature", path, jar.getName());
92                  LOGGER.debug("", ex);
93                  throw new AnalysisException(ex);
94              } catch (IOException ex) {
95                  LOGGER.warn("Unable to parse pom '{}' in jar '{}' (IO Exception)", path, jar.getName());
96                  LOGGER.debug("", ex);
97                  throw new AnalysisException(ex);
98              } catch (Throwable ex) {
99                  LOGGER.warn("Unexpected error during parsing of the pom '{}' in jar '{}'", path, jar.getName());
100                 LOGGER.debug("", ex);
101                 throw new AnalysisException(ex);
102             }
103         }
104         return model;
105     }
106 
107     /**
108      * Reads in the pom file and adds elements as evidence to the given dependency.
109      *
110      * @param dependency the dependency being analyzed
111      * @param pomFile the pom file to read
112      * @throws AnalysisException is thrown if there is an exception parsing the pom
113      */
114     public static void analyzePOM(Dependency dependency, File pomFile) throws AnalysisException {
115         final Model pom = PomUtils.readPom(pomFile);
116         JarAnalyzer.setPomEvidence(dependency, pom, null);
117     }
118 }