fix: #6819 handle invalid toml file (#7548)

Author: nhumblot

core/src/main/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzer.java

@@ -12,8 +12,6 @@
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
- *
- * Copyright (c) 2019 Nima Yahyazadeh. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
@@ -36,6 +34,8 @@
 
 import com.moandjiezana.toml.Toml;
 import java.io.File;
+import java.util.Optional;
+
 import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
 import org.owasp.dependencycheck.dependency.naming.GenericIdentifier;
 import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
@@ -147,7 +147,12 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
         //do not report on the build file itself
         engine.removeDependency(dependency);
 
-        final Toml result = new Toml().read(dependency.getActualFile());
+        Optional<Toml> potentiallyParsedToml = parseDependencyFile(dependency);
+        if (potentiallyParsedToml.isEmpty()) {
+            LOGGER.warn("toml file skipped: {} could not be parsed", dependency.getActualFilePath());
+            return;
+        }
+        final Toml result = potentiallyParsedToml.get();
         if (PYPROJECT_TOML.equals(dependency.getActualFile().getName())) {
             if (result.getTable("tool.poetry") == null) {
                 LOGGER.debug("skipping {} as it does not contain `tool.poetry`", dependency.getDisplayFileName());
@@ -200,6 +205,30 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
         });
     }
 
+    private Optional<Toml> parseDependencyFile(Dependency dependency) {
+        try {
+            Toml toml = new Toml().read(dependency.getActualFile());
+            return Optional.of(toml);
+        } catch (RuntimeException e) {
+            Optional<String> unparsableFileErrorMessage = Optional.ofNullable(e.getCause())
+                    .filter(c -> c instanceof IllegalStateException)
+                    .map(Throwable::getMessage)
+                    .filter(PoetryAnalyzer::isInvalidKeyErrorMessage);
+
+            if (unparsableFileErrorMessage.isPresent()) {
+                String message = String.format("Invalid toml file, cannot parse '%s'", dependency.getActualFile());
+                LOGGER.debug(message, e);
+                return Optional.empty();
+            }
+
+            throw e;
+        }
+    }
+
+    private static boolean isInvalidKeyErrorMessage(String m) {
+        return m.startsWith("Invalid key");
+    }
+
     private void ensureLock(File parent) throws AnalysisException {
         final File lock = new File(parent, POETRY_LOCK);
         final File requirements = new File(parent, "requirements.txt");

core/src/test/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzerTest.java

@@ -12,8 +12,6 @@
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
- *
- * Copyright (c) 2019 Nima Yahyazadeh. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
@@ -80,6 +78,13 @@ public void testPyprojectToml() throws AnalysisException {
         analyzer.analyze(result, engine);
     }
 
+    @Test
+    public void testNodeGypToml() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "node-gyp-toml/pyproject.toml"));
+        //returns with no error.
+        analyzer.analyze(result, engine);
+    }
+
     @Test(expected = AnalysisException.class)
     public void testPoetryToml() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "python-poetry-toml/pyproject.toml"));

core/src/test/resources/node-gyp-toml/pyproject.toml

@@ -0,0 +1,119 @@
+[build-system]
+requires = ["setuptools>=61.0"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "gyp-next"
+version = "0.16.1"
+authors = [
+  { name="Node.js contributors", email="[email protected]" },
+]
+description = "A fork of the GYP build system for use in the Node.js projects"
+readme = "README.md"
+license = { file="LICENSE" }
+requires-python = ">=3.8"
+# The Python module "packaging" is vendored in the "pylib/packaging" directory to support Python >= 3.12.
+# dependencies = ["packaging>=23.1"]  # Uncomment this line if the vendored version is removed.
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: BSD License",
+    "Natural Language :: English",
+    "Programming Language :: Python",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.8",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+]
+
+[project.optional-dependencies]
+dev = ["flake8", "ruff", "pytest"]
+
+[project.scripts]
+gyp = "gyp:script_main"
+
+[project.urls]
+"Homepage" = "https://github.com/nodejs/gyp-next"
+
+[tool.ruff]
+lint.select = [
+  "C4",   # flake8-comprehensions
+  "C90",  # McCabe cyclomatic complexity
+  "DTZ",  # flake8-datetimez
+  "E",    # pycodestyle
+  "F",    # Pyflakes
+  "G",    # flake8-logging-format
+  "ICN",  # flake8-import-conventions
+  "INT",  # flake8-gettext
+  "PL",   # Pylint
+  "PYI",  # flake8-pyi
+  "RSE",  # flake8-raise
+  "RUF",  # Ruff-specific rules
+  "T10",  # flake8-debugger
+  "TCH",  # flake8-type-checking
+  "TID",  # flake8-tidy-imports
+  "UP",   # pyupgrade
+  "W",    # pycodestyle
+  "YTT",  # flake8-2020
+  # "A",    # flake8-builtins
+  # "ANN",  # flake8-annotations
+  # "ARG",  # flake8-unused-arguments
+  # "B",    # flake8-bugbear
+  # "BLE",  # flake8-blind-except
+  # "COM",  # flake8-commas
+  # "D",    # pydocstyle
+  # "DJ",   # flake8-django
+  # "EM",   # flake8-errmsg
+  # "ERA",  # eradicate
+  # "EXE",  # flake8-executable
+  # "FBT",  # flake8-boolean-trap
+  # "I",    # isort
+  # "INP",  # flake8-no-pep420
+  # "ISC",  # flake8-implicit-str-concat
+  # "N",    # pep8-naming
+  # "NPY",  # NumPy-specific rules
+  # "PD",   # pandas-vet
+  # "PGH",  # pygrep-hooks
+  # "PIE",  # flake8-pie
+  # "PT",   # flake8-pytest-style
+  # "PTH",  # flake8-use-pathlib
+  # "Q",    # flake8-quotes
+  # "RET",  # flake8-return
+  # "S",    # flake8-bandit
+  # "SIM",  # flake8-simplify
+  # "SLF",  # flake8-self
+  # "T20",  # flake8-print
+  # "TRY",  # tryceratops
+]
+lint.ignore = [
+  "E721",
+  "PLC1901",
+  "PLR0402",
+  "PLR1714",
+  "PLR2004",
+  "PLR5501",
+  "PLW0603",
+  "PLW2901",
+  "PYI024",
+  "RUF005",
+  "RUF012",
+  "UP031",
+]
+extend-exclude = ["pylib/packaging"]
+line-length = 88
+target-version = "py37"
+
+[tool.ruff.lint.mccabe]
+max-complexity = 101
+
+[tool.ruff.lint.pylint]
+max-args = 11
+max-branches = 108
+max-returns = 10
+max-statements = 286
+
+[tool.setuptools]
+package-dir = {"" = "pylib"}
+packages = ["gyp", "gyp.generator"]