@@ -107,94 +107,93 @@ def analyze_jar_file(path_to_find_bin):
107107 owasp_items = {}
108108 remove_vulnerability_items = []
109109 vulnerability_items = {}
110+ success = True
110111
111- try :
112- command = ['dependency-check' , '--scan' , f'{ path_to_find_bin } ' , '--out' , f'{ path_to_find_bin } ' ,
113- '--disableArchive' , '--disableAssembly' , '--disableRetireJS' , '--disableNodeJS' ,
114- '--disableNodeAudit' , '--disableNugetconf' , '--disableNuspec' , '--disableOpenSSL' ,
115- '--disableOssIndex' , '--disableBundleAudit' , '--cveValidForHours' , '24' , '-f' , 'ALL' ]
116- run_analysis (command , dependency_check_run )
112+ command = ['dependency-check' , '--scan' , f'{ path_to_find_bin } ' , '--out' , f'{ path_to_find_bin } ' ,
113+ '--disableArchive' , '--disableAssembly' , '--disableRetireJS' , '--disableNodeJS' ,
114+ '--disableNodeAudit' , '--disableNugetconf' , '--disableNuspec' , '--disableOpenSSL' ,
115+ '--disableOssIndex' , '--disableBundleAudit' , '--cveValidForHours' , '24' , '-f' , 'ALL' ]
116+ run_analysis (command , dependency_check_run )
117117
118+ try :
118119 json_file = os .path .join (path_to_find_bin , 'dependency-check-report.json' )
120+ with open (json_file , 'r' ) as f :
121+ jar_contents = json .load (f )
122+ except Exception as ex :
123+ logger .debug (f"Error to read dependency-check-report.json file : { ex } " )
124+ success = False
125+ return
119126
120- try :
121- with open (json_file , 'r' ) as f :
122- jar_contents = json .load (f )
123-
124- dependencies = jar_contents .get ("dependencies" )
125- for val in dependencies :
126- bin_with_path = ""
127- oss_name = ""
128- oss_ver = ""
129- oss_artifactid = ""
130- oss_groupid = ""
131- oss_dl_url = ""
132- oss_license = get_oss_lic_in_jar (val )
133- get_oss_info = False
134-
135- all_evidence = val .get ("evidenceCollected" )
136- vulnerability = val .get ("vulnerabilityIds" )
137- vendor_evidences = all_evidence .get ('vendorEvidence' )
138- product_evidences = all_evidence .get ('productEvidence' )
139- version_evidences = all_evidence .get ('versionEvidence' )
140-
141- # Check if the file is .jar file
142- # Even if the oss info is from pom.xml in jar file, the file name will be .jar file.
143- # But the oss info from pom.xml could be different from .jar file.
144- bin_with_path = val .get ("filePath" )
145- if not bin_with_path .endswith ('.jar' ):
146- bin_with_path = bin_with_path .split ('.jar' )[0 ] + '.jar'
147-
148- file_with_path = os .path .relpath (bin_with_path , path_to_find_bin )
149- # Get Version info from versionEvidence
150- for version_info in version_evidences :
151- oss_ver = get_oss_ver (version_info )
152-
153- # Get Artifact ID, Group ID, OSS Name from vendorEvidence
154- for vendor_info in vendor_evidences :
155- # Get OSS Info from POM
156- if vendor_info ['source' ] == 'pom' :
157- if vendor_info ['name' ] == 'artifactid' :
158- oss_artifactid = vendor_info ['value' ]
159- if vendor_info ['name' ] == 'groupid' :
160- oss_groupid = vendor_info ['value' ]
161- if vendor_info ['name' ] == 'url' :
162- oss_dl_url = vendor_info ['value' ]
163- if oss_artifactid != "" and oss_groupid != "" :
164- oss_name = f"{ oss_groupid } :{ oss_artifactid } "
165-
166- # Check if get oss_name and version from pom
167- if oss_name != "" and oss_ver != "" :
168- get_oss_info = True
169-
170- # If there is no pom.mxl in .jar file, get oss info from MANIFEST.MF file
171- if get_oss_info is False :
172- for product_info in product_evidences :
173- if product_info ['source' ] == 'Manifest' :
174- if oss_name == "" and (product_info ['name' ] == 'Implementation-Title' or product_info ['name' ] == 'specification-title' ):
175- oss_name = product_info ['value' ]
176- if oss_ver == "" and (product_info ['name' ] == 'Implementation-Version' or product_info ['name' ] == 'Bundle-Version' ):
177- oss_ver = product_info ['value' ]
178-
179- # Get Vulnerability Info.
180- try :
181- vulnerability_items = get_vulnerability_info (file_with_path , vulnerability , vulnerability_items , remove_vulnerability_items )
182- except Exception as ex :
183- logger .info (f"Error to get vulnerability Info. : { ex } " )
184-
185- if oss_name != "" or oss_ver != "" or oss_license != "" or oss_dl_url != "" :
186- oss = OssItem (oss_name , oss_ver , oss_license , oss_dl_url )
187- oss .set_comment ("OWASP Result. " )
188-
189- remove_owasp_item = owasp_items .get (file_with_path )
190- if remove_owasp_item :
191- remove_owasp_item .append (oss )
192- else :
193- owasp_items [file_with_path ] = [oss ]
194-
195- except Exception as ex :
196- logger .warning (f"Error to read json file : { ex } " )
127+ dependencies = jar_contents .get ("dependencies" )
128+ try :
129+ for val in dependencies :
130+ bin_with_path = ""
131+ oss_name = ""
132+ oss_ver = ""
133+ oss_artifactid = ""
134+ oss_groupid = ""
135+ oss_dl_url = ""
136+ oss_license = get_oss_lic_in_jar (val )
137+ get_oss_info = False
138+
139+ all_evidence = val .get ("evidenceCollected" )
140+ vulnerability = val .get ("vulnerabilityIds" )
141+ vendor_evidences = all_evidence .get ('vendorEvidence' )
142+ product_evidences = all_evidence .get ('productEvidence' )
143+ version_evidences = all_evidence .get ('versionEvidence' )
144+
145+ # Check if the file is .jar file
146+ # Even if the oss info is from pom.xml in jar file, the file name will be .jar file.
147+ # But the oss info from pom.xml could be different from .jar file.
148+ bin_with_path = val .get ("filePath" )
149+ if not bin_with_path .endswith ('.jar' ):
150+ bin_with_path = bin_with_path .split ('.jar' )[0 ] + '.jar'
151+
152+ file_with_path = os .path .relpath (bin_with_path , path_to_find_bin )
153+ # Get Version info from versionEvidence
154+ for version_info in version_evidences :
155+ oss_ver = get_oss_ver (version_info )
156+
157+ # Get Artifact ID, Group ID, OSS Name from vendorEvidence
158+ for vendor_info in vendor_evidences :
159+ # Get OSS Info from POM
160+ if vendor_info ['source' ] == 'pom' :
161+ if vendor_info ['name' ] == 'artifactid' :
162+ oss_artifactid = vendor_info ['value' ]
163+ if vendor_info ['name' ] == 'groupid' :
164+ oss_groupid = vendor_info ['value' ]
165+ if vendor_info ['name' ] == 'url' :
166+ oss_dl_url = vendor_info ['value' ]
167+ if oss_artifactid != "" and oss_groupid != "" :
168+ oss_name = f"{ oss_groupid } :{ oss_artifactid } "
169+
170+ # Check if get oss_name and version from pom
171+ if oss_name != "" and oss_ver != "" :
172+ get_oss_info = True
173+
174+ # If there is no pom.mxl in .jar file, get oss info from MANIFEST.MF file
175+ if get_oss_info is False :
176+ for product_info in product_evidences :
177+ if product_info ['source' ] == 'Manifest' :
178+ if oss_name == "" and (product_info ['name' ] == 'Implementation-Title' or product_info ['name' ] == 'specification-title' ):
179+ oss_name = product_info ['value' ]
180+ if oss_ver == "" and (product_info ['name' ] == 'Implementation-Version' or product_info ['name' ] == 'Bundle-Version' ):
181+ oss_ver = product_info ['value' ]
182+
183+ # Get Vulnerability Info.
184+ vulnerability_items = get_vulnerability_info (file_with_path , vulnerability , vulnerability_items , remove_vulnerability_items )
185+
186+ if oss_name != "" or oss_ver != "" or oss_license != "" or oss_dl_url != "" :
187+ oss = OssItem (oss_name , oss_ver , oss_license , oss_dl_url )
188+ oss .set_comment ("OWASP Result. " )
189+
190+ remove_owasp_item = owasp_items .get (file_with_path )
191+ if remove_owasp_item :
192+ remove_owasp_item .append (oss )
193+ else :
194+ owasp_items [file_with_path ] = [oss ]
197195 except Exception as ex :
198- logger .warning (f"Error to use dependency-check : { ex } " )
196+ logger .debug (f"Error to get depency Info in jar_contets: { ex } " )
197+ success = False
199198
200- return owasp_items , vulnerability_items
199+ return owasp_items , vulnerability_items , success
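Review bot: The early `return` at new line 125 returns None rather than the `(owasp_items, vulnerability_items, success)` triple the function now returns at line 199, so a caller that unpacks the result will fail with a TypeError on exactly the read-error path the new `success` flag was meant to report; change it to `return owasp_items, vulnerability_items, success`. Moving `command` and the `run_analysis` call out of the `try` (lines 112–116) also means an exception raised while running dependency-check now propagates instead of being logged as it was before, unless `run_analysis` catches internally — that is not visible here. The per-dependency `try/except` around `get_vulnerability_info` was dropped, so one bad entry now aborts the whole loop and discards the items collected so far rather than skipping that entry; if that is intentional, a one-line comment above the `for` saying so would help the next reader. The log message at line 196 has typos: `logger.debug(f"Error to get dependency Info in jar_contents: {ex}")`. analyze_jar_file's signature lies outside the hunk.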