eclipse / jbom

Apache License 2.0

StringIndexOutOfBoundsException with camel-base-engine jar #19

Closed ndjensen closed 1 year ago

ndjensen commented 1 year ago

jbom version: 1.2.1
Java version: OpenJDK 11

When I run jbom against a lib directory of dependencies, it logs a StringIndexOutOfBoundsException against the camel-base-engine jar.

2023-04-06 14:29:50:739 TRACE --- [jbom] Problem extracting metadata from META-INF/services/org/apache/camel/resource-resolver/gzip based on myDirectory/lib/org.apache.camel/camel-base-engine-3.14.1.jar. Continuing.
java.lang.StringIndexOutOfBoundsException: begin 0, end -1, length 57
    at java.base/java.lang.String.checkBoundsBeginEnd(String.java:3319)
    at java.base/java.lang.String.substring(String.java:1874)
    at com.contrastsecurity.Library.parsePath(Library.java:45)
    at com.contrastsecurity.Libraries.scanInner(Libraries.java:146)
    at com.contrastsecurity.Libraries.scan(Libraries.java:112)
    at com.contrastsecurity.Libraries.addAllLibraries(Libraries.java:87)
    at com.contrastsecurity.Libraries.runScan(Libraries.java:40)
    at com.contrastsecurity.Jbom.doLocalDirectory(Jbom.java:216)
    at com.contrastsecurity.Jbom.run(Jbom.java:113)
    at picocli.CommandLine.executeUserObject(CommandLine.java:1939)
    at picocli.CommandLine.access$1300(CommandLine.java:145)
    at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2358)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2352)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2314)
    at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
    at picocli.CommandLine$RunLast.execute(CommandLine.java:2316)
    at picocli.CommandLine.execute(CommandLine.java:2078)
    at com.contrastsecurity.Jbom.main(Jbom.java:73)

The sbom entry appears to generate successfully for that jar so this would be a very low priority to fix. I looked at the jar and don't see what's different about it than other jars, but I did not debug into jbom to understand the error deeper. To repeat the issue, you can download the offending jar here and run jbom with the -d directory argument: https://mvnrepository.com/artifact/org.apache.camel/camel-base-engine/3.14.1

planetlevel commented 1 year ago

Great bug report. Thanks. Turns out the parser was looking for files that end in .jar, war, ear, and zip. Notice the "." was left off war, ear, and zip. So your test jar file happens to have a jar entry that is simply named gzip. So the parser blew up. Your sbom should be fine. But it's fixed now anyway. Will pick this up in next release.
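A hypothetical Java reconstruction, added here and not jbom's actual `Library.parsePath`, of the suffix check planetlevel describes: the dot-less "zip" suffix makes the 57-character entry path ending in `gzip` look like an archive, after which `lastIndexOf('.')` returns -1 and `substring(0, -1)` throws; the guarded variant beside it rejects such names instead.

```java
import java.util.Arrays;
import java.util.List;

/** Hypothetical reconstruction of the archive-entry check; not jbom's code. */
public class ArchiveEntryCheck {

    // Suffix list as described in the issue: only ".jar" carries its dot,
    // so any name ending in "war", "ear" or "zip" (e.g. "gzip") matches.
    static final List<String> BUGGY_SUFFIXES = Arrays.asList(".jar", "war", "ear", "zip");

    // Corrected list: every suffix includes the leading dot.
    static final List<String> FIXED_SUFFIXES = Arrays.asList(".jar", ".war", ".ear", ".zip");

    static boolean isArchive(String entryName, List<String> suffixes) {
        for (String suffix : suffixes) {
            if (entryName.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /** Mirrors the failing call: strips the extension from an entry name. */
    static String baseName(String entryName) {
        int dot = entryName.lastIndexOf('.');
        // When the name has no '.', dot is -1 and substring(0, -1) throws
        // StringIndexOutOfBoundsException, exactly as in the reported trace.
        return entryName.substring(0, dot);
    }

    /** Guarded variant: refuse names without an extension instead of throwing on substring. */
    static String safeBaseName(String entryName) {
        int dot = entryName.lastIndexOf('.');
        if (dot <= 0) {
            throw new IllegalArgumentException("not an archive entry name: " + entryName);
        }
        return entryName.substring(0, dot);
    }

    public static void main(String[] args) {
        // Entry path taken from the issue's log line (57 characters, no '.' anywhere).
        String entry = "META-INF/services/org/apache/camel/resource-resolver/gzip";
        System.out.println("length: " + entry.length());
        System.out.println("buggy suffix list matches: " + isArchive(entry, BUGGY_SUFFIXES));
        System.out.println("fixed suffix list matches: " + isArchive(entry, FIXED_SUFFIXES));
        try {
            baseName(entry);
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("baseName threw: " + e.getMessage());
        }
    }
}
```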

planetlevel commented 1 year ago

Closed