jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

InvalidPathException on archive file with filename ending in space #5385

Closed cheide-beta closed 1 year ago

cheide-beta commented 1 year ago

A DependencyCheck scan of a .war file that contains a file whose filename ends in a space throws an exception during scanning, on a Windows host system. The scanner does continue running, but exits with an error code and does not generate any output for that file.

The problem has occurred with both version 7.4.4 and 8.0.1 of the scanner, invoked through the Jenkins plugin, on a Windows Server 2019 host system.

This seems narrow enough that only this excerpt of the log file should be needed:

[DependencyCheck] [INFO] Analysis Started
[DependencyCheck] [WARN] An unexpected error occurred during analysis of 'C:\jenkins\work\<full path elided>\jasper\jasperserver.war' (Archive Analyzer): Trailing char < > at index 46: META-INF/services/javax.xml.xpath.XPathFactory 
[DependencyCheck] [ERROR] 
[DependencyCheck] java.nio.file.InvalidPathException: Trailing char < > at index 46: META-INF/services/javax.xml.xpath.XPathFactory 
[DependencyCheck]   at java.base/sun.nio.fs.WindowsPathParser.normalize(WindowsPathParser.java:191)
[DependencyCheck]   at java.base/sun.nio.fs.WindowsPathParser.parse(WindowsPathParser.java:153)
[DependencyCheck]   at java.base/sun.nio.fs.WindowsPathParser.parse(WindowsPathParser.java:77)
[DependencyCheck]   at java.base/sun.nio.fs.WindowsPath.parse(WindowsPath.java:92)
[DependencyCheck]   at java.base/sun.nio.fs.WindowsFileSystem.getPath(WindowsFileSystem.java:229)
[DependencyCheck]   at java.base/java.nio.file.Path.resolve(Path.java:515)
[DependencyCheck]   at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractArchive(ArchiveAnalyzer.java:587)
[DependencyCheck]   at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractFiles(ArchiveAnalyzer.java:453)
[DependencyCheck]   at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractAndAnalyze(ArchiveAnalyzer.java:293)
[DependencyCheck]   at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.analyzeDependency(ArchiveAnalyzer.java:275)
[DependencyCheck]   at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
[DependencyCheck]   at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
[DependencyCheck]   at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
[DependencyCheck]   at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
[DependencyCheck]   at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[DependencyCheck]   at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[DependencyCheck]   at java.base/java.lang.Thread.run(Thread.java:834)
[DependencyCheck] [INFO] Finished Archive Analyzer (40 seconds)

In this case, the META-INF/services/javax.xml.xpath.XPathFactory file within the archive actually does have a space at the end of its filename, verified by extracting it onto a Linux system.

To reproduce the problem, download the TIB_js-jrs-cp_8.1.1_bin.zip file from (https://sourceforge.net/projects/jasperserver/files/JasperServer/JasperReports%20Server%20Community%20Edition%20Service%20Pack%208.1.1), extract the jasperserver.war file from it, and scan it on a Windows host system.
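The failure in the trace above is `Path.resolve` on Windows rejecting an archive entry name with a trailing space, which takes down the analysis of the whole `.war`. The following is an added example, not dependency-check's own code, of an extraction loop that catches `InvalidPathException`, rewrites the offending entry name into something the Windows path parser accepts, records the rename so a report can still show the original name, and keeps the usual zip-slip guard so a rewritten name can never escape the destination directory. The class name `TolerantExtractor`, the `sanitize`/`extract` methods and the sample archive built in `main` are all assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Illustrative extractor (hypothetical, not the project's code) that survives host-invalid entry names. */
public final class TolerantExtractor {

    /** Records an entry whose name had to be rewritten before it could be written to disk. */
    public static final class Renamed {
        public final String original;
        public final String extractedAs;
        Renamed(String original, String extractedAs) { this.original = original; this.extractedAs = extractedAs; }
    }

    /**
     * Rewrites an entry name so each path segment is acceptable to the Windows path parser:
     * reserved characters become '_' and trailing spaces/dots (the case from this issue) are stripped.
     */
    static String sanitize(String entryName) {
        StringBuilder out = new StringBuilder();
        for (String segment : entryName.split("/")) {
            String s = segment.replaceAll("[<>:\"|?*\\p{Cntrl}]", "_");
            s = s.replaceAll("[ .]+$", "");          // Windows rejects a trailing space or dot
            if (s.isEmpty()) continue;                // drop segments that collapsed to nothing
            if (out.length() > 0) out.append('/');
            out.append(s);
        }
        return out.toString();
    }

    /** Extracts every entry under destDir; returns the entries that were renamed. */
    public static List<Renamed> extract(InputStream archive, Path destDir) throws IOException {
        List<Renamed> renamed = new ArrayList<>();
        Path root = destDir.toAbsolutePath().normalize();
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                String name = entry.getName();
                Path target;
                try {
                    target = root.resolve(name);               // throws on Windows for "foo.txt "
                } catch (InvalidPathException e) {
                    String safe = sanitize(name);
                    if (safe.isEmpty()) throw new IOException("Entry name unusable: '" + name + "'", e);
                    target = root.resolve(safe);
                    renamed.add(new Renamed(name, safe));
                }
                target = target.normalize();
                if (!target.startsWith(root)) {                 // zip-slip guard
                    throw new IOException("Entry escapes destination: " + name);
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zin.closeEntry();
            }
        }
        return renamed;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive with one entry whose name ends in a space,
        // mirroring the META-INF/services file reported in this issue.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bytes)) {
            zout.putNextEntry(new ZipEntry("META-INF/services/javax.xml.xpath.XPathFactory "));
            zout.write("com.example.Factory\n".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
        }
        Path dest = Files.createTempDirectory("tolerant-extract");
        List<Renamed> renamed = extract(new ByteArrayInputStream(bytes.toByteArray()), dest);
        // On Windows the entry lands under its sanitized name; on POSIX the original name is legal.
        System.out.println("Extracted to " + dest + "; renamed entries: " + renamed.size());
        for (Renamed r : renamed) {
            System.out.println("  '" + r.original + "' -> '" + r.extractedAs + "'");
        }
    }
}
```

Two things to keep in mind if you adopt this approach: the rename is only attempted after the host has rejected the name, so on Linux the same archive extracts unchanged and the scan results stay identical across platforms; and sanitizing can make two distinct entries (`foo` and `foo `) collide on disk, which is why the original name is kept in the `Renamed` record rather than silently discarded.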

mprins commented 1 year ago

It seems that path is not considered valid by your JVM on your filesystem; ODC does actually parse the file correctly, or you would get a file not found exception instead.