fix(core): correct xml schema validation handling without needing external access (#8272)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>

Author: chadlwilson

core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -140,14 +140,6 @@ public class Engine implements FileFilter, AutoCloseable {
      * A reference to the database.
      */
     private CveDB database = null;
-    /**
-     * Used to store the value of
-     * System.getProperty("javax.xml.accessExternalSchema") - ODC may change the
-     * value of this system property at runtime. We store the value to reset the
-     * property to its original value.
-     */
-    private final String accessExternalSchema;
-
     /**
      * Creates a new {@link Mode#STANDALONE} Engine.
      *
@@ -188,8 +180,6 @@ public Engine(@NotNull final ClassLoader serviceClassLoader, @NotNull final Mode
         this.settings = settings;
         this.serviceClassLoader = serviceClassLoader;
         this.mode = mode;
-        this.accessExternalSchema = System.getProperty("javax.xml.accessExternalSchema");
-
         initializeEngine();
     }
 
@@ -215,11 +205,6 @@ public void close() {
                 database = null;
             }
         }
-        if (accessExternalSchema != null) {
-            System.setProperty("javax.xml.accessExternalSchema", accessExternalSchema);
-        } else {
-            System.clearProperty("javax.xml.accessExternalSchema");
-        }
         JCS.shutdown();
     }
 

core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java

@@ -263,6 +263,9 @@ private void loadHostedSuppressionBaseData(final SuppressionParser parser, final
                     HostedSuppressionsDataSource.DEFAULT_SUPPRESSIONS_URL);
             final URL url = new URL(configuredUrl);
             final String fileName = new File(url.getPath()).getName();
+            if (fileName.isBlank()) {
+                throw new IOException("Hosted Suppression URL must imply a filename");
+            }
             final File repoFile = new File(getSettings().getDataDirectory(), fileName);
             boolean repoEmpty = !repoFile.isFile() || repoFile.length() <= 1L;
             if (repoEmpty) {
@@ -333,18 +336,6 @@ private void loadCachedHostedSuppressionsRules(final SuppressionParser parser, f
         }
     }
 
-    private static boolean forceUpdateHostedSuppressions(final Engine engine, final File repoFile) {
-        final HostedSuppressionsDataSource ds = new HostedSuppressionsDataSource();
-        boolean repoEmpty = true;
-        try {
-            ds.update(engine);
-            repoEmpty = !repoFile.isFile() || repoFile.length() <= 1L;
-        } catch (UpdateException ex) {
-            LOGGER.warn("Failed to update the Hosted Suppression file", ex);
-        }
-        return repoEmpty;
-    }
-
     /**
      * Load a single suppression rules file from the path provided using the
      * parser provided.
@@ -407,19 +398,17 @@ private List<SuppressionRule> loadSuppressionFile(final SuppressionParser parser
                     }
                 }
             }
-            if (file != null) {
-                if (!file.exists()) {
-                    final String msg = String.format("Suppression file '%s' does not exist", file.getPath());
-                    LOGGER.warn(msg);
-                    throw new SuppressionParseException(msg);
-                }
-                try {
-                    list.addAll(parser.parseSuppressionRules(file));
-                } catch (SuppressionParseException ex) {
-                    LOGGER.warn("Unable to parse suppression xml file '{}'", file.getPath());
-                    LOGGER.warn(ex.getMessage());
-                    throw ex;
-                }
+            if (!file.exists()) {
+                final String msg = String.format("Suppression file '%s' does not exist", file.getPath());
+                LOGGER.warn(msg);
+                throw new SuppressionParseException(msg);
+            }
+            try {
+                list.addAll(parser.parseSuppressionRules(file));
+            } catch (SuppressionParseException ex) {
+                LOGGER.warn("Unable to parse suppression xml file '{}'", file.getPath());
+                LOGGER.warn(ex.getMessage());
+                throw ex;
             }
         } catch (DownloadFailedException ex) {
             throwSuppressionParseException("Unable to fetch the configured suppression file", ex, suppressionFilePath);

core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -407,9 +407,6 @@ public void prepareFileTypeAnalyzer(Engine engine) throws InitializationExceptio
     private File extractGrokAssembly() throws InitializationException {
         final File location;
         try (InputStream in = FileUtils.getResourceAsStream("GrokAssembly.zip")) {
-            if (in == null) {
-                throw new InitializationException("Unable to extract GrokAssembly.dll - file not found");
-            }
             location = FileUtils.createTempDirectory(getSettings().getTempDirectory());
             ExtractionUtil.extractFiles(in, location);
         } catch (ExtractionException ex) {

core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import org.jetbrains.annotations.VisibleForTesting;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -248,9 +249,6 @@ private void loadHintRules() throws HintParseException {
         final HintParser parser = new HintParser();
         File file = null;
         try (InputStream in = FileUtils.getResourceAsStream(HINT_RULE_FILE_NAME)) {
-            if (in == null) {
-                throw new HintParseException("Hint rules `" + HINT_RULE_FILE_NAME + "` could not be found");
-            }
             parser.parseHints(in);
         } catch (SAXException | IOException ex) {
             throw new HintParseException("Error parsing hints: " + ex.getMessage(), ex);
@@ -299,23 +297,19 @@ private void loadHintRules() throws HintParseException {
                     }
                 }
 
-                if (file == null) {
-                    throw new HintParseException("Unable to locate hints file:" + filePath);
-                } else {
-                    try {
-                        parser.parseHints(file);
-                        if (parser.getHintRules() != null && !parser.getHintRules().isEmpty()) {
-                            localHints.addAll(parser.getHintRules());
-                        }
-                        if (parser.getVendorDuplicatingHintRules() != null && !parser.getVendorDuplicatingHintRules().isEmpty()) {
-                            localVendorHints.addAll(parser.getVendorDuplicatingHintRules());
-                        }
-                    } catch (HintParseException ex) {
-                        LOGGER.warn("Unable to parse hint rule xml file '{}'", file.getPath());
-                        LOGGER.warn(ex.getMessage());
-                        LOGGER.debug("", ex);
-                        throw ex;
+                try {
+                    parser.parseHints(file);
+                    if (parser.getHintRules() != null && !parser.getHintRules().isEmpty()) {
+                        localHints.addAll(parser.getHintRules());
                     }
+                    if (parser.getVendorDuplicatingHintRules() != null && !parser.getVendorDuplicatingHintRules().isEmpty()) {
+                        localVendorHints.addAll(parser.getVendorDuplicatingHintRules());
+                    }
+                } catch (HintParseException ex) {
+                    LOGGER.warn("Unable to parse hint rule xml file '{}'", file.getPath());
+                    LOGGER.warn(ex.getMessage());
+                    LOGGER.debug("", ex);
+                    throw ex;
                 }
             } catch (DownloadFailedException ex) {
                 throw new HintParseException("Unable to fetch the configured hint file", ex);
@@ -334,4 +328,14 @@ private void loadHintRules() throws HintParseException {
         LOGGER.debug("{} hint rules were loaded.", hints.length);
         LOGGER.debug("{} duplicating hint rules were loaded.", vendorHints.length);
     }
+
+    @VisibleForTesting
+    HintRule[] getHintRules() {
+        return hints;
+    }
+
+    @VisibleForTesting
+    VendorDuplicatingHintRule[] getVendorDuplicatingHintRules() {
+        return vendorHints;
+    }
 }

core/src/main/java/org/owasp/dependencycheck/data/cache/DataCacheFactory.java

@@ -104,10 +104,6 @@ public DataCacheFactory(Settings settings) {
                     throw new CacheException("Unable to create disk cache: " + cacheDirectory);
                 }
                 try (InputStream in = FileUtils.getResourceAsStream(CACHE_PROPERTIES)) {
-                    if (in == null) {
-                        throw new RuntimeException("Cache properties `" + CACHE_PROPERTIES + "` could not be found");
-                    }
-
                     final Properties properties = new Properties();
                     properties.load(in);
                     properties.put("jcs.auxiliary.ODC.attributes.DiskPath", cacheDirectory.getCanonicalPath());

core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java

@@ -41,7 +41,6 @@
 import org.slf4j.LoggerFactory;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
-import org.xml.sax.XMLReader;
 
 import javax.annotation.concurrent.NotThreadSafe;
 import javax.xml.XMLConstants;
@@ -445,48 +444,31 @@ protected void processTemplate(String template, File file) throws ReportExceptio
      * @throws ReportException is thrown when an exception occurs
      */
     protected void processTemplate(String templateName, OutputStream outputStream) throws ReportException {
-        InputStream input = null;
-        String logTag;
-        final File f = new File(templateName);
         try {
+            String logTag;
+            InputStream input;
+            final File f = new File(templateName);
             if (f.isFile()) {
-                try {
-                    logTag = templateName;
-                    input = new FileInputStream(f);
-                } catch (FileNotFoundException ex) {
-                    throw new ReportException("Unable to locate template file: " + templateName, ex);
-                }
+                logTag = templateName;
+                input = new FileInputStream(f);
             } else {
                 logTag = "templates/" + templateName + ".vsl";
                 input = FileUtils.getResourceAsStream(logTag);
             }
-            if (input == null) {
-                logTag = templateName;
-                input = FileUtils.getResourceAsStream(templateName);
-            }
-            if (input == null) {
-                throw new ReportException("Template file doesn't exist: " + logTag);
-            }
 
             try (InputStreamReader reader = new InputStreamReader(input, StandardCharsets.UTF_8);
                  OutputStreamWriter writer = new OutputStreamWriter(outputStream, StandardCharsets.UTF_8)) {
                 if (!velocityEngine.evaluate(context, writer, logTag, reader)) {
                     throw new ReportException("Failed to convert the template into html.");
                 }
                 writer.flush();
-            } catch (UnsupportedEncodingException ex) {
-                throw new ReportException("Unable to generate the report using UTF-8", ex);
             }
+        } catch (UnsupportedEncodingException ex) {
+            throw new ReportException("Unable to generate the report using UTF-8", ex);
+        } catch (FileNotFoundException ex) {
+            throw new ReportException("Unable to locate template file: " + templateName, ex);
         } catch (IOException ex) {
             throw new ReportException("Unable to write the report", ex);
-        } finally {
-            if (input != null) {
-                try {
-                    input.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("Error closing input", ex);
-                }
-            }
         }
     }
 
@@ -513,9 +495,8 @@ private void ensureParentDirectoryExists(File file) throws ReportException {
      * Reformats the given XML file.
      *
      * @param path the path to the XML file to be reformatted
-     * @throws ReportException thrown if the given JSON file is malformed
      */
-    private void pretifyXml(String path) throws ReportException {
+    private void pretifyXml(String path) {
         final String outputPath = path + ".pretty";
         final File in = new File(path);
         final File out = new File(outputPath);
@@ -527,10 +508,7 @@ private void pretifyXml(String path) throws ReportException {
             transformer.setOutputProperty(OutputKeys.INDENT, "yes");
             transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
 
-            final SAXSource saxs = new SAXSource(new InputSource(path));
-            final XMLReader saxReader = XmlUtils.buildSecureSaxParser().getXMLReader();
-
-            saxs.setXMLReader(saxReader);
+            final SAXSource saxs = new SAXSource(XmlUtils.buildSecureXmlReader(), new InputSource(path));
             transformer.transform(saxs, new StreamResult(new OutputStreamWriter(os, StandardCharsets.UTF_8)));
         } catch (ParserConfigurationException | TransformerConfigurationException ex) {
             LOGGER.debug("Configuration exception when pretty printing", ex);
@@ -539,17 +517,7 @@ private void pretifyXml(String path) throws ReportException {
             LOGGER.debug("Malformed XML?", ex);
             LOGGER.error("Unable to generate pretty report, caused by: {}", ex.getMessage());
         }
-        if (out.isFile() && in.isFile() && in.delete()) {
-            try {
-                Thread.sleep(1000);
-                Files.move(out.toPath(), in.toPath());
-            } catch (IOException ex) {
-                LOGGER.error("Unable to generate pretty report, caused by: {}", ex.getMessage());
-            } catch (InterruptedException ex) {
-                Thread.currentThread().interrupt();
-                LOGGER.error("Unable to generate pretty report, caused by: {}", ex.getMessage());
-            }
-        }
+        replaceWithPrettified(out, in);
     }
 
     /**
@@ -581,10 +549,14 @@ private void pretifyJson(String pathToJson) throws ReportException {
             LOGGER.debug("Malformed JSON?", ex);
             throw new ReportException("Unable to generate json report", ex);
         }
-        if (out.isFile() && in.isFile() && in.delete()) {
+        replaceWithPrettified(out, in);
+    }
+
+    private void replaceWithPrettified(File prettified, File original) {
+        if (prettified.isFile() && original.isFile() && original.delete()) {
             try {
                 Thread.sleep(1000);
-                Files.move(out.toPath(), in.toPath());
+                Files.move(prettified.toPath(), original.toPath());
             } catch (IOException ex) {
                 LOGGER.error("Unable to generate pretty report, caused by: {}", ex.getMessage());
             } catch (InterruptedException ex) {

core/src/main/java/org/owasp/dependencycheck/xml/assembly/GrokParser.java

@@ -27,9 +27,8 @@
 import java.nio.charset.StandardCharsets;
 import javax.annotation.concurrent.ThreadSafe;
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
 
-import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.AutoCloseableInputSource;
 import org.owasp.dependencycheck.utils.XmlUtils;
 
 import org.slf4j.Logger;
@@ -38,6 +37,8 @@
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
 
+import static org.owasp.dependencycheck.utils.AutoCloseableInputSource.fromResource;
+
 /**
  * A simple validating parser for XML Grok Assembly XML files.
  *
@@ -80,10 +81,9 @@ public AssemblyData parse(File file) throws GrokParseException {
      * @throws GrokParseException thrown if the XML cannot be parsed
      */
     public AssemblyData parse(InputStream inputStream) throws GrokParseException {
-        try (InputStream schema = FileUtils.getResourceAsStream(GROK_SCHEMA)) {
+        try (AutoCloseableInputSource schema = fromResource(GROK_SCHEMA)) {
             final GrokHandler handler = new GrokHandler();
-            final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schema);
-            final XMLReader xmlReader = saxParser.getXMLReader();
+            final XMLReader xmlReader = XmlUtils.buildSecureValidatingXmlReader(schema);
             xmlReader.setErrorHandler(new GrokErrorHandler());
             xmlReader.setContentHandler(handler);
             try (Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {