From 401d031ead08f8aaa05ae4ec4a98c870648e916c Mon Sep 17 00:00:00 2001
From: Jan Philipp <knallisworld@googlemail.com>
Date: Sat, 23 Dec 2023 13:05:36 +0100
Subject: [PATCH] fix: rework fix for closing input streams on errors correctly
 (#6338)

---
 .../data/update/nvd/api/NvdApiProcessor.java  | 46 ++++++++++---------
 1 file changed, 25 insertions(+), 21 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/update/nvd/api/NvdApiProcessor.java b/core/src/main/java/org/owasp/dependencycheck/data/update/nvd/api/NvdApiProcessor.java
index b01da9c3b69..6585da2df58 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/update/nvd/api/NvdApiProcessor.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/update/nvd/api/NvdApiProcessor.java
@@ -89,33 +89,37 @@ public NvdApiProcessor(final CveDB cveDB, File jsonFile) {
 
     @Override
     public NvdApiProcessor call() throws Exception {
-        try (CveItemSource<DefCveItem> itemSource = buildItemSource(jsonFile)) {
-            while (itemSource.hasNext()) {
-                DefCveItem entry = itemSource.next();
-                try {
-                    cveDB.updateVulnerability(entry, mapper.getEcosystem(entry));
-                } catch (Exception ex) {
-                    LOGGER.error("Failed to process " + entry.getCve().getId(), ex);
-                }
+        if (jsonFile.getName().endsWith(".jsonarray.gz")) {
+            try (InputStream fis = Files.newInputStream(jsonFile.toPath());
+                 InputStream is = new BufferedInputStream(new GZIPInputStream(fis));
+                 CveItemSource<DefCveItem> itemSource = new JsonArrayCveItemSource(is)) {
+                updateCveDb(itemSource);
+            }
+        } else if (jsonFile.getName().endsWith(".gz")) {
+            try (InputStream fis = Files.newInputStream(jsonFile.toPath());
+                 InputStream is = new BufferedInputStream(new GZIPInputStream(fis));
+                 CveItemSource<DefCveItem> itemSource = new CveApiJson20CveItemSource(is)) {
+                updateCveDb(itemSource);
+            }
+        } else {
+            try (InputStream fis = Files.newInputStream(jsonFile.toPath());
+                 InputStream is = new BufferedInputStream(fis);
+                 CveItemSource<DefCveItem> itemSource = new JsonArrayCveItemSource(is)) {
+                updateCveDb(itemSource);
             }
         }
         endTime = System.currentTimeMillis();
         return this;
     }
 
-    static CveItemSource<DefCveItem> buildItemSource(File file) throws IOException {
-        if (file.getName().endsWith(".jsonarray.gz")) {
-            return new JsonArrayCveItemSource(new BufferedInputStream(new GZIPInputStream(
-                    Files.newInputStream(file.toPath())
-            )));
-        } else if (file.getName().endsWith(".gz")) {
-            return new CveApiJson20CveItemSource(new BufferedInputStream(new GZIPInputStream(
-                    Files.newInputStream(file.toPath())
-            )));
-        } else {
-            return new JsonArrayCveItemSource(new BufferedInputStream(
-                    Files.newInputStream(file.toPath())
-            ));
+    private void updateCveDb(CveItemSource<DefCveItem> itemSource) throws IOException {
+        while (itemSource.hasNext()) {
+            DefCveItem entry = itemSource.next();
+            try {
+                cveDB.updateVulnerability(entry, mapper.getEcosystem(entry));
+            } catch (Exception ex) {
+                LOGGER.error("Failed to process " + entry.getCve().getId(), ex);
+            }
         }
     }