From 0da1463ff737934c8936bb1cf005dde6d53c8acf Mon Sep 17 00:00:00 2001
From: Hans Aikema
Date: Tue, 27 Aug 2024 20:59:56 +0200
Subject: [PATCH 1/5] chore(deprecation): Replace deprecated BOMInputStream constructor by its replacement

---
 .../dependencycheck/analyzer/MSBuildProjectAnalyzer.java | 6 +++---
 .../org/owasp/dependencycheck/xml/hints/HintParser.java | 2 +-
 .../java/org/owasp/dependencycheck/xml/pom/PomParser.java | 5 +++--
 .../dependencycheck/xml/suppression/SuppressionParser.java | 2 +-
 4 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzer.java
index c7a69aef755..6a67b07c3e4 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzer.java
@@ -150,7 +150,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 final List packages;
 try (FileInputStream fis = new FileInputStream(dependency.getActualFilePath());
- BOMInputStream bis = new BOMInputStream(fis)) {
+ BOMInputStream bis = BOMInputStream.builder().setInputStream(fis).get()) {
 //skip BOM if it exists
 bis.getBOM();
 packages = parser.parse(bis, props, centrallyManaged);
@@ -315,7 +315,7 @@ private Map readDirectoryBuildProps(File directoryProps) throws
 if (directoryProps != null && directoryProps.isFile()) {
 final DirectoryBuildPropsParser parser = new DirectoryBuildPropsParser();
 try (FileInputStream fis = new FileInputStream(directoryProps);
- BOMInputStream bis = new BOMInputStream(fis)) {
+ BOMInputStream bis = BOMInputStream.builder().setInputStream(fis).get()) {
 //skip BOM if it exists
 bis.getBOM();
 entries = parser.parse(bis);
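Review bot: The comment `//skip BOM if it exists` above `bis.getBOM()` in the analyzeDependency hunk now overstates what the stream does, because `BOMInputStream.builder()` keeps the replaced constructor's default of detecting only the UTF-8 byte-order mark, so a UTF-16 BOM would be handed to `parser.parse(...)` untouched. That is unchanged behaviour rather than a regression, but the builder makes the choice explicit and the comment should match it: `//skip the UTF-8 BOM if present; no other BOM is detected (builder default)`. If UTF-16 project files are meant to be tolerated, add `.setByteOrderMarks(ByteOrderMark.UTF_8, ByteOrderMark.UTF_16BE, ByteOrderMark.UTF_16LE)` before `.get()` (which needs `org.apache.commons.io.ByteOrderMark` imported in this file). The same comment sits in the other two `try` blocks of this file touched by the patch, and `analyzeDependency` continues outside the hunk.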
@@ -344,7 +344,7 @@ private Map loadCentrallyManaged(File folder, Properties props)
 if (packages != null && packages.isFile()) {
 final DirectoryPackagesPropsParser parser = new DirectoryPackagesPropsParser();
 try (FileInputStream fis = new FileInputStream(packages);
- BOMInputStream bis = new BOMInputStream(fis)) {
+ BOMInputStream bis = BOMInputStream.builder().setInputStream(fis).get()) {
 //skip BOM if it exists
 bis.getBOM();
 return parser.parse(bis, props);
diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java b/core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
index 2cc320fd664..6c54b8f4146 100644
--- a/core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
+++ b/core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
@@ -148,7 +148,7 @@ public void parseHints(InputStream inputStream) throws HintParseException, SAXEx
 InputStream schemaStream12 = FileUtils.getResourceAsStream(HINT_SCHEMA_1_2);
 InputStream schemaStream11 = FileUtils.getResourceAsStream(HINT_SCHEMA_1_1)) {
- final BOMInputStream bomStream = new BOMInputStream(inputStream);
+ final BOMInputStream bomStream = BOMInputStream.builder().setInputStream(inputStream).get();
 final ByteOrderMark bom = bomStream.getBOM();
 final String defaultEncoding = StandardCharsets.UTF_8.name();
 final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java b/core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
index 92c808f6334..e27fc335e0a 100644
--- a/core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
+++ b/core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
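Review bot: In the HintParser.parseHints hunk the ternary `bom == null ? defaultEncoding : bom.getCharsetName()` can only ever yield UTF-8 with the new line above it, because `BOMInputStream.builder()` detects just `ByteOrderMark.UTF_8` unless `setByteOrderMarks(...)` is called; that is the same default the replaced constructor had, so nothing regresses, but `charsetName` reads as if UTF-16 hint files were recognised when their BOM bytes are in fact passed through. Either say so on the new line, `// builder default: only the UTF-8 BOM is detected, so charsetName is always UTF-8`, or, if UTF-16 hint files are meant to be accepted, build with `BOMInputStream.builder().setInputStream(inputStream).setByteOrderMarks(ByteOrderMark.UTF_8, ByteOrderMark.UTF_16BE, ByteOrderMark.UTF_16LE).get()`. How `charsetName` is consumed is not visible, as `parseHints` starts before and continues after this hunk.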
@@ -111,7 +111,8 @@ public Model parse(InputStream inputStream) throws PomParseException {
 final XMLReader xmlReader = saxParser.getXMLReader();
 xmlReader.setContentHandler(handler);
- final BOMInputStream bomStream = new BOMInputStream(new XmlInputStream(new PomProjectInputStream(inputStream)));
+ final BOMInputStream bomStream = BOMInputStream.builder()
+ .setInputStream(new XmlInputStream(new PomProjectInputStream(inputStream))).get();
 final ByteOrderMark bom = bomStream.getBOM();
 final String defaultEncoding = StandardCharsets.UTF_8.name();
 final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
@@ -141,7 +142,7 @@ public Model parseWithoutDocTypeCleanup(InputStream inputStream) throws PomParse
 final XMLReader xmlReader = saxParser.getXMLReader();
 xmlReader.setContentHandler(handler);
- final BOMInputStream bomStream = new BOMInputStream(new XmlInputStream(inputStream));
+ final BOMInputStream bomStream = BOMInputStream.builder().setInputStream(new XmlInputStream(inputStream)).get();
 final ByteOrderMark bom = bomStream.getBOM();
 final String defaultEncoding = StandardCharsets.UTF_8.name();
 final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
index d56c32c07bf..edafaa044b2 100644
--- a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
+++ b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
@@ -106,7 +106,7 @@ public List parseSuppressionRules(InputStream inputStream)
 InputStream schemaStream11 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_1);
 InputStream schemaStream10 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_0)) {
- final BOMInputStream bomStream = new BOMInputStream(inputStream);
+ final BOMInputStream bomStream = BOMInputStream.builder().setInputStream(inputStream).get();
 final ByteOrderMark bom = bomStream.getBOM();
 final String defaultEncoding = StandardCharsets.UTF_8.name();
 final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();

From 5a1f274c41fbe79fcb6c5488fbf7e06bfb9da1e9 Mon Sep 17 00:00:00 2001
From: Hans Aikema
Date: Tue, 27 Aug 2024 22:32:02 +0200
Subject: [PATCH 2/5] chore(deprecation): Replace deprecated methods in ArchiveAnalyzer with their replacements

---
 .../owasp/dependencycheck/analyzer/ArchiveAnalyzer.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index 2c956c3f99b..7e7a113b6b0 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -28,7 +28,7 @@
 import org.apache.commons.compress.compressors.bzip2.BZip2Utils;
 import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
 import org.apache.commons.compress.compressors.gzip.GzipUtils;
-import org.apache.commons.compress.utils.IOUtils;
+import org.apache.commons.io.IOUtils;
 import org.eclipse.packager.rpm.RpmTag;
 import org.eclipse.packager.rpm.parse.RpmInputStream;
 import org.owasp.dependencycheck.Engine;
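Review bot: In the SuppressionParser.parseSuppressionRules hunk the new `BOMInputStream.builder().setInputStream(inputStream).get()` keeps the replaced constructor's UTF-8-only BOM list, so `bom.getCharsetName()` two lines below can never return anything but UTF-8 and a UTF-16 suppression file is passed on with its BOM bytes intact; suppression files are user-supplied input, so this limitation is worth stating where it is decided. A one-line comment on the new line, `// only the UTF-8 BOM is detected (builder default); other encodings are not sniffed`, is enough if UTF-8 is the documented requirement; otherwise add `.setByteOrderMarks(ByteOrderMark.UTF_8, ByteOrderMark.UTF_16BE, ByteOrderMark.UTF_16LE)` before `.get()`. The rest of `parseSuppressionRules`, including how `charsetName` is used, lies outside the hunk.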
@@ -460,7 +460,7 @@ private void extractFiles(File archive, File destination, Engine engine) throws
 tin = new TarArchiveInputStream(in);
 extractArchive(tin, destination, engine);
 } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
- final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
+ final String uncompressedName = GzipUtils.getUncompressedFileName(archive.getName());
 final File f = new File(destination, uncompressedName);
 if (engine.accept(f)) {
 final String destPath = destination.getCanonicalPath();
@@ -475,7 +475,7 @@ private void extractFiles(File archive, File destination, Engine engine) throws
 decompressFile(gin, f);
 }
 } else if ("bz2".equals(archiveExt) || "tbz2".equals(archiveExt)) {
- final String uncompressedName = BZip2Utils.getUncompressedFilename(archive.getName());
+ final String uncompressedName = BZip2Utils.getUncompressedFileName(archive.getName());
 final File f = new File(destination, uncompressedName);
 if (engine.accept(f)) {
 final String destPath = destination.getCanonicalPath();
@@ -728,7 +728,7 @@ private boolean isZipFileActuallyJarFile(Dependency dependency) {
 boolean isJar = false;
 ZipFile zip = null;
 try {
- zip = new ZipFile(dependency.getActualFilePath());
+ zip = ZipFile.builder().setFile(dependency.getActualFilePath()).get();
 if (zip.getEntry("META-INF/MANIFEST.MF") != null
 || zip.getEntry("META-INF/maven") != null) {
 final Enumeration entries = zip.getEntries();

From 4a56a78f64059c6f4b2e5202eb49f567ed9a17dd Mon Sep 17 00:00:00 2001
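Review bot: In the isZipFileActuallyJarFile hunk, the `ZipFile zip = null; try {` shape followed by an assignment inside the `try` is the pre-builder idiom; now that `zip` comes from `ZipFile.builder()...get()`, try-with-resources is the cleaner form: `try (ZipFile zip = ZipFile.builder().setFile(dependency.getActualFilePath()).get()) {` with the `ZipFile zip = null;` line dropped. `ZipFile` is `Closeable`, so this also removes the manual close that presumably sits in a `finally` below the hunk, which is not visible here. The builder's `get()` declares `IOException`; the old `new ZipFile(String)` did too, so the existing catch clauses should already cover it, but that part of `isZipFileActuallyJarFile` is also outside the hunk.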
From: Hans Aikema Date: Tue, 27 Aug 2024 22:59:08 +0200 Subject: [PATCH 3/5] chore(deprecations): Remove deprecated forceJavacCompilerUse from maven-compiler-plugin configuration forceJavacCompilerUse was introduced in the past as part of configuring Google ErrorProne. Google ErrorProne was (temporarily) removed in 2020, but even when introducing it again the current configuration instructions for using ErrorProne with maven no longer require this flag to be set as per https://errorprone.info/docs/installation So rather than using the new flag forceLegacyJavacApi it's better to remove it --- pom.xml | 1 - 1 file changed, 1 deletion(-) diff --git a/pom.xml b/pom.xml index 535af719c9a..f369c053d14 100644 --- a/pom.xml +++ b/pom.xml @@ -440,7 +440,6 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-compiler-plugin - true true 8 From bb144c790d316238ddaf39fa60953f93b0d7ad4a Mon Sep 17 00:00:00 2001 From: Hans Aikema Date: Tue, 27 Aug 2024 23:21:02 +0200 Subject: [PATCH 4/5] chore(deprecations): Fixup deprecated method usage in CveApiJson20CveItemSource.java --- .../data/update/nvd/api/CveApiJson20CveItemSource.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/java/org/owasp/dependencycheck/data/update/nvd/api/CveApiJson20CveItemSource.java b/core/src/main/java/org/owasp/dependencycheck/data/update/nvd/api/CveApiJson20CveItemSource.java index 26b7bd19b7e..618bdc86676 100644 --- a/core/src/main/java/org/owasp/dependencycheck/data/update/nvd/api/CveApiJson20CveItemSource.java +++ b/core/src/main/java/org/owasp/dependencycheck/data/update/nvd/api/CveApiJson20CveItemSource.java 
@@ -45,7 +45,7 @@ public CveApiJson20CveItemSource(InputStream inputStream) throws IOException {
 do {
 token = jsonParser.nextToken();
 if (token == JsonToken.FIELD_NAME) {
- String fieldName = jsonParser.getCurrentName();
+ String fieldName = jsonParser.currentName();
 if (fieldName.equals("vulnerabilities") && (jsonParser.nextToken() == JsonToken.START_ARRAY)) {
 nextItem = readItem(jsonParser);
 }

From 56735e7c1339e94fba3df5347ef417c382136b4b Mon Sep 17 00:00:00 2001
From: Hans Aikema
Date: Tue, 27 Aug 2024 23:22:57 +0200
Subject: [PATCH 5/5] chore(deprecations): Fixup deprecated method usage in BaseDBTestCase

---
 .../src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java b/core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java
index 9ececeb49d4..1fa9d365732 100644
--- a/core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java
+++ b/core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java
@@ -24,7 +24,7 @@
 import java.io.FileOutputStream;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
-import org.apache.commons.compress.utils.IOUtils;
+import org.apache.commons.io.IOUtils;
 import org.junit.Before;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseManager;
 import org.owasp.dependencycheck.utils.WriteLock;
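Review bot: In the CveApiJson20CveItemSource hunk, `jsonParser.currentName()` is compared against `"vulnerabilities"` for every FIELD_NAME token the scan meets, and as far as the hunk shows nothing restricts the match to the top-level response object: the fields passed over are not skipped with `skipChildren()`, so a nested object appearing before `vulnerabilities` that happens to contain a field of the same name would be taken as the array. Whether the NVD 2.0 feed can ever contain such a field cannot be verified here, so the assumption at least deserves a comment on the `if`: `// assumes the first "vulnerabilities" field seen is the top-level array of the response`. If it should be enforced, the parser's context (`jsonParser.getParsingContext()`) can be checked for the expected nesting level before accepting the match. The do/while condition and the rest of the constructor are outside the hunk.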