burp-retire-js

ScannerFacade#getFilename not working properly on Windows

Open GunoH opened this issue 2 years ago • 2 comments

The ScannerFacade#getFilename method uses a hard-coded '/' as path separator, causing the method not to work properly on Windows, as Windows uses backslashes as path separator.

// Only '/' is searched for; a backslash-separated Windows path never matches.
private static String getFilename(String path) {
    int lastSlash = path.lastIndexOf('/');
    if(lastSlash < 0) lastSlash = 0;
    return path.substring(lastSlash+1);
}

In this code, the lastSlash variable will always be 0, as a Windows path (or filename) cannot contain forward slashes.

It probably should use something like File.pathSeparator instead of the hard-coded '/'.

GunoH, Aug 16 '22 08:08

In which context (Burp, ZAP or Maven) are you getting the bug? I assume it must be with the Maven integration.

h3xstream, Nov 07 '22 16:11

@h3xstream Sorry for taking that long to respond; only seeing your question now.

This happens to me when I run the DependencyCheck Gradle plugin on my project. Retirejs is unable to parse the filename/version number for one of my dependencies correctly because of this, leading to a false positive.

To be more specific: when com.h3xstream.retirejs.repo.ScannerFacade#getFilename is handed a path like c:\a\b\123\myapp\libs\somelib.min.js, it returns :\a\b\123\myapp\libs\somelib.min.js. Subsequently VulnerabilitiesRepository#findByFileName wrongfully assumes the library version is 123.

GunoH, Jun 01 '23 01:06
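The following is an added example, not code from the retire.js project: it puts the original getFilename next to a separator-agnostic version and runs both on the Windows path quoted in this issue. It checks for both '/' and '\\' rather than File.separator, since a scanner running on Linux may still be handed paths recorded by a Windows build; the class and method names are illustrative.

```java
// Added example (not the project's code): separator-agnostic getFilename
// compared with the original, on the path reported in this issue.
public class FilenameDemo {

    // Original behaviour: only '/' counts as a separator, and a path without
    // one falls through to substring(1), silently dropping the first character.
    static String getFilenameOriginal(String path) {
        int lastSlash = path.lastIndexOf('/');
        if (lastSlash < 0) lastSlash = 0;
        return path.substring(lastSlash + 1);
    }

    // Fixed version: treat both '/' and '\\' as separators regardless of the
    // host OS. A path with no separator is returned unchanged; a path ending
    // in a separator yields an empty name, which the caller should reject
    // rather than feed to version parsing.
    static String getFilenameFixed(String path) {
        int lastSep = Math.max(path.lastIndexOf('/'), path.lastIndexOf('\\'));
        return lastSep < 0 ? path : path.substring(lastSep + 1);
    }

    public static void main(String[] args) {
        // Constructed inputs; the first is the path quoted in the issue.
        String[] inputs = {
            "c:\\a\\b\\123\\myapp\\libs\\somelib.min.js",
            "/opt/app/libs/somelib.min.js",
            "somelib.min.js",
            "c:\\a\\b\\123\\myapp\\libs\\"
        };
        for (String p : inputs) {
            System.out.printf("%-42s original=%-42s fixed=%s%n",
                    p, getFilenameOriginal(p), getFilenameFixed(p));
        }
    }
}
```

With the original method the first input keeps the directory "123" in the returned name, which is what lets findByFileName mistake it for a version; the fixed method returns only somelib.min.js.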