
PE Analyzer Index 3968 out of bounds for length 3968

Open 31deR opened this issue 2 years ago • 4 comments

Hello!

Describe the bug
Trying to scan this artefact https://repo.maven.apache.org/maven2/org/wildfly/wildfly-dist/26.0.1.Final/wildfly-dist-26.0.1.Final.zip I got this error:

An unexpected error occurred during analysis of '/var/folders/vy/dhppcn5d3ws8p8m03kjpt0s1gsp2ts/T/dctemp4fb7edfc-55e3-4423-ba6d-98c6f8a5cd9f/check5523144844114864788tmp/1/wildfly-26.0.1.Final/docs/contrib/scripts/service/amd64/wildfly-service.exe' (PE Analyzer): Index 3968 out of bounds for length 3968

When I try to scan wildfly-service.exe extracted manually from the archive, there is no such problem:

7-0-4/bin/dependency-check.sh --scan /Users/user/PycharmProjects/Tools/scanners/target/wildfly-service.exe --format HTML --enableExperimental --noupdate --disableOssIndex --disableNodeJS --retireJsUrl http://127.0.0.1:8000/jsrepository/ --out report/wildfly-service.exe.html

[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (0 seconds)
[INFO] Finished PE Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished NPM CPE Analyzer (1 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (3 seconds)
[INFO] Writing report to: /Users/user/PycharmProjects/Tools/scanners/odc/report/wildfly-service.exe.html

Process finished with exit code 0

Version of dependency-check used
The problem occurs using version 7.0.4 of the CLI.

Log file
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (12 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (1 seconds)
[INFO] Finished Central Analyzer (66 seconds)
[INFO] Finished Assembly Analyzer (0 seconds)
[INFO] Finished Python Distribution Analyzer (0 seconds)
[WARN] An unexpected error occurred during analysis of '/var/folders/vy/dhppcn5d3ws8p8m03kjpt0s1gsp2ts/T/dctemp4fb7edfc-55e3-4423-ba6d-98c6f8a5cd9f/check5523144844114864788tmp/1/wildfly-26.0.1.Final/docs/contrib/scripts/service/amd64/wildfly-service.exe' (PE Analyzer): Index 3968 out of bounds for length 3968
[ERROR] java.lang.ArrayIndexOutOfBoundsException: Index 3968 out of bounds for length 3968
    at org.boris.pecoff4j.io.ByteArrayDataReader.read(ByteArrayDataReader.java:61)
    at org.owasp.dependencycheck.utils.PEParser.readResourceEntry(PEParser.java:754)
    at org.owasp.dependencycheck.utils.PEParser.readResourceDirectory(PEParser.java:721)
    at org.owasp.dependencycheck.utils.PEParser.readResourceEntry(PEParser.java:742)
    at org.owasp.dependencycheck.utils.PEParser.readResourceDirectory(PEParser.java:721)
    at org.owasp.dependencycheck.utils.PEParser.readResourceEntry(PEParser.java:742)
    at org.owasp.dependencycheck.utils.PEParser.readResourceDirectory(PEParser.java:721)
    at org.owasp.dependencycheck.utils.PEParser.readResourceDirectory(PEParser.java:711)
    at org.owasp.dependencycheck.utils.PEParser.readImageData(PEParser.java:392)
    at org.owasp.dependencycheck.utils.PEParser.readSection(PEParser.java:508)
    at org.owasp.dependencycheck.utils.PEParser.read(PEParser.java:87)
    at org.owasp.dependencycheck.utils.PEParser.parse(PEParser.java:52)
    at org.owasp.dependencycheck.utils.PEParser.parse(PEParser.java:48)
    at org.owasp.dependencycheck.analyzer.PEAnalyzer.analyzeDependency(PEAnalyzer.java:160)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
    at java.base/java.lang.Thread.run(Thread.java:832)
[INFO] Finished PE Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished NPM CPE Analyzer (1 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (5 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
00:00 INFO: Vulnerability found: bootstrap below 3.4.1
00:00 INFO: Vulnerability found: bootstrap below 3.4.0
00:00 INFO: Vulnerability found: bootstrap below 3.4.0
00:00 INFO: Vulnerability found: bootstrap below 3.4.0
00:00 INFO: Vulnerability found: jquery below 3.0.0-beta1
00:00 INFO: Vulnerability found: jquery below 2.2.0
00:00 INFO: Vulnerability found: jquery below 3.4.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
00:00 INFO: Vulnerability found: moment.js below 2.11.2
00:01 INFO: Vulnerability found: jquery below 3.5.0
00:01 INFO: Vulnerability found: jquery below 3.5.0
00:01 INFO: Vulnerability found: jquery below 3.5.0
00:01 INFO: Vulnerability found: jquery below 3.5.0
[INFO] Finished RetireJS Analyzer (13 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (1 seconds)
[INFO] Analysis Complete (107 seconds)
[INFO] Writing report to: /Users/user/PycharmProjects/Tools/scanners/odc/report/exe.html
[ERROR] Index 3968 out of bounds for length 3968

Process finished with exit code 0

To Reproduce
Scan https://repo.maven.apache.org/maven2/org/wildfly/wildfly-dist/26.0.1.Final/wildfly-dist-26.0.1.Final.zip

Expected behavior
ODC report

31deR, Apr 22 '22 15:04
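The stack trace above shows the failure inside the recursive readResourceDirectory/readResourceEntry walk, where a ByteArrayDataReader read lands at index 3968 of a 3968-byte buffer, i.e. at the end of the data it was given. The following is an added example, not code from dependency-check or pecoff4j, written in Python rather than the project's Java: the same three-level resource-directory walk with every read bounds-checked against the section data and with depth and cycle guards, so that an entry whose offset is at or past the end of the data surfaces as a clean parse error instead of an out-of-bounds exception. The structure layouts follow the PE/COFF IMAGE_RESOURCE_DIRECTORY and IMAGE_RESOURCE_DIRECTORY_ENTRY definitions; the sample buffers are constructed for the example.

```python
import struct

DIR_HDR = struct.Struct("<IIHHHH")  # IMAGE_RESOURCE_DIRECTORY, 16 bytes
ENTRY = struct.Struct("<II")        # IMAGE_RESOURCE_DIRECTORY_ENTRY, 8 bytes
SUBDIR_FLAG = 0x80000000            # high bit set: offset names a subdirectory
MAX_DEPTH = 3                       # type / name / language levels

class MalformedResources(ValueError):
    """Clean parse error raised instead of an out-of-bounds read."""

def _read(fmt, data, off):
    # Every read is checked against the section length before it happens
    if off < 0 or off + fmt.size > len(data):
        raise MalformedResources(f"{fmt.size}-byte read at {off} exceeds length {len(data)}")
    return fmt.unpack_from(data, off)

def walk_resource_dir(data, off=0, depth=0, seen=None):
    """Return {id_field: subtree_or_data_entry_offset}; offsets are .rsrc-relative."""
    seen = set() if seen is None else seen
    if depth > MAX_DEPTH:
        raise MalformedResources("resource tree deeper than the three PE levels")
    if off in seen:
        raise MalformedResources(f"directory at {off} revisited (cycle)")
    seen.add(off)
    _, _, _, _, n_named, n_id = _read(DIR_HDR, data, off)
    tree, entry_off = {}, off + DIR_HDR.size
    for _ in range(n_named + n_id):
        name, target = _read(ENTRY, data, entry_off)
        entry_off += ENTRY.size
        if target & SUBDIR_FLAG:
            tree[name] = walk_resource_dir(data, target & ~SUBDIR_FLAG, depth + 1, seen)
        else:
            tree[name] = target  # offset of the IMAGE_RESOURCE_DATA_ENTRY
    return tree

def is_well_formed(data):
    try:
        walk_resource_dir(data)
        return True
    except MalformedResources:
        return False

def _dir(entries):  # build one directory block holding id entries only
    return DIR_HDR.pack(0, 0, 0, 0, 0, len(entries)) + b"".join(ENTRY.pack(n, t) for n, t in entries)

# Constructed samples: a valid root -> subdir (0x18) -> data entry (0x30) tree,
# a root whose subdir offset equals the section length, and a self-referencing root
GOOD = _dir([(16, SUBDIR_FLAG | 0x18)]) + _dir([(1, 0x30)]) + b"\0" * 16
TRUNCATED = _dir([(16, SUBDIR_FLAG | 0x18)])
CYCLE = _dir([(16, SUBDIR_FLAG | 0x00)])
```

The TRUNCATED buffer reproduces the shape of the reported message: its only entry points at offset 24 of a 24-byte section, so an unchecked reader would fault exactly at index len(data).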

> When I try to scan wildfly-service.exe extracted manually from the archive, there is no such problem:
>
> 7-0-4/bin/dependency-check.sh --scan /Users/user/PycharmProjects/Tools/scanners/target/wildfly-service.exe --format HTML --enableExperimental --noupdate --disableOssIndex --disableNodeJS --retireJsUrl http://127.0.0.1:8000/jsrepository/ --out report/wildfly-service.exe.html

For me it yields the same result as scanning the entire zipfile. Which to me is no surprise as there should be no difference as it is scanning the same executable.

aikebah, Apr 24 '22 19:04

We actually use https://github.com/whitesource/pecoff4j-maven, which is archived. We could switch to https://github.com/kichik/pecoff4j (mvn repo: https://mvnrepository.com/artifact/com.kichik.pecoff4j/pecoff4j), which got more recent updates.

Issue has been reported on the new project: https://github.com/kichik/pecoff4j/issues/7

nhumblot, Aug 10 '22 00:08