
Regression: problem with some zip : ZipCoder MALFORMED

Open eballetbaz opened this issue 2 years ago • 7 comments

Describe the bug
A regression with version 8.0.2 has been found. Some zips throw java.lang.IllegalArgumentException: MALFORMED. These are the exact same symptoms as the old issue "#12 Problem with some zip-files". The files in the ZIP contain special characters like é (French accented e), ' (single quote) and - (dash). It was working with version 7.4.4.

Version of dependency-check used
The problem occurs using version 8.0.2 of the Maven plugin.

Log file

[INFO] Analysis Started
[WARNING] An unexpected error occurred during analysis of '/work/jenkins/workspace/****.zip' (Archive Analyzer): MALFORMED
[ERROR] 
java.lang.IllegalArgumentException: MALFORMED
    at java.util.zip.ZipCoder.toString (ZipCoder.java:58)
    at java.util.zip.ZipInputStream.readLOC (ZipInputStream.java:300)
    at java.util.zip.ZipInputStream.getNextEntry (ZipInputStream.java:122)
    at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractArchive (ArchiveAnalyzer.java:582)
    at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractFiles (ArchiveAnalyzer.java:457)
    at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractAndAnalyze (ArchiveAnalyzer.java:295)
    at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.analyzeDependency (ArchiveAnalyzer.java:277)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
    at java.lang.Thread.run (Thread.java:750)
[INFO] Finished Archive Analyzer (2 seconds)

To Reproduce
Steps to reproduce the behavior:

  1. Create a ZIP file with files having characters é (French accentuated e), ' (single quote) and - (dash)
  2. Run analysis

eballetbaz avatar Feb 08 '23 12:02 eballetbaz
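As an added illustration (not code from DependencyCheck or from this thread), the following Java program builds a small archive whose entry name is stored in ISO-8859-1, shows why the one-argument ZipInputStream constructor (which assumes UTF-8) rejects it with the IllegalArgumentException seen in the stack trace above, and demonstrates a read-then-fall-back pattern that still lists such archives. The class and method names and the choice of ISO-8859-1 as the fallback charset are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipNameCharsetDemo {
    // Constructed sample: one entry named "café.txt" written in ISO-8859-1, so the
    // name byte 0xE9 is not valid UTF-8 and the entry's UTF-8 (EFS) flag is unset.
    static byte[] buildLegacyZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos, StandardCharsets.ISO_8859_1)) {
            zos.putNextEntry(new ZipEntry("caf\u00e9.txt"));
            zos.write("hello".getBytes(StandardCharsets.US_ASCII));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    // List entry names decoded with the given charset. With UTF-8 (the one-argument
    // ZipInputStream default) the sample fails inside getNextEntry(), as in the trace.
    static List<String> entryNames(byte[] zip, Charset cs) throws IOException {
        List<String> names = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip), cs)) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                names.add(e.getName());
            }
        }
        return names;
    }

    // Lenient variant: try UTF-8 and, only on the decode failure, restart with a legacy
    // fallback charset. Restarting is required because a ZipInputStream cannot be rewound.
    static List<String> entryNamesLenient(byte[] zip, Charset fallback) throws IOException {
        try {
            return entryNames(zip, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedName) {
            return entryNames(zip, fallback);
        }
    }
    public static void main(String[] args) throws IOException {
        byte[] zip = buildLegacyZip();
        System.out.println(entryNamesLenient(zip, StandardCharsets.ISO_8859_1));
    }
}
```

The fallback charset is a guess: the ZIP format's legacy default is IBM437, and archives built by Windows tools often use the producer's locale code page, so a wrong fallback yields misdecoded names rather than an error.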

More likely you're suffering from an intentional change referenced in the release notes and before you just didn't notice it didn't work?:

ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive (https://github.com/jeremylong/DependencyCheck/pull/5371).

aikebah avatar Feb 08 '23 13:02 aikebah

I don't think so. I reverted to version 7.4.4 and there is no warning:

15:33:12 [INFO] Analysis Started
15:33:14 [INFO] Finished Archive Analyzer (2 seconds)
15:33:14 [INFO] Finished File Name Analyzer (0 seconds)
15:33:17 [INFO] Finished Jar Analyzer (2 seconds)
....

eballetbaz avatar Feb 08 '23 14:02 eballetbaz

The error would have been in the debug log - not output to the console.

jeremylong avatar Feb 09 '23 10:02 jeremylong

I'm seeing something similar in the gradle plugin, when scanning a zip file embedded in a war file. Is there a way to suppress this or configure it to ignore the nested zip file so the scan completes and reports other issues it might have discovered?

cmuchinsky avatar Feb 13 '23 20:02 cmuchinsky

It should still complete scanning. If the plugin is failing the build, you can set failOnError=false.

jeremylong avatar Feb 13 '23 23:02 jeremylong

See https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration.html

jeremylong avatar Feb 13 '23 23:02 jeremylong

The error would have been in the debug log - not output to the console.

Hi, the error still occurs with the latest version. How can I enable the debug log using the Maven plugin?

Thanks

eballetbaz avatar Dec 01 '23 13:12 eballetbaz