eclipse/jbom

jbom 1.1 fails to scan dirs with URL encoded characters in name

tellison opened this issue · 1 comment

jbom appears to be over-eagerly URL-decoding directory names so that this works:

$ java -jar jbom-1.1.jar -f test/test.jar 
2022-03-14 14:52:52:974 TRACE --- [jbom] 
2022-03-14 14:52:52:975 TRACE --- [jbom]                       _ __
2022-03-14 14:52:52:975 TRACE --- [jbom]                      (_) /_  ____  ____ ___
2022-03-14 14:52:52:975 TRACE --- [jbom]                     / / __ \/ __ \/ __ `__ \
2022-03-14 14:52:52:975 TRACE --- [jbom]                    / / /_/ / /_/ / / / / / /
2022-03-14 14:52:52:975 TRACE --- [jbom]                 __/ /_.___/\____/_/ /_/ /_/
2022-03-14 14:52:52:976 TRACE --- [jbom]                /___/
2022-03-14 14:52:52:976 TRACE --- [jbom] 
2022-03-14 14:52:52:976 TRACE --- [jbom]      by Contrast Security - https://contrastsecurity.com
2022-03-14 14:52:52:976 TRACE --- [jbom] 
2022-03-14 14:52:52:976 TRACE --- [jbom]       jbom generates SBOMs for all JVMs running on a host
2022-03-14 14:52:52:976 TRACE --- [jbom]          https://github.com/Contrast-Security-OSS/jbom
2022-03-14 14:52:52:977 TRACE --- [jbom] 
2022-03-14 14:52:52:977 TRACE --- [jbom] Analyzing file test/test.jar
2022-03-14 14:52:53:093 TRACE --- [jbom] Saving SBOM with 1 components to /Users/tellison/sbom/jbom-test.json
2022-03-14 14:52:53:566 TRACE --- [jbom] 
2022-03-14 14:52:53:566 TRACE --- [jbom] jbom complete

but this fails (note the dir is now called test+1/ but the scan is running on test 1):

$ java -jar jbom-1.1.jar -f test+1/test.jar 
2022-03-14 14:53:05:008 TRACE --- [jbom] 
2022-03-14 14:53:05:008 TRACE --- [jbom]                       _ __
2022-03-14 14:53:05:008 TRACE --- [jbom]                      (_) /_  ____  ____ ___
2022-03-14 14:53:05:009 TRACE --- [jbom]                     / / __ \/ __ \/ __ `__ \
2022-03-14 14:53:05:009 TRACE --- [jbom]                    / / /_/ / /_/ / / / / / /
2022-03-14 14:53:05:009 TRACE --- [jbom]                 __/ /_.___/\____/_/ /_/ /_/
2022-03-14 14:53:05:009 TRACE --- [jbom]                /___/
2022-03-14 14:53:05:009 TRACE --- [jbom] 
2022-03-14 14:53:05:009 TRACE --- [jbom]      by Contrast Security - https://contrastsecurity.com
2022-03-14 14:53:05:009 TRACE --- [jbom] 
2022-03-14 14:53:05:010 TRACE --- [jbom]       jbom generates SBOMs for all JVMs running on a host
2022-03-14 14:53:05:010 TRACE --- [jbom]          https://github.com/Contrast-Security-OSS/jbom
2022-03-14 14:53:05:010 TRACE --- [jbom] 
2022-03-14 14:53:05:010 TRACE --- [jbom] Analyzing file test+1/test.jar
2022-03-14 14:53:05:022 TRACE --- [jbom] The jbom project needs your help to deal with unusual CodeSources.
2022-03-14 14:53:05:022 TRACE --- [jbom] Report issue here: https://github.com/Contrast-Security-OSS/jbom/issues/new/choose
2022-03-14 14:53:05:022 TRACE --- [jbom] Please include:
2022-03-14 14:53:05:022 TRACE --- [jbom]   CodeSource: /Users/tellison/test+1/test.jar
java.io.FileNotFoundException: /Users/tellison/test 1/test.jar (No such file or directory)
	at java.base/java.io.FileInputStream.open0(Native Method)
	at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
	at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
	at com.contrastsecurity.Libraries.addAllLibraries(Libraries.java:90)
	at com.contrastsecurity.Libraries.runScan(Libraries.java:39)
	at com.contrastsecurity.Jbom.doLocalFile(Jbom.java:171)
	at com.contrastsecurity.Jbom.run(Jbom.java:95)
	at picocli.CommandLine.executeUserObject(CommandLine.java:1939)
	at picocli.CommandLine.access$1300(CommandLine.java:145)
	at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2358)
	at picocli.CommandLine$RunLast.handle(CommandLine.java:2352)
	at picocli.CommandLine$RunLast.handle(CommandLine.java:2314)
	at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
	at picocli.CommandLine$RunLast.execute(CommandLine.java:2316)
	at picocli.CommandLine.execute(CommandLine.java:2078)
	at com.contrastsecurity.Jbom.main(Jbom.java:68)
2022-03-14 14:53:05:058 TRACE --- [jbom] Saving SBOM with 1 components to /Users/tellison/sbom/jbom-test.json
2022-03-14 14:53:05:537 TRACE --- [jbom] 
2022-03-14 14:53:05:537 TRACE --- [jbom] jbom complete

and just for fun:

...
2022-03-14 15:00:26:350 TRACE --- [jbom]   CodeSource: /Users/tellison/test%23/test.jar
java.io.FileNotFoundException: /Users/tellison/test#/test.jar (No such file or directory)
...

Resolved in jbom-1.2 by applying URL decoding only to real codesources, not file system references.
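The distinction in that fix, as an added example that is not jbom's own code: a CodeSource location is a URL and needs its percent-escapes undone, but a path given on the command line is already a filesystem path. The class and method names below are made up for illustration, and the inputs are constructed from the paths in the issue (the files do not need to exist). That jbom 1.1 used form-style decoding is an inference from the output above, since turning `+` into a space is what `application/x-www-form-urlencoded` decoding does and URI path decoding does not.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSource;

/**
 * Added example (not jbom's code): why decoding every path mangles "test+1"
 * into "test 1", and a resolver that decodes only genuine CodeSource locations.
 */
public class CodeSourcePathDemo {

    /**
     * The failing behaviour (assumed to match jbom 1.1, based on the issue's
     * output): treat every string as URL-encoded. URLDecoder implements
     * application/x-www-form-urlencoded, so "+" becomes " " and "%23" becomes "#".
     */
    static String decodeEverything(String pathOrUrl) {
        return URLDecoder.decode(pathOrUrl, StandardCharsets.UTF_8);
    }

    /** A path typed on the command line (-f) is a filesystem path: no decoding at all. */
    static Path fromCommandLine(String path) {
        return Paths.get(path);
    }

    /**
     * A CodeSource location is a URL, so %XX escapes must be undone, but under
     * URI rules, where "+" is a literal plus. Paths.get(URI) applies exactly
     * those rules for file: URIs, so no hand-rolled decoding is needed.
     */
    static Path fromCodeSourceLocation(URL location) throws URISyntaxException {
        URI uri = location.toURI();
        if (!"file".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("not a local file CodeSource: " + location);
        }
        return Paths.get(uri);
    }

    /** Overload for a real CodeSource; JDK bootstrap classes have none. */
    static Path fromCodeSource(CodeSource cs) throws URISyntaxException {
        if (cs == null || cs.getLocation() == null) {
            throw new IllegalArgumentException("class has no CodeSource location");
        }
        return fromCodeSourceLocation(cs.getLocation());
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs mirroring the issue.
        String typed = "/Users/tellison/test+1/test.jar";
        System.out.println("decodeEverything:       " + decodeEverything(typed));
        System.out.println("fromCommandLine:        " + fromCommandLine(typed));

        URL plus = URI.create("file:/Users/tellison/test+1/test.jar").toURL();
        URL hash = URI.create("file:/Users/tellison/test%23/test.jar").toURL();
        System.out.println("fromCodeSourceLocation: " + fromCodeSourceLocation(plus));
        System.out.println("fromCodeSourceLocation: " + fromCodeSourceLocation(hash));

        // A real CodeSource: wherever this class was loaded from (jar or directory).
        CodeSource own = CodeSourcePathDemo.class.getProtectionDomain().getCodeSource();
        System.out.println("own CodeSource:         " + fromCodeSource(own));
    }
}
```

Running it shows `decodeEverything` replacing the `+` with a space, which is the `test 1` path in the FileNotFoundException above, while `fromCommandLine` leaves the typed path untouched and `fromCodeSourceLocation` keeps `+` literal but still turns `%23` into `#`. One caveat for the URL branch: `URL.toURI()` throws `URISyntaxException` if a class loader produced a location containing a raw, unescaped space, so a scanner should catch that and fall back to `new File(location.getPath())` rather than abort the whole scan.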