Closed
Description
Two issues:
- Scanning a jar with corrupt MANIFEST.MF leads to error -14 and incomplete scan. Errors could be handled more gracefully, such as reporting the bad jar and continuing with the rest of the scan.
- Console output is insufficient to diagnose the error. Logging could be improved to show the stack trace for unexpected exceptions, or point to a log file where the stack trace is logged.
I ran this command using v3.0.2:
```text
--project org.eclipse.persistence.core_2.6.0.v20140809-296a69f.jar --log R:\owasp\dep.log --scan "R:\org.eclipse.persistence.core_2.6.0.v20140809-296a69f.jar" --noupdate --data D:\owasp-nvddb --format XML
```
Here is the console output. Notice the generic log message at the end. It says there was an exception, but there is no explanation or stack trace so the error is not very useful:
```text
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[WARN] An error occurred while analyzing 'R:\org.eclipse.persistence.core_2.6.0.v20140809-296a69f.jar' (Jar Analyzer).
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Central Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished Cpe Suppression Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
[ERROR] Exception occurred reading the JAR file (org.eclipse.persistence.core_2.6.0.v20140809-296a69f.jar).
```
I re-ran from source tag v3.0.2 and added the exception to the log message.
_App.java line 206_: `LOGGER.error(e.getMessage(), e); // log the stack trace`
```text
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Exception occurred reading the JAR file (org.eclipse.persistence.core_2.6.0.v20140809-296a69f.jar).
	at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency(JarAnalyzer.java:268)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:137)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:1)
	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: invalid header field
	at java.util.jar.Attributes.read(Attributes.java:406)
	at java.util.jar.Manifest.read(Manifest.java:251)
	at java.util.jar.Manifest.<init>(Manifest.java:69)
	at java.util.jar.JarFile.getManifestFromReference(JarFile.java:181)
	at java.util.jar.JarFile.getManifest(JarFile.java:167)
	at org.owasp.dependencycheck.analyzer.JarAnalyzer.parseManifest(JarAnalyzer.java:695)
	at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency(JarAnalyzer.java:262)
	... 7 common frames omitted
```
I will attach the broken and fixed jar files so you can reproduce the -14 error.
Thank you,
Justin
Broken jar:
org.eclipse.persistence.core_2.6.0.v20140809-296a69f.ZIP
Fixed jar:
org.eclipse.persistence.core_2.6.0.v20140809-296a69f-FIXED.ZIP
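As an added illustration of the two suggestions in the report above (record the bad jar and keep scanning; log the stack trace of the unexpected exception), here is a small stand-alone Java program. It is example code written for this page, not dependency-check's own code: the class and method names (`ResilientJarScan`, `inspect`, `scanAll`, `writeJar`) are invented, and the two jars it writes to a temporary directory are constructed fixtures. One of them has a manifest line without the `: ` separator, which makes `JarFile.getManifest()` throw the same `java.io.IOException` whose message begins with "invalid header field" as in the trace above, so the failure path can be exercised without the attached jar.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

/**
 * Hypothetical resilient scanner (example, not dependency-check code): every jar is
 * inspected on its own; a jar whose MANIFEST.MF cannot be parsed is recorded as a
 * failure, its stack trace is logged, and the scan continues with the remaining jars.
 */
public class ResilientJarScan {

    private static final Logger LOGGER = Logger.getLogger(ResilientJarScan.class.getName());

    /** Outcome for a single jar. */
    public static final class JarResult {
        public final Path jar;
        public final String symbolicName;   // null when the manifest could not be read
        public final String failure;        // null on success, exception message otherwise

        JarResult(Path jar, String symbolicName, String failure) {
            this.jar = jar;
            this.symbolicName = symbolicName;
            this.failure = failure;
        }

        public boolean ok() { return failure == null; }
    }

    /**
     * Writes a jar containing only META-INF/MANIFEST.MF with the given raw text.
     * Test-fixture helper: ZipOutputStream is used instead of JarOutputStream so that
     * a deliberately malformed manifest can be written byte for byte.
     */
    public static Path writeJar(Path dir, String name, String manifestText) throws IOException {
        Path jar = dir.resolve(name);
        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(jar))) {
            zos.putNextEntry(new ZipEntry(JarFile.MANIFEST_NAME));
            zos.write(manifestText.getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return jar;
    }

    /**
     * Inspects one jar. JarFile.getManifest() parses MANIFEST.MF and throws IOException
     * ("invalid header field", "line too long", ...) on a corrupt manifest; the exception
     * is caught here, logged together with its stack trace, and turned into a result
     * instead of propagating and aborting the whole scan.
     */
    public static JarResult inspect(Path jar) {
        try (JarFile jf = new JarFile(jar.toFile())) {
            Manifest mf = jf.getManifest();
            String name = mf == null ? null : mf.getMainAttributes().getValue("Bundle-SymbolicName");
            return new JarResult(jar, name, null);
        } catch (IOException e) {
            // Passing the throwable makes java.util.logging print the full stack trace,
            // which is what the one-line "[ERROR] Exception occurred ..." message lacked.
            LOGGER.log(Level.WARNING, "Skipping '" + jar.getFileName() + "': " + e.getMessage(), e);
            return new JarResult(jar, null, e.getMessage());
        }
    }

    /** Scans every jar; a failure in one jar never prevents the others from being inspected. */
    public static List<JarResult> scanAll(List<Path> jars) {
        List<JarResult> results = new ArrayList<>();
        for (Path jar : jars) {
            results.add(inspect(jar));
        }
        return results;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("jarscan");
        // Constructed fixtures: a well-formed manifest, and one whose second line has no ": " separator
        Path good = writeJar(dir, "good.jar",
                "Manifest-Version: 1.0\r\nBundle-SymbolicName: demo.good\r\n\r\n");
        Path bad = writeJar(dir, "bad.jar",
                "Manifest-Version: 1.0\r\nBundle-SymbolicName=demo.bad\r\n\r\n");

        for (JarResult r : scanAll(Arrays.asList(good, bad))) {
            System.out.println(r.jar.getFileName() + " -> "
                    + (r.ok() ? "ok, Bundle-SymbolicName=" + r.symbolicName : "FAILED: " + r.failure));
        }
    }
}
```

Running it reports `good.jar` as parsed and `bad.jar` as failed, with the warning for `bad.jar` carrying the full `java.io.IOException` stack trace from `java.util.jar.Attributes.read`; the process still finishes the list and returns a result per jar, so a report generator can list the unreadable archive alongside the analysed ones rather than stopping at the first corrupt manifest.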