
cyclic symlinks put dependency check into a loop. #285

Closed
blaksec opened this issue Jul 21, 2015 · 6 comments

Comments


blaksec commented Jul 21, 2015

Stumbled upon an issue with a cyclic symlink which puts dependency check into a loop.

Scanning /usr/local/apache which has the following inside

/usr/local/apache/lib_php/
/usr/local/apache/lib_php/php -> ../lib_php

My command line looks like this
./bin/dependencycheck-cli.sh -a MyPrj -s /usr/local/apache/ -l MyPrj.log

Once it hits the "lib_php" it goes into a loop, writing continuously to the log file something like
"FINE: Path passed to scanFile(File) is not a file: /usr/local/apache/lib_php/php/lib_php/php......"

If I change the scan path to "/usr/local/apache/*/.jar" it stops writing to the log file but instead writes to the terminal: "Skipping symbolic link /usr/local/apache/lib_php/php/lib_php/php......", eventually running out of memory here: DirectoryScanner.java: notFollowedSymlinks.add(file.getAbsolutePath());

I know killing the horse does not fix the leg, but could there be a way to detect cyclic symlinks? Or ignore symlinks altogether? Or have an ignore list where I can specify a path to ignore during recursive scans?

@jeremylong (Owner)

I added an option to the CLI 1.2.12-SNAPSHOT so that you can specify the depth that symbolic links will be followed. Currently, the default value is 0 indicating symbolic links will not be followed.

More testing of this patch is needed before I will close this issue.

--Jeremy
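The two ideas in this thread, a symlink depth limit (what the `--symLink` option in the comment above provides, default 0 meaning links are never followed) and detection of links that point back into an already-visited directory (what the report asks for), can be shown together in a small scanner. The block below is an added illustration written for this page, not Dependency-Check's `DirectoryScanner.java`; the function names `scan_files` and `build_sample_tree`, the `symlink_depth` parameter and the sample tree (a copy of the `lib_php/php -> ../lib_php` layout from the report, built in a temporary directory) are all constructed here.

```python
import os
import tempfile


def scan_files(root, symlink_depth=0):
    """Return (files, skipped_links, cycles), all as paths relative to root.

    Symbolic links are followed at most `symlink_depth` levels deep
    (0 = never follow, mirroring the default discussed above). Independently,
    the resolved path of every directory entered is remembered, so a link
    that points back to an ancestor (lib_php/php -> ../lib_php) is reported
    once as a cycle instead of being descended into again. Either rule alone
    stops the runaway lib_php/php/lib_php/php... recursion from the report.
    """
    files, skipped, cycles = [], [], []
    seen = set()  # realpaths of directories already walked

    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")

    def walk(directory, link_depth):
        real = os.path.realpath(directory)
        if real in seen:
            cycles.append(rel(directory))
            return
        seen.add(real)
        with os.scandir(directory) as it:
            entries = sorted(it, key=lambda e: e.name)
        for entry in entries:
            if entry.is_symlink():
                if link_depth >= symlink_depth:
                    skipped.append(rel(entry.path))  # "Skipping symbolic link"
                    continue
                # following the link costs one level of symlink depth
                if entry.is_dir():
                    walk(entry.path, link_depth + 1)
                elif entry.is_file():
                    files.append(rel(entry.path))
            elif entry.is_dir():
                walk(entry.path, link_depth)
            elif entry.is_file():
                files.append(rel(entry.path))

    walk(root, 0)
    return files, skipped, cycles


def build_sample_tree():
    """Constructed layout mirroring the report; not taken from a real system."""
    root = tempfile.mkdtemp(prefix="depcheck-")
    os.makedirs(os.path.join(root, "lib_php"))
    with open(os.path.join(root, "lib_php", "a.php"), "w") as f:
        f.write("<?php\n")
    with open(os.path.join(root, "app.jar"), "wb") as f:
        f.write(b"PK\x03\x04")  # just a zip magic number, not a real jar
    # the cyclic link from the report: lib_php/php -> ../lib_php
    os.symlink("../lib_php", os.path.join(root, "lib_php", "php"))
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for depth in (0, 3):
        files, skipped, cycles = scan_files(sample, depth)
        print(f"symlink_depth={depth}: files={files} skipped={skipped} cycles={cycles}")
```

With depth 0 the link is listed under `skipped` and never entered; with depth 3 it is followed once, recognised as a cycle by its resolved path, and recorded under `cycles`, so the scan still terminates and visits `lib_php` exactly once. A scanner that tracked only the depth would also terminate, but would visit the same directory up to `symlink_depth` times.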


blaksec commented Jul 22, 2015

Thank you. I'll test it tomorrow and update with results.

Quick thing I noticed while scanning the code:
throw new ParseException("Symbolic Link Depth (symLink) must be greater then zero."); <= "than zero"?

jeremylong added a commit that referenced this issue Jul 23, 2015

blaksec commented Jul 23, 2015

Manually merged the changes from 5b8d3de, 7b092f7.

"--symLink" appears in the list of options, passed 0 to it to ignore symlinks.

When I pass the files as "-s /my/path/*/.jar", in the console I get "Skipping symbolic link.." but no issues, no more OOM even on large directory structures.

When I pass the files as "-s /my/path/**" or "-s /my/path/" it seems to go into the loop again, continuously writing to the log file "FINE: Path passed to scanFile(File) is not a file: /usr/local/apache/lib_php/php/lib_php/php......"

jeremylong added a commit that referenced this issue Jul 25, 2015
@jeremylong (Owner)

Realized my mistake in the first patch; this should be fixed now. I'll test on my linux box in the next day or two.

jeremylong added a commit that referenced this issue Jul 27, 2015
jeremylong added a commit that referenced this issue Jul 28, 2015
@jeremylong (Owner)

Thanks for reporting the bug. I have made one final tweak to the patch and have tested the patch.

--Jeremy


lock bot commented Sep 28, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 28, 2018