fix: #6688 Trim version number when parsin POM

jeremylong · Jun 1, 2024 · a70e6e3 · a70e6e3
1 parent d643a78
commit a70e6e3
Show file tree

Hide file tree

Showing 3 changed files with 118 additions and 1 deletion.
diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java b/core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
@@ -174,7 +174,7 @@ public void endElement(String uri, String localName, String qName) throws SAXExc
                                 model.setArtifactId(currentText.toString());
                                 break;
                             case VERSION:
-                                model.setVersion(currentText.toString());
+                                model.setVersion(currentText.toString().trim());
                                 break;
                             case NAME:
                                 model.setName(currentText.toString());

diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java
@@ -23,6 +23,7 @@
 import org.junit.Test;
 import static org.junit.Assert.*;
 import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 
 /**
  * Test the PomUtils object.
@@ -69,4 +70,14 @@ public void testReadPom_String_File() throws Exception {
         assertEquals(expResult, result.getName());
     }
 
+    @Test
+    public void testReadPom_should_trim_version() throws AnalysisException {
+        File input = BaseTest.getResourceAsFile(this, "pom/pom-with-new-line.xml");
+        String expectedOutputVersion = "2.2.0";
+
+        Model output = PomUtils.readPom(input);
+
+        assertEquals(expectedOutputVersion, output.getVersion());
+    }
+
 }
diff --git a/core/src/test/resources/pom/pom-with-new-line.xml b/core/src/test/resources/pom/pom-with-new-line.xml
@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <name>Summit AST</name>
+  <description>Summit - Apex Language Abstract Syntax Tree</description>
+  <url>https://github.com/google/summit-ast</url>
+  <licenses>
+    <license>
+      <name>Apache License, Version 2.0</name>
+      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+    </license>
+  </licenses>
+  <scm>
+    <connection>https://github.com/google/summit-ast.git</connection>
+    <developerConnection>https://github.com/google/summit-ast.git</developerConnection>
+    <tag>2.2.0
+</tag>
+    <url>https://github.com/google/summit-ast.git</url>
+  </scm>
+  <groupId>com.google.summit</groupId>
+  <artifactId>summit-ast</artifactId>
+  <version>2.2.0
+</version>
+  <dependencies>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>listenablefuture</artifactId>
+      <version>9999.0-empty-to-avoid-conflict-with-guava</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.j2objc</groupId>
+      <artifactId>j2objc-annotations</artifactId>
+      <version>1.3</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.code.findbugs</groupId>
+      <artifactId>jsr305</artifactId>
+      <version>3.0.2</version>
+    </dependency>
+    <dependency>
+      <groupId>org.checkerframework</groupId>
+      <artifactId>checker-qual</artifactId>
+      <version>3.13.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.errorprone</groupId>
+      <artifactId>error_prone_annotations</artifactId>
+      <version>2.11.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>failureaccess</artifactId>
+      <version>1.0.1</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+      <version>31.1-jre</version>
+    </dependency>
+    <dependency>
+      <groupId>org.checkerframework</groupId>
+      <artifactId>checker-compat-qual</artifactId>
+      <version>2.5.3</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.flogger</groupId>
+      <artifactId>flogger</artifactId>
+      <version>0.7.4</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.flogger</groupId>
+      <artifactId>flogger-system-backend</artifactId>
+      <version>0.7.4</version>
+    </dependency>
+    <dependency>
+      <groupId>org.antlr</groupId>
+      <artifactId>antlr4-runtime</artifactId>
+      <version>4.9.1</version>
+    </dependency>
+    <dependency>
+      <groupId>io.github.apex-dev-tools</groupId>
+      <artifactId>apex-parser</artifactId>
+      <version>3.6.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.code.gson</groupId>
+      <artifactId>gson</artifactId>
+      <version>2.9.1</version>
+    </dependency>
+    <dependency>
+      <groupId>javax.annotation</groupId>
+      <artifactId>jsr250-api</artifactId>
+      <version>1.0</version>
+    </dependency>
+    <dependency>
+      <groupId>org.danilopianini</groupId>
+      <artifactId>gson-extras</artifactId>
+      <version>1.0.0</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+      <version>3.6</version>
+    </dependency>
+  </dependencies>
+</project>