From ff963b422087335620bce645122c5ba3f4525b16 Mon Sep 17 00:00:00 2001
From: Max Gipson
Date: Wed, 22 May 2024 08:42:14 -0400
Subject: [PATCH] fix: skip pyproject.toml unless it contains before ensuring lockfiles

---
 .../dependencycheck/analyzer/PoetryAnalyzer.java | 11 ++++++-----
 .../analyzer/PoetryAnalyzerTest.java | 9 ++++++++-
 .../resources/python-poetry-toml/pyproject.toml | 14 ++++++++++++++
 3 files changed, 28 insertions(+), 6 deletions(-)
 create mode 100644 core/src/test/resources/python-poetry-toml/pyproject.toml

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzer.java
index 678e5adea76..29d6316e447 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzer.java
@@ -147,18 +147,19 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
 //do not report on the build file itself
 engine.removeDependency(dependency);
+ final Toml result = new Toml().read(dependency.getActualFile());
 if (PYPROJECT_TOML.equals(dependency.getActualFile().getName())) {
+ if (result.getTable("tool.poetry") == null) {
+ LOGGER.debug("skipping {} as it does not contain `tool.poetry`", dependency.getDisplayFileName());
+ return;
+ }
+
 final File parentPath = dependency.getActualFile().getParentFile();
 ensureLock(parentPath);
 //exit as we can't analyze pyproject.toml - insufficient version information
 return;
 }
- final Toml result = new Toml().read(dependency.getActualFile());
- if (PYPROJECT_TOML.equals(dependency.getActualFile().getName()) && result.getTables("tool.poetry") == null) {
- LOGGER.debug("skipping {} as it does not contain `tool.poetry`", dependency.getDisplayFileName());
- return;
- }
 final List projectsLocks = result.getTables("package");
 if (projectsLocks == null) {
 return;
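Review bot: `new Toml().read(dependency.getActualFile())` now runs before the PYPROJECT_TOML name check, so every pyproject.toml the scan encounters is parsed, whereas the old code returned from the pyproject.toml branch without ever parsing it. Dependency-Check scans third-party trees, so a malformed pyproject.toml is realistic input; if toml4j behaves as I recall and reports parse errors as an unchecked IllegalStateException, that error escapes analyzeDependency untyped instead of as the AnalysisException the method declares, and the offending file name is lost. I would guard the read and rethrow with the file identified (assuming the usual message-plus-cause constructor on AnalysisException); the rest of the hunk can stay as it is. analyzeDependency starts and ends outside this hunk.
```java
        final Toml result;
        try {
            result = new Toml().read(dependency.getActualFile());
        } catch (IllegalStateException ex) {
            throw new AnalysisException("Unable to parse " + dependency.getDisplayFileName(), ex);
        }
        // … unchanged: PYPROJECT_TOML branch and package table handling …
```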
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzerTest.java
index 643d9fd79b3..49891087b30 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzerTest.java
@@ -73,9 +73,16 @@ public void testPoetryLock() throws AnalysisException {
 assertTrue("Expeced to find PyYAML", found);
 }
- @Test(expected = AnalysisException.class)
+ @Test
 public void testPyprojectToml() throws AnalysisException {
 final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "python-myproject-toml/pyproject.toml"));
+ //returns with no error.
+ analyzer.analyze(result, engine);
+ }
+
+ @Test(expected = AnalysisException.class)
+ public void testPoetryToml() throws AnalysisException {
+ final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "python-poetry-toml/pyproject.toml"));
 //causes an exception.
 analyzer.analyze(result, engine);
 }
diff --git a/core/src/test/resources/python-poetry-toml/pyproject.toml b/core/src/test/resources/python-poetry-toml/pyproject.toml
new file mode 100644
index 00000000000..3d9e9515375
--- /dev/null
+++ b/core/src/test/resources/python-poetry-toml/pyproject.toml
@@ -0,0 +1,14 @@
+[tool.poetry]
+name = "test"
+version = "0.1.0"
+description = ""
+authors = ["Your Name "]
+readme = "README.md"
+
+[tool.poetry.dependencies]
+python = "^3.7"
+
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"
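Review bot: testPoetryToml expects an AnalysisException but nothing in the test says where it comes from; presumably ensureLock throws because core/src/test/resources/python-poetry-toml/ holds no poetry.lock, which makes the test depend silently on that directory staying lockfile-free. I would replace `//causes an exception.` with `// no poetry.lock beside this pyproject.toml, so ensureLock is expected to throw AnalysisException`. Likewise testPyprojectToml only checks that analyze returns, so `//returns with no error.` would be clearer as `// no [tool.poetry] table, so the file is skipped before any lockfile check`, and if the fixture's engine exposes its dependency list, asserting afterwards that it holds no entry for the file would make the test actually pin the skip.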