apply google format and extract classpath parsing function into separate method

Author: anddann

src/main/java/de/codeshield/log4jshell/ClassDetector.java

@@ -1,10 +1,11 @@
 package de.codeshield.log4jshell;
 
 import de.codeshield.log4jshell.data.VulnerableClassSHAData;
+import org.apache.commons.codec.digest.DigestUtils;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Set;
-import org.apache.commons.codec.digest.DigestUtils;
 
 public class ClassDetector {
 

src/main/java/de/codeshield/log4jshell/Log4JDetector.java

@@ -1,5 +1,9 @@
 package de.codeshield.log4jshell;
 
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.filefilter.DirectoryFileFilter;
+import org.apache.commons.io.filefilter.RegexFileFilter;
+
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
@@ -10,9 +14,6 @@
 import java.util.Enumeration;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
-import org.apache.commons.io.FileUtils;
-import org.apache.commons.io.filefilter.DirectoryFileFilter;
-import org.apache.commons.io.filefilter.RegexFileFilter;
 
 /**
  * A simple command line tool that scans a jar file for the CVE-2021-44228 vulnerability that
@@ -37,7 +38,8 @@ public static void main(String[] args) throws IOException {
     detector.run(args[0]);
   }
 
-  //Taken from https://stackoverflow.com/questions/981578/how-to-unzip-files-recursively-in-java/7108813#7108813
+  // Taken from
+  // https://stackoverflow.com/questions/981578/how-to-unzip-files-recursively-in-java/7108813#7108813
   public static String extractFolder(String zipFile) throws IOException {
     int buffer = 2048;
     File file = new File(zipFile);
@@ -89,30 +91,26 @@ public static String extractFolder(String zipFile) throws IOException {
 
   public boolean run(String pathToJarFile) throws IOException {
     String folder = extractFolder(pathToJarFile);
-    Collection<File> pomFiles = FileUtils.listFiles(
-        new File(folder),
-        new RegexFileFilter("^(pom.xml)"),
-        DirectoryFileFilter.DIRECTORY
-    );
+    Collection<File> pomFiles =
+        FileUtils.listFiles(
+            new File(folder), new RegexFileFilter("^(pom.xml)"), DirectoryFileFilter.DIRECTORY);
     boolean isVulnerable = false;
     for (File pomFile : pomFiles) {
       try (FileInputStream is = new FileInputStream(pomFile)) {
-        //Check if a pom file matches one of the pre-computed groupId:artifactId:version
+        // Check if a pom file matches one of the pre-computed groupId:artifactId:version
         if (POMDetector.isVulnerablePOM(is)) {
           isVulnerable = true;
           System.err.println("CVE-2021-44228 found declared as dependency in " + pomFile);
         }
       }
     }
-    Collection<File> classFiles = FileUtils.listFiles(
-        new File(folder),
-        new RegexFileFilter(".*.class$"),
-        DirectoryFileFilter.DIRECTORY
-    );
+    Collection<File> classFiles =
+        FileUtils.listFiles(
+            new File(folder), new RegexFileFilter(".*.class$"), DirectoryFileFilter.DIRECTORY);
 
     for (File classFile : classFiles) {
       try (FileInputStream is = new FileInputStream(classFile)) {
-        //Check if a class file matches one of the pre-computed vulnerable SHAs.
+        // Check if a class file matches one of the pre-computed vulnerable SHAs.
         if (ClassDetector.isVulnerableClass(is)) {
           isVulnerable = true;
           System.err.println("CVE-2021-44228 found declared as dependency in " + classFile);
@@ -125,5 +123,4 @@ public boolean run(String pathToJarFile) throws IOException {
     FileUtils.deleteDirectory(new File(folder));
     return isVulnerable;
   }
-
 }

src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java

@@ -1,5 +1,6 @@
 package de.codeshield.log4jshell;
 
+import edu.emory.mathcs.backport.java.util.Collections;
 import org.apache.commons.lang.StringUtils;
 
 import java.io.BufferedReader;
@@ -30,32 +31,16 @@ public static void main(String[] args) throws IOException {
     }
 
     // analyze each output
-    // search for the "-classpath" parameter
     for (String outputLine : lines) {
-      String searchStr = "-classpath";
-      int i = StringUtils.indexOf(outputLine, searchStr);
-      if (i == -1) {
-        // check if someone used -cp
-        searchStr = "-cp";
-        i = StringUtils.indexOf(outputLine, searchStr);
-      }
-
-      if (i > 0) {
-        String cpArgs = outputLine.substring(i + searchStr.length() + 1);
-
-        // scan for jar files
-        String[] cpArgsSplit = cpArgs.split(File.pathSeparator);
-        final List<String> foundJarsOnCp =
-            Arrays.stream(cpArgsSplit)
-                .map(x -> StringUtils.substring(x, 0, StringUtils.indexOf(x, ".jar") + 4))
-                .collect(Collectors.toList());
 
+      final List<String> foundJarsOnCp = parsePSOutPutClassPath(outputLine);
+      if (!foundJarsOnCp.isEmpty()) {
         for (String jarFile : foundJarsOnCp) {
           try {
             Log4JDetector detector = new Log4JDetector();
             System.out.println("Scanning jar file " + jarFile);
-           // detector.run(jarFile);
-          } catch (Exception e){
+            // detector.run(jarFile);
+          } catch (Exception e) {
             System.out.println("Could not scan jar file " + jarFile);
           }
         }
@@ -66,4 +51,29 @@ public static void main(String[] args) throws IOException {
       }
     }
   }
+
+  public static List<String> parsePSOutPutClassPath(String outputLine) {
+    // search for the "-classpath" parameter
+
+    String searchStr = "-classpath";
+    int i = StringUtils.indexOf(outputLine, searchStr);
+    if (i == -1) {
+      // check if someone used -cp
+      searchStr = "-cp";
+      i = StringUtils.indexOf(outputLine, searchStr);
+    }
+    if (i > 0) {
+      String cpArgs = outputLine.substring(i + searchStr.length() + 1);
+
+      // scan for jar files
+      String[] cpArgsSplit = cpArgs.split(File.pathSeparator);
+      final List<String> foundJarsOnCp =
+          Arrays.stream(cpArgsSplit)
+              .map(x -> StringUtils.substring(x, 0, StringUtils.indexOf(x, ".jar") + 4))
+              .collect(Collectors.toList());
+      return foundJarsOnCp;
+    }
+
+    return Collections.emptyList();
+  }
 }

src/main/java/de/codeshield/log4jshell/POMDetector.java

@@ -2,20 +2,21 @@
 
 import de.codeshield.log4jshell.data.GAVWithClassifier;
 import de.codeshield.log4jshell.data.VulnerableGavsData;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.List;
-import java.util.Set;
 import org.apache.maven.model.Dependency;
 import org.apache.maven.model.Model;
 import org.apache.maven.model.io.xpp3.MavenXpp3Reader;
 import org.apache.maven.project.MavenProject;
 import org.codehaus.plexus.util.xml.pull.XmlPullParserException;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.List;
+import java.util.Set;
+
 public class POMDetector {
 
-  private static final Set<GAVWithClassifier> VULNERABLE_GAV_DATA = VulnerableGavsData
-      .readDataFromCSV();
+  private static final Set<GAVWithClassifier> VULNERABLE_GAV_DATA =
+      VulnerableGavsData.readDataFromCSV();
 
   public static boolean isVulnerablePOM(InputStream inputStream) {
     final MavenXpp3Reader mavenreader = new MavenXpp3Reader();
@@ -24,21 +25,21 @@ public static boolean isVulnerablePOM(InputStream inputStream) {
       model = mavenreader.read(inputStream);
       MavenProject mavenProject = new MavenProject(model);
 
-      //Check whether the Maven Project or any of its parents is affected.
+      // Check whether the Maven Project or any of its parents is affected.
       if (isVulnerableProject(mavenProject)) {
         return true;
       }
 
-      //Check if any of the dependencies is affected.
+      // Check if any of the dependencies is affected.
       List dependencies = mavenProject.getDependencies();
       for (Object dependency : dependencies) {
         if (!(dependency instanceof Dependency)) {
           continue;
         }
         Dependency dep = (Dependency) dependency;
         if (VULNERABLE_GAV_DATA.contains(
-            new GAVWithClassifier(dep.getGroupId(), dep.getArtifactId(), dep.getVersion(),
-                dep.getClassifier()))) {
+            new GAVWithClassifier(
+                dep.getGroupId(), dep.getArtifactId(), dep.getVersion(), dep.getClassifier()))) {
           return true;
         }
       }
@@ -50,11 +51,13 @@ public static boolean isVulnerablePOM(InputStream inputStream) {
     return false;
   }
 
-
   private static boolean isVulnerableProject(MavenProject mavenProject) {
     if (VULNERABLE_GAV_DATA.contains(
-        new GAVWithClassifier(mavenProject.getGroupId(), mavenProject.getArtifactId(),
-            mavenProject.getVersion(), ""))) {
+        new GAVWithClassifier(
+            mavenProject.getGroupId(),
+            mavenProject.getArtifactId(),
+            mavenProject.getVersion(),
+            ""))) {
       return true;
     }
     MavenProject parent = mavenProject.getParent();

src/main/java/de/codeshield/log4jshell/data/GAVWithClassifier.java

@@ -9,8 +9,7 @@ public class GAVWithClassifier {
   private final String version;
   private final String classifier;
 
-  public GAVWithClassifier(String groupId, String artifactId, String version,
-      String classifier) {
+  public GAVWithClassifier(String groupId, String artifactId, String version, String classifier) {
     this.groupId = groupId;
     this.artifactId = artifactId;
     this.version = version;
@@ -26,10 +25,10 @@ public boolean equals(Object o) {
       return false;
     }
     GAVWithClassifier that = (GAVWithClassifier) o;
-    return Objects.equals(groupId, that.groupId) &&
-        Objects.equals(artifactId, that.artifactId) &&
-        Objects.equals(version, that.version) &&
-        Objects.equals(classifier, that.classifier);
+    return Objects.equals(groupId, that.groupId)
+        && Objects.equals(artifactId, that.artifactId)
+        && Objects.equals(version, that.version)
+        && Objects.equals(classifier, that.classifier);
   }
 
   @Override

src/main/java/de/codeshield/log4jshell/data/VulnerableClassSHAData.java

@@ -2,6 +2,7 @@
 
 import com.opencsv.CSVReader;
 import com.opencsv.exceptions.CsvException;
+
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
@@ -22,12 +23,11 @@ public static Set<String> readDataFromCSV() {
         vulnerableSHAs.add(vulnerableClassSha[1]);
       }
       csvReader.close();
-    }  catch (IOException e) {
-      System.err.println("Error reading CSV file ("+CSV_DATA+")");
+    } catch (IOException e) {
+      System.err.println("Error reading CSV file (" + CSV_DATA + ")");
     } catch (CsvException e) {
-      System.err.println("Error parsing CSV file ("+CSV_DATA+")");
+      System.err.println("Error parsing CSV file (" + CSV_DATA + ")");
     }
     return vulnerableSHAs;
   }
-
 }

src/main/java/de/codeshield/log4jshell/data/VulnerableGavsData.java

@@ -2,6 +2,7 @@
 
 import com.opencsv.CSVReader;
 import com.opencsv.exceptions.CsvException;
+
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
@@ -16,16 +17,16 @@ public class VulnerableGavsData {
   public static Set<GAVWithClassifier> readDataFromCSV() {
     InputStream resource = VulnerableGavsData.class.getResourceAsStream(CSV_DATA);
     Set<GAVWithClassifier> vulnerableGavs = new HashSet<>();
-    try (BufferedReader bufferedReader =  new BufferedReader(new InputStreamReader(resource))) {
+    try (BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(resource))) {
       CSVReader csvReader = new CSVReader(bufferedReader);
       for (String[] dep : csvReader.readAll()) {
         vulnerableGavs.add(new GAVWithClassifier(dep[0], dep[1], dep[2], dep[3]));
       }
       csvReader.close();
     } catch (IOException e) {
-      System.err.println("Error reading CSV file ("+CSV_DATA+")");
+      System.err.println("Error reading CSV file (" + CSV_DATA + ")");
     } catch (CsvException e) {
-      System.err.println("Error parsing CSV file ("+CSV_DATA+")");
+      System.err.println("Error parsing CSV file (" + CSV_DATA + ")");
     }
     return vulnerableGavs;
   }