fix(fortifyExecuteScan): Throw error on classpath detection issues (#2876)

* Update fortifyExecuteScan.go * Raise error to the top level * Update fortifyExecuteScan.go * Update fortifyExecuteScan.go * Fix code and test * Add tests * Fix test * Last attempt
2024-12-12 10:55:20 +02:00 · 2021-06-16 08:15:41 +02:00 · 2021-06-16 08:15:41 +02:00 · 07b90dc10b
commit 07b90dc10b
parent 367ca6211a
2 changed files with 43 additions and 6 deletions
--- a/cmd/fortifyExecuteScan.go
+++ b/cmd/fortifyExecuteScan.go
@ -621,7 +621,7 @@ func autoresolvePipClasspath(executable string, parameters []string, file string
 	return readClasspathFile(file), nil
 }

-func autoresolveMavenClasspath(config fortifyExecuteScanOptions, file string, utils fortifyUtils) string {
+func autoresolveMavenClasspath(config fortifyExecuteScanOptions, file string, utils fortifyUtils) (string, error) {
 	if filepath.IsAbs(file) {
 		log.Entry().Warnf("Passing an absolute path for -Dmdep.outputFile results in the classpath only for the last module in multi-module maven projects.")
 	}
@ -636,9 +636,10 @@ func autoresolveMavenClasspath(config fortifyExecuteScanOptions, file string, ut
 	}
 	_, err := maven.Execute(&executeOptions, utils)
 	if err != nil {
-		log.Entry().WithError(err).Warn("failed to determine classpath using Maven")
+		log.Entry().WithError(err).Error("failed to determine classpath using Maven")
+		return "", err
 	}
-	return readAllClasspathFiles(file)
+	return readAllClasspathFiles(file), nil
 }

 // readAllClasspathFiles tests whether the passed file is an absolute path. If not, it will glob for
@ -707,7 +708,10 @@ func triggerFortifyScan(config fortifyExecuteScanOptions, utils fortifyUtils, bu
 	classpath := ""
 	if config.BuildTool == "maven" {
 		if config.AutodetectClasspath {
-			classpath = autoresolveMavenClasspath(config, classpathFileName, utils)
+			classpath, err = autoresolveMavenClasspath(config, classpathFileName, utils)
+			if err != nil {
+				return err
+			}
 		}
 		config.Translate, err = populateMavenTranslate(&config, classpath)
 		if err != nil {
--- a/cmd/fortifyExecuteScan_test.go
+++ b/cmd/fortifyExecuteScan_test.go
@ -336,7 +336,13 @@ func (er *execRunnerMock) RunExecutable(e string, p ...string) error {
 	classpathPip := "/usr/lib/python35.zip;/usr/lib/python3.5;/usr/lib/python3.5/plat-x86_64-linux-gnu;/usr/lib/python3.5/lib-dynload;/home/piper/.local/lib/python3.5/site-packages;/usr/local/lib/python3.5/dist-packages;/usr/lib/python3/dist-packages;./lib"
 	classpathMaven := "some.jar;someother.jar"
 	if e == "python2" {
-		er.currentExecution().outWriter.Write([]byte(classpathPip))
+		if p[1] == "invalid" {
+			return errors.New("Invalid command")
+		}
+		_, err := er.currentExecution().outWriter.Write([]byte(classpathPip))
+		if err != nil {
+			return err
+		}
 	} else if e == "mvn" {
 		path := strings.ReplaceAll(p[2], "-Dmdep.outputFile=", "")
 		err := ioutil.WriteFile(path, []byte(classpathMaven), 0644)
@ -820,6 +826,25 @@ func TestAutoresolveClasspath(t *testing.T) {
 		assert.Equal(t, "/usr/lib/python35.zip;/usr/lib/python3.5;/usr/lib/python3.5/plat-x86_64-linux-gnu;/usr/lib/python3.5/lib-dynload;/home/piper/.local/lib/python3.5/site-packages;/usr/local/lib/python3.5/dist-packages;/usr/lib/python3/dist-packages;./lib", result, "Expected different result")
 	})

+	t.Run("error pip file", func(t *testing.T) {
+		utils := newFortifyTestUtilsBundle()
+
+		_, err := autoresolvePipClasspath("python2", []string{"-c", "import sys;p=sys.path;p.remove('');print(';'.join(p))"}, "../.", &utils)
+		assert.Error(t, err)
+	})
+
+	t.Run("error pip command", func(t *testing.T) {
+		utils := newFortifyTestUtilsBundle()
+		dir, err := ioutil.TempDir("", "classpath")
+		assert.NoError(t, err, "Unexpected error detected")
+		defer os.RemoveAll(dir)
+		file := filepath.Join(dir, "cp.txt")
+
+		_, err = autoresolvePipClasspath("python2", []string{"-c", "invalid"}, file, &utils)
+		assert.Error(t, err)
+		assert.Equal(t, "failed to run classpath autodetection command python2 with parameters [-c invalid]: Invalid command", err.Error())
+	})
+
 	t.Run("success maven", func(t *testing.T) {
 		utils := newFortifyTestUtilsBundle()
 		dir, err := ioutil.TempDir("", "classpath")
@ -827,11 +852,19 @@ func TestAutoresolveClasspath(t *testing.T) {
 		defer os.RemoveAll(dir)
 		file := filepath.Join(dir, "cp.txt")

-		result := autoresolveMavenClasspath(fortifyExecuteScanOptions{BuildDescriptorFile: "pom.xml"}, file, &utils)
+		result, err := autoresolveMavenClasspath(fortifyExecuteScanOptions{BuildDescriptorFile: "pom.xml"}, file, &utils)
+		assert.NoError(t, err)
 		assert.Equal(t, "mvn", utils.executions[0].executable, "Expected different executable")
 		assert.Equal(t, []string{"--file", "pom.xml", fmt.Sprintf("-Dmdep.outputFile=%v", file), "-DincludeScope=compile", "-Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn", "--batch-mode", "dependency:build-classpath"}, utils.executions[0].parameters, "Expected different parameters")
 		assert.Equal(t, "some.jar;someother.jar", result, "Expected different result")
 	})
+
+	t.Run("error maven", func(t *testing.T) {
+		utils := newFortifyTestUtilsBundle()
+
+		_, err := autoresolveMavenClasspath(fortifyExecuteScanOptions{BuildDescriptorFile: "pom.xml"}, "../.", &utils)
+		assert.Error(t, err)
+	})
 }

 func TestPopulateMavenTranslate(t *testing.T) {