Skip to content

Commit

Permalink
fix: check java 8 update version
Browse files Browse the repository at this point in the history
resolves #6114
  • Loading branch information
jeremylong committed Nov 26, 2023
1 parent 5601e55 commit 548903f
Show file tree
Hide file tree
Showing 3 changed files with 66 additions and 2 deletions.
7 changes: 7 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,13 @@ issues arise you may need to purge the database:

## Requirements

### Java Version

Minimum Java Version: Java 8 update 251

While dependency-check 9.0.0 and higher will still run on Java 8 - the update version
must be higher then 251.

### Internet Access

OWASP dependency-check requires access to several externally hosted resources.
Expand Down
21 changes: 19 additions & 2 deletions core/src/main/java/org/owasp/dependencycheck/Engine.java
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@
import static org.owasp.dependencycheck.analyzer.AnalysisPhase.PRE_INFORMATION_COLLECTION;
import org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer;
import org.owasp.dependencycheck.dependency.naming.Identifier;
import org.owasp.dependencycheck.utils.Utils;

/**
* Scans files, directories, etc. for Dependencies. Analyzers are loaded and
Expand Down Expand Up @@ -188,6 +189,9 @@ public Engine(@NotNull final ClassLoader serviceClassLoader, @NotNull final Mode
this.serviceClassLoader = serviceClassLoader;
this.mode = mode;
this.accessExternalSchema = System.getProperty("javax.xml.accessExternalSchema");

checkRuntimeVersion();

initializeEngine();
}

Expand Down Expand Up @@ -252,8 +256,8 @@ public List<Analyzer> getAnalyzers(AnalysisPhase phase) {

/**
* Adds a dependency. In some cases, when adding a virtual dependency, the
* method will identify if the virtual dependency was previously added and update
* the existing dependency rather then adding a duplicate.
* method will identify if the virtual dependency was previously added and
* update the existing dependency rather then adding a duplicate.
*
* @param dependency the dependency to add
*/
Expand Down Expand Up @@ -1280,6 +1284,19 @@ private boolean identifiersMatch(Set<Identifier> left, Set<Identifier> right) {
return false;
}

/**
* Checks that if Java 8 is being used, it is at least update 251. This is
* required as a new method was introduced that is used by Apache HTTP
* Client. See
* https://stackoverflow.com/questions/76226322/exception-in-thread-httpclient-dispatch-1-java-lang-nosuchmethoderror-javax-n#comment134427003_76226322
*/
private void checkRuntimeVersion() {
if (Utils.getJavaVersion() == 8 && Utils.getJavaUpdateVersion() < 251) {
LOGGER.error("Non-supported Java Runtime: dependency-check requires at least Java 8 update 251 or higher.");
throw new RuntimeException("dependency-check requires Java 8 update 251 or higher");
}
}

/**
* {@link Engine} execution modes.
*/
Expand Down
40 changes: 40 additions & 0 deletions core/src/main/java/org/owasp/dependencycheck/utils/Utils.java
Original file line number Diff line number Diff line change
Expand Up @@ -46,4 +46,44 @@ public static int getJavaVersion() {
}
return Integer.parseInt(version);
}

/**
* Returns the update version from the Java runtime.
*
* @return the update version
*/
public static int getJavaUpdateVersion() {
//"1.8.0_144" "11.0.2+9" "17.0.8.1"
String runtimeVersion = System.getProperty("java.runtime.version");
try {
String[] parts = runtimeVersion.split("\\.");
if (parts.length == 4) {
return Integer.parseInt(parts[2]);
}
int pos = runtimeVersion.indexOf('_');
if (pos <= 0) {
pos = runtimeVersion.lastIndexOf('.');
if (pos <= 0) {
//unexpected java version - return 0
return 0;
}
}
int end = runtimeVersion.lastIndexOf('+');
if (end < 0) {
end = runtimeVersion.lastIndexOf('-');
}
if (end > pos) {
return Integer.parseInt(runtimeVersion.substring(pos + 1, end));
}
return Integer.parseInt(runtimeVersion.substring(pos + 1));
} catch (NumberFormatException nfe) {
// If the update version is not available, return 0
return 0;
}
}

public static void main(String[] args) {
System.out.println("Java version : " + getJavaVersion());
System.out.println("Java update : " + getJavaUpdateVersion());
}
}

0 comments on commit 548903f

Please sign in to comment.