From 8cf981ab8b2728122eda5b941999e63020435328 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Thu, 2 Aug 2018 06:51:54 -0400
Subject: [PATCH] patch for issue #1400

Conflicts:
	core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java
---
 .../xml/pom/PomProjectInputStream.java        |  11 +-
 .../xml/pom/PomParserTest.java                |  58 +++++++++
 core/src/test/resources/pom/mailapi-1.4.3.pom | 110 ++++++++++++++++++
 3 files changed, 171 insertions(+), 8 deletions(-)
 create mode 100644 core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java
 create mode 100644 core/src/test/resources/pom/mailapi-1.4.3.pom

diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/pom/PomProjectInputStream.java b/core/src/main/java/org/owasp/dependencycheck/xml/pom/PomProjectInputStream.java
index e41dfbb7540..56d0a5dfe21 100644
--- a/core/src/main/java/org/owasp/dependencycheck/xml/pom/PomProjectInputStream.java
+++ b/core/src/main/java/org/owasp/dependencycheck/xml/pom/PomProjectInputStream.java
@@ -62,22 +62,17 @@ private void skipToProject() throws IOException {
         final byte[] buffer = new byte[BUFFER_SIZE];
         super.mark(BUFFER_SIZE);
         int count = super.read(buffer, 0, BUFFER_SIZE);
-        int adjustment = 0;
         while (count > 0) {
             final int pos = findSequence(PROJECT, buffer);
             if (pos >= 0) {
                 super.reset();
-                super.skip(pos - adjustment);
+                super.skip(pos);
                 return;
             }
             super.reset();
-            super.skip(PROJECT.length);
+            super.skip(count - PROJECT.length);
             super.mark(BUFFER_SIZE);
-            for (int i = 0; i < PROJECT.length; i++) {
-                buffer[i] = buffer[BUFFER_SIZE - PROJECT.length + i];
-            }
-            adjustment = PROJECT.length;
-            count = super.read(buffer, PROJECT.length, BUFFER_SIZE - PROJECT.length);
+            count = super.read(buffer, 0, BUFFER_SIZE);
         }
     }
 
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java
new file mode 100644
index 00000000000..2a5b51a788f
--- /dev/null
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2018 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck.xml.pom;
+
+import java.io.File;
+import java.io.InputStream;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import org.owasp.dependencycheck.BaseTest;
+
+/**
+ *
+ * @author jeremy
+ */
+public class PomParserTest {
+
+    /**
+     * Test of parse method, of class PomParser.
+     */
+    @Test
+    public void testParse_File() throws Exception {
+        File file = BaseTest.getResourceAsFile(this, "pom/mailapi-1.4.3.pom");
+        PomParser instance = new PomParser();
+        String expVersion = "1.4.3";
+        Model result = instance.parse(file);
+        assertEquals("Invalid version extracted", expVersion, result.getParentVersion());
+    }
+
+    /**
+     * Test of parse method, of class PomParser.
+     */
+    @Test
+    public void testParse_InputStream() throws Exception {
+        InputStream inputStream = BaseTest.getResourceAsStream(this, "pom/plexus-utils-3.0.24.pom");
+        PomParser instance = new PomParser();
+        String expectedArtifactId = "plexus-utils";
+        Model result = instance.parse(inputStream);
+        assertEquals("Invalid artifactId extracted", expectedArtifactId, result.getArtifactId());
+    }
+
+}
diff --git a/core/src/test/resources/pom/mailapi-1.4.3.pom b/core/src/test/resources/pom/mailapi-1.4.3.pom
new file mode 100644
index 00000000000..fee7186c027
--- /dev/null
+++ b/core/src/test/resources/pom/mailapi-1.4.3.pom
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!--
+    DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+
+    Copyright 1997-2009 Sun Microsystems, Inc. All rights reserved.
+
+    The contents of this file are subject to the terms of either the GNU
+    General Public License Version 2 only ("GPL") or the Common Development
+    and Distribution License("CDDL") (collectively, the "License").  You
+    may not use this file except in compliance with the License. You can obtain
+    a copy of the License at https://glassfish.dev.java.net/public/CDDL+GPL.html
+    or glassfish/bootstrap/legal/LICENSE.txt.  See the License for the specific
+    language governing permissions and limitations under the License.
+
+    When distributing the software, include this License Header Notice in each
+    file and include the License file at glassfish/bootstrap/legal/LICENSE.txt.
+    Sun designates this particular file as subject to the "Classpath" exception
+    as provided by Sun in the GPL Version 2 section of the License file that
+    accompanied this code.  If applicable, add the following below the License
+    Header, with the fields enclosed by brackets [] replaced by your own
+    identifying information: "Portions Copyrighted [year]
+    [name of copyright owner]"
+
+    Contributor(s):
+
+    If you wish your version of this file to be governed by only the CDDL or
+    only the GPL Version 2, indicate your decision by adding "[Contributor]
+    elects to include this software in this distribution under the [CDDL or GPL
+    Version 2] license."  If you don't indicate a single choice of license, a
+    recipient has the option to distribute your version of this file under
+    either the CDDL, the GPL Version 2 or to extend the choice of license to
+    its licensees as provided above.  However, if you add GPL Version 2 code
+    and therefore, elected the GPL Version 2 license, then the option applies
+    only if the new code is made subject to such option by the copyright
+    holder.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
+			    http://maven.apache.org/maven-v4_0_0.xsd">
+    <parent>
+	<groupId>com.sun.mail</groupId>
+	<artifactId>all</artifactId>
+	<version>1.4.3</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>javax.mail</groupId>
+    <artifactId>mailapi</artifactId>
+    <packaging>jar</packaging>
+    <name>JavaMail API jar</name>
+
+    <properties>
+	<mail.packages.export>
+	    javax.mail.*; version=${mail.spec.version},
+	    com.sun.mail.util; version=${mail.version},
+	    com.sun.mail.util.logging; version=${mail.version},
+	    com.sun.mail.handlers; version=${mail.version}
+	</mail.packages.export>
+    </properties>
+
+    <build>
+        <plugins>
+	    <plugin>
+		<artifactId>maven-dependency-plugin</artifactId>
+		<executions>
+		    <execution>
+			<id>unpack</id>
+			<phase>process-sources</phase>
+			<goals>
+			    <goal>unpack</goal>
+			</goals>
+		    </execution>
+		</executions>
+		<configuration>
+		    <artifactItems>
+			<artifactItem>
+			    <groupId>javax.mail</groupId>
+			    <artifactId>mail</artifactId>
+			    <version>${mail.version}</version>
+			</artifactItem>
+		    </artifactItems>
+		    <outputDirectory>
+			${project.build.outputDirectory}
+		    </outputDirectory>
+		    <includes>
+			javax/**,
+			com/sun/mail/util/**,
+			com/sun/mail/handlers/**,
+			META-INF/*
+		    </includes>
+		    <excludes>
+			META-INF/javamail.default.*
+		    </excludes>
+		</configuration>
+	    </plugin>
+	    <plugin>
+		<artifactId>maven-jar-plugin</artifactId>
+		<configuration>
+		    <finalName>${project.artifactId}</finalName>
+		    <archive>
+			<manifestFile>
+			  ${project.build.outputDirectory}/META-INF/MANIFEST.MF
+			</manifestFile>
+		    </archive>
+		</configuration>
+	    </plugin>
+        </plugins>
+    </build>
+</project>