Update Jackson to 2.10.3

sonar-dependency-check-plugin/pom.xml

@@ -26,7 +26,7 @@
         <sonar.pluginName>Dependency-Check</sonar.pluginName>
         <sonar.pluginKey>dependencycheck</sonar.pluginKey>
         <junit.jupiter.version>5.5.2</junit.jupiter.version>
-        <jackson.version>2.8.11</jackson.version>
+        <jackson.version>2.10.3</jackson.version>
     </properties>
 
     <dependencies>
@@ -44,24 +44,12 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>${jackson.version}.4</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>com.fasterxml.jackson.core</groupId>
-                    <artifactId>jackson-core</artifactId>
-                </exclusion>
-            </exclusions>
+            <version>${jackson.version}</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-xml</artifactId>
             <version>${jackson.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>com.fasterxml.jackson.core</groupId>
-                    <artifactId>jackson-databind</artifactId>
-                </exclusion>
-            </exclusions>
         </dependency>
         <dependency>
             <groupId>com.github.spotbugs</groupId>

sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/EvidenceDeserializer.java

@@ -54,21 +54,19 @@ protected EvidenceDeserializer(@Nullable Class<?> vc) {
 
     @Override
     public Map<String, List<Evidence>> deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException, JsonProcessingException {
-        ArrayList<Evidence> evidences = new ArrayList<>();
-        while (jsonParser.nextToken() != JsonToken.END_OBJECT) {
+        List<Evidence> evidences = new ArrayList<>();
+        // empty evidenceCollected in XML
+        if (StringUtils.equals(jsonParser.getCurrentName(), "evidenceCollected") && JsonToken.VALUE_STRING.equals(jsonParser.getCurrentToken())) {
+            return buildFinalEvidences(evidences);
+        }
+        while (!JsonToken.END_OBJECT.equals(jsonParser.nextToken())) {
             JsonToken jsonToken = jsonParser.currentToken();
             // For JSON
             if (JsonToken.START_ARRAY.equals(jsonToken)) {
-                String fieldName = jsonParser.getCurrentName();
-                if (StringUtils.equalsAnyIgnoreCase(fieldName, "vendorEvidence", "productEvidence", "versionEvidence")) {
-                    while (jsonParser.nextToken() != JsonToken.END_ARRAY) {
-                        Evidence ev = jsonParser.readValueAs(Evidence.class);
-                        evidences.add(ev);
-                    }
-                }
+                parseJson(jsonParser, evidences);
             }
             // For XML
-            if(JsonToken.START_OBJECT.equals(jsonToken)){
+            else if(JsonToken.START_OBJECT.equals(jsonToken)){
                 String fieldName = jsonParser.getCurrentName();
                 if (StringUtils.equalsIgnoreCase("evidence", fieldName)) {
                     evidences.add(jsonParser.readValueAs(Evidence.class));
@@ -78,6 +76,16 @@ public Map<String, List<Evidence>> deserialize(JsonParser jsonParser, Deserializ
         return buildFinalEvidences(evidences);
     }
 
+    private void parseJson(JsonParser jsonParser, List<Evidence> evidences) throws IOException {
+        String fieldName = jsonParser.getCurrentName();
+        if (StringUtils.equalsAnyIgnoreCase(fieldName, "vendorEvidence", "productEvidence", "versionEvidence")) {
+            while (!JsonToken.END_ARRAY.equals(jsonParser.nextToken())) {
+                Evidence ev = jsonParser.readValueAs(Evidence.class);
+                evidences.add(ev);
+            }
+        }
+    }
+
     private Map<String, List<Evidence>> buildFinalEvidences(List<Evidence> evidences) {
         Map<String, List<Evidence>> evidencesMap = new HashMap<>();
         for (Evidence evidence : evidences) {

sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/deserializer/VulnarabilitiesDeserializer.java

@@ -53,19 +53,36 @@ protected VulnarabilitiesDeserializer(@Nullable Class<?> vc) {
     @Override
     public List<Vulnerability> deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException, JsonProcessingException {
         ArrayList<Vulnerability> vulnerabilities = new ArrayList<>();
-        while (jsonParser.nextToken() != JsonToken.END_OBJECT) {
-            JsonToken jsonToken = jsonParser.currentToken();
-            if (JsonToken.START_OBJECT.equals(jsonToken)) {
-                String fieldName = jsonParser.getCurrentName();
+        // for JSON
+        if (JsonToken.START_ARRAY.equals(jsonParser.currentToken())) {
+            parseJson(jsonParser, vulnerabilities);
+        }
+        // For XML
+        else if (JsonToken.START_OBJECT.equals(jsonParser.currentToken())) {
+            parseXML(jsonParser, vulnerabilities);
+        }
+        return vulnerabilities;
+    }
+
+    private void parseXML(JsonParser jsonParser, List<Vulnerability> vulnerabilities) throws IOException {
+        while (!JsonToken.END_OBJECT.equals(jsonParser.nextToken())) {
+            if (JsonToken.START_OBJECT.equals(jsonParser.currentToken())) {
                 Vulnerability vul = jsonParser.readValueAs(Vulnerability.class);
-                // fieldName == null with JSON
-                // fieldName == vulnerability with XML
-                // fieldName == suppressedVulnerabilities with XML but skip it
-                if (fieldName == null || StringUtils.equals(fieldName, "vulnerability")) {
+                // skip suppressedVulnerabilities
+                if (StringUtils.equals(jsonParser.getCurrentName(), "vulnerability")) {
                     vulnerabilities.add(vul);
                 }
             }
         }
-        return vulnerabilities;
+    }
+
+    private void parseJson(JsonParser jsonParser, List<Vulnerability> vulnerabilities) throws IOException {
+        while (!JsonToken.END_ARRAY.equals(jsonParser.nextToken())) {
+            JsonToken jsonToken = jsonParser.currentToken();
+            if (JsonToken.START_OBJECT.equals(jsonToken)) {
+                Vulnerability vul = jsonParser.readValueAs(Vulnerability.class);
+                vulnerabilities.add(vul);
+            }
+        }
     }
 }

sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/PomParserHelperTest.java

@@ -74,7 +74,7 @@ public void parsePomIOException() {
         InputStream inputStream = mock(InputStream.class);
         doThrow(IOException.class).when(inputStream);
         ReportParserException exception = assertThrows(ReportParserException.class, () -> PomParserHelper.parse(inputStream), "No IOException thrown");
-        assertEquals("IO Problem with pom.xml", exception.getMessage());
+        assertEquals("Could not parse pom.xml", exception.getMessage());
     }
 
 }

sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/XMLReportParserHelperTest.java

@@ -58,7 +58,7 @@ public void parseReportXMLIOException() {
         InputStream inputStream = mock(InputStream.class);
         doThrow(IOException.class).when(inputStream);
         ReportParserException exception = assertThrows(ReportParserException.class, () -> XMLReportParserHelper.parse(inputStream), "No IOException thrown");
-        assertEquals("IO Problem with XML-Report", exception.getMessage());
+        assertEquals("Could not parse XML", exception.getMessage());
     }
 
     @Test