Skip to content

fix: ensure open handles will not leak on errors#6326

Merged
jeremylong merged 2 commits intodependency-check:mainfrom
knalli:feature/handle_leaks_on_error
Dec 19, 2023
Merged

fix: ensure open handles will not leak on errors#6326
jeremylong merged 2 commits intodependency-check:mainfrom
knalli:feature/handle_leaks_on_error

Conversation

@knalli
Copy link
Copy Markdown
Contributor

@knalli knalli commented Dec 18, 2023
edited
Loading

Fixes Issue

As mentioned in jeremylong/DependencyCheck#6275 (comment), I found possible hidden memory leaks in case of broken inputs.

Background: Before #6275, the I/O handling (managing streams, file handling) itself was handled in NvdApiProcessor (IMHO the right place) which also handled the auto-closing on errors. After the change, the stream creation and parsing have moved both into the source implementation classes. If the readItem() methods fail (unexpected), the source constructor will not be succeeded, which means no instance at all, which means no auto-close with try-catch and therefore the created input streams will not be closed anymore.

Also the close runs several closes in sequential order ignoring any exceptions happening there.

Also the read file will not be deleted, however that may be fine.

Description of Change

  • The creations of input streams is back in NvdApiProcessor which ensures via auto-closing the streams will be closed anytimes.
  • Because I did not managed to find a reference of deleting the original file jsonFile in the previous version, I skipped this for now. Maybe reconsider adding again if this is required.
  • The closing implemented in the reader classes (e.e. JsonArrayCveItemSource) may suffer from leaking when a sequential list of closables breaks in the line. Even if this is not the case today, it can change anytimes depending on the external tooling (here Jackson). I have decided to use from commons-io:commons-io the org.apache.commons.io.IOUtils#closeQuietly(java.io.Closeable...). If the errors should propagate, then use #close(java.io.Closeable...)

Have test cases been added to cover the new functionality?

no

@boring-cyborg boring-cyborg Bot added the core changes to core label Dec 18, 2023
@knalli knalli mentioned this pull request Dec 18, 2023
Merged
@philippn
Copy link
Copy Markdown

philippn commented Dec 18, 2023

Hi @knalli ,

did you test drive this code? I would expect it to throw errors at runtime because the InputStreams are closed by the try-with-resources blocks inside of buildItemSource. They need to be open during the lifetime of the CveItemSource, in order for the streaming read to work properly. I would suggest to remove the try-with-resources there.

Kind regards,
Philipp

@knalli
Copy link
Copy Markdown
Contributor Author

knalli commented Dec 18, 2023

Oh, good catch. Thank you having a look. After applying my original purpose, I thought it would be good to move everything into a builder method.

Well, I have issues running the tests (missed this in the PR to mention). Although I have a JDK 1.8 it blocks because of an invalid byte code level. Thought I can wait for the test run here, unfortunately, it did not run.

jeremylong
jeremylong reviewed Dec 18, 2023
View reviewed changes
Comment thread core/src/main/java/org/owasp/dependencycheck/data/update/nvd/api/NvdApiProcessor.java Outdated
@jeremylong
Copy link
Copy Markdown
Collaborator

jeremylong commented Dec 18, 2023

See suggested change.

@knalli knalli force-pushed the feature/handle_leaks_on_error branch from c940c49 to e578b48 Compare December 18, 2023 22:08
@knalli
Copy link
Copy Markdown
Contributor Author

knalli commented Dec 18, 2023

I think I have managed to run the tests locally, without changing any default profile:

[WARNING] Tests run: 473, Failures: 0, Errors: 0, Skipped: 13

However that is a run in which I disabled the NvdApiProcessor#call() with an explicit exception effectively. Looks like there is a test case missing. In case I did not overseen something, an additional, regular unit test should be fine?

@knalli
Copy link
Copy Markdown
Contributor Author

knalli commented Dec 18, 2023

I'm adding an additional commit for a simple unit test which should cover the technical issues. I don't know where to get a "real" file input, so the current processValidStructure tests only for a "valid json" [].

@boring-cyborg boring-cyborg Bot added the tests test cases label Dec 18, 2023
jeremylong
jeremylong approved these changes Dec 19, 2023
View reviewed changes
Copy link
Copy Markdown
Collaborator

@jeremylong jeremylong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jeremylong jeremylong added this to the 9.0.8 milestone Dec 19, 2023
@jeremylong jeremylong merged commit 006684b into dependency-check:main Dec 19, 2023
@knalli knalli deleted the feature/handle_leaks_on_error branch December 19, 2023 19:08
knalli added a commit to knalli/DependencyCheck that referenced this pull request Dec 21, 2023
@knalli
fix: rework fix for closing input streams on errors correctly
ad23edb 
see also dependency-check#6326, 006684b
@knalli knalli mentioned this pull request Dec 21, 2023
Merged
@thejk thejk mentioned this pull request Jan 9, 2024
Closed
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Dec 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jeremylong jeremylong jeremylong approved these changes

Assignees

No one assigned

Labels

core changes to core tests test cases

Projects

None yet

Milestone

9.0.8

Development

Successfully merging this pull request may close these issues.

3 participants

@knalli @philippn @jeremylong