Safely handling missing objects when parsing a JSON file

Time: 2018-01-18 11:06:47

Tags: java json jackson

I am trying to avoid a NullPointerException when parsing a JSON file in cases where some objects do not exist. I have a POJO representation of the JSON file for easier handling. Here is an example JSON file:

{
"Registry": "docker.io",
"ImageName": "postgres",
"Tag": "latest",
"Layers": [
    {
        "Layer": {
            "Name": "556f99c912b469ef5c176cb058a3eb32d06dc19f5f482115c760724bbb1b0da6",
            "NamespaceName": "debian:8",
            "IndexedByVersion": 3,
            "Features": [
                {
                    "Name": "db5.3",
                    "NamespaceName": "debian:8",
                    "Version": "5.3.28-9",
                    "Vulnerabilities": [
                        {
                            "Name": "CVE-2017-10140",
                            "NamespaceName": "debian:8",
                            "Link": "https://security-tracker.debian.org/tracker/CVE-2017-10140",
                            "Severity": "Unknown",
                            "FixedBy": "5.3.28-9+deb8u1"
                        }
                    ],
                    "AddedBy": "556f99c912b469ef5c176cb058a3eb32d06dc19f5f482115c760724bbb1b0da6"
                },
                {
                    "Name": "adduser",
                    "NamespaceName": "debian:8",
                    "Version": "3.113+nmu3",
                    "AddedBy": "556f99c912b469ef5c176cb058a3eb32d06dc19f5f482115c760724bbb1b0da6"
                }

This is my class that should read the ScanReport object, and especially the vulnerabilities:

    import java.io.File;
    import java.io.IOException;
    import java.util.List;

    import com.fasterxml.jackson.databind.ObjectMapper;

    // de.security.reports.ScanReport and the Layers / Layer / Feature / Vulnerability
    // POJOs are the asker's own classes and are not shown in the question.
    public void printVulnerabilities() throws IOException {
        File reportFile = new File("reports/json/analysis-postgres-latest.json");
        ObjectMapper mapper = new ObjectMapper();

        ScanReport tester = mapper.readValue(reportFile, ScanReport.class);
        List<Layers> layerList = tester.getLayers();
        for (Layers layers2 : layerList) {
            List<Feature> featureList = layers2.getLayer().getFeatures();
            System.out.println("Number of features: " + featureList.size());
            System.out.println("***************************************************************");
            for (Feature feature : featureList) {
                System.out.println("Feature name :" + feature.getName());

                // getVulnerabilities() returns null when the "Vulnerabilities" key is absent
                // (as for the "adduser" feature above), so this condition throws a
                // NullPointerException; note also that a List never equals(" ").
                if (feature.getVulnerabilities().equals(" ") || feature.getVulnerabilities().isEmpty()
                        || feature.getVulnerabilities().size() == 0) {
                    System.out.println("no vulnerability found");
                } else {
                    List<Vulnerability> vulnerabilities = feature.getVulnerabilities();
                    System.out.println("------------------------------------------------------------");
                    for (Vulnerability vulnerability : vulnerabilities) {
                        System.out.println("    ===   Vulnerabilities  === ");
                        System.out.println("CVE: " + vulnerability.getName());
                        System.out.println("Namespace: " + vulnerability.getNamespaceName());
                    }
                }
            }
        }
    }

2 answers:

Answer 0 (score: 0)

Using an annotation

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;

@JsonIgnoreProperties(ignoreUnknown = true)
public class MyMappingClass {

}

See JsonIgnoreProperties in the Jackson online documentation.

Using configuration is less invasive than the annotation.

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectReader;

ObjectMapper objectMapper = new ObjectMapper();
// Unknown JSON properties are skipped instead of failing deserialization.
objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);

ObjectReader objectReader = objectMapper.reader(MyMappingClass.class);
// json: the JSON String (or File / InputStream) to deserialize; readValue throws IOException
MyMappingClass myMappingClass = objectReader.readValue(json);

See FAIL_ON_UNKNOWN_PROPERTIES in the Jackson online documentation.

Answer 1 (score: 0)

Your problem doesn't seem to be related to serialization. I think your condition is wrong; try this:

if (feature.getVulnerabilities() == null || feature.getVulnerabilities().equals(" ")
        || feature.getVulnerabilities().isEmpty() || feature.getVulnerabilities().size() == 0)
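As an added example that is not part of the question or either answer: instead of null-checking at every call site, the POJO itself can guarantee that a missing or explicitly null "Vulnerabilities" array deserializes to an empty list. The Feature and Vulnerability classes below are hypothetical minimal versions of the asker's POJOs, and the sample inputs are constructed; `@JsonSetter(nulls = Nulls.AS_EMPTY)` requires Jackson 2.9 or later.

```java
import java.util.ArrayList;
import java.util.List;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonSetter;
import com.fasterxml.jackson.annotation.Nulls;
import com.fasterxml.jackson.databind.ObjectMapper;

public class MissingListDemo {

    // Hypothetical minimal Feature POJO; property names mirror the JSON keys in the question.
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class Feature {
        @JsonProperty("Name")
        public String name;

        // Default to an empty list: when the "Vulnerabilities" key is absent, Jackson
        // never touches the field, so the default survives. Nulls.AS_EMPTY additionally
        // maps an explicit "Vulnerabilities": null to an empty list instead of null.
        @JsonProperty("Vulnerabilities")
        @JsonSetter(nulls = Nulls.AS_EMPTY)
        public List<Vulnerability> vulnerabilities = new ArrayList<>();
    }

    // Hypothetical minimal Vulnerability POJO.
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class Vulnerability {
        @JsonProperty("Name")
        public String name;
    }

    // Counts vulnerabilities of one feature; never throws on a missing or null list.
    static int countVulnerabilities(String json) throws Exception {
        Feature feature = new ObjectMapper().readValue(json, Feature.class);
        return feature.vulnerabilities.size();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: list present, key absent, and key explicitly null.
        String withList = "{\"Name\":\"db5.3\",\"Vulnerabilities\":[{\"Name\":\"CVE-2017-10140\"}]}";
        String absent = "{\"Name\":\"adduser\"}";
        String explicitNull = "{\"Name\":\"adduser\",\"Vulnerabilities\":null}";
        System.out.println("present: " + countVulnerabilities(withList));
        System.out.println("absent: " + countVulnerabilities(absent));
        System.out.println("null: " + countVulnerabilities(explicitNull));
    }
}
```

With this, the loop in the question can iterate `feature.getVulnerabilities()` directly and print "no vulnerability found" when the list is empty.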