github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-22 00:59:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

bug fixes

Browse Source 
Former-commit-id: a415f5e84dbe7c887a20a8acd18403655c82f9be
This commit is contained in:
Jeremy Long
2012-12-02 22:22:25 -05:00
parent 4cd759bfa6
commit 0027e75a45
20 changed files with 115 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
README.txt
View File

@@ -7,10 +7,10 @@ If found, it will generate a report linking to the associated CVE entries.
Usage: Usage:
$ mvn package $ mvn package
$ cd target $ cd target
$ java -jar DependencyCheck-0.2.3.jar -h $ java -jar DependencyCheck-0.2.3.1.jar -h
$ java -jar DependencyCheck-0.2.3.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib $ java -jar DependencyCheck-0.2.3.1.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
Then load the resulting 'Testing.html' into your favorite browser. Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
Author: Jeremy Long (jeremy.long@gmail.com) Author: Jeremy Long (jeremy.long@gmail.com)

13
pom.xml
View File

@@ -23,7 +23,7 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses/>.
<groupId>org.codesecure</groupId> <groupId>org.codesecure</groupId>
<artifactId>DependencyCheck</artifactId> <artifactId>DependencyCheck</artifactId>
<version>0.2.3</version> <version>0.2.3.1</version>
<packaging>jar</packaging> <packaging>jar</packaging>
<name>DependencyCheck</name> <name>DependencyCheck</name>
@@ -100,7 +100,7 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses/>.
<artifactId>maven-javadoc-plugin</artifactId> <artifactId>maven-javadoc-plugin</artifactId>
<version>2.8.1</version> <version>2.8.1</version>
<configuration> <configuration>
<bottom>Copyright &#169; 2012 Jeremy Long. All Rights Reserved.</bottom> <bottom>Copyright&#169; 2012 Jeremy Long. All Rights Reserved.</bottom>
</configuration> </configuration>
</plugin> </plugin>
<plugin> <plugin>
@@ -451,5 +451,14 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses/>.
<artifactId>hawtdb</artifactId> <artifactId>hawtdb</artifactId>
<version>1.6</version> <version>1.6</version>
</dependency>--> </dependency>-->
<!-- The following dependencies are only scanned during integration testing -->
<!--<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>2.5.5</version>
<scope>test</scope>
</dependency>-->
</dependencies> </dependencies>
</project> </project>

1
src/main/java/org/codesecure/dependencycheck/App.java
View File

@@ -28,7 +28,6 @@ import java.util.logging.LogManager;
import java.util.logging.Logger; import java.util.logging.Logger;
import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.ParserConfigurationException;
import org.apache.commons.cli.ParseException; import org.apache.commons.cli.ParseException;
import org.codesecure.dependencycheck.analyzer.AnalysisPhase;
import org.codesecure.dependencycheck.data.cpe.xml.Importer; import org.codesecure.dependencycheck.data.cpe.xml.Importer;
import org.codesecure.dependencycheck.reporting.ReportGenerator; import org.codesecure.dependencycheck.reporting.ReportGenerator;
import org.codesecure.dependencycheck.dependency.Dependency; import org.codesecure.dependencycheck.dependency.Dependency;

4
src/main/java/org/codesecure/dependencycheck/Engine.java
View File

@@ -195,7 +195,7 @@ public class Engine {
try { try {
a.initialize(); a.initialize();
} catch (Exception ex) { } catch (Exception ex) {
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, Logger.getLogger(Engine.class.getName()).log(Level.SEVERE,
"Exception occured initializing " + a.getName() + ".", ex); "Exception occured initializing " + a.getName() + ".", ex);
try { try {
a.close(); a.close();
@@ -255,7 +255,7 @@ public class Engine {
try { try {
source.update(); source.update();
} catch (UpdateException ex) { } catch (UpdateException ex) {
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, Logger.getLogger(Engine.class.getName()).log(Level.SEVERE,
"Unable to update " + source.getClass().getName(), ex); "Unable to update " + source.getClass().getName(), ex);
} }
} }

12
src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -186,6 +186,7 @@ public class JarAnalyzer extends AbstractAnalyzer {
parseManifest(dependency); parseManifest(dependency);
analyzePackageNames(dependency); analyzePackageNames(dependency);
analyzePOM(dependency); analyzePOM(dependency);
addPredefinedData(dependency);
} catch (IOException ex) { } catch (IOException ex) {
throw new AnalysisException("Exception occured reading the JAR file.", ex); throw new AnalysisException("Exception occured reading the JAR file.", ex);
} catch (JAXBException ex) { } catch (JAXBException ex) {
@@ -615,4 +616,15 @@ public class JarAnalyzer extends AbstractAnalyzer {
sb.append(text.substring(end + 1)); sb.append(text.substring(end + 1));
return interpolateString(sb.toString(), properties); //yes yes, this should be a loop... return interpolateString(sb.toString(), properties); //yes yes, this should be a loop...
} }
private void addPredefinedData(Dependency dependency) {
Evidence spring = new Evidence("Manifest",
"Implementation-Title",
"Spring Framework",
Evidence.Confidence.HIGH);
if (dependency.getProductEvidence().getEvidence().contains(spring)) {
dependency.getVendorEvidence().addEvidence("a priori", "vendor", "SpringSource", Evidence.Confidence.HIGH);
}
}
} }

22
src/main/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzer.java
View File

@@ -149,23 +149,11 @@ public class CPEAnalyzer implements org.codesecure.dependencycheck.analyzer.Anal
Confidence versionConf = Confidence.HIGH; Confidence versionConf = Confidence.HIGH;
String vendors = addEvidenceWithoutDuplicateTerms("", dependency.getVendorEvidence(), vendorConf); String vendors = addEvidenceWithoutDuplicateTerms("", dependency.getVendorEvidence(), vendorConf);
//dependency.getVendorEvidence().toString(vendorConf);
// if ("".equals(vendors)) {
// vendors = STRING_THAT_WILL_NEVER_BE_IN_THE_INDEX;
// }
String products = addEvidenceWithoutDuplicateTerms("", dependency.getProductEvidence(), productConf); String products = addEvidenceWithoutDuplicateTerms("", dependency.getProductEvidence(), productConf);
///dependency.getProductEvidence().toString(productConf);
// if ("".equals(products)) {
// products = STRING_THAT_WILL_NEVER_BE_IN_THE_INDEX;
// }
String versions = addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), versionConf); String versions = addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), versionConf);
//dependency.getVersionEvidence().toString(versionConf);
// if ("".equals(versions)) {
// versions = STRING_THAT_WILL_NEVER_BE_IN_THE_INDEX;
// }
boolean found = false; boolean found = false;
int cnt = 0; int ctr = 0;
do { do {
List<Entry> entries = searchCPE(vendors, products, versions, dependency.getProductEvidence().getWeighting(), List<Entry> entries = searchCPE(vendors, products, versions, dependency.getProductEvidence().getWeighting(),
dependency.getVendorEvidence().getWeighting()); dependency.getVendorEvidence().getWeighting());
@@ -186,14 +174,14 @@ public class CPEAnalyzer implements org.codesecure.dependencycheck.analyzer.Anal
if (!found) { if (!found) {
int round = cnt % 3; int round = ctr % 3;
if (round == 0) { if (round == 0) {
vendorConf = reduceConfidence(vendorConf); vendorConf = reduceConfidence(vendorConf);
if (dependency.getVendorEvidence().contains(vendorConf)) { if (dependency.getVendorEvidence().contains(vendorConf)) {
//vendors += " " + dependency.getVendorEvidence().toString(vendorConf); //vendors += " " + dependency.getVendorEvidence().toString(vendorConf);
vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), vendorConf); vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), vendorConf);
} else { } else {
cnt += 1; ctr += 1;
round += 1; round += 1;
} }
} }
@@ -203,7 +191,7 @@ public class CPEAnalyzer implements org.codesecure.dependencycheck.analyzer.Anal
//products += " " + dependency.getProductEvidence().toString(productConf); //products += " " + dependency.getProductEvidence().toString(productConf);
products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), productConf); products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), productConf);
} else { } else {
cnt += 1; ctr += 1;
round += 1; round += 1;
} }
} }
@@ -215,7 +203,7 @@ public class CPEAnalyzer implements org.codesecure.dependencycheck.analyzer.Anal
} }
} }
} }
} while (!found && (++cnt) < 9); } while (!found && (++ctr) < 9);
} }
/** /**

26
src/main/java/org/codesecure/dependencycheck/data/cpe/Entry.java
View File

@@ -45,17 +45,12 @@ public class Entry {
public static Entry parse(Document doc) { public static Entry parse(Document doc) {
Entry entry = new Entry(); Entry entry = new Entry();
try { try {
entry.setName(doc.get(Fields.NAME)); entry.parseName(doc.get(Fields.NAME));
entry.setTitle(doc.get(Fields.TITLE)); entry.setTitle(doc.get(Fields.TITLE));
} catch (UnsupportedEncodingException ex) { } catch (UnsupportedEncodingException ex) {
Logger.getLogger(Entry.class.getName()).log(Level.SEVERE, null, ex); Logger.getLogger(Entry.class.getName()).log(Level.SEVERE, null, ex);
entry.name = doc.get(Fields.NAME); entry.name = doc.get(Fields.NAME);
} }
// entry.vendor = doc.get(Fields.VENDOR);
// entry.version = doc.get(Fields.VERSION);
// //entry.revision = doc.get(Fields.REVISION);
// entry.product = doc.get(Fields.TITLE);
// entry.nvdId = doc.get(Fields.NVDID);
return entry; return entry;
} }
/** /**
@@ -95,15 +90,12 @@ public class Entry {
} }
/** /**
* Set the value of name and calls parseName to obtain the * Set the value of name
* vendor:product:version:revision
* *
* @param name new value of name * @param name new value of name
* @throws UnsupportedEncodingException should never be thrown...
*/ */
public void setName(String name) throws UnsupportedEncodingException { public void setName(String name) {
this.name = name; this.name = name;
parseName();
} }
/** /**
* The status of the CPE Entry. * The status of the CPE Entry.
@@ -310,15 +302,17 @@ public class Entry {
* <p>Results in:</p> <ul> <li>Vendor: apache</li> <li>Product: struts</li> * <p>Results in:</p> <ul> <li>Vendor: apache</li> <li>Product: struts</li>
* <li>Version: 1.1</li> <li>Revision: rc2</li> </ul> * <li>Version: 1.1</li> <li>Revision: rc2</li> </ul>
* *
* @param cpeName the cpe name
* @throws UnsupportedEncodingException should never be thrown... * @throws UnsupportedEncodingException should never be thrown...
*/ */
private void parseName() throws UnsupportedEncodingException { public void parseName(String cpeName) throws UnsupportedEncodingException {
if (name != null && name.length() > 7) { this.name = cpeName;
String[] data = name.substring(7).split(":"); if (cpeName != null && cpeName.length() > 7) {
String[] data = cpeName.substring(7).split(":");
if (data.length >= 1) { if (data.length >= 1) {
vendor = URLDecoder.decode(data[0], "UTF-8"); vendor = URLDecoder.decode(data[0], "UTF-8").replaceAll("[_-]", " ");
if (data.length >= 2) { if (data.length >= 2) {
product = URLDecoder.decode(data[1], "UTF-8"); product = URLDecoder.decode(data[1], "UTF-8").replaceAll("[_-]", " ");
if (data.length >= 3) { if (data.length >= 3) {
version = URLDecoder.decode(data[2], "UTF-8"); version = URLDecoder.decode(data[2], "UTF-8");
if (data.length >= 4) { if (data.length >= 4) {

6
src/main/java/org/codesecure/dependencycheck/data/cpe/Index.java
View File

@@ -100,6 +100,11 @@ public class Index extends AbstractIndex implements CachedWebDataSource {
} }
File path = new File(exePath.getCanonicalFile() + File.separator + fileName); File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
path = new File(path.getCanonicalPath()); path = new File(path.getCanonicalPath());
if (!path.exists()) {
if (!path.mkdirs()) {
throw new IOException("Unable to create CPE Data directory");
}
}
return path; return path;
} }
@@ -113,6 +118,7 @@ public class Index extends AbstractIndex implements CachedWebDataSource {
Map fieldAnalyzers = new HashMap(); Map fieldAnalyzers = new HashMap();
fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer()); fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper( PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
new StandardAnalyzer(Version.LUCENE_35), fieldAnalyzers); new StandardAnalyzer(Version.LUCENE_35), fieldAnalyzers);

2
src/main/java/org/codesecure/dependencycheck/data/cpe/xml/CPEHandler.java
View File

@@ -66,7 +66,7 @@ public class CPEHandler extends DefaultHandler {
skip = (temp != null && temp.equals("true")); skip = (temp != null && temp.equals("true"));
try { try {
if (!skip && name.startsWith("cpe:/a:")) { if (!skip && name.startsWith("cpe:/a:")) {
entry.setName(name); entry.parseName(name);
} else { } else {
skip = true; skip = true;
} }

4
src/main/java/org/codesecure/dependencycheck/data/cpe/xml/Indexer.java
View File

@@ -27,7 +27,6 @@ import org.apache.lucene.index.Term;
import org.codesecure.dependencycheck.data.cpe.Entry; import org.codesecure.dependencycheck.data.cpe.Entry;
import org.codesecure.dependencycheck.data.cpe.Fields; import org.codesecure.dependencycheck.data.cpe.Fields;
import org.codesecure.dependencycheck.data.cpe.Index; import org.codesecure.dependencycheck.data.cpe.Index;
import org.codesecure.dependencycheck.data.lucene.LuceneUtils;
/** /**
* The Indexer is used to convert a CPE Entry, retrieved from the CPE XML file, * The Indexer is used to convert a CPE Entry, retrieved from the CPE XML file,
@@ -46,7 +45,8 @@ public class Indexer extends Index implements EntrySaveDelegate {
*/ */
public void saveEntry(Entry entry) throws CorruptIndexException, IOException { public void saveEntry(Entry entry) throws CorruptIndexException, IOException {
Document doc = convertEntryToDoc(entry); Document doc = convertEntryToDoc(entry);
Term term = new Term(Fields.NVDID, LuceneUtils.escapeLuceneQuery(entry.getNvdId())); //Term term = new Term(Fields.NVDID, LuceneUtils.escapeLuceneQuery(entry.getNvdId()));
Term term = new Term(Fields.NAME, entry.getName());
indexWriter.updateDocument(term, doc); indexWriter.updateDocument(term, doc);
} }

5
src/main/java/org/codesecure/dependencycheck/data/nvdcve/Index.java
View File

@@ -98,6 +98,11 @@ public class Index extends AbstractIndex implements CachedWebDataSource {
} }
File path = new File(exePath.getCanonicalFile() + File.separator + fileName); File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
path = new File(path.getCanonicalPath()); path = new File(path.getCanonicalPath());
if (!path.exists()) {
if (!path.mkdirs()) {
throw new IOException("Unable to create NVD CVE Data directory");
}
}
return path; return path;
} }

11
src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/Importer.java
View File

@@ -43,15 +43,17 @@ public class Importer {
*/ */
public static void importXML(File file) { public static void importXML(File file) {
NvdCveParser indexer = null; NvdCveParser indexer = null;
org.codesecure.dependencycheck.data.cpe.xml.Indexer cpeIndexer = null;
try { try {
indexer = new NvdCveParser(); indexer = new NvdCveParser();
indexer.openIndexWriter(); indexer.openIndexWriter();
//HACK - hack to ensure all CPE data is stored in the index.
cpeIndexer = new org.codesecure.dependencycheck.data.cpe.xml.Indexer();
cpeIndexer.openIndexWriter();
indexer.setCPEIndexer(cpeIndexer);
indexer.parse(file); indexer.parse(file);
} catch (CorruptIndexException ex) { } catch (CorruptIndexException ex) {
Logger.getLogger(Importer.class.getName()).log(Level.SEVERE, null, ex); Logger.getLogger(Importer.class.getName()).log(Level.SEVERE, null, ex);
} catch (IOException ex) { } catch (IOException ex) {
@@ -60,6 +62,9 @@ public class Importer {
if (indexer != null) { if (indexer != null) {
indexer.close(); indexer.close();
} }
if (cpeIndexer != null) {
cpeIndexer.close();
}
} }
} }
// public static void importXML(File file) throws FileNotFoundException, IOException, JAXBException, // public static void importXML(File file) throws FileNotFoundException, IOException, JAXBException,

35
src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/NvdCveParser.java
View File

@@ -23,14 +23,17 @@ import java.io.File;
import java.io.FileNotFoundException; import java.io.FileNotFoundException;
import java.io.FileReader; import java.io.FileReader;
import java.io.IOException; import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.logging.Logger; import java.util.logging.Logger;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import org.apache.lucene.document.Document; import org.apache.lucene.document.Document;
import org.apache.lucene.document.Field; import org.apache.lucene.document.Field;
import org.apache.lucene.index.CorruptIndexException;
import org.apache.lucene.index.FieldInfo.IndexOptions; import org.apache.lucene.index.FieldInfo.IndexOptions;
import org.apache.lucene.index.Term; import org.apache.lucene.index.Term;
import org.codesecure.dependencycheck.data.cpe.Entry;
import org.codesecure.dependencycheck.data.nvdcve.Fields; import org.codesecure.dependencycheck.data.nvdcve.Fields;
import org.codesecure.dependencycheck.data.nvdcve.Index; import org.codesecure.dependencycheck.data.nvdcve.Index;
@@ -40,6 +43,19 @@ import org.codesecure.dependencycheck.data.nvdcve.Index;
*/ */
public class NvdCveParser extends Index { public class NvdCveParser extends Index {
//HACK - this has initially been placed here as a hack because not all
// of the CPEs listed in the NVD CVE are actually in the CPE xml file
// hosted by NIST.
private org.codesecure.dependencycheck.data.cpe.xml.Indexer cpeIndexer = null;
/**
* Adds the CPE Index to add additional CPEs found by parsing the NVD CVE.
* @param indexer the CPE Indexer to write new CPEs into.
*/
public void setCPEIndexer(org.codesecure.dependencycheck.data.cpe.xml.Indexer indexer) {
this.cpeIndexer = indexer;
}
/** /**
* Parses an NVD CVE xml file using a buffered readerd. This * Parses an NVD CVE xml file using a buffered readerd. This
* method maybe more fragile then using a partial-unmarshalling SAX * method maybe more fragile then using a partial-unmarshalling SAX
@@ -164,10 +180,27 @@ public class NvdCveParser extends Index {
* Adds a CPE to the Lucene Document * Adds a CPE to the Lucene Document
* @param cpe a string representing a CPE * @param cpe a string representing a CPE
* @param doc a lucene document * @param doc a lucene document
* @throws CorruptIndexException is thrown if the CPE Index is corrupt
* @throws IOException is thrown if there is an IO Exception while writting to the CPE Index
*/ */
private void addVulnerableCpe(String cpe, Document doc) { private void addVulnerableCpe(String cpe, Document doc) throws CorruptIndexException, IOException {
Field vulnerable = new Field(Fields.VULNERABLE_CPE, cpe, Field.Store.NO, Field.Index.ANALYZED); Field vulnerable = new Field(Fields.VULNERABLE_CPE, cpe, Field.Store.NO, Field.Index.ANALYZED);
vulnerable.setIndexOptions(IndexOptions.DOCS_ONLY); vulnerable.setIndexOptions(IndexOptions.DOCS_ONLY);
doc.add(vulnerable); doc.add(vulnerable);
//HACK - this has initially been placed here as a hack because not all
// of the CPEs listed in the NVD CVE are actually in the CPE xml file
// hosted by NIST.
Entry cpeEntry = new Entry();
try {
cpeEntry.parseName(cpe);
cpeEntry.setNvdId("0");
cpeEntry.setTitle(cpe);
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(NvdCveParser.class.getName()).log(Level.SEVERE, null, ex);
}
if (cpeIndexer != null) {
cpeIndexer.saveEntry(cpeEntry);
}
} }
} }

2
src/main/java/org/codesecure/dependencycheck/dependency/EvidenceCollection.java
View File

@@ -184,7 +184,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
text = text.toLowerCase(); text = text.toLowerCase();
for (Evidence e : this.list) { for (Evidence e : this.list) {
if (e.used && e.value.contains(text)) { if (e.used && e.value.toLowerCase().contains(text)) {
return true; return true;
} }
} }

2
src/main/java/org/codesecure/dependencycheck/utils/CliParser.java
View File

@@ -326,7 +326,7 @@ public final class CliParser {
* @return if auto-update is allowed. * @return if auto-update is allowed.
*/ */
public boolean isAutoUpdate() { public boolean isAutoUpdate() {
return (line != null) ? !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE) : false; return (line != null) ? !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE) : true;
} }
/** /**

10
src/main/resources/templates/HtmlReport.vsl
View File

@@ -34,7 +34,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</script> </script>
<script type="text/javascript"> <script type="text/javascript">
$(document).ready(function() { $(document).ready(function() {
$(".expandablesubsection").click(function (e) { $(".expandable").click(function (e) {
e = e || window.event; e = e || window.event;
var h = e.target || e.srcElement; var h = e.target || e.srcElement;
var content = "#content" + h.id.substr(6); var content = "#content" + h.id.substr(6);
@@ -64,7 +64,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
.hidden { .hidden {
display: none; display: none;
} }
.exandable {}
.expandablesubsection { .expandablesubsection {
cursor: pointer; cursor: pointer;
/*background-image: url(img/plus.gif);*/ /*background-image: url(img/plus.gif);*/
@@ -312,7 +312,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
#if ( $dependency.analysisExceptions.size() != 0 ) #if ( $dependency.analysisExceptions.size() != 0 )
#set($cnt=$cnt+1) #set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandablesubsection red">Exceptions Occured During Analysis</h4> <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection red">Exceptions Occured During Analysis</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection hidden"> <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<ul> <ul>
#foreach($ex in $dependency.analysisExceptions) #foreach($ex in $dependency.analysisExceptions)
@@ -340,7 +340,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</div> </div>
#end #end
#set($cnt=$cnt+1) #set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandablesubsection white">Evidence</h4> <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection hidden"> <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<table class="lined fullwidth" border="0"> <table class="lined fullwidth" border="0">
<tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr> <tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
@@ -381,7 +381,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</div> </div>
#if($dependency.getVulnerabilities().size()>0) #if($dependency.getVulnerabilities().size()>0)
#set($cnt=$cnt+1) #set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader white">Published Vulnerabilities</h4> <h4 id="header$cnt" class="subsectionheader expandable collaspablesubsection white">Published Vulnerabilities</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection"> <div id="content$cnt" class="subsectioncontent standardsubsection">
#foreach($vuln in $dependency.getVulnerabilities()) #foreach($vuln in $dependency.getVulnerabilities())
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b></p> <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b></p>

2
src/site/site.xml
View File

@@ -6,4 +6,4 @@
<body> <body>
<menu ref="reports" /> <menu ref="reports" />
</body> </body>
</project> </project>

9
src/test/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzerTest.java
View File

@@ -98,11 +98,16 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
JarAnalyzer jarAnalyzer = new JarAnalyzer(); JarAnalyzer jarAnalyzer = new JarAnalyzer();
Dependency depends = new Dependency(file); Dependency depends = new Dependency(file);
jarAnalyzer.analyze(depends); jarAnalyzer.analyze(depends);
File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
Dependency spring = new Dependency(fileSpring);
jarAnalyzer.analyze(spring);
CPEAnalyzer instance = new CPEAnalyzer(); CPEAnalyzer instance = new CPEAnalyzer();
instance.open(); instance.open();
String expResult = "cpe:/a:apache:struts:2.1.2"; String expResult = "cpe:/a:apache:struts:2.1.2";
instance.determineCPE(depends); instance.determineCPE(depends);
instance.determineCPE(spring);
instance.close(); instance.close();
assertTrue("Incorrect match", depends.getIdentifiers().size() == 1); assertTrue("Incorrect match", depends.getIdentifiers().size() == 1);
assertTrue("Incorrect match", depends.getIdentifiers().get(0).getValue().equals(expResult)); assertTrue("Incorrect match", depends.getIdentifiers().get(0).getValue().equals(expResult));
@@ -131,7 +136,7 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
expResult = "cpe:/a:apache:struts:2.3.1.2"; expResult = "cpe:/a:apache:struts:2.3.1.2";
result = instance.searchCPE(vendor, product, version); result = instance.searchCPE(vendor, product, version);
assertEquals(expResult, result.get(0).getName()); assertEquals(expResult, result.get(0).getName());
instance.close(); instance.close();
} }

2
src/test/java/org/codesecure/dependencycheck/data/cpe/EntryTest.java
View File

@@ -35,7 +35,7 @@ public class EntryTest extends TestCase {
String name = "cpe:/a:apache:struts:1.1:rc2"; String name = "cpe:/a:apache:struts:1.1:rc2";
Entry instance = new Entry(); Entry instance = new Entry();
instance.setName(name); instance.parseName(name);
assertEquals(name,instance.getName()); assertEquals(name,instance.getName());
assertEquals("apache", instance.getVendor()); assertEquals("apache", instance.getVendor());

BIN
src/test/resources/spring-core-2.5.5.jar Normal file
View File

Binary file not shown.