merge upstream

bjiang
2016-06-15 13:54:49 -04:00
73 changed files with 2070 additions and 836 deletions


@@ -18,9 +18,12 @@
package org.owasp.dependencycheck.analyzer;
import java.util.Iterator;
import java.util.List;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.BaseDBTestCase;
import org.owasp.dependencycheck.utils.Settings;
/**
*
@@ -34,15 +37,42 @@ public class AnalyzerServiceTest extends BaseDBTestCase {
@Test
public void testGetAnalyzers() {
AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader());
Iterator<Analyzer> result = instance.getAnalyzers();
List<Analyzer> result = instance.getAnalyzers();
boolean found = false;
while (result.hasNext()) {
Analyzer a = result.next();
for (Analyzer a : result) {
if ("Jar Analyzer".equals(a.getName())) {
found = true;
}
}
assertTrue("JarAnalyzer loaded", found);
}
/**
* Test of getAnalyzers method, of class AnalyzerService.
*/
@Test
public void testGetExperimentalAnalyzers() {
Settings.setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader());
List<Analyzer> result = instance.getAnalyzers();
String experimental = "CMake Analyzer";
boolean found = false;
for (Analyzer a : result) {
if (experimental.equals(a.getName())) {
found = true;
}
}
assertFalse("Experimental analyzer loaded when set to false", found);
Settings.setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, true);
result = instance.getAnalyzers();
found = false;
for (Analyzer a : result) {
if (experimental.equals(a.getName())) {
found = true;
}
}
assertTrue("Experimental analyzer not loaded when set to true", found);
}
}
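Review bot: testGetExperimentalAnalyzers toggles the global `Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED` and leaves it set to true, so any later test in the same JVM sees a different analyzer set unless BaseDBTestCase resets Settings (not visible here). Save the prior value with `boolean prior = Settings.getBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED);` and restore it in a `finally`. The Javadoc above it, "Test of getAnalyzers method, of class AnalyzerService.", is copied from testGetAnalyzers and should say the test verifies that experimental analyzers are listed only when the flag is set. The name-search loop is written three times in this class and could be a private helper `containsAnalyzer(List<Analyzer> analyzers, String name)`.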


@@ -240,7 +240,7 @@ public class CPEAnalyzerIntegrationTest extends BaseDBTestCase {
Set<String> vendorWeightings = Collections.singleton("apache");
List<IndexEntry> result = instance.searchCPE(vendor, product, productWeightings, vendorWeightings);
List<IndexEntry> result = instance.searchCPE(vendor, product, vendorWeightings, productWeightings);
instance.close();
boolean found = false;
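Review bot: The fix is a swap of two `Set<String>` arguments, so nothing stops the same mix-up recurring; add an inline note on the call, `// searchCPE(vendor, product, vendorWeightings, productWeightings)`, or name the locals exactly as the parameters so the positions read correctly. The surrounding test method starts and ends outside the hunk.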


@@ -31,6 +31,7 @@ import org.junit.After;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseDBTestCase;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -48,7 +49,7 @@ import org.slf4j.LoggerFactory;
*
* @author Dale Visser
*/
public class RubyBundleAuditAnalyzerTest extends BaseTest {
public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzerTest.class);
@@ -64,7 +65,10 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
*/
@Before
public void setUp() throws Exception {
Settings.initialize();
super.setUp();
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
analyzer = new RubyBundleAuditAnalyzer();
analyzer.setFilesMatched(true);
}
@@ -76,7 +80,6 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
*/
@After
public void tearDown() throws Exception {
Settings.cleanup();
analyzer.close();
analyzer = null;
}
@@ -104,7 +107,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
*/
@Test
public void testAnalysis() throws AnalysisException, DatabaseException {
try {
try {
analyzer.initialize();
final String resource = "ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock";
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, resource));
@@ -112,14 +115,14 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
analyzer.analyze(result, engine);
int size = engine.getDependencies().size();
assertTrue(size >= 1);
Dependency dependency = engine.getDependencies().get(0);
assertTrue(dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet"));
assertTrue(dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"));
assertTrue(dependency.getFilePath().endsWith(resource));
assertTrue(dependency.getFileName().equals("Gemfile.lock"));
} catch (Exception e) {
LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".", e);
LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".");
Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", e);
}
}
@@ -137,7 +140,6 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
final Engine engine = new Engine();
analyzer.analyze(result, engine);
Dependency dependency = engine.getDependencies().get(0);
Vulnerability vulnerability = dependency.getVulnerabilities().first();
assertEquals(vulnerability.getCvssScore(), 5.0f, 0.0);
@@ -148,7 +150,6 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
}
}
/**
* Test when Ruby bundle-audit is not available on the system.
*
@@ -156,17 +157,16 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
*/
@Test
public void testMissingBundleAudit() throws AnalysisException, DatabaseException {
//set a non-exist bundle-audit
//set a non-exist bundle-audit
Settings.setString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, "phantom-bundle-audit");
try {
//initialize should fail.
analyzer.initialize();
} catch (Exception e) {
//expected, so ignore.
}
finally {
assertThat(analyzer.isEnabled(), is(false));
LOGGER.info("phantom-bundle-audit is not available. Ruby Bundle Audit Analyzer is disabled as expected.");
analyzer.initialize();
} catch (Exception e) {
//expected, so ignore.
} finally {
assertThat(analyzer.isEnabled(), is(false));
LOGGER.info("phantom-bundle-audit is not available. Ruby Bundle Audit Analyzer is disabled as expected.");
}
}
@@ -177,45 +177,48 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
*/
@Test
public void testDependenciesPath() throws AnalysisException, DatabaseException {
final Engine engine = new Engine();
engine.scan(BaseTest.getResourceAsFile(this,
"ruby/vulnerable/gems/rails-4.1.15/"));
engine.analyzeDependencies();
try {
engine.analyzeDependencies();
} catch (NullPointerException ex) {
LOGGER.error("NPE", ex);
throw ex;
}
List<Dependency> dependencies = engine.getDependencies();
LOGGER.info(dependencies.size() + " dependencies found.");
Iterator<Dependency> dIterator = dependencies.iterator();
while(dIterator.hasNext()) {
Dependency dept = dIterator.next();
LOGGER.info("dept path: " + dept.getActualFilePath());
while (dIterator.hasNext()) {
Dependency dept = dIterator.next();
LOGGER.info("dept path: " + dept.getActualFilePath());
Set<Identifier> identifiers = dept.getIdentifiers();
Iterator<Identifier> idIterator = identifiers.iterator();
while(idIterator.hasNext()) {
Identifier id = idIterator.next();
LOGGER.info(" Identifier: " + id.getValue() + ", type=" + id.getType() + ", url=" + id.getUrl() + ", conf="+ id.getConfidence());
}
Set<Evidence> prodEv = dept.getProductEvidence().getEvidence();
Iterator<Evidence> it = prodEv.iterator();
while(it.hasNext()) {
Evidence e = it.next();
LOGGER.info(" prod: name=" + e.getName() + ", value=" + e.getValue() + ", source=" + e.getSource() + ", confidence=" + e.getConfidence());
}
Set<Evidence> versionEv = dept.getVersionEvidence().getEvidence();
Iterator<Evidence> vIt = versionEv.iterator();
while(vIt.hasNext()) {
Evidence e = vIt.next();
LOGGER.info(" version: name=" + e.getName() + ", value=" + e.getValue() + ", source=" + e.getSource() + ", confidence=" + e.getConfidence());
}
Set<Identifier> identifiers = dept.getIdentifiers();
Iterator<Identifier> idIterator = identifiers.iterator();
while (idIterator.hasNext()) {
Identifier id = idIterator.next();
LOGGER.info(" Identifier: " + id.getValue() + ", type=" + id.getType() + ", url=" + id.getUrl() + ", conf=" + id.getConfidence());
}
Set<Evidence> vendorEv = dept.getVendorEvidence().getEvidence();
Iterator<Evidence> vendorIt = vendorEv.iterator();
while(vendorIt.hasNext()) {
Evidence e = vendorIt.next();
LOGGER.info(" vendor: name=" + e.getName() + ", value=" + e.getValue() + ", source=" + e.getSource() + ", confidence=" + e.getConfidence());
}
Set<Evidence> prodEv = dept.getProductEvidence().getEvidence();
Iterator<Evidence> it = prodEv.iterator();
while (it.hasNext()) {
Evidence e = it.next();
LOGGER.info(" prod: name=" + e.getName() + ", value=" + e.getValue() + ", source=" + e.getSource() + ", confidence=" + e.getConfidence());
}
Set<Evidence> versionEv = dept.getVersionEvidence().getEvidence();
Iterator<Evidence> vIt = versionEv.iterator();
while (vIt.hasNext()) {
Evidence e = vIt.next();
LOGGER.info(" version: name=" + e.getName() + ", value=" + e.getValue() + ", source=" + e.getSource() + ", confidence=" + e.getConfidence());
}
Set<Evidence> vendorEv = dept.getVendorEvidence().getEvidence();
Iterator<Evidence> vendorIt = vendorEv.iterator();
while (vendorIt.hasNext()) {
Evidence e = vendorIt.next();
LOGGER.info(" vendor: name=" + e.getName() + ", value=" + e.getValue() + ", source=" + e.getSource() + ", confidence=" + e.getConfidence());
}
}
}
}
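Review bot: testDependenciesPath asserts nothing: it scans, analyzes and logs, so it passes even when `engine.getDependencies()` is empty; add `assertTrue("no dependencies found", !dependencies.isEmpty());` after the `List<Dependency> dependencies` line. The `catch (NullPointerException ex)` that logs and rethrows is debug scaffolding — JUnit already reports the stack trace — and can be dropped together with the try. The Engine created at `final Engine engine = new Engine();` is never released; if Engine holds the database connection in this version (the move to BaseDBTestCase suggests so), wrap the body in try/finally and call its cleanup method. tearDown now drops `Settings.cleanup()` while setUp gained `super.setUp()`; presumably the base class owns Settings lifecycle now, worth confirming.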


@@ -19,6 +19,8 @@ package org.owasp.dependencycheck.data.update.nvd;
import org.owasp.dependencycheck.data.update.nvd.NvdCve20Handler;
import java.io.File;
import java.util.List;
import java.util.Map;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.junit.After;
@@ -28,6 +30,7 @@ import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
/**
*
@@ -49,12 +52,42 @@ public class NvdCve_2_0_HandlerTest extends BaseTest {
saxParser.parse(file, instance);
} catch (Throwable ex) {
ex.printStackTrace();
results = ex;
}
assertTrue("Exception thrown during parse of 2012 CVE version 2.0?", results == null);
if (results != null) {
System.err.println(results);
}
}
@Test
public void testParserWithPreviousVersion() {
Throwable results = null;
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
File file12 = BaseTest.getResourceAsFile(this, "cve-1.2-2008_4411.xml");
final NvdCve12Handler cve12Handler = new NvdCve12Handler();
saxParser.parse(file12, cve12Handler);
final Map<String, List<VulnerableSoftware>> prevVersionVulnMap = cve12Handler.getVulnerabilities();
//File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2.0-2012.xml").getPath());
File file20 = BaseTest.getResourceAsFile(this, "cve-2.0-2008_4411.xml");
NvdCve20Handler instance = new NvdCve20Handler();
instance.setPrevVersionVulnMap(prevVersionVulnMap);
saxParser.parse(file20, instance);
assertTrue(instance.getTotalNumberOfEntries()==1);
} catch (Throwable ex) {
results = ex;
}
assertTrue("Exception thrown during parse of 2012 CVE version 2.0?", results == null);
if (results != null) {
System.err.println(results);
}
}
}
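Review bot: In testParserWithPreviousVersion the check `assertTrue(instance.getTotalNumberOfEntries()==1)` sits inside the `try` whose `catch (Throwable ex)` also catches AssertionError, so a wrong entry count is reported as "Exception thrown during parse of 2012 CVE version 2.0?" — a message copied from the previous test that names the wrong feed. Move the count check after the try as `assertEquals(1, instance.getTotalNumberOfEntries());`, and let the method declare `throws Exception` so a real parse failure surfaces with its stack trace instead of only `System.err.println(results)`. The first test in the hunk starts outside it.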


@@ -0,0 +1,161 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.dependency;
import java.util.Set;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.assertFalse;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
*
* @author Jens Hausherr
*/
public class VulnerabilityTest extends BaseTest {
/**
* Test of equals method, of class VulnerableSoftware.
*/
@Test
public void testDuplicateVersions() {
Vulnerability obj = new Vulnerability();
obj.addVulnerableSoftware("cpe:/a:mortbay:jetty:6.1.0");
obj.addVulnerableSoftware("cpe:/a:mortbay:jetty:6.1.1");
obj.addVulnerableSoftware("cpe:/a:mortbay:jetty:6.1.0");
assertEquals(2, obj.getVulnerableSoftware().size());
}
@Test
public void testDpulicateVersionsWithPreviousVersion() {
Vulnerability obj = new Vulnerability();
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-103%28a%29", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-118", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.3.132", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.12-200", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.2-127", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.9", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.10", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.11", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.12-118", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.4-143", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-109", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.6-156", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.4", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.3", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.10-186", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.6", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.5", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.5-146", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.8", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.7", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.2", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.0.2", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.1", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.8-177", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.0.1", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.0.0", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.7-168", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-103", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.11-197", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.9-178", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.12-200", "1");
assertEquals(31, obj.getVulnerableSoftware().size());
}
@Test
public void testSoftwareSorting() {
Vulnerability obj = new Vulnerability();
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-103%28a%29", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-118", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.3.132", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.12-200", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.2-127", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.9", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.10", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.11", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.12-118", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.4-143", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-109", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.6-156", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.4", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.3", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.10-186", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.6", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.5", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.5-146", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.8", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.7", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.2", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.0.2", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.1", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.8-177", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.0.1", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.0.0", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.7-168", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-103", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.11-197", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.9-178", null);
Set<VulnerableSoftware> software = obj.getVulnerableSoftware();
VulnerableSoftware vs[] = software.toArray(new VulnerableSoftware[software.size()]);
assertTrue("cpe:/a:hp:system_management_homepage:2.0.0".equals(vs[0].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.0.1".equals(vs[1].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.0.2".equals(vs[2].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1".equals(vs[3].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.0-103".equals(vs[4].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.0-103%28a%29".equals(vs[5].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.0-109".equals(vs[6].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.0-118".equals(vs[7].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.1".equals(vs[8].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.2".equals(vs[9].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.2-127".equals(vs[10].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.3".equals(vs[11].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.3.132".equals(vs[12].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.4".equals(vs[13].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.4-143".equals(vs[14].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.5".equals(vs[15].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.5-146".equals(vs[16].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.6".equals(vs[17].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.6-156".equals(vs[18].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.7".equals(vs[19].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.7-168".equals(vs[20].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.8".equals(vs[21].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.8-177".equals(vs[22].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.9".equals(vs[23].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.9-178".equals(vs[24].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.10".equals(vs[25].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.10-186".equals(vs[26].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.11".equals(vs[27].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.11-197".equals(vs[28].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.12-118".equals(vs[29].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.12-200".equals(vs[30].getName()));
}
}
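Review bot: testSoftwareSorting asserts the index order of `software.toArray(...)` taken from a `Set<VulnerableSoftware>`, which is only a contract if getVulnerableSoftware() returns a sorted set; declare the local as `SortedSet<VulnerableSoftware>` if the return type allows it, or assert the runtime type, so a change of the backing collection fails loudly rather than nondeterministically. The 31 addVulnerableSoftware calls are duplicated between testDpulicateVersionsWithPreviousVersion and testSoftwareSorting; extract them into a private helper taking the Vulnerability, and fix the test-name typo to testDuplicateVersionsWithPreviousVersion. The Javadoc "Test of equals method, of class VulnerableSoftware." is copied and should say these tests cover de-duplication and ordering of Vulnerability.getVulnerableSoftware(); the After, AfterClass, Before, BeforeClass and assertFalse imports are unused.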


@@ -20,6 +20,8 @@ package org.owasp.dependencycheck.dependency;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.assertFalse;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
@@ -29,7 +31,7 @@ import org.owasp.dependencycheck.BaseTest;
*
* @author Jeremy Long
*/
public class VulnerableSoftwareTest extends BaseTest {
public class VulnerableSoftwareTest extends BaseTest {
/**
* Test of equals method, of class VulnerableSoftware.
@@ -40,9 +42,20 @@ public class VulnerableSoftwareTest extends BaseTest {
obj.setCpe("cpe:/a:mortbay:jetty:6.1.0");
VulnerableSoftware instance = new VulnerableSoftware();
instance.setCpe("cpe:/a:mortbay:jetty:6.1");
boolean expResult = false;
boolean result = instance.equals(obj);
assertEquals(expResult, result);
assertFalse(instance.equals(obj));
}
/**
* Test of equals method, of class VulnerableSoftware.
*/
@Test
public void testEquals2() {
VulnerableSoftware obj = new VulnerableSoftware();
obj.setCpe("cpe:/a:mortbay:jetty:6.1.0");
VulnerableSoftware instance = new VulnerableSoftware();
instance.setCpe("cpe:/a:mortbay:jetty:6.1.0");
obj.setPreviousVersion("1");
assertTrue(instance.equals(obj));
}
/**
@@ -78,4 +91,64 @@ public class VulnerableSoftwareTest extends BaseTest {
result = instance.compareTo(vs);
assertEquals(expResult, result);
}
@Test
public void testCompareToNonNumerical() {
VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe("cpe:/a:mysql:mysql:5.1.23a");
VulnerableSoftware vs1 = new VulnerableSoftware();
vs1.setCpe("cpe:/a:mysql:mysql:5.1.23a");
vs1.setPreviousVersion("1");
assertEquals(0, vs.compareTo(vs1));
assertEquals(0, vs1.compareTo(vs));
}
@Test
public void testCompareToComplex() {
VulnerableSoftware vs = new VulnerableSoftware();
VulnerableSoftware vs1 = new VulnerableSoftware();
vs.setCpe("2.1");
vs1.setCpe("2.1.10");
assertTrue(vs.compareTo(vs1) < 0);
vs.setCpe("cpe:/a:hp:system_management_homepage:2.1.1");
vs1.setCpe("cpe:/a:hp:system_management_homepage:2.1.10");
assertTrue(vs.compareTo(vs1) < 0);
vs.setCpe("10");
vs1.setCpe("10-186");
assertTrue(vs.compareTo(vs1) < 0);
vs.setCpe("2.1.10");
vs1.setCpe("2.1.10-186");
assertTrue(vs.compareTo(vs1) < 0);
vs.setCpe("cpe:/a:hp:system_management_homepage:2.1.10");
vs1.setCpe("cpe:/a:hp:system_management_homepage:2.1.10-186");
assertTrue(vs.compareTo(vs1) < 0);
//assertTrue(vs1.compareTo(vs)>0);
}
@Test
public void testEqualsPreviousVersion() {
VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe("cpe:/a:mysql:mysql:5.1.23a");
VulnerableSoftware vs1 = new VulnerableSoftware();
vs1.setCpe("cpe:/a:mysql:mysql:5.1.23a");
vs1.setPreviousVersion("1");
assertEquals(vs, vs1);
assertEquals(vs1, vs);
}
@Test
public void testParseCPE() {
VulnerableSoftware vs = new VulnerableSoftware();
/* Version for test taken from CVE-2008-2079 */
vs.setCpe("cpe:/a:mysql:mysql:5.1.23a");
assertEquals("mysql", vs.getVendor());
assertEquals("mysql", vs.getProduct());
assertEquals("5.1.23a", vs.getVersion());
}
}
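Review bot: testEqualsPreviousVersion shows two objects that differ only in previousVersion are equal, but nothing checks that hashCode agrees; add `assertEquals(vs.hashCode(), vs1.hashCode());` after `assertEquals(vs1, vs);`, since set-based de-duplication of VulnerableSoftware depends on it. In testCompareToComplex the commented-out `//assertTrue(vs1.compareTo(vs)>0);` is the antisymmetry half of the Comparable contract; re-enable it or record why it fails, because sorted-set ordering of these objects relies on compareTo being consistent in both directions. The testEquals body at the top of the `@@ -40,9` hunk starts outside it.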


@@ -0,0 +1,57 @@
<?xml version='1.0' encoding='UTF-8'?>
<nvd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://nvd.nist.gov/feeds/cve/1.2" nvd_xml_version="1.2" pub_date="2016-05-28" xsi:schemaLocation="http://nvd.nist.gov/feeds/cve/1.2 http://nvd.nist.gov/schema/nvdcve_1.2.1.xsd">
<entry type="CVE" name="CVE-2008-4411" seq="2008-4411" published="2008-10-13" modified="2011-03-07" severity="Medium" CVSS_version="2.0" CVSS_score="4.3" CVSS_base_score="4.3" CVSS_impact_subscore="2.9" CVSS_exploit_subscore="8.6" CVSS_vector="(AV:N/AC:M/Au:N/C:N/I:P/A:N)">
<desc>
<descript source="cve">Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 2.1.15.210 on Linux and Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-1663.</descript>
</desc>
<loss_types>
<int/>
</loss_types>
<range>
<network/>
</range>
<refs>
<ref source="BID" url="http://www.securityfocus.com/bid/31663" patch="1">31663</ref>
<ref source="XF" url="http://xforce.iss.net/xforce/xfdb/45754">smh-unspecified-xss(45754)</ref>
<ref source="VUPEN" url="http://www.vupen.com/english/advisories/2008/2778">ADV-2008-2778</ref>
<ref source="SECTRACK" url="http://securitytracker.com/id?1021015">1021015</ref>
<ref source="SREASON" url="http://securityreason.com/securityalert/4398">4398</ref>
</refs>
<vuln_soft>
<prod name="system_management_homepage" vendor="hp">
<vers num="2.0.0"/>
<vers num="2.0.1"/>
<vers num="2.0.2"/>
<vers num="2.1"/>
<vers num="2.1.0-103"/>
<vers num="2.1.0-103(a)"/>
<vers num="2.1.0-109"/>
<vers num="2.1.0-118"/>
<vers num="2.1.1"/>
<vers num="2.1.10"/>
<vers num="2.1.10-186"/>
<vers num="2.1.11"/>
<vers num="2.1.11-197"/>
<vers num="2.1.12-118"/>
<vers num="2.1.12-200" prev="1"/>
<vers num="2.1.2"/>
<vers num="2.1.2-127"/>
<vers num="2.1.3"/>
<vers num="2.1.3.132"/>
<vers num="2.1.4"/>
<vers num="2.1.4-143"/>
<vers num="2.1.5"/>
<vers num="2.1.5-146"/>
<vers num="2.1.6"/>
<vers num="2.1.6-156"/>
<vers num="2.1.7"/>
<vers num="2.1.7-168"/>
<vers num="2.1.8"/>
<vers num="2.1.8-177"/>
<vers num="2.1.9"/>
<vers num="2.1.9-178"/>
</prod>
</vuln_soft>
</entry>
</nvd>


@@ -0,0 +1,115 @@
<?xml version='1.0' encoding='UTF-8'?>
<nvd xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1" xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:patch="http://scap.nist.gov/schema/patch/0.1" xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" pub_date="2016-05-28T04:10:38" nvd_xml_version="2.0" xsi:schemaLocation="http://scap.nist.gov/schema/patch/0.1 http://nvd.nist.gov/schema/patch_0.1.xsd http://scap.nist.gov/schema/feed/vulnerability/2.0 http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd http://scap.nist.gov/schema/scap-core/0.1 http://nvd.nist.gov/schema/scap-core_0.1.xsd">
<entry id="CVE-2008-4411">
<vuln:vulnerable-configuration id="http://nvd.nist.gov/">
<cpe-lang:logical-test operator="OR" negate="false">
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.0.1"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.0.2"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.11"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.10"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.0.0"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.3"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.2"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.1"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.3.132"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.8"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.4"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.5"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.6"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.7"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.9"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.12-200"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.11-197"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.10-186"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.9-178"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.8-177"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.7-168"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.6-156"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.5-146"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.4-143"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.2-127"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.12-118"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.0-118"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.0-109"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.0-103%28a%29"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.0-103"/>
</cpe-lang:logical-test>
</vuln:vulnerable-configuration>
<vuln:vulnerable-software-list>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.0-103%28a%29</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.0-118</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.3.132</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.12-200</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.2-127</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.9</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.10</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.11</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.12-118</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.4-143</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.0-109</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.6-156</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.4</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.3</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.10-186</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.6</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.5</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.5-146</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.8</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.7</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.2</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.0.2</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.1</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.8-177</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.0.1</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.0.0</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.7-168</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.0-103</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.11-197</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.9-178</vuln:product>
</vuln:vulnerable-software-list>
<vuln:cve-id>CVE-2008-4411</vuln:cve-id>
<vuln:published-datetime>2008-10-13T16:00:02.277-04:00</vuln:published-datetime>
<vuln:last-modified-datetime>2011-03-07T22:12:25.097-05:00</vuln:last-modified-datetime>
<vuln:cvss>
<cvss:base_metrics>
<cvss:score>4.3</cvss:score>
<cvss:access-vector>NETWORK</cvss:access-vector>
<cvss:access-complexity>MEDIUM</cvss:access-complexity>
<cvss:authentication>NONE</cvss:authentication>
<cvss:confidentiality-impact>NONE</cvss:confidentiality-impact>
<cvss:integrity-impact>PARTIAL</cvss:integrity-impact>
<cvss:availability-impact>NONE</cvss:availability-impact>
<cvss:source>http://nvd.nist.gov</cvss:source>
<cvss:generated-on-datetime>2008-10-14T10:57:00.000-04:00</cvss:generated-on-datetime>
</cvss:base_metrics>
</vuln:cvss>
<vuln:cwe id="CWE-79"/>
<vuln:references xml:lang="en" reference_type="PATCH">
<vuln:source>BID</vuln:source>
<vuln:reference href="http://www.securityfocus.com/bid/31663" xml:lang="en">31663</vuln:reference>
</vuln:references>
<vuln:references xml:lang="en" reference_type="UNKNOWN">
<vuln:source>XF</vuln:source>
<vuln:reference href="http://xforce.iss.net/xforce/xfdb/45754" xml:lang="en">smh-unspecified-xss(45754)</vuln:reference>
</vuln:references>
<vuln:references xml:lang="en" reference_type="UNKNOWN">
<vuln:source>VUPEN</vuln:source>
<vuln:reference href="http://www.vupen.com/english/advisories/2008/2778" xml:lang="en">ADV-2008-2778</vuln:reference>
</vuln:references>
<vuln:references xml:lang="en" reference_type="UNKNOWN">
<vuln:source>SECTRACK</vuln:source>
<vuln:reference href="http://securitytracker.com/id?1021015" xml:lang="en">1021015</vuln:reference>
</vuln:references>
<vuln:references xml:lang="en" reference_type="UNKNOWN">
<vuln:source>SREASON</vuln:source>
<vuln:reference href="http://securityreason.com/securityalert/4398" xml:lang="en">4398</vuln:reference>
</vuln:references>
<vuln:summary>Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 2.1.15.210 on Linux and Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-1663.</vuln:summary>
</entry>
</nvd>


@@ -58,12 +58,6 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
cpe.validfordays=30
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
# file type analyzer settings:
analyzer.archive.enabled=true
analyzer.jar.enabled=true
analyzer.nuspec.enabled=true
analyzer.assembly.enabled=true
analyzer.composer.lock.enabled=true
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.enabled=true
@@ -82,7 +76,7 @@ archive.scan.depth=3
# use HEAD (default) or GET as HTTP request method for query timestamp
downloader.quick.query.timestamp=true
analyzer.experimental.enabled=true
analyzer.jar.enabled=true
analyzer.archive.enabled=true
analyzer.node.package.enabled=true