diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java
index 6502d02ab..66343c79d 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java
@@ -53,7 +53,10 @@ public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
 * The name of the analyzer.
 */
 private static final String ANALYZER_NAME = "Ruby Bundler Analyzer";
-
+ /**
+ * The types of files on which this will work.
+ */
+ static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle";
 /**
 * Folder name that contains .gemspec files created by "bundle install"
 */
@@ -97,7 +100,7 @@ public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
 protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
 super.analyzeDependency(dependency, engine);
-
+ dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM);
 //find the corresponding gem folder for this .gemspec stub by "bundle install --deployment"
 final File gemspecFile = dependency.getActualFile();
 final String gemFileName = gemspecFile.getName();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
index b600236d2..dd66d4da8 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
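Review bot: The new `DEPENDENCY_ECOSYSTEM` in RubyBundlerAnalyzer hides the identically named and identically valued constant the class inherits from RubyGemspecAnalyzer in the same commit (both are `"Ruby.Bundle"`), so the two can drift apart later without any compiler warning, and its Javadoc `The types of files on which this will work.` describes a file filter rather than an ecosystem string. If the bundler analyzer is meant to report the same ecosystem as its parent, drop this constant; the parent's package-private one is already in scope here. If it is meant to be distinct, give it a distinct value. Either way the Javadoc should read `The ecosystem reported for dependencies found by this analyzer.`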
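Review bot: `dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM)` placed right after `super.analyzeDependency(dependency, engine)` is redundant as written, because the superclass's analyzeDependency in this same commit already sets the ecosystem to the same `"Ruby.Bundle"` string. The only lasting effect of keeping it is that a future change to the subclass constant silently overrides the parent's value with nothing in this method saying so; either remove the line or mark the intent with `// intentionally overrides the ecosystem set by RubyGemspecAnalyzer`. The body of analyzeDependency continues past the end of the hunk.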
@@ -56,7 +56,10 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 * The name of the analyzer.
 */
 private static final String ANALYZER_NAME = "Ruby Gemspec Analyzer";
-
+ /**
+ * The Dependency's ecosystem.
+ */
+ static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle";
 /**
 * The phase that this analyzer is intended to run in.
 */
@@ -132,6 +135,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 @Override
 protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+ dependency.setDependencyEcosystem(DEPENDENCY_ECOSYSTEM);
 String contents;
 try {
 contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
@@ -148,6 +152,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 final EvidenceCollection product = dependency.getProductEvidence();
 final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST);
 if (!name.isEmpty()) {
+ dependency.setName(name);
 vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW);
 }
 addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.LOW);
@@ -158,10 +163,14 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST);
 final String value = addStringEvidence(dependency.getVersionEvidence(), contents,
- blockVariable, "version", "version", Confidence.HIGHEST);
+ blockVariable, "version", "version", Confidence.HIGHEST);
 if (value.length() < 1) {
 addEvidenceFromVersionFile(dependency.getActualFile(), dependency.getVersionEvidence());
 }
+ else
+ {
+ dependency.setVersion(value);
+ }
 }
 setPackagePath(dependency);
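Review bot: The gemspec is still decoded with `Charset.defaultCharset()` on the line right after the new `setDependencyEcosystem` call, and this commit now copies the parsed name and version straight into the Dependency, so those values become dependent on the JVM's platform encoding; a gemspec with non-ASCII text in its fields can decode differently on Windows than on Linux, and a version or name extracted next to such text can differ between hosts. Gemspecs are Ruby source and are conventionally UTF-8, so `StandardCharsets.UTF_8` is the safer choice here, assuming the import is added with it. The enclosing analyzeDependency runs well past this hunk.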
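Review bot: `dependency.setVersion(value)` is reached only when the version is declared inline in the gemspec; in the `value.length() < 1` branch the version comes from `addEvidenceFromVersionFile` (defined outside this hunk) and `setVersion` is never called, so such gems end up with a name but no version, and `getDisplayFileName()`, which the new tests expect to be `name:version`, is incomplete for them. If `addEvidenceFromVersionFile` can be made to return the string it found, call `dependency.setVersion` with it in that branch as well; otherwise note the gap with `// version from a VERSION file is recorded as evidence only, not on the dependency`. The added `else` and `{` on separate lines also depart from the `} else {` brace style the surrounding code uses; `} else {` keeps it consistent. The enclosing analyzeDependency starts before this hunk.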
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java
index cfab09c4e..6b90dbc91 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java
@@ -80,6 +80,7 @@ public class RubyBundlerAnalyzerTest extends BaseTest {
 public void testSupportsFiles() {
 assertThat(analyzer.accept(new File("test.gemspec")), is(false));
 assertThat(analyzer.accept(new File("specifications" + File.separator + "test.gemspec")), is(true));
+ assertThat(analyzer.accept(new File("gemspec.lock")), is(false));
 }
 /**
@@ -100,7 +101,12 @@ public class RubyBundlerAnalyzerTest extends BaseTest {
 assertThat(vendorString, containsString("https://github.com/petergoldstein/dalli"));
 assertThat(vendorString, containsString("MIT"));
 assertThat(result.getProductEvidence().toString(), containsString("dalli"));
+ assertEquals("dalli",result.getName());
 assertThat(result.getProductEvidence().toString(), containsString("High performance memcached client for Ruby"));
 assertThat(result.getVersionEvidence().toString(), containsString("2.7.5"));
+ assertEquals("2.7.5",result.getVersion());
+ assertEquals(RubyBundlerAnalyzer.DEPENDENCY_ECOSYSTEM, result.getDependencyEcosystem());
+ assertEquals("dalli:2.7.5",result.getDisplayFileName());
+
 }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
index 4521504be..0c6e71cf7 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
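Review bot: `assertEquals(RubyBundlerAnalyzer.DEPENDENCY_ECOSYSTEM, result.getDependencyEcosystem())` cannot fail for the reason it exists: the subclass constant and the parent's `RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM` are both `"Ruby.Bundle"`, so the assertion passes whether or not the bundler analyzer's own `setDependencyEcosystem` call ran. Either give the two constants different values so the test pins the bundler's behaviour, or drop the subclass constant and assert against the parent's. Minor style: the new `assertEquals("dalli",result.getName())` lines omit the space after the comma that every surrounding assertion uses, and the added blank `+` line before the closing brace is stray.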
@@ -79,6 +79,7 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
 @Test
 public void testSupportsFiles() {
 assertThat(analyzer.accept(new File("test.gemspec")), is(true));
+ assertThat(analyzer.accept(new File("gemspec.lock")), is(false));
 // assertThat(analyzer.accept(new File("Rakefile")), is(true));
 }
@@ -93,12 +94,16 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
 "ruby/vulnerable/gems/specifications/rest-client-1.7.2.gemspec"));
 analyzer.analyze(result, null);
 final String vendorString = result.getVendorEvidence().toString();
+ assertEquals(RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getDependencyEcosystem());
 assertThat(vendorString, containsString("REST Client Team"));
 assertThat(vendorString, containsString("rest-client_project"));
 assertThat(vendorString, containsString("rest.client@librelist.com"));
 assertThat(vendorString, containsString("https://github.com/rest-client/rest-client"));
 assertThat(result.getProductEvidence().toString(), containsString("rest-client"));
+ assertEquals("rest-client",result.getName());
 assertThat(result.getVersionEvidence().toString(), containsString("1.7.2"));
+ assertEquals("1.7.2",result.getVersion());
+ assertEquals("rest-client:1.7.2",result.getDisplayFileName());
 }
 /**
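Review bot: The new `assertEquals("rest-client",result.getName())` and `assertEquals("1.7.2",result.getVersion())` lines drop the space after the comma that every surrounding `assertThat` call uses; `assertEquals("rest-client", result.getName())` keeps the test file consistent. The ecosystem assertion is also placed ahead of the vendor checks while the name and version assertions sit beside the evidence checks they correspond to; moving it next to the other `assertEquals` lines at the end reads more naturally. The test method starts before this hunk.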
@@ -106,11 +111,16 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
 *
 * @throws AnalysisException is thrown when an exception occurs.
 */
- //@Test TODO: place holder to test Rakefile support
+ //@Test
+ //TODO: place holder to test Rakefile support
 public void testAnalyzeRakefile() throws AnalysisException {
 final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
 "ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/gems/pg-0.18.4/Rakefile"));
 analyzer.analyze(result, null);
 assertTrue(result.getEvidence().size()>0);
+ assertEquals(RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getDependencyEcosystem());
+ assertEquals("pg",result.getName());
+ assertEquals("0.18.4",result.getVersion());
+ assertEquals("pg:0.18.4",result.getDisplayFileName());
 }
 }
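Review bot: The four new `assertEquals` lines in testAnalyzeRakefile never execute, because `@Test` remains commented out on the line above the method, so nothing in this commit verifies that a Rakefile yields `pg` / `0.18.4`; the analyzer code visible in this diff only reads gemspec fields, and whether it handles a Rakefile at all is not established here. Annotate the method with `@Test` and `@Ignore("Rakefile support is a placeholder")` so JUnit reports it as skipped instead of silently never running, or leave the assertions out until the feature exists.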