diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/package-info.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/package-info.java index c3f3714b3..24e973f95 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/package-info.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/package-info.java @@ -1,4 +1,4 @@ /** * This package includes the Ant task definitions. */ -package org.owasp.dependencycheck.taskdefs; +package org.owasp.dependencycheck.ant.logging; diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index 0767e3d54..7534f128c 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md 
@@ -64,12 +64,12 @@ Advanced Configuration The following properties can be configured in the plugin. However, they are less frequently changed. One exception may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. -Property | Description | Default Value ----------------------|-------------------------------------------------------------------------|------------------ -cveUrl12Modified | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml -cveUrl20Modified | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml -cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml -cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml +Property | Description | Default Value +---------------------|--------------------------------------------------------------------------|------------------ +cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml +cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml +cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml +cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. |   databaseDriverName | The name of the database driver. Example: org.h2.Driver. |   databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |   
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index 2b441852d..f15e8d086 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -250,9 +250,6 @@ public class App { final String suppressionFile = cli.getSuppressionFile(); final boolean jarDisabled = cli.isJarDisabled(); final boolean archiveDisabled = cli.isArchiveDisabled(); - final boolean pyDistDisabled = cli.isPythonDistributionDisabled(); - final boolean pyPkgDisabled = cli.isPythonPackageDisabled(); - final boolean autoconfDisabled = cli.isAutoconfDisabled(); final boolean assemblyDisabled = cli.isAssemblyDisabled(); final boolean nuspecDisabled = cli.isNuspecDisabled(); final boolean centralDisabled = cli.isCentralDisabled(); 
@@ -320,11 +317,12 @@ public class App { //File Type Analyzer Settings Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !jarDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !archiveDisabled); - Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !pyDistDisabled); - Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !pyPkgDisabled); - Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !autoconfDisabled); + Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !cli.isPythonDistributionDisabled()); + Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !cli.isPythonPackageDisabled()); + Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !cli.isAutoconfDisabled()); Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled); + Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled()); Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !centralDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled); diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index a998407d5..8d93e91ec 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java 
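Review bot: `Settings.KEYS.ANALYZER_OPENSSL_ENABLED` is referenced on the added line, but no hunk in this view adds that key to `Settings.KEYS` or a default value to the properties file; if it is defined elsewhere in the commit this is fine, otherwise the CLI module will not compile and the analyzer's enabled-by-default state is unspecified. As a point of style, the hunk now mixes two conventions for the same thing — `!jarDisabled`-style locals read earlier in the method and `!cli.isPythonDistributionDisabled()` called inline — so pick one; applying the inline form to the remaining flags would let the locals removed in the earlier hunk at line 250 be dropped consistently. The enclosing method continues outside the hunk.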
@@ -367,6 +367,9 @@ public final class CliParser { .withLongOpt(ARGUMENT.DISABLE_AUTOCONF) .withDescription("Disable the Autoconf Analyzer.").create(); + final Option disableOpenSSLAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_OPENSSL) + .withDescription("Disable the OpenSSL Analyzer.").create(); + final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL) .withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable " + "the Nexus Analyzer.").create(); @@ -396,6 +399,7 @@ public final class CliParser { .addOption(disablePythonDistributionAnalyzer) .addOption(disablePythonPackageAnalyzer) .addOption(disableAutoconfAnalyzer) + .addOption(disableOpenSSLAnalyzer) .addOption(disableNuspecAnalyzer) .addOption(disableCentralAnalyzer) .addOption(disableNexusAnalyzer) @@ -521,6 +525,15 @@ public final class CliParser { return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS); } + /** + * Returns true if the disableOpenSSL command line argument was specified. + * + * @return true if the disableOpenSSL command line argument was specified; otherwise false + */ + public boolean isOpenSSLDisabled() { + return (line != null) && line.hasOption(ARGUMENT.DISABLE_OPENSSL); + } + /** * Returns true if the disableCentral command line argument was specified. * @@ -1033,6 +1046,10 @@ public final class CliParser { * Disables the Nexus Analyzer. */ public static final String DISABLE_NEXUS = "disableNexus"; + /** + * Disables the OpenSSL Analyzer. + */ + public static final String DISABLE_OPENSSL = "disableOpenSSL"; /** * The URL of the nexus server. */ diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index ca2beb9b6..850e382c7 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md 
@@ -21,11 +21,16 @@ Advanced Options ================ Short | Argument Name        | Parameter | Description | Default Value -------|-----------------------|-----------------|----------------------------------------------------------------------------------|------------------- + | \-\-cveUrl12Modified | \ | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml + | \-\-cveUrl20Modified | \ | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml + | \-\-cveUrl12Base | \ | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml + | \-\-cveUrl20Base | \ | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml \-P | \-\-propertyfile | \ | Specifies a file that contains properties to use instead of applicaion defaults. |   | \-\-updateonly | | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. |   | \-\-disablePyDist | | Sets whether the Python Distribution Analyzer will be used. | false | \-\-disablePyPkg | | Sets whether the Python Package Analyzer will be used. | false | \-\-disableAutoconf | | Sets whether the Autoconf Analyzer will be used. | false + | \-\-disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | false | \-\-disableArchive | | Sets whether the Archive Analyzer will be used. | false | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |   | \-\-disableJar | | Sets whether the Jar Analyzer will be used. | false diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java index 8b004765e..ff737c451 100644 
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java @@ -154,9 +154,11 @@ public class CPEAnalyzer implements Analyzer { public void close() { if (cpe != null) { cpe.close(); + cpe = null; } if (cve != null) { cve.close(); + cve = null; } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java new file mode 100644 index 000000000..2940fed57 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java 
@@ -0,0 +1,172 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.apache.commons.io.FileUtils; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.utils.FileFilterBuilder; +import org.owasp.dependencycheck.utils.Settings; + +import java.io.File; +import java.io.FileFilter; +import java.io.IOException; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +/** + * Used to analyze OpenSSL source code present in the file system. + * + * @author Dale Visser + */ +public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { + + private static final int HEXADECIMAL = 16; + /** + * Filename to analyze. All other .h files get removed from consideration. + */ + private static final String OPENSSLV_H = "opensslv.h"; + + /** + * Filter that detects files named "__init__.py". 
+ */ + private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build(); + private static final Pattern VERSION_PATTERN = Pattern.compile( + "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL + | Pattern.CASE_INSENSITIVE); + private static final int MAJOR_OFFSET = 28; + private static final long MINOR_MASK = 0x0ff00000L; + private static final int MINOR_OFFSET = 20; + private static final long FIX_MASK = 0x000ff000L; + private static final int FIX_OFFSET = 12; + private static final long PATCH_MASK = 0x00000ff0L; + private static final int PATCH_OFFSET = 4; + private static final int NUM_LETTERS = 26; + private static final int STATUS_MASK = 0x0000000f; + + static String getOpenSSLVersion(long openSSLVersionConstant) { + long major = openSSLVersionConstant >>> MAJOR_OFFSET; + long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET; + long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET; + long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET; + String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" : + String.valueOf((char) (patchLevel + 'a' - 1)); + int statusCode = (int) (openSSLVersionConstant & STATUS_MASK); + String status = 0xf == statusCode ? "" : + (0 == statusCode ? "-dev" : "-beta" + statusCode); + return String.format("%d.%d.%d%s%s", major, minor, fix, patch, status); + } + + /** + * Returns the name of the Python Package Analyzer. + * + * @return the name of the analyzer + */ + @Override + public String getName() { + return "OpenSSL Source Analyzer"; + } + + /** + * Tell that we are used for information collection. + * + * @return INFORMATION_COLLECTION + */ + @Override + public AnalysisPhase getAnalysisPhase() { + return AnalysisPhase.INFORMATION_COLLECTION; + } + + /** + * Returns the set of supported file extensions. 
+ * + * @return the set of supported file extensions + */ + @Override + protected FileFilter getFileFilter() { + return OPENSSLV_FILTER; + } + + /** + * No-op initializer implementation. + * + * @throws Exception never thrown + */ + @Override + protected void initializeFileTypeAnalyzer() throws Exception { + // Nothing to do here. + } + + /** + * Analyzes python packages and adds evidence to the dependency. + * + * @param dependency the dependency being analyzed + * @param engine the engine being used to perform the scan + * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency + */ + @Override + protected void analyzeFileType(Dependency dependency, Engine engine) + throws AnalysisException { + final File file = dependency.getActualFile(); + final String parentName = file.getParentFile().getName(); + boolean found = false; + final String contents = getFileContents(file); + if (!contents.isEmpty()) { + final Matcher matcher = VERSION_PATTERN.matcher(contents); + if (matcher.find()) { + dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant", + getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH); + found = true; + } + } + if (found) { + dependency.setDisplayFileName(parentName + File.separatorChar + OPENSSLV_H); + dependency.getVendorEvidence().addEvidence(OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST); + dependency.getProductEvidence().addEvidence(OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST); + } else { + engine.getDependencies().remove(dependency); + } + } + + /** + * Retrieves the contents of a given file. 
+ * + * @param actualFile the file to read + * @return the contents of the file + * @throws AnalysisException thrown if there is an IO Exception + */ + private String getFileContents(final File actualFile) + throws AnalysisException { + String contents; + try { + contents = FileUtils.readFileToString(actualFile).trim(); + } catch (IOException e) { + throw new AnalysisException( + "Problem occurred while reading dependency file.", e); + } + return contents; + } + + + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_OPENSSL_ENABLED; + } +} \ No newline at end of file diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java index e054e9303..798b2a6db 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java @@ -58,6 +58,8 @@ public abstract class BaseUpdater { if (cveDB != null) { try { cveDB.close(); + cveDB = null; + properties = null; } catch (Throwable ignore) { LOGGER.trace("Error closing the database", ignore); } @@ -76,11 +78,11 @@ public abstract class BaseUpdater { try { cveDB = new CveDB(); cveDB.open(); + properties = cveDB.getDatabaseProperties(); } catch (DatabaseException ex) { closeDataStores(); LOGGER.debug("Database Exception opening databases", ex); throw new UpdateException("Error updating the database, please see the log file for more details."); } - properties = cveDB.getDatabaseProperties(); } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java index 1c943d9ad..81df9557b 100644 
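Review bot: VERSION_PATTERN accepts `[0-9a-zA-Z]{8}` while `Long.parseLong(matcher.group(1), HEXADECIMAL)` in analyzeFileType accepts only hex digits, so a header that matches with non-hex characters (a constructed `0xGGGGGGGGL`, for example) throws an uncaught NumberFormatException out of the analyzer instead of an AnalysisException; tighten it to `"define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-fA-F]{8})L"` (DOTALL is also unnecessary, as the pattern contains no `.`). `FileUtils.readFileToString(actualFile)` in getFileContents uses the platform default charset; pass an explicit one, `FileUtils.readFileToString(actualFile, "UTF-8")`. `file.getParentFile()` can return null for a file with no parent and `engine` is dereferenced on the not-found branch, so both need a null guard before use. Several Javadoc comments were carried over from the Python analyzers and are wrong here: the OPENSSLV_FILTER comment should read `Filter that detects files named "opensslv.h".`, getName's `Returns the name of the OpenSSL Source Analyzer.`, and analyzeFileType's should describe reading the OPENSSL_VERSION_NUMBER constant from opensslv.h. getOpenSSLVersion and the mask/offset constants have no Javadoc; a short description of the version-number layout the shifts and masks decode (major nibble, minor, fix, patch letter, status nibble) belongs on the method.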
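Review bot: In closeDataStores the added `cveDB = null; properties = null;` sit inside the try after `cveDB.close()`, so when close() throws (the catch only traces it) the fields keep their stale references and a later call will close the same object again; move the two assignments into a `finally { cveDB = null; properties = null; }` so the state is cleared regardless of outcome. The same pattern is added to EngineVersionCheck in the hunk at line 172 (`cveDB = null;` inside the try after `cveDB.close()`) and deserves the same fix. Moving `properties = cveDB.getDatabaseProperties()` inside the try in the second hunk looks right, since a DatabaseException from it now goes through closeDataStores() as well. The enclosing methods start outside the hunks.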
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java @@ -97,7 +97,7 @@ public class EngineVersionCheck implements CachedWebDataSource { final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion); if (updateNeeded) { LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.", - updateToVersion); + updateToVersion); } } catch (DatabaseException ex) { LOGGER.debug("Database Exception opening databases to retrieve properties", ex); @@ -115,8 +115,8 @@ public class EngineVersionCheck implements CachedWebDataSource { * @param properties the database properties object * @param currentVersion the current version of dependency-check * @return true if a newer version of the database has been released; otherwise false - * @throws UpdateException thrown if there is an error connecting to the github documentation site or accessing the - * local database. + * @throws UpdateException thrown if there is an error connecting to the github documentation site or accessing the local + * database. */ protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties, String currentVersion) throws UpdateException { @@ -172,6 +172,7 @@ public class EngineVersionCheck implements CachedWebDataSource { if (cveDB != null) { try { cveDB.close(); + cveDB = null; } catch (Throwable ignore) { LOGGER.trace("Error closing the cveDB", ignore); } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java index edfd300e4..17336daee 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java 
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java @@ -141,13 +141,13 @@ public class EvidenceCollection implements Serializable, Iterable { } /** - * Adds term to the weighting collection. The terms added here are used later to boost the score of other terms. - * This is a way of combining evidence from multiple sources to boost the confidence of the given evidence. + * Adds term to the weighting collection. The terms added here are used later to boost the score of other terms. This is a way + * of combining evidence from multiple sources to boost the confidence of the given evidence. * - * Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the - * package names within the JAR file we may add these package names to the "weighted" strings collection to boost - * the score in the Lucene query. That way when we construct the Lucene query we find the term Apache in the - * collection AND in the weighted strings; as such, we will boost the confidence of the term Apache. + * Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the package + * names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the + * Lucene query. That way when we construct the Lucene query we find the term Apache in the collection AND in the weighted + * strings; as such, we will boost the confidence of the term Apache. * * @param str to add to the weighting collection. */ @@ -156,8 +156,8 @@ public class EvidenceCollection implements Serializable, Iterable { } /** - * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in - * another location. + * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another + * location. * * @return Set */ 
@@ -322,11 +322,11 @@ public class EvidenceCollection implements Serializable, Iterable { final Set ret = new TreeSet(); for (EvidenceCollection col : ec) { for (Evidence e : col) { - if (e.isUsed()) { - final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null); - newEvidence.setUsed(true); - ret.add(newEvidence); - } + //if (e.isUsed()) { + final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null); + newEvidence.setUsed(true); + ret.add(newEvidence); + //} } } return ret; @@ -357,11 +357,11 @@ public class EvidenceCollection implements Serializable, Iterable { /** *
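Review bot: The `if (e.isUsed())` guard is left in the hunk as commented-out code rather than removed, so the method now copies every evidence item and marks each copy used unconditionally, with the two `//` lines suggesting the change is temporary. If the behaviour is intended, delete the `//if (e.isUsed()) {` and `//}` lines and update the method's Javadoc (outside the hunk) to state that all evidence from the given collections is returned with `used` set; if it is not intended, restore the conditional instead. The enclosing method starts outside the hunk.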

- * Takes a string that may contain a fully qualified domain and it will return the string having removed the query - * string, the protocol, the sub-domain of 'www', and the file extension of the path.

+ * Takes a string that may contain a fully qualified domain and it will return the string having removed the query string, the + * protocol, the sub-domain of 'www', and the file extension of the path.

*

- * This is useful for checking if the evidence contains a specific string. The presence of the protocol, file - * extension, etc. may produce false positives. + * This is useful for checking if the evidence contains a specific string. The presence of the protocol, file extension, etc. + * may produce false positives. * *

* Example, given the following input:

diff --git a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer index 6a3bae2bf..31a22eb0f 100644 --- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer +++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer @@ -14,4 +14,5 @@ org.owasp.dependencycheck.analyzer.NuspecAnalyzer org.owasp.dependencycheck.analyzer.AssemblyAnalyzer org.owasp.dependencycheck.analyzer.PythonDistributionAnalyzer org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer -org.owasp.dependencycheck.analyzer.AutoconfAnalyzer \ No newline at end of file +org.owasp.dependencycheck.analyzer.AutoconfAnalyzer +org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer \ No newline at end of file diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml index 9e151f75e..40ae34dc0 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml @@ -138,4 +138,19 @@ com.microsoft.bingads:microsoft.bingads:.* cpe:/a:microsoft:bing + + + .*jersey.* + cpe:/a:oracle:glassfish_server + cpe:/a:oracle:glassfish + + + + .*\bhk2\b.* + cpe:/a:oracle:glassfish + \ No newline at end of file diff --git a/dependency-check-core/src/main/resources/schema/DependencyCheck.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd similarity index 98% rename from dependency-check-core/src/main/resources/schema/DependencyCheck.xsd rename to dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd index 896d1ab3e..232d1c424 100644 --- a/dependency-check-core/src/main/resources/schema/DependencyCheck.xsd 
+++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd @@ -1,5 +1,5 @@ - + @@ -111,6 +111,8 @@ + + diff --git a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl index e1b217a47..979d16327 100644 --- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl @@ -560,7 +560,7 @@ arising out of or in connection with the use of this tool, the analysis performe Highest Severity CVE Count CPE Confidence - Evidence Count + Evidence Count #foreach($dependency in $dependencies) #set($lnkcnt=$lnkcnt+1) diff --git a/dependency-check-core/src/main/resources/templates/XmlReport.vsl b/dependency-check-core/src/main/resources/templates/XmlReport.vsl index 7a7049a0a..78dc468d6 100644 --- a/dependency-check-core/src/main/resources/templates/XmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/XmlReport.vsl @@ -18,7 +18,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. @author Jeremy Long @version 1.1 *# - + $version #foreach($prop in $properties.getMetaData().entrySet()) @@ -68,8 +68,22 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end -#foreach($evidence in $dependency.getEvidenceForDisplay()) - +#foreach($evidence in $dependency.getVendorEvidence()) + + $enc.xml($evidence.getSource()) + $enc.xml($evidence.getName()) + $enc.xml($evidence.getValue().trim()) + +#end +#foreach($evidence in $dependency.getProductEvidence()) + + $enc.xml($evidence.getSource()) + $enc.xml($evidence.getName()) + $enc.xml($evidence.getValue().trim()) + +#end +#foreach($evidence in $dependency.getVersionEvidence()) + $enc.xml($evidence.getSource()) $enc.xml($evidence.getName()) $enc.xml($evidence.getValue().trim()) 
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java index 404d57ece..6e272206e 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java @@ -94,7 +94,7 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase { try { //callDetermineCPE_full("struts2-core-2.3.16.3.jar", "cpe:/a:apache:struts:2.3.16.3", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("hazelcast-2.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); - callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:vmware:springsource_spring_framework:2.5.5", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); + callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java index 85e1bca85..1f518ab27 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java 
@@ -111,7 +111,6 @@ public class HintAnalyzerTest extends BaseTest { assertTrue(evidence.contains(springTest3)); //assertTrue(evidence.contains(springTest4)); //assertTrue(evidence.contains(springTest5)); - } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java new file mode 100644 index 000000000..c5fcc289e --- /dev/null +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java 
@@ -0,0 +1,119 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.owasp.dependencycheck.BaseTest; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Dependency; + +import java.io.File; + +import static org.hamcrest.CoreMatchers.containsString; +import static org.junit.Assert.*; + +/** + * Unit tests for OpenSSLAnalyzerAnalyzer. + * + * @author Dale Visser + */ +public class OpenSSLAnalyzerTest extends BaseTest { + + /** + * The package analyzer to test. + */ + OpenSSLAnalyzer analyzer; + + /** + * Setup the PtyhonPackageAnalyzer. + * + * @throws Exception if there is a problem + */ + @Before + public void setUp() throws Exception { + analyzer = new OpenSSLAnalyzer(); + analyzer.setFilesMatched(true); + analyzer.initialize(); + } + + /** + * Cleanup any resources used. + * + * @throws Exception if there is a problem + */ + @After + public void tearDown() throws Exception { + analyzer.close(); + analyzer = null; + } + + /** + * Test of getName method, of class OpenSSLAnalyzer. 
+ */ + @Test + public void testGetName() { + assertEquals("Analyzer name wrong.", "OpenSSL Source Analyzer", + analyzer.getName()); + } + + /** + * Test of supportsExtension method, of class PythonPackageAnalyzer. + */ + @Test + public void testAccept() { + assertTrue("Should support files named \"opensslv.h\".", + analyzer.accept(new File("opensslv.h"))); + } + + @Test + public void testVersionConstantExamples() { + final long[] constants = {0x1000203fL + , 0x00903000 + , 0x00903001 + , 0x00903002l + , 0x0090300f + , 0x0090301f + , 0x0090400f + , 0x102031af}; + final String[] versions = {"1.0.2c", + "0.9.3-dev", + "0.9.3-beta1", + "0.9.3-beta2", + "0.9.3", + "0.9.3a", + "0.9.4", + "1.2.3z"}; + assertEquals(constants.length, versions.length); + for (int i = 0; i < constants.length; i++) { + assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i])); + } + } + + @Test + public void testOpenSSLVersionHeaderFile() throws AnalysisException { + final Dependency result = new Dependency(BaseTest.getResourceAsFile( + this, + "openssl/opensslv.h")); + analyzer.analyze(result, null); + assertThat(result.getProductEvidence().toString(), containsString("OpenSSL")); + assertThat(result.getVendorEvidence().toString(), containsString("OpenSSL")); + assertThat(result.getVersionEvidence().toString(), containsString("1.0.2c")); + } +} diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java index 76fe5cecd..652dc6e60 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java 
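Review bot: The Javadoc in the new test was copied from the Python analyzer tests and does not match the code: the class comment names `OpenSSLAnalyzerAnalyzer`, setUp's says `Setup the PtyhonPackageAnalyzer.`, and testAccept's says `Test of supportsExtension method, of class PythonPackageAnalyzer.`; they should read `Unit tests for OpenSSLAnalyzer.`, `Setup the OpenSSLAnalyzer.` and `Test of accept method, of class OpenSSLAnalyzer.`. In testVersionConstantExamples the literal `0x00903002l` uses a lowercase `l` suffix that reads as the digit 1; write it `0x00903002L` like the others. There is no case for a header whose version constant is absent or unparsable, which is the branch that calls `engine.getDependencies()`; testOpenSSLVersionHeaderFile passes `null` as the engine and only exercises the found path, so that branch is untested.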
@@ -27,6 +27,7 @@ import java.util.zip.ZipInputStream;
 import org.junit.Before;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
@@ -37,6 +38,8 @@ public abstract class BaseDBTestCase extends BaseTest {
 protected final static int BUFFER_SIZE = 2048;
+ private final static Logger LOGGER = LoggerFactory.getLogger(BaseDBTestCase.class);
+
 @Before
 public void setUp() throws Exception {
 ensureDBExists();
@@ -46,8 +49,11 @@ public abstract class BaseDBTestCase extends BaseTest {
 java.io.File dataPath = Settings.getDataDirectory();
 String fileName = Settings.getString(Settings.KEYS.DB_FILE_NAME);
+ LOGGER.trace("DB file name {}", fileName);
 java.io.File dataFile = new File(dataPath, fileName);
+ LOGGER.trace("Ensuring {} exists", dataFile.toString());
 if (!dataPath.exists() || !dataFile.exists()) {
+ LOGGER.trace("Extracting database to {}", dataPath.toString());
 dataPath.mkdirs();
 FileInputStream fis = null;
 ZipInputStream zin = null;
@@ -75,7 +81,7 @@ public abstract class BaseDBTestCase extends BaseTest {
 dest.write(data, 0, count);
 }
 } catch (Throwable ex) {
- LoggerFactory.getLogger(BaseDBTestCase.class).error("", ex);
+ LOGGER.error("", ex);
 } finally {
 try {
 if (dest != null) {
@@ -83,14 +89,14 @@ public abstract class BaseDBTestCase extends BaseTest {
 dest.close();
 }
 } catch (Throwable ex) {
- LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex);
+ LOGGER.trace("", ex);
 }
 try {
 if (fos != null) {
 fos.close();
 }
 } catch (Throwable ex) {
- LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex);
+ LOGGER.trace("", ex);
 }
 }
 }
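Review bot: The new `LOGGER.trace("Extracting database to {}", dataPath.toString());` is immediately followed by `dataPath.mkdirs();` whose result is still ignored, so a directory that cannot be created is only discovered when the zip extraction fails inside the Throwable catch further down; `if (!dataPath.mkdirs() && !dataPath.isDirectory()) { LOGGER.error("Unable to create {}", dataPath); }` (or failing the test at that point) would name the real cause. Passing `dataFile.toString()` and `dataPath.toString()` to a `{}` placeholder is redundant since SLF4J formats the argument itself — `LOGGER.trace("Ensuring {} exists", dataFile)` is enough. The enclosing ensureDBExists method continues outside the hunk.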
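Review bot: `LOGGER.error("", ex);` keeps the empty message of the call it replaces, and because the catch is on Throwable a failed extraction of the test database is swallowed here and every DB test then fails later with an unrelated error; `LOGGER.error("Failed to extract the test database to {}", dataPath, ex);` followed by rethrowing (for example as an AssertionError wrapping `ex`) would fail at the point of the problem. The empty-message `LOGGER.trace("", ex)` calls in the close() cleanup below are harmless, but a short text such as `"Error closing stream"` would make trace output readable. The enclosing method extends beyond the hunk.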
@@ -100,14 +106,14 @@ public abstract class BaseDBTestCase extends BaseTest {
 zin.close();
 }
 } catch (Throwable ex) {
- LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex);
+ LOGGER.trace("", ex);
 }
 try {
 if (fis != null) {
 fis.close();
 }
 } catch (Throwable ex) {
- LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex);
+ LOGGER.trace("", ex);
 }
 }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java
index c1b3e43e7..f0d2d5f93 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java
@@ -39,10 +39,16 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
 */
 @Test
 public void testOpen() throws Exception {
- CveDB instance = new CveDB();
- instance.open();
- instance.commit();
- instance.close();
+ CveDB instance = null;
+ try {
+ instance = new CveDB();
+ instance.open();
+ instance.commit();
+ } finally {
+ if (instance != null) {
+ instance.close();
+ }
+ }
 }
 /**
@@ -50,15 +56,18 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
 */
 @Test
 public void testGetCPEs() throws Exception {
- CveDB instance = new CveDB();
+ CveDB instance = null;
 try {
+ instance = new CveDB();
 String vendor = "apache";
 String product = "struts";
 instance.open();
 Set result = instance.getCPEs(vendor, product);
 assertTrue(result.size() > 5);
 } finally {
- instance.close();
+ if (instance != null) {
+ instance.close();
+ }
 }
 }
@@ -68,9 +77,10 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
 @Test
 public void testGetVulnerabilities() throws Exception {
 String cpeStr = "cpe:/a:apache:struts:2.1.2";
- CveDB instance = new CveDB();
+ CveDB instance = null;
 List results;
 try {
+ instance = new CveDB();
 instance.open();
 results = instance.getVulnerabilities(cpeStr);
 assertTrue(results.size() > 5);
@@ -99,7 +109,9 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
 assertTrue("Expected " + expected + ", but was not identified", found);
 } finally {
- instance.close();
+ if (instance != null) {
+ instance.close();
+ }
 }
 }
@@ -108,56 +120,61 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
 */
 @Test
 public void testGetMatchingSoftware() throws Exception {
+ CveDB instance = null;
 HashMap versions = new HashMap();
 DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
 versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE);
+ try {
+ instance = new CveDB();
+ Entry results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
+ Assert.assertNull(results);
+ versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE);
+ results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
+ Assert.assertNull(results);
- CveDB instance = new CveDB();
- Entry results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
- Assert.assertNull(results);
- versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE);
- results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
- Assert.assertNull(results);
+ versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE);
+ results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
+ Assert.assertNotNull(results);
+ Assert.assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());
- versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE);
- results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
- Assert.assertNotNull(results);
- Assert.assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());
+ versions.clear();
- versions.clear();
+ versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE);
+ versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE);
+ versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE);
- versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE);
- versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE);
- versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE);
+ versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE);
+ versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE);
+ versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE);
+ versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE);
- versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE);
- versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE);
- versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE);
- versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE);
+ identifiedVersion = new DependencyVersion("3.2.2");
+ results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
+ Assert.assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey());
+ Assert.assertTrue(results.getValue());
+ identifiedVersion = new DependencyVersion("3.2.12");
+ results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
+ Assert.assertNull(results);
- identifiedVersion = new DependencyVersion("3.2.2");
- results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
- Assert.assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey());
- Assert.assertTrue(results.getValue());
- identifiedVersion = new DependencyVersion("3.2.12");
- results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
- Assert.assertNull(results);
+ identifiedVersion = new DependencyVersion("4.0.0");
+ results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
+ Assert.assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
+ Assert.assertTrue(results.getValue());
+ identifiedVersion = new DependencyVersion("4.1.0");
+ results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
+ Assert.assertNull(results);
- identifiedVersion = new DependencyVersion("4.0.0");
- results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
- Assert.assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
- Assert.assertTrue(results.getValue());
- identifiedVersion = new DependencyVersion("4.1.0");
- results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
- Assert.assertNull(results);
-
- versions.clear();
-
- versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
- identifiedVersion = new DependencyVersion("1.6.3");
- results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
- Assert.assertNotNull(results);
+ versions.clear();
+ versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
+ identifiedVersion = new DependencyVersion("1.6.3");
+ results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
+ Assert.assertNotNull(results);
+ } finally {
+ if (instance != null) {
+ instance.close();
+ }
+ }
 }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java
index 0d5d4112f..04e66f086 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java
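Review bot: testGetMatchingSoftware now does `instance = new CveDB();` and relies on the finally block to `close()` it, but unlike testOpen, testGetCPEs and testGetVulnerabilities in this file it never calls `instance.open()`; whether close() on a never-opened CveDB is safe is not visible here, and if getMatchingSoftware only does version arithmetic the test should say so — either add `instance.open();` after construction for consistency with its siblings or add a comment explaining why no connection is needed. The final block puts a `cpe:/a:jruby:jruby:-` key into the map but queries with vendor `"springsource"` and product `"spring_framework"`; if the intent is to show that a `-` (any-version) CPE matches regardless of the identified version, a comment stating that would help, otherwise the vendor/product arguments look copy-pasted from the spring block above.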
@@ -34,14 +34,20 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
 */
 @Test
 public void testIsEmpty() throws Exception {
- CveDB cveDB = new CveDB();
- cveDB.open();
- DatabaseProperties instance = cveDB.getDatabaseProperties();
- boolean expResult = false;
- boolean result = instance.isEmpty();
- //no exception means the call worked... whether or not it is empty depends on if the db is new
- //assertEquals(expResult, result);
- cveDB.close();
+ CveDB cveDB = null;
+ try {
+ cveDB = new CveDB();
+ cveDB.open();
+ DatabaseProperties instance = cveDB.getDatabaseProperties();
+ boolean expResult = false;
+ boolean result = instance.isEmpty();
+ //no exception means the call worked... whether or not it is empty depends on if the db is new
+ //assertEquals(expResult, result);
+ } finally {
+ if (cveDB != null) {
+ cveDB.close();
+ }
+ }
 }
 /**
@@ -54,18 +60,24 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
 long expected = 1337;
 updatedValue.setId(key);
 updatedValue.setTimestamp(expected);
- CveDB cveDB = new CveDB();
- cveDB.open();
- DatabaseProperties instance = cveDB.getDatabaseProperties();
- instance.save(updatedValue);
- //reload the properties
- cveDB.close();
- cveDB = new CveDB();
- cveDB.open();
- instance = cveDB.getDatabaseProperties();
- cveDB.close();
- long results = Long.parseLong(instance.getProperty("NVD CVE " + key));
- assertEquals(expected, results);
+ CveDB cveDB = null;
+ try {
+ cveDB = new CveDB();
+ cveDB.open();
+ DatabaseProperties instance = cveDB.getDatabaseProperties();
+ instance.save(updatedValue);
+ //reload the properties
+ cveDB.close();
+ cveDB = new CveDB();
+ cveDB.open();
+ instance = cveDB.getDatabaseProperties();
+ long results = Long.parseLong(instance.getProperty("NVD CVE " + key));
+ assertEquals(expected, results);
+ } finally {
+ if (cveDB != null) {
+ cveDB.close();
+ }
+ }
 }
 /**
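Review bot: Inside the new try block, `cveDB.close();` is followed by `cveDB = new CveDB();` while `cveDB` still references the instance just closed, so if that second constructor throws, the finally block calls `close()` a second time on an already-closed object — and whether CveDB.close() tolerates that is not visible here. Clearing the reference between the two, `cveDB.close(); cveDB = null;`, keeps the cleanup to one close per instance. The enclosing test method starts outside the hunk.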
@@ -75,13 +87,19 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
 public void testGetProperty_String_String() throws Exception {
 String key = "doesn't exist";
 String defaultValue = "default";
- CveDB cveDB = new CveDB();
- cveDB.open();
- DatabaseProperties instance = cveDB.getDatabaseProperties();
- cveDB.close();
- String expResult = "default";
- String result = instance.getProperty(key, defaultValue);
- assertEquals(expResult, result);
+ CveDB cveDB = null;
+ try {
+ cveDB = new CveDB();
+ cveDB.open();
+ DatabaseProperties instance = cveDB.getDatabaseProperties();
+ String expResult = "default";
+ String result = instance.getProperty(key, defaultValue);
+ assertEquals(expResult, result);
+ } finally {
+ if (cveDB != null) {
+ cveDB.close();
+ }
+ }
 }
 /**
@@ -90,14 +108,20 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
 @Test
 public void testGetProperty_String() throws DatabaseException {
 String key = "version";
- CveDB cveDB = new CveDB();
- cveDB.open();
- DatabaseProperties instance = cveDB.getDatabaseProperties();
- cveDB.close();
- String result = instance.getProperty(key);
- double version = Double.parseDouble(result);
- assertTrue(version >= 2.8);
- assertTrue(version <= 10);
+ CveDB cveDB = null;
+ try {
+ cveDB = new CveDB();
+ cveDB.open();
+ DatabaseProperties instance = cveDB.getDatabaseProperties();
+ String result = instance.getProperty(key);
+ double version = Double.parseDouble(result);
+ assertTrue(version >= 2.8);
+ assertTrue(version <= 10);
+ } finally {
+ if (cveDB != null) {
+ cveDB.close();
+ }
+ }
 }
 /**
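Review bot: `double version = Double.parseDouble(result);` with `assertTrue(version >= 2.8);` compares the stored schema version as a floating-point number, so a future "2.10" parses as 2.1 and fails the lower bound while "3.9" passes; if the value is a dotted version string, comparing it with the project's DependencyVersion (already used in CveDBIntegrationTest) or splitting on '.' and comparing integer parts is more robust. The two bare `assertTrue` calls would also be easier to diagnose as `assertTrue("unexpected db schema version " + result, version >= 2.8);`.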
@@ -105,11 +129,17 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
 */
 @Test
 public void testGetProperties() throws DatabaseException {
- CveDB cveDB = new CveDB();
- cveDB.open();
- DatabaseProperties instance = cveDB.getDatabaseProperties();
- cveDB.close();
- Properties result = instance.getProperties();
- assertTrue(result.size() > 0);
+ CveDB cveDB = null;
+ try {
+ cveDB = new CveDB();
+ cveDB.open();
+ DatabaseProperties instance = cveDB.getDatabaseProperties();
+ Properties result = instance.getProperties();
+ assertTrue(result.size() > 0);
+ } finally {
+ if (cveDB != null) {
+ cveDB.close();
+ }
+ }
 }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java
index a5f212609..28dace177 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java
@@ -147,7 +147,7 @@ public class ReportGeneratorIntegrationTest extends BaseTest {
 engine.cleanup();
- InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/DependencyCheck.xsd");
+ InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.3.xsd");
 StreamSource xsdSource = new StreamSource(xsdStream);
 StreamSource xmlSource = new StreamSource(new File(writeTo));
 SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties
index 84c3597be..bac90d541 100644
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
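Review bot: After the rename to `schema/dependency-check.1.3.xsd`, a missing or mis-named resource makes `getResourceAsStream` return null and the failure then surfaces as an obscure error inside the validator rather than on this line; `assertNotNull("schema resource schema/dependency-check.1.3.xsd not found", xsdStream);` before building the StreamSource would pin the cause. The stream is also never closed in the visible lines — closing it in a finally block (or try-with-resources, if the project targets Java 7+) avoids leaking it for the rest of the test run. The enclosing method continues beyond the hunk.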
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties @@ -40,7 +40,8 @@ data.driver_name=org.h2.Driver data.driver_path= # the path to the cpe xml file -cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz +#cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz +cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz # the path to the cpe meta data file. cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta @@ -61,8 +62,6 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz #cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml cpe.validfordays=30 -cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz - # the URL for searching Nexus for SHA-1 hashes and whether it's enabled analyzer.nexus.enabled=true diff --git a/dependency-check-core/src/test/resources/logback-test.xml b/dependency-check-core/src/test/resources/logback-test.xml index a1c62eae5..97d2b4f91 100644 --- a/dependency-check-core/src/test/resources/logback-test.xml +++ b/dependency-check-core/src/test/resources/logback-test.xml @@ -7,11 +7,14 @@ [%level] %msg%n - + - + + + + \ No newline at end of file diff --git a/dependency-check-core/src/test/resources/openssl/opensslv.h b/dependency-check-core/src/test/resources/openssl/opensslv.h new file mode 100644 index 000000000..7cc19dc51 --- /dev/null +++ b/dependency-check-core/src/test/resources/openssl/opensslv.h 
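Review bot: The CPE dictionary URL moves to `official-cpe-dictionary_v2.3.xml.gz`, but the `cpe.meta.url` context line two lines below still points at `official-cpe-dictionary_v2.2.meta`, so the freshness metadata consulted for the 2.3 feed would describe a different file; unless the meta file is shared across dictionary versions it should become `official-cpe-dictionary_v2.3.meta` as well. Both cpe URLs are plain `http://static.nvd.nist.gov/...` while the `cve.url-2.0.base` entry in the same file already uses `https://nvd.nist.gov/...`; fetching vulnerability data over unauthenticated HTTP lets an on-path attacker serve a stale or edited dictionary to the scanner, so the defaults should match the https form used for the CVE feeds. The commented-out `#cpe.url=...v2.2.xml.gz` line is dead configuration and can be dropped rather than carried.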
@@ -0,0 +1,97 @@
+#ifndef HEADER_OPENSSLV_H
+# define HEADER_OPENSSLV_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*-
+ * Numeric release version identifier:
+ * MNNFFPPS: major minor fix patch status
+ * The status nibble has one of the values 0 for development, 1 to e for betas
+ * 1 to 14, and f for release. The patch level is exactly that.
+ * For example:
+ * 0.9.3-dev 0x00903000
+ * 0.9.3-beta1 0x00903001
+ * 0.9.3-beta2-dev 0x00903002
+ * 0.9.3-beta2 0x00903002 (same as ...beta2-dev)
+ * 0.9.3 0x0090300f
+ * 0.9.3a 0x0090301f
+ * 0.9.4 0x0090400f
+ * 1.2.3z 0x102031af
+ *
+ * For continuity reasons (because 0.9.5 is already out, and is coded
+ * 0x00905100), between 0.9.5 and 0.9.6 the coding of the patch level
+ * part is slightly different, by setting the highest bit. This means
+ * that 0.9.5a looks like this: 0x0090581f. At 0.9.6, we can start
+ * with 0x0090600S...
+ *
+ * (Prior to 0.9.3-dev a different scheme was used: 0.9.2b is 0x0922.)
+ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
+ * major minor fix final patch/beta)
+ */
+# define OPENSSL_VERSION_NUMBER 0x1000203fL
+# ifdef OPENSSL_FIPS
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c-fips 12 Jun 2015"
+# else
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c 12 Jun 2015"
+# endif
+# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
+
+/*-
+ * The macros below are to be used for shared library (.so, .dll, ...)
+ * versioning. That kind of versioning works a bit differently between
+ * operating systems. The most usual scheme is to set a major and a minor
+ * number, and have the runtime loader check that the major number is equal
+ * to what it was at application link time, while the minor number has to
+ * be greater or equal to what it was at application link time. With this
+ * scheme, the version number is usually part of the file name, like this:
+ *
+ * libcrypto.so.0.9
+ *
+ * Some unixen also make a softlink with the major verson number only:
+ *
+ * libcrypto.so.0
+ *
+ * On Tru64 and IRIX 6.x it works a little bit differently. There, the
+ * shared library version is stored in the file, and is actually a series
+ * of versions, separated by colons. The rightmost version present in the
+ * library when linking an application is stored in the application to be
+ * matched at run time. When the application is run, a check is done to
+ * see if the library version stored in the application matches any of the
+ * versions in the version string of the library itself.
+ * This version string can be constructed in any way, depending on what
+ * kind of matching is desired. However, to implement the same scheme as
+ * the one used in the other unixen, all compatible versions, from lowest
+ * to highest, should be part of the string. Consecutive builds would
+ * give the following versions strings:
+ *
+ * 3.0
+ * 3.0:3.1
+ * 3.0:3.1:3.2
+ * 4.0
+ * 4.0:4.1
+ *
+ * Notice how version 4 is completely incompatible with version, and
+ * therefore give the breach you can see.
+ *
+ * There may be other schemes as well that I haven't yet discovered.
+ *
+ * So, here's the way it works here: first of all, the library version
+ * number doesn't need at all to match the overall OpenSSL version.
+ * However, it's nice and more understandable if it actually does.
+ * The current library version is stored in the macro SHLIB_VERSION_NUMBER,
+ * which is just a piece of text in the format "M.m.e" (Major, minor, edit).
+ * For the sake of Tru64, IRIX, and any other OS that behaves in similar ways,
+ * we need to keep a history of version numbers, which is done in the
+ * macro SHLIB_VERSION_HISTORY. The numbers are separated by colons and
+ * should only keep the versions that are binary compatible with the current.
+ */
+# define SHLIB_VERSION_HISTORY ""
+# define SHLIB_VERSION_NUMBER "1.0.0"
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* HEADER_OPENSSLV_H */
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index 487ccc4a3..9e308aca5 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -225,6 +225,10 @@ public final class Settings {
 * The properties key for whether the Central analyzer is enabled.
 */
 public static final String ANALYZER_CENTRAL_ENABLED = "analyzer.central.enabled";
+ /**
+ * The properties key for whether the OpenSSL analyzer is enabled.
+ */
+ public static final String ANALYZER_OPENSSL_ENABLED = "analyzer.openssl.enabled";
 /**
 * The properties key for the Central search URL.
 */
diff --git a/pom.xml b/pom.xml
index 6aefafccf..8a83bab9e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -245,6 +245,11 @@ Copyright (c) 2012 - Jeremy Long maven-surefire-plugin 2.18.1 + + org.apache.maven.plugins + maven-antrun-plugin + 1.8 +
@@ -336,6 +341,27 @@ Copyright (c) 2012 - Jeremy Long true + + + false + org.apache.maven.plugins + maven-antrun-plugin + 1.8 + + + copy-xsd + compile + + run + + + + + + + + +
diff --git a/src/site/markdown/analyzers/autoconf-analyzer.md b/src/site/markdown/analyzers/autoconf-analyzer.md
new file mode 100644
index 000000000..1a9badb37
--- /dev/null
+++ b/src/site/markdown/analyzers/autoconf-analyzer.md
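Review bot: `ANALYZER_OPENSSL_ENABLED` introduces the `analyzer.openssl.enabled` key, but the only properties hunk in this diff (the test dependencycheck.properties) adds no default for it even though siblings such as `analyzer.nexus.enabled=true` are present there; if the analyzer's enabled check reads the key without a fallback, the new analyzer could be silently disabled or fail on a missing property. Adding `analyzer.openssl.enabled=true` next to the other `analyzer.*.enabled` entries in both the main and the test properties files, or confirming that the lookup supplies a default, would close that gap. Only the test properties file is visible here, so the main one may already be updated elsewhere.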
@@ -0,0 +1,11 @@ +Autoconf Analyzer +================= + +OWASP dependency-check includes an analyzer that will scan Autoconf project +configuration files. The analyzer will collect as much information it can +about the project. The information collected is internally referred to as +evidence and is grouped into vendor, product, and version buckets. Other +analyzers later use this evidence to identify any Common Platform Enumeration +(CPE) identifiers that apply. + +File names scanned: configure, configure.in, configure.ac diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index 524c75941..30dfb3a21 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md @@ -5,8 +5,10 @@ to extract identification information from the files analyzed. - [Archive Analyzer](./archive-analyzer.html) - [Assembly Analyzer](./assembly-analyzer.html) +- [Autoconf Analyzer](./autoconf-analyzer.html) - [Central Analyzer](./central-analyzer.html) - [Jar Analyzer](./jar-analyzer.html) - [Nexus Analyzer](./nexus-analyzer.html) - [Nuspec Analyzer](./nuspec-analyzer.html) +- [OpenSSL Analyzer](./openssl-analyzer.html) - [Python Analyzer](./python-analyzer.html) diff --git a/src/site/markdown/analyzers/openssl-analyzer.md b/src/site/markdown/analyzers/openssl-analyzer.md new file mode 100644 index 000000000..0f7ef81c7 --- /dev/null +++ b/src/site/markdown/analyzers/openssl-analyzer.md @@ -0,0 +1,10 @@ +OpenSSL Analyzer +================ + +OWASP dependency-check includes an analyzer that will scan OpenSSL source code +files for the OpenSSL version information. The information collected is +internally referred to as evidence and is grouped into vendor, product, and +version buckets. Other analyzers later use this evidence to identify any +Common Platform Enumeration (CPE) identifiers that apply. + +File names scanned: opensslv.h \ No newline at end of file 
diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md index fa715273e..7a179cc2f 100644 --- a/src/site/markdown/index.md +++ b/src/site/markdown/index.md @@ -4,7 +4,9 @@ OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry: [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities). Dependency-check can currently be used to scan Java, .NET, and Python applications (and their dependent libraries) to identify known vulnerable -components. +components. In addition, Dependency-check can be used to scan some source +code, including OpenSSL source code and source code for projects that use +Autoconf. The problem with using known vulnerable components was covered in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of diff --git a/src/site/site.xml b/src/site/site.xml index 3b918c0ac..6d0a9d3ed 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -124,6 +124,12 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Nuspec Analyzer + + Autoconf Analyzer + + + OpenSSL Analyzer +