From 8127dc2620008bc6c39b620dd0a7ac71ece257f4 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 7 Jul 2015 15:51:33 -0400 Subject: [PATCH 01/28] OpenSSL: Initial skeleton of OpenSSLAnalyzer and unit test suite. Fixed package imports in PythonPackageAnalyzerTest.java Former-commit-id: b27fa07cde451c0a19e5ce3f2d46701f02dda47e --- .../analyzer/OpenSSLAnalyzer.java | 150 ++++++++++++++++++ .../analyzer/OpenSSLAnalyzerTest.java | 96 +++++++++++ .../analyzer/PythonPackageAnalyzerTest.java | 13 +- 3 files changed, 252 insertions(+), 7 deletions(-) create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java new file mode 100644 index 000000000..d05b57e80 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java 
@@ -0,0 +1,150 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.apache.commons.io.FileUtils; +import org.apache.commons.io.filefilter.NameFileFilter; +import org.apache.commons.io.filefilter.SuffixFileFilter; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.EvidenceCollection; +import org.owasp.dependencycheck.utils.Settings; +import org.owasp.dependencycheck.utils.UrlStringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.File; +import java.io.FileFilter; +import java.io.IOException; +import java.net.MalformedURLException; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; +import java.util.Set; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +/** + * Used to analyze OpenSSL source code present in the file system. + * + * @author Dale Visser + */ +public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { + + /** + * Used when compiling file scanning regex patterns. 
+ */ + private static final int REGEX_OPTIONS = Pattern.DOTALL + | Pattern.CASE_INSENSITIVE; + + /** + * The logger. + */ + private static final Logger LOGGER = LoggerFactory + .getLogger(OpenSSLAnalyzer.class); + + /** + * Filename extensions for files to be analyzed. + */ + private static final Set EXTENSIONS = Collections + .unmodifiableSet(Collections.singleton("h")); + + /** + * Filter that detects files named "__init__.py". + */ + private static final FileFilter OPENSSLV_FILTER = new NameFileFilter("opensslv.h"); + + /** + * Returns the name of the Python Package Analyzer. + * + * @return the name of the analyzer + */ + @Override + public String getName() { + return "OpenSSL Source Analyzer"; + } + + /** + * Tell that we are used for information collection. + * + * @return INFORMATION_COLLECTION + */ + @Override + public AnalysisPhase getAnalysisPhase() { + return AnalysisPhase.INFORMATION_COLLECTION; + } + + /** + * Returns the set of supported file extensions. + * + * @return the set of supported file extensions + */ + @Override + protected Set getSupportedExtensions() { + return EXTENSIONS; + } + + /** + * No-op initializer implementation. + * + * @throws Exception never thrown + */ + @Override + protected void initializeFileTypeAnalyzer() throws Exception { + // Nothing to do here. + } + + /** + * Analyzes python packages and adds evidence to the dependency. 
+ * + * @param dependency the dependency being analyzed + * @param engine the engine being used to perform the scan + * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency + */ + @Override + protected void analyzeFileType(Dependency dependency, Engine engine) + throws AnalysisException { + final File file = dependency.getActualFile(); + final File parent = file.getParentFile(); + final String parentName = parent.getName(); + boolean found = false; +// if (INIT_PY_FILTER.accept(file)) { +// for (final File sourcefile : parent.listFiles(PY_FILTER)) { +// found |= analyzeFileContents(dependency, sourcefile); +// } +// } + if (found) { + dependency.setDisplayFileName(parentName + "/__init__.py"); + dependency.getProductEvidence().addEvidence(file.getName(), + "PackageName", parentName, Confidence.MEDIUM); + } else { + // copy, alter and set in case some other thread is iterating over + final List deps = new ArrayList( + engine.getDependencies()); + deps.remove(dependency); + engine.setDependencies(deps); + } + } + + @Override + protected String getAnalyzerEnabledSettingKey() { + return "fixme"; + } +} \ No newline at end of file diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java new file mode 100644 index 000000000..839bbee8a --- /dev/null +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java 
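Review bot: The Javadoc in the new OpenSSLAnalyzer is copied from the Python package analyzer and now describes the wrong thing: `OPENSSLV_FILTER` is documented as "Filter that detects files named "__init__.py"", `getName()` as "Returns the name of the Python Package Analyzer", and `analyzeFileType` as "Analyzes python packages and adds evidence to the dependency", while the display name is still set to `parentName + "/__init__.py"`. Suggested wording: `Filter that detects files named "opensslv.h".`, `Returns the name of the OpenSSL Source Analyzer.` and `Analyzes opensslv.h headers and adds evidence to the dependency.`. `EXTENSIONS` is a raw `Set` and `deps` a raw `List`/`ArrayList`; `Set<String>` and `List<Dependency>` keep the unchecked warnings out. Note also that with the scanning block commented out `found` can never become true, so as committed the else branch removes every `.h` dependency from the engine; later patches in this series replace that block.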
@@ -0,0 +1,96 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.apache.commons.lang.StringUtils; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.owasp.dependencycheck.BaseTest; + +import java.util.Arrays; +import java.util.HashSet; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; + +/** + * Unit tests for OpenSSLAnalyzerAnalyzer. + * + * @author Dale Visser + */ +public class OpenSSLAnalyzerTest extends BaseTest { + + /** + * The package analyzer to test. + */ + OpenSSLAnalyzer analyzer; + + /** + * Setup the PtyhonPackageAnalyzer. + * + * @throws Exception if there is a problem + */ + @Before + public void setUp() throws Exception { + analyzer = new OpenSSLAnalyzer(); + analyzer.setFilesMatched(true); + analyzer.initialize(); + } + + /** + * Cleanup any resources used. + * + * @throws Exception if there is a problem + */ + @After + public void tearDown() throws Exception { + analyzer.close(); + analyzer = null; + } + + /** + * Test of getName method, of class OpenSSLAnalyzer. 
+ */ + @Test + public void testGetName() { + assertEquals("Analyzer name wrong.", "OpenSSL Source Analyzer", + analyzer.getName()); + } + + /** + * Test of getSupportedExtensions method, of class OpenSSLAnalyzer. + */ + @Test + public void testGetSupportedExtensions() { + final String[] expected = {"h"}; + assertEquals("Supported extensions should just have the following: " + + StringUtils.join(expected, ", "), + new HashSet(Arrays.asList(expected)), + analyzer.getSupportedExtensions()); + } + + /** + * Test of supportsExtension method, of class PythonPackageAnalyzer. + */ + @Test + public void testSupportsExtension() { + assertTrue("Should support \"h\" extension.", + analyzer.supportsExtension("h")); + } +} diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java index 0b13dd153..d77a8380c 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java @@ -17,15 +17,8 @@ */ package org.owasp.dependencycheck.analyzer; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; - -import java.util.Arrays; -import java.util.HashSet; - import org.apache.commons.lang.StringUtils; import org.junit.After; -import static org.junit.Assert.assertTrue; import org.junit.Before; import org.junit.Test; import org.owasp.dependencycheck.BaseTest; @@ -33,6 +26,12 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Evidence; +import java.util.Arrays; +import java.util.HashSet; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; + /** * Unit tests for PythonPackageAnalyzer. * 
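Review bot: The test class Javadoc still refers to the Python analyzer: the class summary says "Unit tests for OpenSSLAnalyzerAnalyzer", `setUp` says "Setup the PtyhonPackageAnalyzer" and `testSupportsExtension` says "Test of supportsExtension method, of class PythonPackageAnalyzer". Suggested: `Unit tests for OpenSSLAnalyzer.`, `Set up the OpenSSLAnalyzer.` and `Test of supportsExtension method, of class OpenSSLAnalyzer.`. `new HashSet(Arrays.asList(expected))` in testGetSupportedExtensions is a raw type; `new HashSet<String>(Arrays.asList(expected))` avoids the unchecked warning and matches the declared element type.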
From ad0b6c28baf2cea622a06a8e4c7d53b78f35381c Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 7 Jul 2015 16:48:38 -0400 Subject: [PATCH 02/28] Added long hexadecimal to version string conversion function, and passing unit test. Former-commit-id: 846e2a3c07016974c396770397304875fd36b7f6 --- .../analyzer/OpenSSLAnalyzer.java | 31 ++++++++++++++----- .../analyzer/OpenSSLAnalyzerTest.java | 24 ++++++++++++++ 2 files changed, 47 insertions(+), 8 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java index d05b57e80..38438aa08 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java @@ -17,28 +17,20 @@ */ package org.owasp.dependencycheck.analyzer; -import org.apache.commons.io.FileUtils; import org.apache.commons.io.filefilter.NameFileFilter; -import org.apache.commons.io.filefilter.SuffixFileFilter; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.dependency.EvidenceCollection; -import org.owasp.dependencycheck.utils.Settings; -import org.owasp.dependencycheck.utils.UrlStringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.io.File; import java.io.FileFilter; -import java.io.IOException; -import java.net.MalformedURLException; import java.util.ArrayList; import java.util.Collections; import java.util.List; import java.util.Set; -import java.util.regex.Matcher; import java.util.regex.Pattern; /** 
@@ -71,6 +63,29 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { */ private static final FileFilter OPENSSLV_FILTER = new NameFileFilter("opensslv.h"); + private static final int MAJOR_OFFSET = 28; + private static final long MINOR_MASK = 0x0ff00000L; + private static final int MINOR_OFFSET = 20; + private static final long FIX_MASK = 0x000ff000L; + private static final int FIX_OFFSET = 12; + private static final long PATCH_MASK = 0x00000ff0L; + private static final int PATCH_OFFSET = 4; + private static final int NUM_LETTERS = 26; + private static final int STATUS_MASK = 0x0000000f; + + static String getOpenSSLVersion(long openSSLVersionConstant) { + long major = openSSLVersionConstant >>> MAJOR_OFFSET; + long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET; + long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET; + long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET; + String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" : + String.valueOf((char) (patchLevel + 'a' - 1)); + int statusCode = (int) (openSSLVersionConstant & STATUS_MASK); + String status = 0xf == statusCode ? "" : + (0 == statusCode ? "-dev" : "-beta" + statusCode); + return String.format("%d.%d.%d%s%s", major, minor, fix, patch, status); + } + /** * Returns the name of the Python Package Analyzer. * diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java index 839bbee8a..1464e8658 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java 
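Review bot: getOpenSSLVersion drops the patch letter whenever the patch byte exceeds 26, which by the encoding comment in the opensslv.h fixture added in PATCH 03 is exactly the 0.9.5 series, where the patch level is coded with its high bit set (0.9.5a is 0x0090581f): that constant would be reported as "0.9.5", so the version evidence names the wrong release and CVE matching runs against it. If that range matters, strip the flag bit before the letter check, e.g. `final long patchLevel = ((openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET) & 0x7f;` — the `0x7f` is my reading of the fixture's comment, please confirm against the OpenSSL sources. `major` is taken from bit 28 upward without a mask, so any input wider than 32 bits yields a nonsense major; harmless for values parsed from eight hex digits, but worth a mask or a comment. The method is package-private and undocumented; a Javadoc such as `Converts an OPENSSL_VERSION_NUMBER constant (MNNFFPPS: major, minor, fix, patch, status) to its version string, e.g. 0x1000203fL to "1.0.2c".` with `@param`/`@return` would match the rest of the class.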
@@ -93,4 +93,28 @@ public class OpenSSLAnalyzerTest extends BaseTest { assertTrue("Should support \"h\" extension.", analyzer.supportsExtension("h")); } + + @Test + public void testVersionConstantExamples() { + final long[] constants = {0x1000203fL + , 0x00903000 + , 0x00903001 + , 0x00903002l + , 0x0090300f + , 0x0090301f + , 0x0090400f + , 0x102031af}; + final String[] versions = {"1.0.2c", + "0.9.3-dev", + "0.9.3-beta1", + "0.9.3-beta2", + "0.9.3", + "0.9.3a", + "0.9.4", + "1.2.3z"}; + assertEquals(constants.length, versions.length); + for (int i = 0; i < constants.length; i++) { + assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i])); + } + } } From c214b704599cd200a2280c26b128cf5fcfd9079a Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 7 Jul 2015 17:37:31 -0400 Subject: [PATCH 03/28] OpenSSL: Analyzer unit test passes. Former-commit-id: 06d36762375a5fc55bc7f30a7857713ce332fceb --- .../analyzer/OpenSSLAnalyzer.java | 64 ++++++++---- .../analyzer/OpenSSLAnalyzerTest.java | 17 +++- .../src/test/resources/openssl/opensslv.h | 97 +++++++++++++++++++ 3 files changed, 158 insertions(+), 20 deletions(-) create mode 100644 dependency-check-core/src/test/resources/openssl/opensslv.h diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java index 38438aa08..b2333ddd6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java @@ -17,6 +17,7 @@ */ package org.owasp.dependencycheck.analyzer; +import org.apache.commons.io.FileUtils; import org.apache.commons.io.filefilter.NameFileFilter; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; 
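Review bot: The literal `0x00903002l` in testVersionConstantExamples uses a lowercase `l` suffix, which reads as the digit 1; the neighbouring constants use `L` or no suffix, so `0x00903002L` keeps the array consistent (the unsuffixed int literals widen to long correctly). The examples mirror the encoding comment in opensslv.h, but none covers the 0.9.5 high-bit patch encoding (0x0090581f for 0.9.5a), which is the case most likely to expose a bug in the letter computation; adding it would pin that behaviour one way or the other. The test method has no Javadoc while every other test in the class documents itself.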
@@ -27,10 +28,12 @@ import org.slf4j.LoggerFactory; import java.io.File; import java.io.FileFilter; +import java.io.IOException; import java.util.ArrayList; import java.util.Collections; import java.util.List; import java.util.Set; +import java.util.regex.Matcher; import java.util.regex.Pattern; /** @@ -40,29 +43,32 @@ import java.util.regex.Pattern; */ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { + private static final int HEXADECIMAL = 16; + /** + * Filename to analyze. All other .h files get removed from consideration. + */ + private static final String OPENSSLV_H = "opensslv.h"; /** * Used when compiling file scanning regex patterns. */ private static final int REGEX_OPTIONS = Pattern.DOTALL | Pattern.CASE_INSENSITIVE; - /** * The logger. */ private static final Logger LOGGER = LoggerFactory .getLogger(OpenSSLAnalyzer.class); - /** * Filename extensions for files to be analyzed. */ private static final Set EXTENSIONS = Collections .unmodifiableSet(Collections.singleton("h")); - /** * Filter that detects files named "__init__.py". */ - private static final FileFilter OPENSSLV_FILTER = new NameFileFilter("opensslv.h"); - + private static final FileFilter OPENSSLV_FILTER = new NameFileFilter(OPENSSLV_H); + private static final Pattern VERSION_PATTERN = Pattern.compile( + "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", REGEX_OPTIONS); private static final int MAJOR_OFFSET = 28; private static final long MINOR_MASK = 0x0ff00000L; private static final int MINOR_OFFSET = 20; 
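Review bot: VERSION_PATTERN captures `[0-9a-zA-Z]{8}`, which admits letters g–z that are not hexadecimal, and the capture is fed to `Long.parseLong(..., HEXADECIMAL)` in analyzeFileType in the next hunk; a header with such a token would throw NumberFormatException, an unchecked exception that escapes the analyzer instead of surfacing as an AnalysisException. `[0-9a-fA-F]{8}` restricts the match to what parseLong accepts. `Pattern.DOTALL` has no effect since the pattern contains no `.`; only CASE_INSENSITIVE does anything, and it also makes `DEFINE` match, which is probably unintended for a preprocessor directive. The Javadoc on `OPENSSLV_FILTER` still reads "Filter that detects files named "__init__.py"" and should say `Filter that detects files named "opensslv.h".`.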
@@ -140,24 +146,46 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { final File parent = file.getParentFile(); final String parentName = parent.getName(); boolean found = false; -// if (INIT_PY_FILTER.accept(file)) { -// for (final File sourcefile : parent.listFiles(PY_FILTER)) { -// found |= analyzeFileContents(dependency, sourcefile); -// } -// } + if (OPENSSLV_FILTER.accept(file)) { + final String contents = getFileContents(file); + if (!contents.isEmpty()) { + final Matcher matcher = VERSION_PATTERN.matcher(contents); + while (matcher.find()) { + dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant", + getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH); + found = true; + } + } + } if (found) { - dependency.setDisplayFileName(parentName + "/__init__.py"); - dependency.getProductEvidence().addEvidence(file.getName(), - "PackageName", parentName, Confidence.MEDIUM); + dependency.setDisplayFileName(parentName + File.separatorChar + OPENSSLV_H); + dependency.getVendorEvidence().addEvidence(OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST); + dependency.getProductEvidence().addEvidence(OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST); } else { - // copy, alter and set in case some other thread is iterating over - final List deps = new ArrayList( - engine.getDependencies()); - deps.remove(dependency); - engine.setDependencies(deps); + engine.getDependencies().remove(dependency); } } + /** + * Retrieves the contents of a given file. 
+ * + * @param actualFile the file to read + * @return the contents of the file + * @throws AnalysisException thrown if there is an IO Exception + */ + private String getFileContents(final File actualFile) + throws AnalysisException { + String contents = ""; + try { + contents = FileUtils.readFileToString(actualFile).trim(); + } catch (IOException e) { + throw new AnalysisException( + "Problem occured while reading dependency file.", e); + } + return contents; + } + + @Override protected String getAnalyzerEnabledSettingKey() { return "fixme"; diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java index 1464e8658..d81df57a8 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java @@ -22,12 +22,14 @@ import org.junit.After; import org.junit.Before; import org.junit.Test; import org.owasp.dependencycheck.BaseTest; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Dependency; import java.util.Arrays; import java.util.HashSet; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; /** * Unit tests for OpenSSLAnalyzerAnalyzer. 
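Review bot: `engine.getDependencies().remove(dependency)` in analyzeFileType mutates the engine's list in place, replacing the copy-alter-set sequence whose removed comment warned that another thread may be iterating over it; if analyzers run concurrently or the caller is iterating that list, this can raise ConcurrentModificationException or drop a dependency out from under another analyzer. I cannot see Engine from here, so either restore the copy idiom or confirm that in-place modification is safe; analyzeFileType's signature precedes the hunk. `parent.getName()` is evaluated before the filter check, so a dependency whose actual file has no parent throws NullPointerException; moving the `parent`/`parentName` lines inside `if (found)` avoids both the NPE and the wasted work. In getFileContents, `FileUtils.readFileToString(actualFile)` uses the platform default charset; `FileUtils.readFileToString(actualFile, "UTF-8")` makes header parsing independent of the JVM locale.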
@@ -117,4 +119,15 @@ public class OpenSSLAnalyzerTest extends BaseTest { assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i])); } } + + @Test + public void testOpenSSLVersionHeaderFile() throws AnalysisException { + final Dependency result = new Dependency(BaseTest.getResourceAsFile( + this, + "openssl/opensslv.h")); + analyzer.analyze(result, null); + assertThat(result.getProductEvidence().toString(), containsString("OpenSSL")); + assertThat(result.getVendorEvidence().toString(), containsString("OpenSSL")); + assertThat(result.getVersionEvidence().toString(), containsString("1.0.2c")); + } } diff --git a/dependency-check-core/src/test/resources/openssl/opensslv.h b/dependency-check-core/src/test/resources/openssl/opensslv.h new file mode 100644 index 000000000..7cc19dc51 --- /dev/null +++ b/dependency-check-core/src/test/resources/openssl/opensslv.h 
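Review bot: testOpenSSLVersionHeaderFile passes `null` as the engine to `analyzer.analyze(result, null)`, which only works because the positive path in analyzeFileType never touches the engine; a companion test for a non-opensslv.h header, or for an opensslv.h without a version define, would reach `engine.getDependencies().remove(dependency)` and fail with NullPointerException rather than verify the removal. The not-found branch is therefore untested; a test with an Engine holding a dependency list, or a fixture header without OPENSSL_VERSION_NUMBER, would cover it. The assertions match `containsString("OpenSSL")` against `toString()` of the evidence collections, which passes if the word appears anywhere in the rendered collection; checking the evidence values directly would be stricter. The test method has no Javadoc, unlike the rest of the class.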
@@ -0,0 +1,97 @@ +#ifndef HEADER_OPENSSLV_H +# define HEADER_OPENSSLV_H + +#ifdef __cplusplus +extern "C" { +#endif + +/*- + * Numeric release version identifier: + * MNNFFPPS: major minor fix patch status + * The status nibble has one of the values 0 for development, 1 to e for betas + * 1 to 14, and f for release. The patch level is exactly that. + * For example: + * 0.9.3-dev 0x00903000 + * 0.9.3-beta1 0x00903001 + * 0.9.3-beta2-dev 0x00903002 + * 0.9.3-beta2 0x00903002 (same as ...beta2-dev) + * 0.9.3 0x0090300f + * 0.9.3a 0x0090301f + * 0.9.4 0x0090400f + * 1.2.3z 0x102031af + * + * For continuity reasons (because 0.9.5 is already out, and is coded + * 0x00905100), between 0.9.5 and 0.9.6 the coding of the patch level + * part is slightly different, by setting the highest bit. This means + * that 0.9.5a looks like this: 0x0090581f. At 0.9.6, we can start + * with 0x0090600S... + * + * (Prior to 0.9.3-dev a different scheme was used: 0.9.2b is 0x0922.) + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +# define OPENSSL_VERSION_NUMBER 0x1000203fL +# ifdef OPENSSL_FIPS +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c-fips 12 Jun 2015" +# else +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c 12 Jun 2015" +# endif +# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT + +/*- + * The macros below are to be used for shared library (.so, .dll, ...) + * versioning. That kind of versioning works a bit differently between + * operating systems. The most usual scheme is to set a major and a minor + * number, and have the runtime loader check that the major number is equal + * to what it was at application link time, while the minor number has to + * be greater or equal to what it was at application link time. 
With this + * scheme, the version number is usually part of the file name, like this: + * + * libcrypto.so.0.9 + * + * Some unixen also make a softlink with the major verson number only: + * + * libcrypto.so.0 + * + * On Tru64 and IRIX 6.x it works a little bit differently. There, the + * shared library version is stored in the file, and is actually a series + * of versions, separated by colons. The rightmost version present in the + * library when linking an application is stored in the application to be + * matched at run time. When the application is run, a check is done to + * see if the library version stored in the application matches any of the + * versions in the version string of the library itself. + * This version string can be constructed in any way, depending on what + * kind of matching is desired. However, to implement the same scheme as + * the one used in the other unixen, all compatible versions, from lowest + * to highest, should be part of the string. Consecutive builds would + * give the following versions strings: + * + * 3.0 + * 3.0:3.1 + * 3.0:3.1:3.2 + * 4.0 + * 4.0:4.1 + * + * Notice how version 4 is completely incompatible with version, and + * therefore give the breach you can see. + * + * There may be other schemes as well that I haven't yet discovered. + * + * So, here's the way it works here: first of all, the library version + * number doesn't need at all to match the overall OpenSSL version. + * However, it's nice and more understandable if it actually does. + * The current library version is stored in the macro SHLIB_VERSION_NUMBER, + * which is just a piece of text in the format "M.m.e" (Major, minor, edit). + * For the sake of Tru64, IRIX, and any other OS that behaves in similar ways, + * we need to keep a history of version numbers, which is done in the + * macro SHLIB_VERSION_HISTORY. The numbers are separated by colons and + * should only keep the versions that are binary compatible with the current. 
+ */ +# define SHLIB_VERSION_HISTORY "" +# define SHLIB_VERSION_NUMBER "1.0.0" + + +#ifdef __cplusplus +} +#endif +#endif /* HEADER_OPENSSLV_H */ From 30087b5e79e93441034dbe33b1eaf4f87d1bf456 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 7 Jul 2015 17:48:50 -0400 Subject: [PATCH 04/28] OpenSSL: Minor code edits/refactoring. Former-commit-id: 5c0247772406b55a0e1e7219b83389a5ed0605f4 --- .../analyzer/OpenSSLAnalyzer.java | 20 ++++--------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java index b2333ddd6..a5d6ec993 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java @@ -23,15 +23,11 @@ import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import java.io.File; import java.io.FileFilter; import java.io.IOException; -import java.util.ArrayList; import java.util.Collections; -import java.util.List; import java.util.Set; import java.util.regex.Matcher; import java.util.regex.Pattern; 
@@ -48,16 +44,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { * Filename to analyze. All other .h files get removed from consideration. */ private static final String OPENSSLV_H = "opensslv.h"; - /** - * Used when compiling file scanning regex patterns. - */ - private static final int REGEX_OPTIONS = Pattern.DOTALL - | Pattern.CASE_INSENSITIVE; - /** - * The logger. - */ - private static final Logger LOGGER = LoggerFactory - .getLogger(OpenSSLAnalyzer.class); + /** * Filename extensions for files to be analyzed. */ @@ -68,7 +55,8 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { */ private static final FileFilter OPENSSLV_FILTER = new NameFileFilter(OPENSSLV_H); private static final Pattern VERSION_PATTERN = Pattern.compile( - "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", REGEX_OPTIONS); + "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL + | Pattern.CASE_INSENSITIVE); private static final int MAJOR_OFFSET = 28; private static final long MINOR_MASK = 0x0ff00000L; private static final int MINOR_OFFSET = 20; @@ -180,7 +168,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { contents = FileUtils.readFileToString(actualFile).trim(); } catch (IOException e) { throw new AnalysisException( - "Problem occured while reading dependency file.", e); + "Problem occurred while reading dependency file.", e); } return contents; } From a3ad598004dfa69574ae5b7c55948c619102ac44 Mon Sep 17 00:00:00 2001 
From: Dale Visser Date: Wed, 8 Jul 2015 14:07:17 -0400 Subject: [PATCH 05/28] OpenSSL: Untested changes to get command-line working. Former-commit-id: f81a410bba6cbc1b71cb7d5fef121eb4f52a780b --- .../java/org/owasp/dependencycheck/App.java | 10 ++++------ .../org/owasp/dependencycheck/CliParser.java | 17 +++++++++++++++++ .../src/site/markdown/arguments.md | 1 + .../analyzer/OpenSSLAnalyzer.java | 3 ++- .../org.owasp.dependencycheck.analyzer.Analyzer | 3 ++- .../owasp/dependencycheck/utils/Settings.java | 4 ++++ 6 files changed, 30 insertions(+), 8 deletions(-) diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index d068d435b..346ca8be2 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -250,9 +250,6 @@ public class App { final String suppressionFile = cli.getSuppressionFile(); final boolean jarDisabled = cli.isJarDisabled(); final boolean archiveDisabled = cli.isArchiveDisabled(); - final boolean pyDistDisabled = cli.isPythonDistributionDisabled(); - final boolean pyPkgDisabled = cli.isPythonPackageDisabled(); - final boolean autoconfDisabled = cli.isAutoconfDisabled(); final boolean assemblyDisabled = cli.isAssemblyDisabled(); final boolean nuspecDisabled = cli.isNuspecDisabled(); final boolean centralDisabled = cli.isCentralDisabled(); 
@@ -316,11 +313,12 @@ public class App { //File Type Analyzer Settings Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !jarDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !archiveDisabled); - Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !pyDistDisabled); - Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !pyPkgDisabled); - Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !autoconfDisabled); + Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !cli.isPythonDistributionDisabled()); + Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !cli.isPythonPackageDisabled()); + Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !cli.isAutoconfDisabled()); Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled); + Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled()); Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !centralDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled); diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index 313537ab3..ebf57e7dc 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java 
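Review bot: The Settings block in App.java now mixes two styles: `jarDisabled`, `archiveDisabled`, `nuspecDisabled` and the others are read into locals above, while the three Python/Autoconf flags and the new `cli.isOpenSSLDisabled()` are called inline. Either drop the remaining locals or add `final boolean openSSLDisabled = cli.isOpenSSLDisabled();` beside them, so the next analyzer flag has one pattern to follow. The enclosing method starts outside the hunk.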
@@ -339,6 +339,9 @@ public final class CliParser { .withLongOpt(ARGUMENT.DISABLE_AUTOCONF) .withDescription("Disable the Autoconf Analyzer.").create(); + final Option disableOpenSSLAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_OPENSSL) + .withDescription("Disable the OpenSSL Analyzer.").create(); + final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL) .withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable " + "the Nexus Analyzer.") @@ -385,6 +388,7 @@ public final class CliParser { .addOption(disablePythonDistributionAnalyzer) .addOption(disablePythonPackageAnalyzer) .addOption(disableAutoconfAnalyzer) + .addOption(disableOpenSSLAnalyzer) .addOption(disableNuspecAnalyzer) .addOption(disableCentralAnalyzer) .addOption(disableNexusAnalyzer) @@ -510,6 +514,15 @@ public final class CliParser { return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS); } + /** + * Returns true if the disableOpenSSL command line argument was specified. + * + * @return true if the disableOpenSSL command line argument was specified; otherwise false + */ + public boolean isOpenSSLDisabled() { + return (line != null) && line.hasOption(ARGUMENT.DISABLE_OPENSSL); + } + /** * Returns true if the disableCentral command line argument was specified. * @@ -970,6 +983,10 @@ public final class CliParser { * Disables the Nexus Analyzer. */ public static final String DISABLE_NEXUS = "disableNexus"; + /** + * Disables the OpenSSL Analyzer. + */ + public static final String DISABLE_OPENSSL = "disableOpenSSL"; /** * The URL of the nexus server. */ diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index ca2beb9b6..84e900db6 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md 
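Review bot: In the ARGUMENT hunk the new `DISABLE_OPENSSL` constant is inserted between `DISABLE_NEXUS` and the Javadoc "The URL of the nexus server.", splitting the Nexus-related constants; placing it after the Nexus group, or next to `DISABLE_AUTOCONF` where the option is registered in the other hunks, keeps related arguments together. The `isOpenSSLDisabled()` accessor and its Javadoc follow the pattern of the surrounding methods. The enclosing `ARGUMENT` class and the option-building method both start outside their hunks.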
@@ -26,6 +26,7 @@ Short | Argument Name        | Paramete | \-\-disablePyDist | | Sets whether the Python Distribution Analyzer will be used. | false | \-\-disablePyPkg | | Sets whether the Python Package Analyzer will be used. | false | \-\-disableAutoconf | | Sets whether the Autoconf Analyzer will be used. | false + | \-\-disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | false | \-\-disableArchive | | Sets whether the Archive Analyzer will be used. | false | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |   | \-\-disableJar | | Sets whether the Jar Analyzer will be used. | false diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java index a5d6ec993..92420a027 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java @@ -23,6 +23,7 @@ import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.utils.Settings; import java.io.File; import java.io.FileFilter; @@ -176,6 +177,6 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { @Override protected String getAnalyzerEnabledSettingKey() { - return "fixme"; + return Settings.KEYS.ANALYZER_OPENSSL_ENABLED; } } \ No newline at end of file diff --git a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer index 6a3bae2bf..31a22eb0f 100644 
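Review bot: The `getAnalyzerEnabledSettingKey` hunk leaves the file without a trailing newline (`\ No newline at end of file` on both sides), and since the closing-brace line is already touched, ending the file with a newline here avoids a spurious diff on the next edit. Replacing the `"fixme"` placeholder with `Settings.KEYS.ANALYZER_OPENSSL_ENABLED` is the right fix, and the `Settings` import hunk above supports it. The same missing trailing newline recurs in the services registration file in the following hunk.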
--- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer +++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer @@ -14,4 +14,5 @@ org.owasp.dependencycheck.analyzer.NuspecAnalyzer org.owasp.dependencycheck.analyzer.AssemblyAnalyzer org.owasp.dependencycheck.analyzer.PythonDistributionAnalyzer org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer -org.owasp.dependencycheck.analyzer.AutoconfAnalyzer \ No newline at end of file +org.owasp.dependencycheck.analyzer.AutoconfAnalyzer +org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer \ No newline at end of file diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index 884263202..654416171 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -217,6 +217,10 @@ public final class Settings { * The properties key for whether the Central analyzer is enabled. */ public static final String ANALYZER_CENTRAL_ENABLED = "analyzer.central.enabled"; + /** + * The properties key for whether the OpenSSL analyzer is enabled. + */ + public static final String ANALYZER_OPENSSL_ENABLED = "analyzer.openssl.enabled"; /** * The properties key for the Central search URL. */ From 433c2e59162e82a2b8124a0b2e5d91d37cfca5bf Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Thu, 9 Jul 2015 16:35:04 -0400 Subject: [PATCH 06/28] OpenSSL: Updates to use FileFilter instead of file extension. Former-commit-id: 974bc28171b5b3ac3e772c93447489e1afb797f1 --- .../analyzer/OpenSSLAnalyzer.java | 36 +++++++------------ .../analyzer/OpenSSLAnalyzerTest.java | 24 +++---------- 2 files changed, 18 insertions(+), 42 deletions(-) 
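Review bot: In the `Settings.java` hunk, `ANALYZER_OPENSSL_ENABLED` is inserted between `ANALYZER_CENTRAL_ENABLED` and the Javadoc of the Central search URL key, splitting the Central-related keys; the same placement pattern appears in `CliParser` where `DISABLE_OPENSSL` lands inside the Nexus group. Keeping the new key next to the other file-type analyzer keys, or at least outside the Central pair, keeps the constant block readable. Whether a default for `analyzer.openssl.enabled` is also added to the bundled properties file is not visible in this chunk; if it is absent, the analyzer's state outside the CLI depends on how `Settings.getBoolean` treats a missing key, which is worth confirming.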
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java index 92420a027..2940fed57 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java @@ -18,18 +18,16 @@ package org.owasp.dependencycheck.analyzer; import org.apache.commons.io.FileUtils; -import org.apache.commons.io.filefilter.NameFileFilter; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.Settings; import java.io.File; import java.io.FileFilter; import java.io.IOException; -import java.util.Collections; -import java.util.Set; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -46,15 +44,10 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { */ private static final String OPENSSLV_H = "opensslv.h"; - /** - * Filename extensions for files to be analyzed. - */ - private static final Set EXTENSIONS = Collections - .unmodifiableSet(Collections.singleton("h")); /** * Filter that detects files named "__init__.py". */ - private static final FileFilter OPENSSLV_FILTER = new NameFileFilter(OPENSSLV_H); + private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build(); private static final Pattern VERSION_PATTERN = Pattern.compile( "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL | Pattern.CASE_INSENSITIVE); 
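Review bot: The comment directly above the rewritten `OPENSSLV_FILTER` line still reads `Filter that detects files named "__init__.py".`, which was carried over from the Python analyzer; it should say `Filter that detects files named "opensslv.h".`. In the same hunk the context line `VERSION_PATTERN` accepts `0x([0-9a-zA-Z]{8})L`, but the captured group is handed to `Long.parseLong(..., HEXADECIMAL)` in the `analyzeFileType` hunk below, so a letter outside a–f satisfies the regex and then raises an unchecked `NumberFormatException` that escapes the `throws AnalysisException` contract. Narrowing the class to `0x([0-9a-fA-F]{8})L` makes the match and the parse agree; the `CASE_INSENSITIVE` flag already covers letter case. Whether the engine tolerates an unchecked exception from an analyzer is not visible here.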
@@ -107,8 +100,8 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { * @return the set of supported file extensions */ @Override - protected Set getSupportedExtensions() { - return EXTENSIONS; + protected FileFilter getFileFilter() { + return OPENSSLV_FILTER; } /** @@ -132,18 +125,15 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException { final File file = dependency.getActualFile(); - final File parent = file.getParentFile(); - final String parentName = parent.getName(); + final String parentName = file.getParentFile().getName(); boolean found = false; - if (OPENSSLV_FILTER.accept(file)) { - final String contents = getFileContents(file); - if (!contents.isEmpty()) { - final Matcher matcher = VERSION_PATTERN.matcher(contents); - while (matcher.find()) { - dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant", - getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH); - found = true; - } + final String contents = getFileContents(file); + if (!contents.isEmpty()) { + final Matcher matcher = VERSION_PATTERN.matcher(contents); + if (matcher.find()) { + dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant", + getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH); + found = true; } } if (found) { @@ -164,7 +154,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { */ private String getFileContents(final File actualFile) throws AnalysisException { - String contents = ""; + String contents; try { contents = FileUtils.readFileToString(actualFile).trim(); } catch (IOException e) { diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java index d81df57a8..c5fcc289e 100644 
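Review bot: `getFileContents` still calls `FileUtils.readFileToString(actualFile)` without a charset, so the header is decoded with the platform default encoding; passing an explicit encoding, e.g. `FileUtils.readFileToString(actualFile, "UTF-8").trim()`, makes the result independent of the host, even though the version macro being matched is ASCII and the practical impact is small. The change from `String contents = "";` to `String contents;` compiles only if the `catch (IOException e)` branch, which is cut off by the hunk, always throws or assigns — presumably it rethrows as `AnalysisException`, but that should be confirmed. In `analyzeFileType`, `file.getParentFile().getName()` will throw if the dependency's actual file has no parent; whether the engine always supplies an absolute path is not visible from the diff. Dropping the `OPENSSLV_FILTER.accept(file)` guard relies on the base class applying `getFileFilter()` before `analyzeFileType` is called, which is plausible given the new override but not shown here.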
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java @@ -17,7 +17,6 @@ */ package org.owasp.dependencycheck.analyzer; -import org.apache.commons.lang.StringUtils; import org.junit.After; import org.junit.Before; import org.junit.Test; @@ -25,11 +24,10 @@ import org.owasp.dependencycheck.BaseTest; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Dependency; -import java.util.Arrays; -import java.util.HashSet; +import java.io.File; +import static org.hamcrest.CoreMatchers.containsString; import static org.junit.Assert.*; -import static org.hamcrest.CoreMatchers.*; /** * Unit tests for OpenSSLAnalyzerAnalyzer. @@ -75,25 +73,13 @@ public class OpenSSLAnalyzerTest extends BaseTest { analyzer.getName()); } - /** - * Test of getSupportedExtensions method, of class OpenSSLAnalyzer. - */ - @Test - public void testGetSupportedExtensions() { - final String[] expected = {"h"}; - assertEquals("Supported extensions should just have the following: " - + StringUtils.join(expected, ", "), - new HashSet(Arrays.asList(expected)), - analyzer.getSupportedExtensions()); - } - /** * Test of supportsExtension method, of class PythonPackageAnalyzer. */ @Test - public void testSupportsExtension() { - assertTrue("Should support \"h\" extension.", - analyzer.supportsExtension("h")); + public void testAccept() { + assertTrue("Should support files named \"opensslv.h\".", + analyzer.accept(new File("opensslv.h"))); } @Test From 5354137c763429ef1b944e945080d8ba7f8d3d4e Mon Sep 17 00:00:00 2001 
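Review bot: The Javadoc above the renamed `testAccept` still reads `Test of supportsExtension method, of class PythonPackageAnalyzer.`; both the method and the class are wrong after this change, and `Test of accept method, of class OpenSSLAnalyzer.` matches the new test. The class-level comment `Unit tests for OpenSSLAnalyzerAnalyzer.` shown as context in the earlier hunk has a doubled suffix and should read `Unit tests for OpenSSLAnalyzer.`. The assertion itself only exercises the filename filter on a `File` that does not exist on disk, which is fine provided `accept` does not touch the filesystem; I cannot confirm that from this diff.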
From: Dale Visser Date: Thu, 9 Jul 2015 17:11:06 -0400 Subject: [PATCH 07/28] OpenSSL: Site doc additions, including about Autoconf analyzer. Former-commit-id: 35253cfbf5cfcf04b2f3fe39f0891cd0bf1155b4 --- src/site/markdown/analyzers/index.md | 2 ++ src/site/markdown/index.md | 4 +++- src/site/site.xml | 6 ++++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index 524c75941..30dfb3a21 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md @@ -5,8 +5,10 @@ to extract identification information from the files analyzed. - [Archive Analyzer](./archive-analyzer.html) - [Assembly Analyzer](./assembly-analyzer.html) +- [Autoconf Analyzer](./autoconf-analyzer.html) - [Central Analyzer](./central-analyzer.html) - [Jar Analyzer](./jar-analyzer.html) - [Nexus Analyzer](./nexus-analyzer.html) - [Nuspec Analyzer](./nuspec-analyzer.html) +- [OpenSSL Analyzer](./openssl-analyzer.html) - [Python Analyzer](./python-analyzer.html) diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md index fa715273e..7a179cc2f 100644 --- a/src/site/markdown/index.md +++ b/src/site/markdown/index.md @@ -4,7 +4,9 @@ OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry: [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities). Dependency-check can currently be used to scan Java, .NET, and Python applications (and their dependent libraries) to identify known vulnerable -components. +components. In addition, Dependency-check can be used to scan some source +code, including OpenSSL source code and source code for projects that use +Autoconf. The problem with using known vulnerable components was covered in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of 
diff --git a/src/site/site.xml b/src/site/site.xml index 3b918c0ac..6d0a9d3ed 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -124,6 +124,12 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Nuspec Analyzer + + Autoconf Analyzer + + + OpenSSL Analyzer + From a7abe97ca0d5b010e76c96ff1013dc895e5b2f1f Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Thu, 9 Jul 2015 17:13:03 -0400 Subject: [PATCH 08/28] OpenSSL: Forgot to 'git add' new files in previous commit. Former-commit-id: 7219edc255d239995d5bbb5cbe587e999a7160a8 --- src/site/markdown/analyzers/autoconf-analyzer.md | 11 +++++++++++ src/site/markdown/analyzers/openssl-analyzer.md | 10 ++++++++++ 2 files changed, 21 insertions(+) create mode 100644 src/site/markdown/analyzers/autoconf-analyzer.md create mode 100644 src/site/markdown/analyzers/openssl-analyzer.md diff --git a/src/site/markdown/analyzers/autoconf-analyzer.md b/src/site/markdown/analyzers/autoconf-analyzer.md new file mode 100644 index 000000000..1a9badb37 --- /dev/null +++ b/src/site/markdown/analyzers/autoconf-analyzer.md @@ -0,0 +1,11 @@ +Autoconf Analyzer +================= + +OWASP dependency-check includes an analyzer that will scan Autoconf project +configuration files. The analyzer will collect as much information it can +about the project. The information collected is internally referred to as +evidence and is grouped into vendor, product, and version buckets. Other +analyzers later use this evidence to identify any Common Platform Enumeration +(CPE) identifiers that apply. + +File names scanned: configure, configure.in, configure.ac diff --git a/src/site/markdown/analyzers/openssl-analyzer.md b/src/site/markdown/analyzers/openssl-analyzer.md new file mode 100644 index 000000000..0f7ef81c7 --- /dev/null +++ b/src/site/markdown/analyzers/openssl-analyzer.md 
@@ -0,0 +1,10 @@ +OpenSSL Analyzer +================ + +OWASP dependency-check includes an analyzer that will scan OpenSSL source code +files for the OpenSSL version information. The information collected is +internally referred to as evidence and is grouped into vendor, product, and +version buckets. Other analyzers later use this evidence to identify any +Common Platform Enumeration (CPE) identifiers that apply. + +File names scanned: opensslv.h \ No newline at end of file From 0372167f25ad5278b118caa15aad0d44e2a743cc Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 11 Jul 2015 06:02:46 -0400 Subject: [PATCH 09/28] updated documentation to resolve issue #268 Former-commit-id: 78f6158c5c053a7595dd2dc702c015c257a2a00f --- dependency-check-cli/src/site/markdown/arguments.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index ca2beb9b6..e1ee9dbc7 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md 
@@ -21,6 +21,10 @@ Advanced Options ================ Short | Argument Name        | Parameter | Description | Default Value -------|-----------------------|-----------------|----------------------------------------------------------------------------------|------------------- + | \-\-cveUrl12Modified | \ | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml + | \-\-cveUrl20Modified | \ | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml + | \-\-cveUrl12Base | \ | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml + | \-\-cveUrl20Base | \ | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml \-P | \-\-propertyfile | \ | Specifies a file that contains properties to use instead of applicaion defaults. |   | \-\-updateonly | | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. |   | \-\-disablePyDist | | Sets whether the Python Distribution Analyzer will be used. | false From 52cdff14bd41fe6a8a62bb4af6d53744f2844c9b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 11 Jul 2015 06:04:55 -0400 Subject: [PATCH 10/28] minor update Former-commit-id: 074158f04f25d94c003f970a0d7c4b4c0180fc0b --- .../src/site/markdown/configuration.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index 0767e3d54..7534f128c 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md 
@@ -64,12 +64,12 @@ Advanced Configuration The following properties can be configured in the plugin. However, they are less frequently changed. One exception may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. -Property | Description | Default Value ----------------------|-------------------------------------------------------------------------|------------------ -cveUrl12Modified | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml -cveUrl20Modified | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml -cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml -cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml +Property | Description | Default Value +---------------------|--------------------------------------------------------------------------|------------------ +cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml +cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml +cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml +cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. |   databaseDriverName | The name of the database driver. Example: org.h2.Driver. |   databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |   From 44c795cd4f2b9ff75adfa5d2587fd14f8e452198 Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Sat, 11 Jul 2015 07:15:08 -0400 Subject: [PATCH 11/28] patched to resolve issue #261 Former-commit-id: 44ace36f4a02885134a0af0fb44d11d351d8c7f6 --- .../dependencycheck-base-suppression.xml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml index 9e151f75e..40ae34dc0 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml @@ -138,4 +138,19 @@ com.microsoft.bingads:microsoft.bingads:.* cpe:/a:microsoft:bing + + + .*jersey.* + cpe:/a:oracle:glassfish_server + cpe:/a:oracle:glassfish + + + + .*\bhk2\b.* + cpe:/a:oracle:glassfish + \ No newline at end of file From 726aa7b894038cfad8534730d511f8cc9b486bb2 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 14 Jul 2015 07:41:19 -0400 Subject: [PATCH 12/28] changed tooltip header on evidence count Former-commit-id: fdf92f87a81d985fd01b19d5ce04517c81608a62 --- .../src/main/resources/templates/HtmlReport.vsl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl index e1b217a47..979d16327 100644 --- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl @@ -560,7 +560,7 @@ arising out of or in connection with the use of this tool, the analysis performe Highest Severity CVE Count CPE Confidence - Evidence Count + Evidence Count #foreach($dependency in $dependencies) #set($lnkcnt=$lnkcnt+1) From 68f1c1a54ca1b6b6e07d1a6d4d258213698fcb9e Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Tue, 14 Jul 2015 07:48:07 -0400 Subject: [PATCH 13/28] changed display code so that all evidence is shown instead of just the used evidence Former-commit-id: e01f14f244960ddccbd859bf50c0603abe5170d1 --- .../dependency/EvidenceCollection.java | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java index edfd300e4..17336daee 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java 
@@ -141,13 +141,13 @@ public class EvidenceCollection implements Serializable, Iterable { } /** - * Adds term to the weighting collection. The terms added here are used later to boost the score of other terms. - * This is a way of combining evidence from multiple sources to boost the confidence of the given evidence. + * Adds term to the weighting collection. The terms added here are used later to boost the score of other terms. This is a way + * of combining evidence from multiple sources to boost the confidence of the given evidence. * - * Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the - * package names within the JAR file we may add these package names to the "weighted" strings collection to boost - * the score in the Lucene query. That way when we construct the Lucene query we find the term Apache in the - * collection AND in the weighted strings; as such, we will boost the confidence of the term Apache. + * Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the package + * names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the + * Lucene query. That way when we construct the Lucene query we find the term Apache in the collection AND in the weighted + * strings; as such, we will boost the confidence of the term Apache. * * @param str to add to the weighting collection. */ @@ -156,8 +156,8 @@ public class EvidenceCollection implements Serializable, Iterable { } /** - * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in - * another location. + * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another + * location. * * @return Set */ 
@@ -322,11 +322,11 @@ public class EvidenceCollection implements Serializable, Iterable { final Set ret = new TreeSet(); for (EvidenceCollection col : ec) { for (Evidence e : col) { - if (e.isUsed()) { - final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null); - newEvidence.setUsed(true); - ret.add(newEvidence); - } + //if (e.isUsed()) { + final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null); + newEvidence.setUsed(true); + ret.add(newEvidence); + //} } } return ret; @@ -357,11 +357,11 @@ public class EvidenceCollection implements Serializable, Iterable { /** *
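Review bot: The `if (e.isUsed())` guard is left behind as commented-out code (`//if (e.isUsed()) {` and `//}`) around the copy loop; if the intent is to show all evidence, the two comment lines should be deleted rather than kept as dead code, and the method's Javadoc, which lies outside the hunk, should be checked in case it still says only used evidence is returned. More importantly, `newEvidence.setUsed(true)` now runs for every copied item, so evidence that was never used is reported as used in the returned set; if the flag matters to the report, copying it with `newEvidence.setUsed(e.isUsed());` preserves the real value while still returning everything. The enclosing method starts outside the hunk, so I cannot see its name or contract.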

- * Takes a string that may contain a fully qualified domain and it will return the string having removed the query - * string, the protocol, the sub-domain of 'www', and the file extension of the path.

+ * Takes a string that may contain a fully qualified domain and it will return the string having removed the query string, the + * protocol, the sub-domain of 'www', and the file extension of the path.

*

- * This is useful for checking if the evidence contains a specific string. The presence of the protocol, file - * extension, etc. may produce false positives. + * This is useful for checking if the evidence contains a specific string. The presence of the protocol, file extension, etc. + * may produce false positives. * *

* Example, given the following input:

From dffb2887d605bc8a413974a175bb176323b4d376 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 14 Jul 2015 08:00:42 -0400 Subject: [PATCH 14/28] added task to copy xsd to the site Former-commit-id: ec6bffd48bc2b98cb5b992ebcc0862e89897c255 --- pom.xml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/pom.xml b/pom.xml index 6aefafccf..8a83bab9e 100644 --- a/pom.xml +++ b/pom.xml @@ -245,6 +245,11 @@ Copyright (c) 2012 - Jeremy Long maven-surefire-plugin 2.18.1 + + org.apache.maven.plugins + maven-antrun-plugin + 1.8 + @@ -336,6 +341,27 @@ Copyright (c) 2012 - Jeremy Long true + + + false + org.apache.maven.plugins + maven-antrun-plugin + 1.8 + + + copy-xsd + compile + + run + + + + + + + + + From a24813b6786e626ea9a8a1d1175c4d5e10cf0ba6 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 14 Jul 2015 08:01:22 -0400 Subject: [PATCH 15/28] updated schema and xml report to include the confidence and type of evidence Former-commit-id: 774764585a15d8d78a615f20f91c3a8aaaf4abb2 --- ...encyCheck.xsd => dependency-check.1.3.xsd} | 4 +++- .../main/resources/templates/XmlReport.vsl | 20 ++++++++++++++++--- 2 files changed, 20 insertions(+), 4 deletions(-) rename dependency-check-core/src/main/resources/schema/{DependencyCheck.xsd => dependency-check.1.3.xsd} (98%) diff --git a/dependency-check-core/src/main/resources/schema/DependencyCheck.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd similarity index 98% rename from dependency-check-core/src/main/resources/schema/DependencyCheck.xsd rename to dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd index 896d1ab3e..aef762057 100644 --- a/dependency-check-core/src/main/resources/schema/DependencyCheck.xsd +++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd @@ -1,5 +1,5 @@ - + @@ -111,6 +111,8 @@ + + 
diff --git a/dependency-check-core/src/main/resources/templates/XmlReport.vsl b/dependency-check-core/src/main/resources/templates/XmlReport.vsl index 7a7049a0a..d771e1b2f 100644 --- a/dependency-check-core/src/main/resources/templates/XmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/XmlReport.vsl @@ -18,7 +18,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. @author Jeremy Long @version 1.1 *# - + $version #foreach($prop in $properties.getMetaData().entrySet()) @@ -68,8 +68,22 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end -#foreach($evidence in $dependency.getEvidenceForDisplay()) - +#foreach($evidence in $dependency.getVendorEvidence()) + + $enc.xml($evidence.getSource()) + $enc.xml($evidence.getName()) + $enc.xml($evidence.getValue().trim()) + +#end +#foreach($evidence in $dependency.getProductEvidence()) + + $enc.xml($evidence.getSource()) + $enc.xml($evidence.getName()) + $enc.xml($evidence.getValue().trim()) + +#end +#foreach($evidence in $dependency.getVersionEvidence()) + $enc.xml($evidence.getSource()) $enc.xml($evidence.getName()) $enc.xml($evidence.getValue().trim()) From 2d92c9d240c8833129f374498075995ceb8a472c Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 14 Jul 2015 18:00:45 -0400 Subject: [PATCH 16/28] Commented out first instance of cpe.url, and moved 2nd instance up. Assumption: the 2nd value was being used. Former-commit-id: 2cae0ca086b2fb666d883dc1a3fbcb174465aa2b --- .../src/test/resources/dependencycheck.properties | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties index 84c3597be..bac90d541 100644 --- a/dependency-check-core/src/test/resources/dependencycheck.properties +++ b/dependency-check-core/src/test/resources/dependencycheck.properties 
@@ -40,7 +40,8 @@ data.driver_name=org.h2.Driver data.driver_path= # the path to the cpe xml file -cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz +#cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz +cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz # the path to the cpe meta data file. cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta @@ -61,8 +62,6 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz #cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml cpe.validfordays=30 -cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz - # the URL for searching Nexus for SHA-1 hashes and whether it's enabled analyzer.nexus.enabled=true From 2413dc9a41b4378e96d4a2478f1c50b68e92376a Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 15 Jul 2015 08:18:02 -0400 Subject: [PATCH 17/28] corrected package Former-commit-id: 3d7e08e0730cb6c03eb43221dc77afc3b1a3c2d3 --- .../org/owasp/dependencycheck/ant/logging/package-info.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/package-info.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/package-info.java index c3f3714b3..24e973f95 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/package-info.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/package-info.java @@ -1,4 +1,4 @@ /** * This package includes the Ant task definitions. */ -package org.owasp.dependencycheck.taskdefs; +package org.owasp.dependencycheck.ant.logging; From aeabaf8513ef5e5efeafa43cd647ada6f321210e Mon Sep 17 00:00:00 2001 
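Review bot: After this hunk `cpe.url` points at the v2.3 CPE dictionary while `cpe.meta.url`, two lines below it, still points at `official-cpe-dictionary_v2.2.meta`; if the meta file is used to decide whether the dictionary needs refreshing, it now describes a different file than the one downloaded. This is a test resource, so the effect is confined to tests, but the pair should be kept consistent. The commit message's assumption that the second `cpe.url` value was the effective one is consistent with `java.util.Properties` keeping the last definition of a duplicate key, so collapsing to the single v2.3 entry is the right cleanup.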
From: Jeremy Long Date: Thu, 16 Jul 2015 06:51:40 -0400 Subject: [PATCH 18/28] fixed failing test due to renaming the schema Former-commit-id: 2cbc4b84cb28e72c163cde3b2d1e5f8c66ae5b42 --- .../reporting/ReportGeneratorIntegrationTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java index a5f212609..28dace177 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java @@ -147,7 +147,7 @@ public class ReportGeneratorIntegrationTest extends BaseTest { engine.cleanup(); - InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/DependencyCheck.xsd"); + InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.3.xsd"); StreamSource xsdSource = new StreamSource(xsdStream); StreamSource xmlSource = new StreamSource(new File(writeTo)); SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); From fe0035fe0e51d37b6d3f06490fd3948febd0cc12 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Thu, 16 Jul 2015 07:00:17 -0400 Subject: [PATCH 19/28] fixed namespaces Former-commit-id: 8f6f3361021b2efc1843ae93ed1bab44e5f053a4 --- .../src/main/resources/schema/dependency-check.1.3.xsd | 2 +- .../src/main/resources/templates/XmlReport.vsl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd index aef762057..232d1c424 100644 --- a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd 
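Review bot: The rewritten `xsdStream` line still opens the classpath resource without ever closing it and without a null check; `getResourceAsStream` returns null when `schema/dependency-check.1.3.xsd` is missing, which would surface as an opaque failure inside `SchemaFactory` rather than a clear assertion. Adding `assertNotNull(xsdStream);` before building the `StreamSource`, and closing the stream once validation is done, makes the test both leak-free and self-explanatory when the schema is renamed again. The enclosing test method starts before the hunk.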
+++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd @@ -1,5 +1,5 @@ - + diff --git a/dependency-check-core/src/main/resources/templates/XmlReport.vsl b/dependency-check-core/src/main/resources/templates/XmlReport.vsl index d771e1b2f..78dc468d6 100644 --- a/dependency-check-core/src/main/resources/templates/XmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/XmlReport.vsl @@ -18,7 +18,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. @author Jeremy Long @version 1.1 *# - + $version #foreach($prop in $properties.getMetaData().entrySet()) From 6a2ed238227218f906c9d0479d3df4a63621f9f0 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Fri, 17 Jul 2015 08:24:33 -0400 Subject: [PATCH 20/28] switched to debug logging in test Former-commit-id: 4d42f08ac2fdc58ce1eeb4ab3f27d1efa72a6a46 --- dependency-check-core/src/test/resources/logback-test.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dependency-check-core/src/test/resources/logback-test.xml b/dependency-check-core/src/test/resources/logback-test.xml index a1c62eae5..a3cc87b96 100644 --- a/dependency-check-core/src/test/resources/logback-test.xml +++ b/dependency-check-core/src/test/resources/logback-test.xml @@ -7,11 +7,11 @@ [%level] %msg%n - + - + \ No newline at end of file From 0ae228d6f830c88c48b7c719701ae87ec1604fc2 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Fri, 17 Jul 2015 08:45:33 -0400 Subject: [PATCH 21/28] added try/catch to tests to correctly close the db Former-commit-id: 8f71f57a7724340a8526a35bd0e42748f02530c5 --- .../DatabasePropertiesIntegrationTest.java | 112 +++++++++++------- 1 file changed, 71 insertions(+), 41 deletions(-) diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java index 0d5d4112f..04e66f086 100644 
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java @@ -34,14 +34,20 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase { */ @Test public void testIsEmpty() throws Exception { - CveDB cveDB = new CveDB(); - cveDB.open(); - DatabaseProperties instance = cveDB.getDatabaseProperties(); - boolean expResult = false; - boolean result = instance.isEmpty(); - //no exception means the call worked... whether or not it is empty depends on if the db is new - //assertEquals(expResult, result); - cveDB.close(); + CveDB cveDB = null; + try { + cveDB = new CveDB(); + cveDB.open(); + DatabaseProperties instance = cveDB.getDatabaseProperties(); + boolean expResult = false; + boolean result = instance.isEmpty(); + //no exception means the call worked... whether or not it is empty depends on if the db is new + //assertEquals(expResult, result); + } finally { + if (cveDB != null) { + cveDB.close(); + } + } } /** 
@@ -54,18 +60,24 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase { long expected = 1337; updatedValue.setId(key); updatedValue.setTimestamp(expected); - CveDB cveDB = new CveDB(); - cveDB.open(); - DatabaseProperties instance = cveDB.getDatabaseProperties(); - instance.save(updatedValue); - //reload the properties - cveDB.close(); - cveDB = new CveDB(); - cveDB.open(); - instance = cveDB.getDatabaseProperties(); - cveDB.close(); - long results = Long.parseLong(instance.getProperty("NVD CVE " + key)); - assertEquals(expected, results); + CveDB cveDB = null; + try { + cveDB = new CveDB(); + cveDB.open(); + DatabaseProperties instance = cveDB.getDatabaseProperties(); + instance.save(updatedValue); + //reload the properties + cveDB.close(); + cveDB = new CveDB(); + cveDB.open(); + instance = cveDB.getDatabaseProperties(); + long results = Long.parseLong(instance.getProperty("NVD CVE " + key)); + assertEquals(expected, results); + } finally { + if (cveDB != null) { + cveDB.close(); + } + } } /** @@ -75,13 +87,19 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase { public void testGetProperty_String_String() throws Exception { String key = "doesn't exist"; String defaultValue = "default"; - CveDB cveDB = new CveDB(); - cveDB.open(); - DatabaseProperties instance = cveDB.getDatabaseProperties(); - cveDB.close(); - String expResult = "default"; - String result = instance.getProperty(key, defaultValue); - assertEquals(expResult, result); + CveDB cveDB = null; + try { + cveDB = new CveDB(); + cveDB.open(); + DatabaseProperties instance = cveDB.getDatabaseProperties(); + String expResult = "default"; + String result = instance.getProperty(key, defaultValue); + assertEquals(expResult, result); + } finally { + if (cveDB != null) { + cveDB.close(); + } + } } /** 
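Review bot: Inside the try block the sequence `cveDB.close(); cveDB = new CveDB(); cveDB.open();` leaves `cveDB` pointing at the already-closed first instance while the second constructor runs, so if `new CveDB()` throws the finally block closes the first instance a second time, and if the second `open()` throws it closes a never-opened one. Clearing the reference between the two uses, `cveDB.close(); cveDB = null; cveDB = new CveDB();`, makes the finally block close only the live instance; a comment such as `// reopen so the saved property is read back from disk, not from the cached instance` would also explain why the reopen is needed at all, which is presumably the intent of the original "reload the properties" comment.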
@@ -90,14 +108,20 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase { @Test public void testGetProperty_String() throws DatabaseException { String key = "version"; - CveDB cveDB = new CveDB(); - cveDB.open(); - DatabaseProperties instance = cveDB.getDatabaseProperties(); - cveDB.close(); - String result = instance.getProperty(key); - double version = Double.parseDouble(result); - assertTrue(version >= 2.8); - assertTrue(version <= 10); + CveDB cveDB = null; + try { + cveDB = new CveDB(); + cveDB.open(); + DatabaseProperties instance = cveDB.getDatabaseProperties(); + String result = instance.getProperty(key); + double version = Double.parseDouble(result); + assertTrue(version >= 2.8); + assertTrue(version <= 10); + } finally { + if (cveDB != null) { + cveDB.close(); + } + } } /** @@ -105,11 +129,17 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase { */ @Test public void testGetProperties() throws DatabaseException { - CveDB cveDB = new CveDB(); - cveDB.open(); - DatabaseProperties instance = cveDB.getDatabaseProperties(); - cveDB.close(); - Properties result = instance.getProperties(); - assertTrue(result.size() > 0); + CveDB cveDB = null; + try { + cveDB = new CveDB(); + cveDB.open(); + DatabaseProperties instance = cveDB.getDatabaseProperties(); + Properties result = instance.getProperties(); + assertTrue(result.size() > 0); + } finally { + if (cveDB != null) { + cveDB.close(); + } + } } } From 8cd68c7c16347bdbdbd9bc3ab7fe506d5b69483d Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Fri, 17 Jul 2015 08:45:43 -0400 Subject: [PATCH 22/28] improved logging Former-commit-id: 5b6741a1d561cbf4c20ef98907ce99a2b245b42e --- .../data/nvdcve/BaseDBTestCase.java | 15 ++++++++++----- .../src/test/resources/logback-test.xml | 3 +++ 2 files changed, 13 insertions(+), 5 deletions(-) 
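Review bot: In testGetProperty_String the new `double version = Double.parseDouble(result);` still runs with no null check, so a missing "version" property now fails the test with a NullPointerException inside the try block rather than with a readable assertion. A guard before the parse, `assertNotNull("database property 'version' is missing", result);`, keeps the failure message meaningful; `org.junit.Assert.assertNotNull` is the sibling of the `assertTrue` already used here. The second hunk on this line (testGetProperties) follows the same close-in-finally pattern and needs nothing beyond what applies to it from the earlier tests.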
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java index 76fe5cecd..83560d0c9 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java @@ -27,6 +27,7 @@ import java.util.zip.ZipInputStream; import org.junit.Before; import org.owasp.dependencycheck.BaseTest; import org.owasp.dependencycheck.utils.Settings; +import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** @@ -37,6 +38,8 @@ public abstract class BaseDBTestCase extends BaseTest { protected final static int BUFFER_SIZE = 2048; + private final static Logger LOGGER = LoggerFactory.getLogger(BaseDBTestCase.class); + @Before public void setUp() throws Exception { ensureDBExists(); @@ -46,7 +49,9 @@ public abstract class BaseDBTestCase extends BaseTest { java.io.File dataPath = Settings.getDataDirectory(); String fileName = Settings.getString(Settings.KEYS.DB_FILE_NAME); + LOGGER.trace("DB file name {}", fileName); java.io.File dataFile = new File(dataPath, fileName); + LOGGER.trace("Ensuring {} exists", dataFile.toString()); if (!dataPath.exists() || !dataFile.exists()) { dataPath.mkdirs(); FileInputStream fis = null; @@ -75,7 +80,7 @@ public abstract class BaseDBTestCase extends BaseTest { dest.write(data, 0, count); } } catch (Throwable ex) { - LoggerFactory.getLogger(BaseDBTestCase.class).error("", ex); + LOGGER.error("", ex); } finally { try { if (dest != null) { 
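Review bot: The replacement line `LOGGER.error("", ex);` keeps the empty log message, and because the surrounding `catch (Throwable ex)` lets ensureDBExists continue, a failed extraction of the test database surfaces later as an unrelated test error with only a stack trace to go on. Giving the message the target, for example `LOGGER.error("Unable to extract the test database to {}", dataFile, ex);`, ties the trace to the file being written; `dataFile` appears to be the local declared in the -46 hunk of the same method, but the method header is outside these hunks so that needs confirming. The `LOGGER.trace("", ex);` replacements in the two hunks that follow (-83 and -100) have the same empty message and would read better as `LOGGER.trace("Error closing stream while extracting the test database", ex);`. In the -46 hunk, `dataFile.toString()` is unnecessary with a `{}` placeholder; `LOGGER.trace("Ensuring {} exists", dataFile);` is equivalent.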
@@ -83,14 +88,14 @@ public abstract class BaseDBTestCase extends BaseTest { dest.close(); } } catch (Throwable ex) { - LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex); + LOGGER.trace("", ex); } try { if (fos != null) { fos.close(); } } catch (Throwable ex) { - LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex); + LOGGER.trace("", ex); } } } @@ -100,14 +105,14 @@ public abstract class BaseDBTestCase extends BaseTest { zin.close(); } } catch (Throwable ex) { - LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex); + LOGGER.trace("", ex); } try { if (fis != null) { fis.close(); } } catch (Throwable ex) { - LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex); + LOGGER.trace("", ex); } } } diff --git a/dependency-check-core/src/test/resources/logback-test.xml b/dependency-check-core/src/test/resources/logback-test.xml index a3cc87b96..97d2b4f91 100644 --- a/dependency-check-core/src/test/resources/logback-test.xml +++ b/dependency-check-core/src/test/resources/logback-test.xml @@ -11,6 +11,9 @@ + + +