github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-04-30 20:24:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'upmaster' into remove-dependency-extension-property

Browse Source 
Former-commit-id: b06adaf9fa3031c27be08523b9689ae58d0cc322
This commit is contained in:
Dale Visser
2015-07-19 08:06:43 -04:00
parent 005e401c7f dc466f1480
commit 1b8dc71980
32 changed files with 703 additions and 143 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View File

@@ -154,9 +154,11 @@ public class CPEAnalyzer implements Analyzer {
public void close() {
if (cpe != null) {
cpe.close();
cpe = null;
}
if (cve != null) {
cve.close();
cve = null;
}
}

172
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java Normal file
View File

@@ -0,0 +1,172 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* Used to analyze OpenSSL source code present in the file system.
*
* @author Dale Visser <dvisser@ida.org>
*/
public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
private static final int HEXADECIMAL = 16;
/**
* Filename to analyze. All other .h files get removed from consideration.
*/
private static final String OPENSSLV_H = "opensslv.h";
/**
* Filter that detects files named "__init__.py".
*/
private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build();
private static final Pattern VERSION_PATTERN = Pattern.compile(
"define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL
| Pattern.CASE_INSENSITIVE);
private static final int MAJOR_OFFSET = 28;
private static final long MINOR_MASK = 0x0ff00000L;
private static final int MINOR_OFFSET = 20;
private static final long FIX_MASK = 0x000ff000L;
private static final int FIX_OFFSET = 12;
private static final long PATCH_MASK = 0x00000ff0L;
private static final int PATCH_OFFSET = 4;
private static final int NUM_LETTERS = 26;
private static final int STATUS_MASK = 0x0000000f;
static String getOpenSSLVersion(long openSSLVersionConstant) {
long major = openSSLVersionConstant >>> MAJOR_OFFSET;
long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET;
String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" :
String.valueOf((char) (patchLevel + 'a' - 1));
int statusCode = (int) (openSSLVersionConstant & STATUS_MASK);
String status = 0xf == statusCode ? "" :
(0 == statusCode ? "-dev" : "-beta" + statusCode);
return String.format("%d.%d.%d%s%s", major, minor, fix, patch, status);
}
/**
* Returns the name of the Python Package Analyzer.
*
* @return the name of the analyzer
*/
@Override
public String getName() {
return "OpenSSL Source Analyzer";
}
/**
* Tell that we are used for information collection.
*
* @return INFORMATION_COLLECTION
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return AnalysisPhase.INFORMATION_COLLECTION;
}
/**
* Returns the set of supported file extensions.
*
* @return the set of supported file extensions
*/
@Override
protected FileFilter getFileFilter() {
return OPENSSLV_FILTER;
}
/**
* No-op initializer implementation.
*
* @throws Exception never thrown
*/
@Override
protected void initializeFileTypeAnalyzer() throws Exception {
// Nothing to do here.
}
/**
* Analyzes python packages and adds evidence to the dependency.
*
* @param dependency the dependency being analyzed
* @param engine the engine being used to perform the scan
* @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
*/
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
throws AnalysisException {
final File file = dependency.getActualFile();
final String parentName = file.getParentFile().getName();
boolean found = false;
final String contents = getFileContents(file);
if (!contents.isEmpty()) {
final Matcher matcher = VERSION_PATTERN.matcher(contents);
if (matcher.find()) {
dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant",
getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH);
found = true;
}
}
if (found) {
dependency.setDisplayFileName(parentName + File.separatorChar + OPENSSLV_H);
dependency.getVendorEvidence().addEvidence(OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST);
dependency.getProductEvidence().addEvidence(OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST);
} else {
engine.getDependencies().remove(dependency);
}
}
/**
* Retrieves the contents of a given file.
*
* @param actualFile the file to read
* @return the contents of the file
* @throws AnalysisException thrown if there is an IO Exception
*/
private String getFileContents(final File actualFile)
throws AnalysisException {
String contents;
try {
contents = FileUtils.readFileToString(actualFile).trim();
} catch (IOException e) {
throw new AnalysisException(
"Problem occurred while reading dependency file.", e);
}
return contents;
}
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_OPENSSL_ENABLED;
}
}

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java
View File

@@ -58,6 +58,8 @@ public abstract class BaseUpdater {
if (cveDB != null) {
try {
cveDB.close();
cveDB = null;
properties = null;
} catch (Throwable ignore) {
LOGGER.trace("Error closing the database", ignore);
}
@@ -76,11 +78,11 @@ public abstract class BaseUpdater {
try {
cveDB = new CveDB();
cveDB.open();
properties = cveDB.getDatabaseProperties();
} catch (DatabaseException ex) {
closeDataStores();
LOGGER.debug("Database Exception opening databases", ex);
throw new UpdateException("Error updating the database, please see the log file for more details.");
}
properties = cveDB.getDatabaseProperties();
}
}

7
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
View File

@@ -97,7 +97,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
if (updateNeeded) {
LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
updateToVersion);
updateToVersion);
}
} catch (DatabaseException ex) {
LOGGER.debug("Database Exception opening databases to retrieve properties", ex);
@@ -115,8 +115,8 @@ public class EngineVersionCheck implements CachedWebDataSource {
* @param properties the database properties object
* @param currentVersion the current version of dependency-check
* @return <code>true</code> if a newer version of the database has been released; otherwise <code>false</code>
* @throws UpdateException thrown if there is an error connecting to the github documentation site or accessing the
* local database.
* @throws UpdateException thrown if there is an error connecting to the github documentation site or accessing the local
* database.
*/
protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
String currentVersion) throws UpdateException {
@@ -172,6 +172,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
if (cveDB != null) {
try {
cveDB.close();
cveDB = null;
} catch (Throwable ignore) {
LOGGER.trace("Error closing the cveDB", ignore);
}

34
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
View File

@@ -141,13 +141,13 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
}
/**
* Adds term to the weighting collection. The terms added here are used later to boost the score of other terms.
* This is a way of combining evidence from multiple sources to boost the confidence of the given evidence.
* Adds term to the weighting collection. The terms added here are used later to boost the score of other terms. This is a way
* of combining evidence from multiple sources to boost the confidence of the given evidence.
*
* Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the
* package names within the JAR file we may add these package names to the "weighted" strings collection to boost
* the score in the Lucene query. That way when we construct the Lucene query we find the term Apache in the
* collection AND in the weighted strings; as such, we will boost the confidence of the term Apache.
* Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the package
* names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the
* Lucene query. That way when we construct the Lucene query we find the term Apache in the collection AND in the weighted
* strings; as such, we will boost the confidence of the term Apache.
*
* @param str to add to the weighting collection.
*/
@@ -156,8 +156,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
}
/**
* Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in
* another location.
* Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another
* location.
*
* @return Set<String>
*/
@@ -322,11 +322,11 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
final Set<Evidence> ret = new TreeSet<Evidence>();
for (EvidenceCollection col : ec) {
for (Evidence e : col) {
if (e.isUsed()) {
final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null);
newEvidence.setUsed(true);
ret.add(newEvidence);
}
//if (e.isUsed()) {
final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null);
newEvidence.setUsed(true);
ret.add(newEvidence);
//}
}
}
return ret;
@@ -357,11 +357,11 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
/**
* <p>
* Takes a string that may contain a fully qualified domain and it will return the string having removed the query
* string, the protocol, the sub-domain of 'www', and the file extension of the path.</p>
* Takes a string that may contain a fully qualified domain and it will return the string having removed the query string, the
* protocol, the sub-domain of 'www', and the file extension of the path.</p>
* <p>
* This is useful for checking if the evidence contains a specific string. The presence of the protocol, file
* extension, etc. may produce false positives.
* This is useful for checking if the evidence contains a specific string. The presence of the protocol, file extension, etc.
* may produce false positives.
*
* <p>
* Example, given the following input:</p>

3
dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
View File

@@ -14,4 +14,5 @@ org.owasp.dependencycheck.analyzer.NuspecAnalyzer
org.owasp.dependencycheck.analyzer.AssemblyAnalyzer
org.owasp.dependencycheck.analyzer.PythonDistributionAnalyzer
org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer
org.owasp.dependencycheck.analyzer.AutoconfAnalyzer
org.owasp.dependencycheck.analyzer.AutoconfAnalyzer
org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer

15
dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
View File

@@ -138,4 +138,19 @@
<gav regex="true">com.microsoft.bingads:microsoft.bingads:.*</gav>
<cpe>cpe:/a:microsoft:bing</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Oracle Jersey is flagged as glassfish.
]]></notes>
<gav regex="true">.*jersey.*</gav>
<cpe>cpe:/a:oracle:glassfish_server</cpe>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Oracle HK2 is flagged as glassfish.
]]></notes>
<gav regex="true">.*\bhk2\b.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
</suppressions>

4
dependency-check-core/src/main/resources/schema/DependencyCheck.xsd → dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd
View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2">
<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
<xs:element name="analysis">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
@@ -111,6 +111,8 @@
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="value" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="type" type="xs:string" use="required" />
<xs:attribute name="confidence" type="xs:string" use="required" />
</xs:complexType>
</xs:element>
</xs:sequence>

2
dependency-check-core/src/main/resources/templates/HtmlReport.vsl
View File

@@ -560,7 +560,7 @@ arising out of or in connection with the use of this tool, the analysis performe
<th class="sortable" data-sort="int" title="The highest CVE Severity">Highest Severity</th>
<th class="sortable" data-sort="int" title="The number of Common Vulnerability and Exposure (CVE) entries">CVE Count</th>
<th class="sortable" data-sort="string" title="The confidence rating dependency-check has for the identified CPE">CPE Confidence</th>
<th class="sortable" data-sort="int" title="The count of evidence used to identify the CPE">Evidence Count</th>
<th class="sortable" data-sort="int" title="The count of evidence collected to identify the CPE">Evidence Count</th>
</tr></thead>
#foreach($dependency in $dependencies)
#set($lnkcnt=$lnkcnt+1)

20
dependency-check-core/src/main/resources/templates/XmlReport.vsl
View File

@@ -18,7 +18,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
@author Jeremy Long <jeremy.long@owasp.org>
@version 1.1
*#<?xml version="1.0"?>
<analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2">
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
<scanInfo>
<engineVersion>$version</engineVersion>
#foreach($prop in $properties.getMetaData().entrySet())
@@ -68,8 +68,22 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</relatedDependencies>
#end
<evidenceCollected>
#foreach($evidence in $dependency.getEvidenceForDisplay())
<evidence>
#foreach($evidence in $dependency.getVendorEvidence())
<evidence type="vendor" confidence="$enc.xml($evidence.getConfidence().toString())">
<source>$enc.xml($evidence.getSource())</source>
<name>$enc.xml($evidence.getName())</name>
<value>$enc.xml($evidence.getValue().trim())</value>
</evidence>
#end
#foreach($evidence in $dependency.getProductEvidence())
<evidence type="product" confidence="$enc.xml($evidence.getConfidence().toString())">
<source>$enc.xml($evidence.getSource())</source>
<name>$enc.xml($evidence.getName())</name>
<value>$enc.xml($evidence.getValue().trim())</value>
</evidence>
#end
#foreach($evidence in $dependency.getVersionEvidence())
<evidence type="version" confidence="$enc.xml($evidence.getConfidence().toString())">
<source>$enc.xml($evidence.getSource())</source>
<name>$enc.xml($evidence.getName())</name>
<value>$enc.xml($evidence.getValue().trim())</value>

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
View File

@@ -94,7 +94,7 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
try {
//callDetermineCPE_full("struts2-core-2.3.16.3.jar", "cpe:/a:apache:struts:2.3.16.3", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("hazelcast-2.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:vmware:springsource_spring_framework:2.5.5", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);

1
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
View File

@@ -111,7 +111,6 @@ public class HintAnalyzerTest extends BaseTest {
assertTrue(evidence.contains(springTest3));
//assertTrue(evidence.contains(springTest4));
//assertTrue(evidence.contains(springTest5));
}
}

119
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java Normal file
View File

@@ -0,0 +1,119 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import java.io.File;
import static org.hamcrest.CoreMatchers.containsString;
import static org.junit.Assert.*;
/**
* Unit tests for OpenSSLAnalyzerAnalyzer.
*
* @author Dale Visser <dvisser@ida.org>
*/
public class OpenSSLAnalyzerTest extends BaseTest {
/**
* The package analyzer to test.
*/
OpenSSLAnalyzer analyzer;
/**
* Setup the PtyhonPackageAnalyzer.
*
* @throws Exception if there is a problem
*/
@Before
public void setUp() throws Exception {
analyzer = new OpenSSLAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();
}
/**
* Cleanup any resources used.
*
* @throws Exception if there is a problem
*/
@After
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
}
/**
* Test of getName method, of class OpenSSLAnalyzer.
*/
@Test
public void testGetName() {
assertEquals("Analyzer name wrong.", "OpenSSL Source Analyzer",
analyzer.getName());
}
/**
* Test of supportsExtension method, of class PythonPackageAnalyzer.
*/
@Test
public void testAccept() {
assertTrue("Should support files named \"opensslv.h\".",
analyzer.accept(new File("opensslv.h")));
}
@Test
public void testVersionConstantExamples() {
final long[] constants = {0x1000203fL
, 0x00903000
, 0x00903001
, 0x00903002l
, 0x0090300f
, 0x0090301f
, 0x0090400f
, 0x102031af};
final String[] versions = {"1.0.2c",
"0.9.3-dev",
"0.9.3-beta1",
"0.9.3-beta2",
"0.9.3",
"0.9.3a",
"0.9.4",
"1.2.3z"};
assertEquals(constants.length, versions.length);
for (int i = 0; i < constants.length; i++) {
assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i]));
}
}
@Test
public void testOpenSSLVersionHeaderFile() throws AnalysisException {
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
this,
"openssl/opensslv.h"));
analyzer.analyze(result, null);
assertThat(result.getProductEvidence().toString(), containsString("OpenSSL"));
assertThat(result.getVendorEvidence().toString(), containsString("OpenSSL"));
assertThat(result.getVersionEvidence().toString(), containsString("1.0.2c"));
}
}

16
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java
View File

@@ -27,6 +27,7 @@ import java.util.zip.ZipInputStream;
import org.junit.Before;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
@@ -37,6 +38,8 @@ public abstract class BaseDBTestCase extends BaseTest {
protected final static int BUFFER_SIZE = 2048;
private final static Logger LOGGER = LoggerFactory.getLogger(BaseDBTestCase.class);
@Before
public void setUp() throws Exception {
ensureDBExists();
@@ -46,8 +49,11 @@ public abstract class BaseDBTestCase extends BaseTest {
java.io.File dataPath = Settings.getDataDirectory();
String fileName = Settings.getString(Settings.KEYS.DB_FILE_NAME);
LOGGER.trace("DB file name {}", fileName);
java.io.File dataFile = new File(dataPath, fileName);
LOGGER.trace("Ensuring {} exists", dataFile.toString());
if (!dataPath.exists() || !dataFile.exists()) {
LOGGER.trace("Extracting database to {}", dataPath.toString());
dataPath.mkdirs();
FileInputStream fis = null;
ZipInputStream zin = null;
@@ -75,7 +81,7 @@ public abstract class BaseDBTestCase extends BaseTest {
dest.write(data, 0, count);
}
} catch (Throwable ex) {
LoggerFactory.getLogger(BaseDBTestCase.class).error("", ex);
LOGGER.error("", ex);
} finally {
try {
if (dest != null) {
@@ -83,14 +89,14 @@ public abstract class BaseDBTestCase extends BaseTest {
dest.close();
}
} catch (Throwable ex) {
LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex);
LOGGER.trace("", ex);
}
try {
if (fos != null) {
fos.close();
}
} catch (Throwable ex) {
LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex);
LOGGER.trace("", ex);
}
}
}
@@ -100,14 +106,14 @@ public abstract class BaseDBTestCase extends BaseTest {
zin.close();
}
} catch (Throwable ex) {
LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex);
LOGGER.trace("", ex);
}
try {
if (fis != null) {
fis.close();
}
} catch (Throwable ex) {
LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex);
LOGGER.trace("", ex);
}
}
}

111
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java
View File

@@ -39,10 +39,16 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
*/
@Test
public void testOpen() throws Exception {
CveDB instance = new CveDB();
instance.open();
instance.commit();
instance.close();
CveDB instance = null;
try {
instance = new CveDB();
instance.open();
instance.commit();
} finally {
if (instance != null) {
instance.close();
}
}
}
/**
@@ -50,15 +56,18 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
*/
@Test
public void testGetCPEs() throws Exception {
CveDB instance = new CveDB();
CveDB instance = null;
try {
instance = new CveDB();
String vendor = "apache";
String product = "struts";
instance.open();
Set<VulnerableSoftware> result = instance.getCPEs(vendor, product);
assertTrue(result.size() > 5);
} finally {
instance.close();
if (instance != null) {
instance.close();
}
}
}
@@ -68,9 +77,10 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
@Test
public void testGetVulnerabilities() throws Exception {
String cpeStr = "cpe:/a:apache:struts:2.1.2";
CveDB instance = new CveDB();
CveDB instance = null;
List<Vulnerability> results;
try {
instance = new CveDB();
instance.open();
results = instance.getVulnerabilities(cpeStr);
assertTrue(results.size() > 5);
@@ -99,7 +109,9 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
assertTrue("Expected " + expected + ", but was not identified", found);
} finally {
instance.close();
if (instance != null) {
instance.close();
}
}
}
@@ -108,56 +120,61 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
*/
@Test
public void testGetMatchingSoftware() throws Exception {
CveDB instance = null;
HashMap<String, Boolean> versions = new HashMap<String, Boolean>();
DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE);
try {
instance = new CveDB();
Entry<String, Boolean> results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNull(results);
versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE);
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNull(results);
CveDB instance = new CveDB();
Entry<String, Boolean> results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNull(results);
versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE);
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNull(results);
versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE);
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNotNull(results);
Assert.assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());
versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE);
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNotNull(results);
Assert.assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());
versions.clear();
versions.clear();
versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE);
versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE);
versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE);
identifiedVersion = new DependencyVersion("3.2.2");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey());
Assert.assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("3.2.12");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNull(results);
identifiedVersion = new DependencyVersion("3.2.2");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey());
Assert.assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("3.2.12");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNull(results);
identifiedVersion = new DependencyVersion("4.0.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
Assert.assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("4.1.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNull(results);
identifiedVersion = new DependencyVersion("4.0.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
Assert.assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("4.1.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNull(results);
versions.clear();
versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
identifiedVersion = new DependencyVersion("1.6.3");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNotNull(results);
versions.clear();
versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
identifiedVersion = new DependencyVersion("1.6.3");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNotNull(results);
} finally {
if (instance != null) {
instance.close();
}
}
}
}

112
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java
View File

@@ -34,14 +34,20 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
*/
@Test
public void testIsEmpty() throws Exception {
CveDB cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
boolean expResult = false;
boolean result = instance.isEmpty();
//no exception means the call worked... whether or not it is empty depends on if the db is new
//assertEquals(expResult, result);
cveDB.close();
CveDB cveDB = null;
try {
cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
boolean expResult = false;
boolean result = instance.isEmpty();
//no exception means the call worked... whether or not it is empty depends on if the db is new
//assertEquals(expResult, result);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
}
/**
@@ -54,18 +60,24 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
long expected = 1337;
updatedValue.setId(key);
updatedValue.setTimestamp(expected);
CveDB cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
instance.save(updatedValue);
//reload the properties
cveDB.close();
cveDB = new CveDB();
cveDB.open();
instance = cveDB.getDatabaseProperties();
cveDB.close();
long results = Long.parseLong(instance.getProperty("NVD CVE " + key));
assertEquals(expected, results);
CveDB cveDB = null;
try {
cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
instance.save(updatedValue);
//reload the properties
cveDB.close();
cveDB = new CveDB();
cveDB.open();
instance = cveDB.getDatabaseProperties();
long results = Long.parseLong(instance.getProperty("NVD CVE " + key));
assertEquals(expected, results);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
}
/**
@@ -75,13 +87,19 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
public void testGetProperty_String_String() throws Exception {
String key = "doesn't exist";
String defaultValue = "default";
CveDB cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
cveDB.close();
String expResult = "default";
String result = instance.getProperty(key, defaultValue);
assertEquals(expResult, result);
CveDB cveDB = null;
try {
cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
String expResult = "default";
String result = instance.getProperty(key, defaultValue);
assertEquals(expResult, result);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
}
/**
@@ -90,14 +108,20 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
@Test
public void testGetProperty_String() throws DatabaseException {
String key = "version";
CveDB cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
cveDB.close();
String result = instance.getProperty(key);
double version = Double.parseDouble(result);
assertTrue(version >= 2.8);
assertTrue(version <= 10);
CveDB cveDB = null;
try {
cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
String result = instance.getProperty(key);
double version = Double.parseDouble(result);
assertTrue(version >= 2.8);
assertTrue(version <= 10);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
}
/**
@@ -105,11 +129,17 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
*/
@Test
public void testGetProperties() throws DatabaseException {
CveDB cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
cveDB.close();
Properties result = instance.getProperties();
assertTrue(result.size() > 0);
CveDB cveDB = null;
try {
cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
Properties result = instance.getProperties();
assertTrue(result.size() > 0);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
}
}

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java
View File

@@ -147,7 +147,7 @@ public class ReportGeneratorIntegrationTest extends BaseTest {
engine.cleanup();
InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/DependencyCheck.xsd");
InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.3.xsd");
StreamSource xsdSource = new StreamSource(xsdStream);
StreamSource xmlSource = new StreamSource(new File(writeTo));
SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);

5
dependency-check-core/src/test/resources/dependencycheck.properties
View File

@@ -40,7 +40,8 @@ data.driver_name=org.h2.Driver
data.driver_path=
# the path to the cpe xml file
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
#cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
# the path to the cpe meta data file.
cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta
@@ -61,8 +62,6 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cpe.validfordays=30
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.enabled=true

9
dependency-check-core/src/test/resources/logback-test.xml
View File

@@ -7,11 +7,14 @@
<pattern>[%level] %msg%n</pattern>
</encoder>
</appender>
<root level="INFO">
<root level="DEBUG">
<appender-ref ref="console"/>
</root>
<logger name="org.owasp.dependencycheck.analyzer.AssemblyAnalyzerTest" additivity="false" level="WARN">
<logger name="org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase" additivity="false" level="TRACE">
<appender-ref ref="console"/>
</logger>
<!--logger name="org.owasp.dependencycheck.analyzer.AssemblyAnalyzerTest" additivity="false" level="WARN">
<appender-ref ref="console"/>
</logger>
<logger name="org.owasp.dependencycheck.data.central.CentralSearchTest" additivity="false" level="WARN">
@@ -19,5 +22,5 @@
</logger>
<logger name="org.owasp.dependencycheck.data.nexus.NexusSearchTest" additivity="false" level="WARN">
<appender-ref ref="console"/>
</logger>
</logger-->
</configuration>

97
dependency-check-core/src/test/resources/openssl/opensslv.h Normal file
View File

@@ -0,0 +1,97 @@
#ifndef HEADER_OPENSSLV_H
# define HEADER_OPENSSLV_H
#ifdef __cplusplus
extern "C" {
#endif
/*-
* Numeric release version identifier:
* MNNFFPPS: major minor fix patch status
* The status nibble has one of the values 0 for development, 1 to e for betas
* 1 to 14, and f for release. The patch level is exactly that.
* For example:
* 0.9.3-dev 0x00903000
* 0.9.3-beta1 0x00903001
* 0.9.3-beta2-dev 0x00903002
* 0.9.3-beta2 0x00903002 (same as ...beta2-dev)
* 0.9.3 0x0090300f
* 0.9.3a 0x0090301f
* 0.9.4 0x0090400f
* 1.2.3z 0x102031af
*
* For continuity reasons (because 0.9.5 is already out, and is coded
* 0x00905100), between 0.9.5 and 0.9.6 the coding of the patch level
* part is slightly different, by setting the highest bit. This means
* that 0.9.5a looks like this: 0x0090581f. At 0.9.6, we can start
* with 0x0090600S...
*
* (Prior to 0.9.3-dev a different scheme was used: 0.9.2b is 0x0922.)
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x1000203fL
# ifdef OPENSSL_FIPS
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c-fips 12 Jun 2015"
# else
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c 12 Jun 2015"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
* versioning. That kind of versioning works a bit differently between
* operating systems. The most usual scheme is to set a major and a minor
* number, and have the runtime loader check that the major number is equal
* to what it was at application link time, while the minor number has to
* be greater or equal to what it was at application link time. With this
* scheme, the version number is usually part of the file name, like this:
*
* libcrypto.so.0.9
*
* Some unixen also make a softlink with the major verson number only:
*
* libcrypto.so.0
*
* On Tru64 and IRIX 6.x it works a little bit differently. There, the
* shared library version is stored in the file, and is actually a series
* of versions, separated by colons. The rightmost version present in the
* library when linking an application is stored in the application to be
* matched at run time. When the application is run, a check is done to
* see if the library version stored in the application matches any of the
* versions in the version string of the library itself.
* This version string can be constructed in any way, depending on what
* kind of matching is desired. However, to implement the same scheme as
* the one used in the other unixen, all compatible versions, from lowest
* to highest, should be part of the string. Consecutive builds would
* give the following versions strings:
*
* 3.0
* 3.0:3.1
* 3.0:3.1:3.2
* 4.0
* 4.0:4.1
*
* Notice how version 4 is completely incompatible with version, and
* therefore give the breach you can see.
*
* There may be other schemes as well that I haven't yet discovered.
*
* So, here's the way it works here: first of all, the library version
* number doesn't need at all to match the overall OpenSSL version.
* However, it's nice and more understandable if it actually does.
* The current library version is stored in the macro SHLIB_VERSION_NUMBER,
* which is just a piece of text in the format "M.m.e" (Major, minor, edit).
* For the sake of Tru64, IRIX, and any other OS that behaves in similar ways,
* we need to keep a history of version numbers, which is done in the
* macro SHLIB_VERSION_HISTORY. The numbers are separated by colons and
* should only keep the versions that are binary compatible with the current.
*/
# define SHLIB_VERSION_HISTORY ""
# define SHLIB_VERSION_NUMBER "1.0.0"
#ifdef __cplusplus
}
#endif
#endif /* HEADER_OPENSSLV_H */