github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-24 01:51:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'upmaster' into remove-dependency-extension-property

Browse Source 
Former-commit-id: b06adaf9fa3031c27be08523b9689ae58d0cc322
This commit is contained in:
Dale Visser
2015-07-19 08:06:43 -04:00
parent 005e401c7f dc466f1480
commit 1b8dc71980
32 changed files with 703 additions and 143 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/package-info.java
View File

@@ -1,4 +1,4 @@
/** /**
* This package includes the Ant task definitions. * This package includes the Ant task definitions.
*/ */
package org.owasp.dependencycheck.taskdefs; package org.owasp.dependencycheck.ant.logging;

12
dependency-check-ant/src/site/markdown/configuration.md
View File

@@ -64,12 +64,12 @@ Advanced Configuration
The following properties can be configured in the plugin. However, they are less frequently changed. One exception The following properties can be configured in the plugin. However, they are less frequently changed. One exception
may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
Property | Description | Default Value Property | Description | Default Value
---------------------|-------------------------------------------------------------------------|------------------ ---------------------|--------------------------------------------------------------------------|------------------
cveUrl12Modified | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. |   dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. |  
databaseDriverName | The name of the database driver. Example: org.h2.Driver. |   databaseDriverName | The name of the database driver. Example: org.h2.Driver. |  
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |   databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |  

10
dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -250,9 +250,6 @@ public class App {
final String suppressionFile = cli.getSuppressionFile(); final String suppressionFile = cli.getSuppressionFile();
final boolean jarDisabled = cli.isJarDisabled(); final boolean jarDisabled = cli.isJarDisabled();
final boolean archiveDisabled = cli.isArchiveDisabled(); final boolean archiveDisabled = cli.isArchiveDisabled();
final boolean pyDistDisabled = cli.isPythonDistributionDisabled();
final boolean pyPkgDisabled = cli.isPythonPackageDisabled();
final boolean autoconfDisabled = cli.isAutoconfDisabled();
final boolean assemblyDisabled = cli.isAssemblyDisabled(); final boolean assemblyDisabled = cli.isAssemblyDisabled();
final boolean nuspecDisabled = cli.isNuspecDisabled(); final boolean nuspecDisabled = cli.isNuspecDisabled();
final boolean centralDisabled = cli.isCentralDisabled(); final boolean centralDisabled = cli.isCentralDisabled();
@@ -320,11 +317,12 @@ public class App {
//File Type Analyzer Settings //File Type Analyzer Settings
Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !jarDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !jarDisabled);
Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !archiveDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !archiveDisabled);
Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !pyDistDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !cli.isPythonDistributionDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !pyPkgDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !cli.isPythonPackageDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !autoconfDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !cli.isAutoconfDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled);
Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled);
Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !centralDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !centralDisabled);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled);

17
dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
View File

@@ -367,6 +367,9 @@ public final class CliParser {
.withLongOpt(ARGUMENT.DISABLE_AUTOCONF) .withLongOpt(ARGUMENT.DISABLE_AUTOCONF)
.withDescription("Disable the Autoconf Analyzer.").create(); .withDescription("Disable the Autoconf Analyzer.").create();
final Option disableOpenSSLAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_OPENSSL)
.withDescription("Disable the OpenSSL Analyzer.").create();
final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL) final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL)
.withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable " .withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable "
+ "the Nexus Analyzer.").create(); + "the Nexus Analyzer.").create();
@@ -396,6 +399,7 @@ public final class CliParser {
.addOption(disablePythonDistributionAnalyzer) .addOption(disablePythonDistributionAnalyzer)
.addOption(disablePythonPackageAnalyzer) .addOption(disablePythonPackageAnalyzer)
.addOption(disableAutoconfAnalyzer) .addOption(disableAutoconfAnalyzer)
.addOption(disableOpenSSLAnalyzer)
.addOption(disableNuspecAnalyzer) .addOption(disableNuspecAnalyzer)
.addOption(disableCentralAnalyzer) .addOption(disableCentralAnalyzer)
.addOption(disableNexusAnalyzer) .addOption(disableNexusAnalyzer)
@@ -521,6 +525,15 @@ public final class CliParser {
return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS); return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS);
} }
/**
* Returns true if the disableOpenSSL command line argument was specified.
*
* @return true if the disableOpenSSL command line argument was specified; otherwise false
*/
public boolean isOpenSSLDisabled() {
return (line != null) && line.hasOption(ARGUMENT.DISABLE_OPENSSL);
}
/** /**
* Returns true if the disableCentral command line argument was specified. * Returns true if the disableCentral command line argument was specified.
* *
@@ -1033,6 +1046,10 @@ public final class CliParser {
* Disables the Nexus Analyzer. * Disables the Nexus Analyzer.
*/ */
public static final String DISABLE_NEXUS = "disableNexus"; public static final String DISABLE_NEXUS = "disableNexus";
/**
* Disables the OpenSSL Analyzer.
*/
public static final String DISABLE_OPENSSL = "disableOpenSSL";
/** /**
* The URL of the nexus server. * The URL of the nexus server.
*/ */

5
dependency-check-cli/src/site/markdown/arguments.md
View File

@@ -21,11 +21,16 @@ Advanced Options
================ ================
Short | Argument Name        | Parameter | Description | Default Value Short | Argument Name        | Parameter | Description | Default Value
-------|-----------------------|-----------------|----------------------------------------------------------------------------------|------------------- -------|-----------------------|-----------------|----------------------------------------------------------------------------------|-------------------
| \-\-cveUrl12Modified | \<url\> | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml
| \-\-cveUrl20Modified | \<url\> | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
| \-\-cveUrl12Base | \<url\> | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml
| \-\-cveUrl20Base | \<url\> | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
\-P | \-\-propertyfile | \<file\> | Specifies a file that contains properties to use instead of applicaion defaults. | &nbsp; \-P | \-\-propertyfile | \<file\> | Specifies a file that contains properties to use instead of applicaion defaults. | &nbsp;
| \-\-updateonly | | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | &nbsp; | \-\-updateonly | | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | &nbsp;
| \-\-disablePyDist | | Sets whether the Python Distribution Analyzer will be used. | false | \-\-disablePyDist | | Sets whether the Python Distribution Analyzer will be used. | false
| \-\-disablePyPkg | | Sets whether the Python Package Analyzer will be used. | false | \-\-disablePyPkg | | Sets whether the Python Package Analyzer will be used. | false
| \-\-disableAutoconf | | Sets whether the Autoconf Analyzer will be used. | false | \-\-disableAutoconf | | Sets whether the Autoconf Analyzer will be used. | false
| \-\-disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | false
| \-\-disableArchive | | Sets whether the Archive Analyzer will be used. | false | \-\-disableArchive | | Sets whether the Archive Analyzer will be used. | false
| \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp; | \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
| \-\-disableJar | | Sets whether the Jar Analyzer will be used. | false | \-\-disableJar | | Sets whether the Jar Analyzer will be used. | false

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View File

@@ -154,9 +154,11 @@ public class CPEAnalyzer implements Analyzer {
public void close() { public void close() {
if (cpe != null) { if (cpe != null) {
cpe.close(); cpe.close();
cpe = null;
} }
if (cve != null) { if (cve != null) {
cve.close(); cve.close();
cve = null;
} }
} }

172
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java Normal file
View File

@@ -0,0 +1,172 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* Used to analyze OpenSSL source code present in the file system.
*
* @author Dale Visser <dvisser@ida.org>
*/
public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
private static final int HEXADECIMAL = 16;
/**
* Filename to analyze. All other .h files get removed from consideration.
*/
private static final String OPENSSLV_H = "opensslv.h";
/**
* Filter that detects files named "__init__.py".
*/
private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build();
private static final Pattern VERSION_PATTERN = Pattern.compile(
"define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL
| Pattern.CASE_INSENSITIVE);
private static final int MAJOR_OFFSET = 28;
private static final long MINOR_MASK = 0x0ff00000L;
private static final int MINOR_OFFSET = 20;
private static final long FIX_MASK = 0x000ff000L;
private static final int FIX_OFFSET = 12;
private static final long PATCH_MASK = 0x00000ff0L;
private static final int PATCH_OFFSET = 4;
private static final int NUM_LETTERS = 26;
private static final int STATUS_MASK = 0x0000000f;
static String getOpenSSLVersion(long openSSLVersionConstant) {
long major = openSSLVersionConstant >>> MAJOR_OFFSET;
long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET;
String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" :
String.valueOf((char) (patchLevel + 'a' - 1));
int statusCode = (int) (openSSLVersionConstant & STATUS_MASK);
String status = 0xf == statusCode ? "" :
(0 == statusCode ? "-dev" : "-beta" + statusCode);
return String.format("%d.%d.%d%s%s", major, minor, fix, patch, status);
}
/**
* Returns the name of the Python Package Analyzer.
*
* @return the name of the analyzer
*/
@Override
public String getName() {
return "OpenSSL Source Analyzer";
}
/**
* Tell that we are used for information collection.
*
* @return INFORMATION_COLLECTION
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return AnalysisPhase.INFORMATION_COLLECTION;
}
/**
* Returns the set of supported file extensions.
*
* @return the set of supported file extensions
*/
@Override
protected FileFilter getFileFilter() {
return OPENSSLV_FILTER;
}
/**
* No-op initializer implementation.
*
* @throws Exception never thrown
*/
@Override
protected void initializeFileTypeAnalyzer() throws Exception {
// Nothing to do here.
}
/**
* Analyzes python packages and adds evidence to the dependency.
*
* @param dependency the dependency being analyzed
* @param engine the engine being used to perform the scan
* @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
*/
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
throws AnalysisException {
final File file = dependency.getActualFile();
final String parentName = file.getParentFile().getName();
boolean found = false;
final String contents = getFileContents(file);
if (!contents.isEmpty()) {
final Matcher matcher = VERSION_PATTERN.matcher(contents);
if (matcher.find()) {
dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant",
getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH);
found = true;
}
}
if (found) {
dependency.setDisplayFileName(parentName + File.separatorChar + OPENSSLV_H);
dependency.getVendorEvidence().addEvidence(OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST);
dependency.getProductEvidence().addEvidence(OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST);
} else {
engine.getDependencies().remove(dependency);
}
}
/**
* Retrieves the contents of a given file.
*
* @param actualFile the file to read
* @return the contents of the file
* @throws AnalysisException thrown if there is an IO Exception
*/
private String getFileContents(final File actualFile)
throws AnalysisException {
String contents;
try {
contents = FileUtils.readFileToString(actualFile).trim();
} catch (IOException e) {
throw new AnalysisException(
"Problem occurred while reading dependency file.", e);
}
return contents;
}
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_OPENSSL_ENABLED;
}
}

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java
View File

@@ -58,6 +58,8 @@ public abstract class BaseUpdater {
if (cveDB != null) { if (cveDB != null) {
try { try {
cveDB.close(); cveDB.close();
cveDB = null;
properties = null;
} catch (Throwable ignore) { } catch (Throwable ignore) {
LOGGER.trace("Error closing the database", ignore); LOGGER.trace("Error closing the database", ignore);
} }
@@ -76,11 +78,11 @@ public abstract class BaseUpdater {
try { try {
cveDB = new CveDB(); cveDB = new CveDB();
cveDB.open(); cveDB.open();
properties = cveDB.getDatabaseProperties();
} catch (DatabaseException ex) { } catch (DatabaseException ex) {
closeDataStores(); closeDataStores();
LOGGER.debug("Database Exception opening databases", ex); LOGGER.debug("Database Exception opening databases", ex);
throw new UpdateException("Error updating the database, please see the log file for more details."); throw new UpdateException("Error updating the database, please see the log file for more details.");
} }
properties = cveDB.getDatabaseProperties();
} }
} }

7
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
View File

@@ -97,7 +97,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion); final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
if (updateNeeded) { if (updateNeeded) {
LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.", LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
updateToVersion); updateToVersion);
} }
} catch (DatabaseException ex) { } catch (DatabaseException ex) {
LOGGER.debug("Database Exception opening databases to retrieve properties", ex); LOGGER.debug("Database Exception opening databases to retrieve properties", ex);
@@ -115,8 +115,8 @@ public class EngineVersionCheck implements CachedWebDataSource {
* @param properties the database properties object * @param properties the database properties object
* @param currentVersion the current version of dependency-check * @param currentVersion the current version of dependency-check
* @return <code>true</code> if a newer version of the database has been released; otherwise <code>false</code> * @return <code>true</code> if a newer version of the database has been released; otherwise <code>false</code>
* @throws UpdateException thrown if there is an error connecting to the github documentation site or accessing the * @throws UpdateException thrown if there is an error connecting to the github documentation site or accessing the local
* local database. * database.
*/ */
protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties, protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
String currentVersion) throws UpdateException { String currentVersion) throws UpdateException {
@@ -172,6 +172,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
if (cveDB != null) { if (cveDB != null) {
try { try {
cveDB.close(); cveDB.close();
cveDB = null;
} catch (Throwable ignore) { } catch (Throwable ignore) {
LOGGER.trace("Error closing the cveDB", ignore); LOGGER.trace("Error closing the cveDB", ignore);
} }

34
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
View File

@@ -141,13 +141,13 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
} }
/** /**
* Adds term to the weighting collection. The terms added here are used later to boost the score of other terms. * Adds term to the weighting collection. The terms added here are used later to boost the score of other terms. This is a way
* This is a way of combining evidence from multiple sources to boost the confidence of the given evidence. * of combining evidence from multiple sources to boost the confidence of the given evidence.
* *
* Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the * Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the package
* package names within the JAR file we may add these package names to the "weighted" strings collection to boost * names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the
* the score in the Lucene query. That way when we construct the Lucene query we find the term Apache in the * Lucene query. That way when we construct the Lucene query we find the term Apache in the collection AND in the weighted
* collection AND in the weighted strings; as such, we will boost the confidence of the term Apache. * strings; as such, we will boost the confidence of the term Apache.
* *
* @param str to add to the weighting collection. * @param str to add to the weighting collection.
*/ */
@@ -156,8 +156,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
} }
/** /**
* Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another
* another location. * location.
* *
* @return Set<String> * @return Set<String>
*/ */
@@ -322,11 +322,11 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
final Set<Evidence> ret = new TreeSet<Evidence>(); final Set<Evidence> ret = new TreeSet<Evidence>();
for (EvidenceCollection col : ec) { for (EvidenceCollection col : ec) {
for (Evidence e : col) { for (Evidence e : col) {
if (e.isUsed()) { //if (e.isUsed()) {
final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null); final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null);
newEvidence.setUsed(true); newEvidence.setUsed(true);
ret.add(newEvidence); ret.add(newEvidence);
} //}
} }
} }
return ret; return ret;
@@ -357,11 +357,11 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
/** /**
* <p> * <p>
* Takes a string that may contain a fully qualified domain and it will return the string having removed the query * Takes a string that may contain a fully qualified domain and it will return the string having removed the query string, the
* string, the protocol, the sub-domain of 'www', and the file extension of the path.</p> * protocol, the sub-domain of 'www', and the file extension of the path.</p>
* <p> * <p>
* This is useful for checking if the evidence contains a specific string. The presence of the protocol, file * This is useful for checking if the evidence contains a specific string. The presence of the protocol, file extension, etc.
* extension, etc. may produce false positives. * may produce false positives.
* *
* <p> * <p>
* Example, given the following input:</p> * Example, given the following input:</p>

1
dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
View File

@@ -15,3 +15,4 @@ org.owasp.dependencycheck.analyzer.AssemblyAnalyzer
org.owasp.dependencycheck.analyzer.PythonDistributionAnalyzer org.owasp.dependencycheck.analyzer.PythonDistributionAnalyzer
org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer
org.owasp.dependencycheck.analyzer.AutoconfAnalyzer org.owasp.dependencycheck.analyzer.AutoconfAnalyzer
org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer

15
dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
View File

@@ -138,4 +138,19 @@
<gav regex="true">com.microsoft.bingads:microsoft.bingads:.*</gav> <gav regex="true">com.microsoft.bingads:microsoft.bingads:.*</gav>
<cpe>cpe:/a:microsoft:bing</cpe> <cpe>cpe:/a:microsoft:bing</cpe>
</suppress> </suppress>
<suppress base="true">
<notes><![CDATA[
Oracle Jersey is flagged as glassfish.
]]></notes>
<gav regex="true">.*jersey.*</gav>
<cpe>cpe:/a:oracle:glassfish_server</cpe>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Oracle HK2 is flagged as glassfish.
]]></notes>
<gav regex="true">.*\bhk2\b.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
</suppressions> </suppressions>

4
dependency-check-core/src/main/resources/schema/DependencyCheck.xsd → dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd
View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2"> <xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
<xs:element name="analysis"> <xs:element name="analysis">
<xs:complexType> <xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded"> <xs:sequence minOccurs="0" maxOccurs="unbounded">
@@ -111,6 +111,8 @@
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" /> <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="value" type="xs:string" minOccurs="1" maxOccurs="1" /> <xs:element name="value" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence> </xs:sequence>
<xs:attribute name="type" type="xs:string" use="required" />
<xs:attribute name="confidence" type="xs:string" use="required" />
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
</xs:sequence> </xs:sequence>

2
dependency-check-core/src/main/resources/templates/HtmlReport.vsl
View File

@@ -560,7 +560,7 @@ arising out of or in connection with the use of this tool, the analysis performe
<th class="sortable" data-sort="int" title="The highest CVE Severity">Highest Severity</th> <th class="sortable" data-sort="int" title="The highest CVE Severity">Highest Severity</th>
<th class="sortable" data-sort="int" title="The number of Common Vulnerability and Exposure (CVE) entries">CVE Count</th> <th class="sortable" data-sort="int" title="The number of Common Vulnerability and Exposure (CVE) entries">CVE Count</th>
<th class="sortable" data-sort="string" title="The confidence rating dependency-check has for the identified CPE">CPE Confidence</th> <th class="sortable" data-sort="string" title="The confidence rating dependency-check has for the identified CPE">CPE Confidence</th>
<th class="sortable" data-sort="int" title="The count of evidence used to identify the CPE">Evidence Count</th> <th class="sortable" data-sort="int" title="The count of evidence collected to identify the CPE">Evidence Count</th>
</tr></thead> </tr></thead>
#foreach($dependency in $dependencies) #foreach($dependency in $dependencies)
#set($lnkcnt=$lnkcnt+1) #set($lnkcnt=$lnkcnt+1)

20
dependency-check-core/src/main/resources/templates/XmlReport.vsl
View File

@@ -18,7 +18,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
@author Jeremy Long <jeremy.long@owasp.org> @author Jeremy Long <jeremy.long@owasp.org>
@version 1.1 @version 1.1
*#<?xml version="1.0"?> *#<?xml version="1.0"?>
<analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2"> <analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
<scanInfo> <scanInfo>
<engineVersion>$version</engineVersion> <engineVersion>$version</engineVersion>
#foreach($prop in $properties.getMetaData().entrySet()) #foreach($prop in $properties.getMetaData().entrySet())
@@ -68,8 +68,22 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</relatedDependencies> </relatedDependencies>
#end #end
<evidenceCollected> <evidenceCollected>
#foreach($evidence in $dependency.getEvidenceForDisplay()) #foreach($evidence in $dependency.getVendorEvidence())
<evidence> <evidence type="vendor" confidence="$enc.xml($evidence.getConfidence().toString())">
<source>$enc.xml($evidence.getSource())</source>
<name>$enc.xml($evidence.getName())</name>
<value>$enc.xml($evidence.getValue().trim())</value>
</evidence>
#end
#foreach($evidence in $dependency.getProductEvidence())
<evidence type="product" confidence="$enc.xml($evidence.getConfidence().toString())">
<source>$enc.xml($evidence.getSource())</source>
<name>$enc.xml($evidence.getName())</name>
<value>$enc.xml($evidence.getValue().trim())</value>
</evidence>
#end
#foreach($evidence in $dependency.getVersionEvidence())
<evidence type="version" confidence="$enc.xml($evidence.getConfidence().toString())">
<source>$enc.xml($evidence.getSource())</source> <source>$enc.xml($evidence.getSource())</source>
<name>$enc.xml($evidence.getName())</name> <name>$enc.xml($evidence.getName())</name>
<value>$enc.xml($evidence.getValue().trim())</value> <value>$enc.xml($evidence.getValue().trim())</value>

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
View File

@@ -94,7 +94,7 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
try { try {
//callDetermineCPE_full("struts2-core-2.3.16.3.jar", "cpe:/a:apache:struts:2.3.16.3", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); //callDetermineCPE_full("struts2-core-2.3.16.3.jar", "cpe:/a:apache:struts:2.3.16.3", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("hazelcast-2.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("hazelcast-2.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:vmware:springsource_spring_framework:2.5.5", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);

1
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
View File

@@ -111,7 +111,6 @@ public class HintAnalyzerTest extends BaseTest {
assertTrue(evidence.contains(springTest3)); assertTrue(evidence.contains(springTest3));
//assertTrue(evidence.contains(springTest4)); //assertTrue(evidence.contains(springTest4));
//assertTrue(evidence.contains(springTest5)); //assertTrue(evidence.contains(springTest5));
} }
} }

119
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java Normal file
View File

@@ -0,0 +1,119 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import java.io.File;
import static org.hamcrest.CoreMatchers.containsString;
import static org.junit.Assert.*;
/**
* Unit tests for OpenSSLAnalyzerAnalyzer.
*
* @author Dale Visser <dvisser@ida.org>
*/
public class OpenSSLAnalyzerTest extends BaseTest {
/**
* The package analyzer to test.
*/
OpenSSLAnalyzer analyzer;
/**
* Setup the PtyhonPackageAnalyzer.
*
* @throws Exception if there is a problem
*/
@Before
public void setUp() throws Exception {
analyzer = new OpenSSLAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();
}
/**
* Cleanup any resources used.
*
* @throws Exception if there is a problem
*/
@After
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
}
/**
* Test of getName method, of class OpenSSLAnalyzer.
*/
@Test
public void testGetName() {
assertEquals("Analyzer name wrong.", "OpenSSL Source Analyzer",
analyzer.getName());
}
/**
* Test of supportsExtension method, of class PythonPackageAnalyzer.
*/
@Test
public void testAccept() {
assertTrue("Should support files named \"opensslv.h\".",
analyzer.accept(new File("opensslv.h")));
}
@Test
public void testVersionConstantExamples() {
final long[] constants = {0x1000203fL
, 0x00903000
, 0x00903001
, 0x00903002l
, 0x0090300f
, 0x0090301f
, 0x0090400f
, 0x102031af};
final String[] versions = {"1.0.2c",
"0.9.3-dev",
"0.9.3-beta1",
"0.9.3-beta2",
"0.9.3",
"0.9.3a",
"0.9.4",
"1.2.3z"};
assertEquals(constants.length, versions.length);
for (int i = 0; i < constants.length; i++) {
assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i]));
}
}
@Test
public void testOpenSSLVersionHeaderFile() throws AnalysisException {
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
this,
"openssl/opensslv.h"));
analyzer.analyze(result, null);
assertThat(result.getProductEvidence().toString(), containsString("OpenSSL"));
assertThat(result.getVendorEvidence().toString(), containsString("OpenSSL"));
assertThat(result.getVersionEvidence().toString(), containsString("1.0.2c"));
}
}

16
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java
View File

@@ -27,6 +27,7 @@ import java.util.zip.ZipInputStream;
import org.junit.Before; import org.junit.Before;
import org.owasp.dependencycheck.BaseTest; import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
/** /**
@@ -37,6 +38,8 @@ public abstract class BaseDBTestCase extends BaseTest {
protected final static int BUFFER_SIZE = 2048; protected final static int BUFFER_SIZE = 2048;
private final static Logger LOGGER = LoggerFactory.getLogger(BaseDBTestCase.class);
@Before @Before
public void setUp() throws Exception { public void setUp() throws Exception {
ensureDBExists(); ensureDBExists();
@@ -46,8 +49,11 @@ public abstract class BaseDBTestCase extends BaseTest {
java.io.File dataPath = Settings.getDataDirectory(); java.io.File dataPath = Settings.getDataDirectory();
String fileName = Settings.getString(Settings.KEYS.DB_FILE_NAME); String fileName = Settings.getString(Settings.KEYS.DB_FILE_NAME);
LOGGER.trace("DB file name {}", fileName);
java.io.File dataFile = new File(dataPath, fileName); java.io.File dataFile = new File(dataPath, fileName);
LOGGER.trace("Ensuring {} exists", dataFile.toString());
if (!dataPath.exists() || !dataFile.exists()) { if (!dataPath.exists() || !dataFile.exists()) {
LOGGER.trace("Extracting database to {}", dataPath.toString());
dataPath.mkdirs(); dataPath.mkdirs();
FileInputStream fis = null; FileInputStream fis = null;
ZipInputStream zin = null; ZipInputStream zin = null;
@@ -75,7 +81,7 @@ public abstract class BaseDBTestCase extends BaseTest {
dest.write(data, 0, count); dest.write(data, 0, count);
} }
} catch (Throwable ex) { } catch (Throwable ex) {
LoggerFactory.getLogger(BaseDBTestCase.class).error("", ex); LOGGER.error("", ex);
} finally { } finally {
try { try {
if (dest != null) { if (dest != null) {
@@ -83,14 +89,14 @@ public abstract class BaseDBTestCase extends BaseTest {
dest.close(); dest.close();
} }
} catch (Throwable ex) { } catch (Throwable ex) {
LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex); LOGGER.trace("", ex);
} }
try { try {
if (fos != null) { if (fos != null) {
fos.close(); fos.close();
} }
} catch (Throwable ex) { } catch (Throwable ex) {
LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex); LOGGER.trace("", ex);
} }
} }
} }
@@ -100,14 +106,14 @@ public abstract class BaseDBTestCase extends BaseTest {
zin.close(); zin.close();
} }
} catch (Throwable ex) { } catch (Throwable ex) {
LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex); LOGGER.trace("", ex);
} }
try { try {
if (fis != null) { if (fis != null) {
fis.close(); fis.close();
} }
} catch (Throwable ex) { } catch (Throwable ex) {
LoggerFactory.getLogger(BaseDBTestCase.class).trace("", ex); LOGGER.trace("", ex);
} }
} }
} }

111
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java
View File

@@ -39,10 +39,16 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
*/ */
@Test @Test
public void testOpen() throws Exception { public void testOpen() throws Exception {
CveDB instance = new CveDB(); CveDB instance = null;
instance.open(); try {
instance.commit(); instance = new CveDB();
instance.close(); instance.open();
instance.commit();
} finally {
if (instance != null) {
instance.close();
}
}
} }
/** /**
@@ -50,15 +56,18 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
*/ */
@Test @Test
public void testGetCPEs() throws Exception { public void testGetCPEs() throws Exception {
CveDB instance = new CveDB(); CveDB instance = null;
try { try {
instance = new CveDB();
String vendor = "apache"; String vendor = "apache";
String product = "struts"; String product = "struts";
instance.open(); instance.open();
Set<VulnerableSoftware> result = instance.getCPEs(vendor, product); Set<VulnerableSoftware> result = instance.getCPEs(vendor, product);
assertTrue(result.size() > 5); assertTrue(result.size() > 5);
} finally { } finally {
instance.close(); if (instance != null) {
instance.close();
}
} }
} }
@@ -68,9 +77,10 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
@Test @Test
public void testGetVulnerabilities() throws Exception { public void testGetVulnerabilities() throws Exception {
String cpeStr = "cpe:/a:apache:struts:2.1.2"; String cpeStr = "cpe:/a:apache:struts:2.1.2";
CveDB instance = new CveDB(); CveDB instance = null;
List<Vulnerability> results; List<Vulnerability> results;
try { try {
instance = new CveDB();
instance.open(); instance.open();
results = instance.getVulnerabilities(cpeStr); results = instance.getVulnerabilities(cpeStr);
assertTrue(results.size() > 5); assertTrue(results.size() > 5);
@@ -99,7 +109,9 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
assertTrue("Expected " + expected + ", but was not identified", found); assertTrue("Expected " + expected + ", but was not identified", found);
} finally { } finally {
instance.close(); if (instance != null) {
instance.close();
}
} }
} }
@@ -108,56 +120,61 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
*/ */
@Test @Test
public void testGetMatchingSoftware() throws Exception { public void testGetMatchingSoftware() throws Exception {
CveDB instance = null;
HashMap<String, Boolean> versions = new HashMap<String, Boolean>(); HashMap<String, Boolean> versions = new HashMap<String, Boolean>();
DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o"); DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE); versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE);
try {
instance = new CveDB();
Entry<String, Boolean> results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNull(results);
versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE);
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNull(results);
CveDB instance = new CveDB(); versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE);
Entry<String, Boolean> results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion); results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNull(results); Assert.assertNotNull(results);
versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE); Assert.assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNull(results);
versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE); versions.clear();
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNotNull(results);
Assert.assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());
versions.clear(); versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE);
versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE); versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE);
versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE); versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE); versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE); identifiedVersion = new DependencyVersion("3.2.2");
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE); results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE); Assert.assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey());
versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE); Assert.assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("3.2.12");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNull(results);
identifiedVersion = new DependencyVersion("3.2.2"); identifiedVersion = new DependencyVersion("4.0.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion); results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey()); Assert.assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
Assert.assertTrue(results.getValue()); Assert.assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("3.2.12"); identifiedVersion = new DependencyVersion("4.1.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion); results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNull(results); Assert.assertNull(results);
identifiedVersion = new DependencyVersion("4.0.0"); versions.clear();
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
Assert.assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("4.1.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNull(results);
versions.clear();
versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
identifiedVersion = new DependencyVersion("1.6.3");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNotNull(results);
versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
identifiedVersion = new DependencyVersion("1.6.3");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNotNull(results);
} finally {
if (instance != null) {
instance.close();
}
}
} }
} }

112
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java
View File

@@ -34,14 +34,20 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
*/ */
@Test @Test
public void testIsEmpty() throws Exception { public void testIsEmpty() throws Exception {
CveDB cveDB = new CveDB(); CveDB cveDB = null;
cveDB.open(); try {
DatabaseProperties instance = cveDB.getDatabaseProperties(); cveDB = new CveDB();
boolean expResult = false; cveDB.open();
boolean result = instance.isEmpty(); DatabaseProperties instance = cveDB.getDatabaseProperties();
//no exception means the call worked... whether or not it is empty depends on if the db is new boolean expResult = false;
//assertEquals(expResult, result); boolean result = instance.isEmpty();
cveDB.close(); //no exception means the call worked... whether or not it is empty depends on if the db is new
//assertEquals(expResult, result);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
} }
/** /**
@@ -54,18 +60,24 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
long expected = 1337; long expected = 1337;
updatedValue.setId(key); updatedValue.setId(key);
updatedValue.setTimestamp(expected); updatedValue.setTimestamp(expected);
CveDB cveDB = new CveDB(); CveDB cveDB = null;
cveDB.open(); try {
DatabaseProperties instance = cveDB.getDatabaseProperties(); cveDB = new CveDB();
instance.save(updatedValue); cveDB.open();
//reload the properties DatabaseProperties instance = cveDB.getDatabaseProperties();
cveDB.close(); instance.save(updatedValue);
cveDB = new CveDB(); //reload the properties
cveDB.open(); cveDB.close();
instance = cveDB.getDatabaseProperties(); cveDB = new CveDB();
cveDB.close(); cveDB.open();
long results = Long.parseLong(instance.getProperty("NVD CVE " + key)); instance = cveDB.getDatabaseProperties();
assertEquals(expected, results); long results = Long.parseLong(instance.getProperty("NVD CVE " + key));
assertEquals(expected, results);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
} }
/** /**
@@ -75,13 +87,19 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
public void testGetProperty_String_String() throws Exception { public void testGetProperty_String_String() throws Exception {
String key = "doesn't exist"; String key = "doesn't exist";
String defaultValue = "default"; String defaultValue = "default";
CveDB cveDB = new CveDB(); CveDB cveDB = null;
cveDB.open(); try {
DatabaseProperties instance = cveDB.getDatabaseProperties(); cveDB = new CveDB();
cveDB.close(); cveDB.open();
String expResult = "default"; DatabaseProperties instance = cveDB.getDatabaseProperties();
String result = instance.getProperty(key, defaultValue); String expResult = "default";
assertEquals(expResult, result); String result = instance.getProperty(key, defaultValue);
assertEquals(expResult, result);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
} }
/** /**
@@ -90,14 +108,20 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
@Test @Test
public void testGetProperty_String() throws DatabaseException { public void testGetProperty_String() throws DatabaseException {
String key = "version"; String key = "version";
CveDB cveDB = new CveDB(); CveDB cveDB = null;
cveDB.open(); try {
DatabaseProperties instance = cveDB.getDatabaseProperties(); cveDB = new CveDB();
cveDB.close(); cveDB.open();
String result = instance.getProperty(key); DatabaseProperties instance = cveDB.getDatabaseProperties();
double version = Double.parseDouble(result); String result = instance.getProperty(key);
assertTrue(version >= 2.8); double version = Double.parseDouble(result);
assertTrue(version <= 10); assertTrue(version >= 2.8);
assertTrue(version <= 10);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
} }
/** /**
@@ -105,11 +129,17 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
*/ */
@Test @Test
public void testGetProperties() throws DatabaseException { public void testGetProperties() throws DatabaseException {
CveDB cveDB = new CveDB(); CveDB cveDB = null;
cveDB.open(); try {
DatabaseProperties instance = cveDB.getDatabaseProperties(); cveDB = new CveDB();
cveDB.close(); cveDB.open();
Properties result = instance.getProperties(); DatabaseProperties instance = cveDB.getDatabaseProperties();
assertTrue(result.size() > 0); Properties result = instance.getProperties();
assertTrue(result.size() > 0);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
} }
} }

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java
View File

@@ -147,7 +147,7 @@ public class ReportGeneratorIntegrationTest extends BaseTest {
engine.cleanup(); engine.cleanup();
InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/DependencyCheck.xsd"); InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.3.xsd");
StreamSource xsdSource = new StreamSource(xsdStream); StreamSource xsdSource = new StreamSource(xsdStream);
StreamSource xmlSource = new StreamSource(new File(writeTo)); StreamSource xmlSource = new StreamSource(new File(writeTo));
SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);

5
dependency-check-core/src/test/resources/dependencycheck.properties
View File

@@ -40,7 +40,8 @@ data.driver_name=org.h2.Driver
data.driver_path= data.driver_path=
# the path to the cpe xml file # the path to the cpe xml file
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz #cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
# the path to the cpe meta data file. # the path to the cpe meta data file.
cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta
@@ -61,8 +62,6 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml #cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cpe.validfordays=30 cpe.validfordays=30
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.enabled=true analyzer.nexus.enabled=true

9
dependency-check-core/src/test/resources/logback-test.xml
View File

@@ -7,11 +7,14 @@
<pattern>[%level] %msg%n</pattern> <pattern>[%level] %msg%n</pattern>
</encoder> </encoder>
</appender> </appender>
<root level="INFO"> <root level="DEBUG">
<appender-ref ref="console"/> <appender-ref ref="console"/>
</root> </root>
<logger name="org.owasp.dependencycheck.analyzer.AssemblyAnalyzerTest" additivity="false" level="WARN"> <logger name="org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase" additivity="false" level="TRACE">
<appender-ref ref="console"/>
</logger>
<!--logger name="org.owasp.dependencycheck.analyzer.AssemblyAnalyzerTest" additivity="false" level="WARN">
<appender-ref ref="console"/> <appender-ref ref="console"/>
</logger> </logger>
<logger name="org.owasp.dependencycheck.data.central.CentralSearchTest" additivity="false" level="WARN"> <logger name="org.owasp.dependencycheck.data.central.CentralSearchTest" additivity="false" level="WARN">
@@ -19,5 +22,5 @@
</logger> </logger>
<logger name="org.owasp.dependencycheck.data.nexus.NexusSearchTest" additivity="false" level="WARN"> <logger name="org.owasp.dependencycheck.data.nexus.NexusSearchTest" additivity="false" level="WARN">
<appender-ref ref="console"/> <appender-ref ref="console"/>
</logger> </logger-->
</configuration> </configuration>

97
dependency-check-core/src/test/resources/openssl/opensslv.h Normal file
View File

@@ -0,0 +1,97 @@
#ifndef HEADER_OPENSSLV_H
# define HEADER_OPENSSLV_H
#ifdef __cplusplus
extern "C" {
#endif
/*-
* Numeric release version identifier:
* MNNFFPPS: major minor fix patch status
* The status nibble has one of the values 0 for development, 1 to e for betas
* 1 to 14, and f for release. The patch level is exactly that.
* For example:
* 0.9.3-dev 0x00903000
* 0.9.3-beta1 0x00903001
* 0.9.3-beta2-dev 0x00903002
* 0.9.3-beta2 0x00903002 (same as ...beta2-dev)
* 0.9.3 0x0090300f
* 0.9.3a 0x0090301f
* 0.9.4 0x0090400f
* 1.2.3z 0x102031af
*
* For continuity reasons (because 0.9.5 is already out, and is coded
* 0x00905100), between 0.9.5 and 0.9.6 the coding of the patch level
* part is slightly different, by setting the highest bit. This means
* that 0.9.5a looks like this: 0x0090581f. At 0.9.6, we can start
* with 0x0090600S...
*
* (Prior to 0.9.3-dev a different scheme was used: 0.9.2b is 0x0922.)
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x1000203fL
# ifdef OPENSSL_FIPS
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c-fips 12 Jun 2015"
# else
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c 12 Jun 2015"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
* versioning. That kind of versioning works a bit differently between
* operating systems. The most usual scheme is to set a major and a minor
* number, and have the runtime loader check that the major number is equal
* to what it was at application link time, while the minor number has to
* be greater or equal to what it was at application link time. With this
* scheme, the version number is usually part of the file name, like this:
*
* libcrypto.so.0.9
*
* Some unixen also make a softlink with the major verson number only:
*
* libcrypto.so.0
*
* On Tru64 and IRIX 6.x it works a little bit differently. There, the
* shared library version is stored in the file, and is actually a series
* of versions, separated by colons. The rightmost version present in the
* library when linking an application is stored in the application to be
* matched at run time. When the application is run, a check is done to
* see if the library version stored in the application matches any of the
* versions in the version string of the library itself.
* This version string can be constructed in any way, depending on what
* kind of matching is desired. However, to implement the same scheme as
* the one used in the other unixen, all compatible versions, from lowest
* to highest, should be part of the string. Consecutive builds would
* give the following versions strings:
*
* 3.0
* 3.0:3.1
* 3.0:3.1:3.2
* 4.0
* 4.0:4.1
*
* Notice how version 4 is completely incompatible with version, and
* therefore give the breach you can see.
*
* There may be other schemes as well that I haven't yet discovered.
*
* So, here's the way it works here: first of all, the library version
* number doesn't need at all to match the overall OpenSSL version.
* However, it's nice and more understandable if it actually does.
* The current library version is stored in the macro SHLIB_VERSION_NUMBER,
* which is just a piece of text in the format "M.m.e" (Major, minor, edit).
* For the sake of Tru64, IRIX, and any other OS that behaves in similar ways,
* we need to keep a history of version numbers, which is done in the
* macro SHLIB_VERSION_HISTORY. The numbers are separated by colons and
* should only keep the versions that are binary compatible with the current.
*/
# define SHLIB_VERSION_HISTORY ""
# define SHLIB_VERSION_NUMBER "1.0.0"
#ifdef __cplusplus
}
#endif
#endif /* HEADER_OPENSSLV_H */

4
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -225,6 +225,10 @@ public final class Settings {
* The properties key for whether the Central analyzer is enabled. * The properties key for whether the Central analyzer is enabled.
*/ */
public static final String ANALYZER_CENTRAL_ENABLED = "analyzer.central.enabled"; public static final String ANALYZER_CENTRAL_ENABLED = "analyzer.central.enabled";
/**
* The properties key for whether the OpenSSL analyzer is enabled.
*/
public static final String ANALYZER_OPENSSL_ENABLED = "analyzer.openssl.enabled";
/** /**
* The properties key for the Central search URL. * The properties key for the Central search URL.
*/ */

26
pom.xml
View File

@@ -245,6 +245,11 @@ Copyright (c) 2012 - Jeremy Long
<artifactId>maven-surefire-plugin</artifactId> <artifactId>maven-surefire-plugin</artifactId>
<version>2.18.1</version> <version>2.18.1</version>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-antrun-plugin</artifactId>
<version>1.8</version>
</plugin>
</plugins> </plugins>
</pluginManagement> </pluginManagement>
<plugins> <plugins>
@@ -336,6 +341,27 @@ Copyright (c) 2012 - Jeremy Long
<skipDeploy>true</skipDeploy> <skipDeploy>true</skipDeploy>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<inherited>false</inherited>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-antrun-plugin</artifactId>
<version>1.8</version>
<executions>
<execution>
<id>copy-xsd</id>
<phase>compile</phase>
<goals>
<goal>run</goal>
</goals>
<configuration>
<target name="copy xsd to site">
<copy file="dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd" todir="target/site/"/>
</target>
</configuration>
</execution>
</executions>
</plugin>
</plugins> </plugins>
</build> </build>
<reporting> <reporting>

11
src/site/markdown/analyzers/autoconf-analyzer.md Normal file
View File

@@ -0,0 +1,11 @@
Autoconf Analyzer
=================
OWASP dependency-check includes an analyzer that will scan Autoconf project
configuration files. The analyzer will collect as much information it can
about the project. The information collected is internally referred to as
evidence and is grouped into vendor, product, and version buckets. Other
analyzers later use this evidence to identify any Common Platform Enumeration
(CPE) identifiers that apply.
File names scanned: configure, configure.in, configure.ac

2
src/site/markdown/analyzers/index.md
View File

@@ -5,8 +5,10 @@ to extract identification information from the files analyzed.
- [Archive Analyzer](./archive-analyzer.html) - [Archive Analyzer](./archive-analyzer.html)
- [Assembly Analyzer](./assembly-analyzer.html) - [Assembly Analyzer](./assembly-analyzer.html)
- [Autoconf Analyzer](./autoconf-analyzer.html)
- [Central Analyzer](./central-analyzer.html) - [Central Analyzer](./central-analyzer.html)
- [Jar Analyzer](./jar-analyzer.html) - [Jar Analyzer](./jar-analyzer.html)
- [Nexus Analyzer](./nexus-analyzer.html) - [Nexus Analyzer](./nexus-analyzer.html)
- [Nuspec Analyzer](./nuspec-analyzer.html) - [Nuspec Analyzer](./nuspec-analyzer.html)
- [OpenSSL Analyzer](./openssl-analyzer.html)
- [Python Analyzer](./python-analyzer.html) - [Python Analyzer](./python-analyzer.html)

10
src/site/markdown/analyzers/openssl-analyzer.md Normal file
View File

@@ -0,0 +1,10 @@
OpenSSL Analyzer
================
OWASP dependency-check includes an analyzer that will scan OpenSSL source code
files for the OpenSSL version information. The information collected is
internally referred to as evidence and is grouped into vendor, product, and
version buckets. Other analyzers later use this evidence to identify any
Common Platform Enumeration (CPE) identifiers that apply.
File names scanned: opensslv.h

4
src/site/markdown/index.md
View File

@@ -4,7 +4,9 @@ OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry:
[A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities). [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
Dependency-check can currently be used to scan Java, .NET, and Python Dependency-check can currently be used to scan Java, .NET, and Python
applications (and their dependent libraries) to identify known vulnerable applications (and their dependent libraries) to identify known vulnerable
components. components. In addition, Dependency-check can be used to scan some source
code, including OpenSSL source code and source code for projects that use
Autoconf.
The problem with using known vulnerable components was covered in a paper by The problem with using known vulnerable components was covered in a paper by
Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of

6
src/site/site.xml
View File

@@ -124,6 +124,12 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<item name="Nuspec Analyzer" href="./analyzers/nuspec-analyzer.html"> <item name="Nuspec Analyzer" href="./analyzers/nuspec-analyzer.html">
<description>Nuspec Analyzer</description> <description>Nuspec Analyzer</description>
</item> </item>
<item name="Autoconf Analyzer" href="./analyzers/autoconf-analyzer.html">
<description>Autoconf Analyzer</description>
</item>
<item name="OpenSSL Analyzer" href="./analyzers/openssl-analyzer.html">
<description>OpenSSL Analyzer</description>
</item>
</item> </item>
<item collapse="true" name="Modules" href="./modules.html"> <item collapse="true" name="Modules" href="./modules.html">
<item name="dependency-check-cli" href="./dependency-check-cli/index.html"> <item name="dependency-check-cli" href="./dependency-check-cli/index.html">