From 69ebb53a059ff86abd7a14ce44f39ee94c1ab2dc Mon Sep 17 00:00:00 2001
From: Will Stranathan
Date: Wed, 26 Mar 2014 23:02:17 -0400
Subject: [PATCH 1/2] Squashed commit of the following:
commit 1d1a06a5ae7ea4f6e3adbf5a4b8163eba50562a3
Author: Will Stranathan
Date: Wed Mar 26 22:59:15 2014 -0400
Updated unit tests and logging
commit bb00174e62c9657809d6e5a9cde7c7308d905593
Author: Will Stranathan
Date: Wed Mar 26 22:20:28 2014 -0400
Updated GrokAssembly to not fail if the vendor can't be gotten
commit 27f7c9366acca8abbff9c6e9fa9ce1a1329da887
Author: Will Stranathan
Date: Wed Mar 26 22:18:33 2014 -0400
Updated unit test to not care about version number
Former-commit-id: e700a5f81b7b0f6d6ccf392e846723e67fff591c
---
 .../analyzer/AssemblyAnalyzer.java | 15 ++++-
 .../src/main/resources/GrokAssembly.exe | Bin 5120 -> 5632 bytes
 .../analyzer/AssemblyAnalyzerTest.java | 55 +++++++++++++++---
 3 files changed, 61 insertions(+), 9 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index 4857e8f5d..52f5f3911 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -71,7 +71,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 /**
 * Logger
 */
- private static final Logger LOG = Logger.getLogger(AbstractAnalyzer.class.getName());
+ private static final Logger LOG = Logger.getLogger(AssemblyAnalyzer.class.getName());
 /**
 * Builds the beginnings of a List for ProcessBuilder
@@ -113,6 +113,19 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 final ProcessBuilder pb = new ProcessBuilder(args);
 try {
 final Process proc = pb.start();
+ int rc = 0;
+ try {
+ rc = proc.waitFor();
+ } catch (InterruptedException ie) {
+ return;
+ }
+ if (rc == 3) {
+ LOG.info(dependency.getActualFilePath() + " is not a valid assembly");
+ return;
+ } else if (rc != 0) {
+ LOG.warning("Return code " + rc + " from GrokAssembly");
+ }
+
 final Document doc = builder.parse(proc.getInputStream());
 final XPath xpath = XPathFactory.newInstance().newXPath();
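Review bot: The `catch (InterruptedException ie)` branch returns without restoring the interrupt flag, so a cancellation that arrives while waiting on GrokAssembly is silently dropped and whatever drives the analysis cannot observe it; the same construct is carried over verbatim where PATCH 2/2 relocates it (hunk @@ -153,6 +151,19). Add `Thread.currentThread().interrupt();` before the `return;` in both places. The `rc != 0` branch only logs and then still hands stdout to `builder.parse`, which is fine only if GrokAssembly is known to emit well-formed XML on every non-zero exit other than 3; a comment stating that would save the next reader from wondering. The enclosing method starts and ends outside the hunk.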
diff --git a/dependency-check-core/src/main/resources/GrokAssembly.exe b/dependency-check-core/src/main/resources/GrokAssembly.exe index 9c395259e102267f61e693c41e80889a2bd5b815..3324e28e858916827baf2c4e25c9ec4bb505dd8f 100755 GIT binary patch delta 1768 zcmZ8iTTEO<82;w$p54RQa^Re$3oR@h*Z>Q-WD9Mwi$yLiP+Fxbz1XIqa@oK}+(Qpr zZ4=WaRnv+VCDX)|1~oqTU?0?AOuW2Q)1>;MCdQ;uRH}&@AAB*!*fjXhEYy}s=9_=M z|1vY*%*mOF&fNFP`I@VKzC1Y;n}7R|Q5*yI38E9&-AM_e?V+wfg&hHYD*!xl4j-Q{j2o3ov=Y!8%i~@g zQuvUvlXdXRN>whZ6YZveDP=DG5^ab@1H?F+2uk(DmyC*r7NWGg-qt}CH8)7Hj-Te5 zdrp{?qiYT=sOM|FBWi^f+>dFD((&@O%JjsuYqg3*XfZ)y)XdQk^vcAjMRvhgv=WQb z8hWWyLYSqb@}O#}$wpe;ROiy62W+{I@9ylwR6`5SW(vM*FUvyMx@FoNOs_2cz2^RL zC#Ap%iTF~n{#{v`duwAznTXi3F)YB=MJRB#Zghs%odr%g`GWpXP)jt4o%l^{A?VZG zhV_V?X8N3pdkdIa>0?37)J*?ey5o!0)z!SZ%e~@6_vqg$%52pCFp)z4Cusa%|1J8m zcxH9W1jrZEoG^0GeI#txn4p1Qs1HzYA=O1V-4avQ_yaU1h!>Ksw`*jyi)*EzPO|C7 zXa=nF-NcJJbUCbhaBnxuyFsrDPi=3GH}ebLqV_i^Dsl$cL{Ih;>XE^$o6d|+i%Qoi z{UX(j92~?kTAFr*NZ-N!-84?p{26}3TW^MGMnz;78>r`|x`kcgO=>LXXIG%ZVzY#0 z662ED$$FTM!_uCS_9f|kSK>{{LlH4GipXu0_^`wY$-gY|Es38=yeaXP#E?hiZnHgm zJvzobXT|rpcKo~y#VDn+5Ah$>a?h;d^4n@ht^v0ZK|iWk6iL*vN<4xctXVRx7{)Qy zh9j6@9caJ_79l*%dT;`-v3}ouxF!JuAy}g&Cp%NcTyecs*@pFk^OS~a*MdI&-49&QO3xpo_I$?nQMHpoN5|%T; zN0>@SXp(#@D<}JYHpoulD7-UyNd`)=Nb1mWND;s*?6u~ygtYGE-dyVN`&i3(Dto-g zbsZN6Qm3+q-E=nPqCb;uZ9)DGVV9E`9nM0!9!zIae7DwZh_wADvlvWeY2eRmqnmrv zlc@nG+v}XnjP;xvO-*IfPG;#>tx>V7hv8xz({z$aq>v#yiwW3xnl5A-HZKY^76y7r zdEvH!D!w&vxh&X4&S_$v#0Ys#3s0?$5zYg(#VaeT=a#OW?R)VXbN|Ju^B?i+f!c9c zVHJu|QQ@Vp&hWuwP$SzgR4^+hkXd0L*-5kAZ!6&nE2((G)((#i!)wFp5zw#N2wO=C z*1|@Kzd*B8%d}!vm;$XNd3f8Vzv(kdto=8Hx&txZWo}hEWBh30`#i4L+%V1rut@hJ op6uel(yK;0D@r0kB5X$-+vs(+Ed5+mt0<4RFPYY#Y(DP)56-|B@c;k- delta 1341 zcmZ9MTWFj`6vxk*{cihZ^CjQ6aW^q;-OZ-WCfg0$o8673ZCcT`UPG)#X*5VgRw1jK zK6oR$f{H|2Oh*t?iZ>9isB9H{XhD23K3L3CEh)j^lMe+25k%vEW<%2CgZa&W&YW{* z=FHC4w%0OmyxR3zdu)VOzavzn9Mv-JuKzhz^HlQ&E}XN8Fd1 zU`e7yp*Zl6Zm#~ zG-~^{Z=EXbpI=#7X%uHsop#%X^8Kc=te3CDT~xQdZ4n>@$uA7E7)Npop+mcsl?XMW 
z4pi_%v~FmW0czbokCDpa%Y@l8I3bAA(?l21PvFwiBPS}Q$;YQu#BR7n;GI4;LI-f4 z$VBPej~%%c{k<4Z$QR9?YzIaN)=e#xLc?9_Mb%g}HBU4m7tCDsU;30>3Uk0Nb+gj@ zw0?kRpeHpy(w2Fxf7bk4vsI|5y_$DxKB+mQ`GMvI%}e4B;Zh{jr+&zd0)W_ygJZ<8 z(4c(B>J04^56Sb^{%R2~DosbImoqd(dpJiA(sAAeUE={7rZ@RE=y&-jmFR2e5?$bX z=vlg??Z0YX<@*q&bc(hM#_S<1I16r}w>96>9M=3;^DE77tGfG6^9PWrpMIn%aDiS1 zFVipJGA)6>Yx|$*`{^HT4>5B;HF1&0=^z=k#(4{EV`DfvK0Gfnv}$0K3tFt(OrlXf zT2DI`%j4l8`C0hUdbisvWI2+N-$!1+^PsZ}ubf4=KLLYQY3B&aw3!ndP7O_j3fnn6pCh&5s QtwPjpuKR6Qc{XqV59bre!2kdN diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java index 19c1f57ed..0aa96abd3 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java @@ -17,14 +17,17 @@ */ package org.owasp.dependencycheck.analyzer; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; +import static org.junit.Assume.assumeFalse; + import java.io.File; import java.util.logging.Level; import java.util.logging.Logger; + import org.junit.After; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; import org.junit.Assume; -import static org.junit.Assume.assumeFalse; import org.junit.Before; import org.junit.Test; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; 
@@ -75,7 +78,21 @@ public class AssemblyAnalyzerTest {
 File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("GrokAssembly.exe").getPath());
 Dependency d = new Dependency(f);
 analyzer.analyze(d, null);
- assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.0.5176.23901", Confidence.HIGHEST)));
+ boolean foundVendor = false;
+ for (Evidence e : d.getVendorEvidence().getEvidence("grokassembly", "vendor")) {
+ if ("OWASP".equals(e.getValue())) {
+ foundVendor = true;
+ }
+ }
+ assertTrue(foundVendor);
+
+ boolean foundProduct = false;
+ for (Evidence e : d.getProductEvidence().getEvidence("grokassembly", "product")) {
+ if ("GrokAssembly".equals(e.getValue())) {
+ foundProduct = true;
+ }
+ }
+ assertTrue(foundProduct);
 }
 @Test
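Review bot: The two new scan loops are the same code with a different evidence set and expected value, and the bare `assertTrue(foundVendor)` / `assertTrue(foundProduct)` report nothing but "false" when they fail. A small private helper that takes the evidence iterable and the expected value and returns whether any `e.getValue()` matches would collapse both loops, and passing a message — `assertTrue("no OWASP vendor evidence from grokassembly", foundVendor);` — makes a failure self-describing. A `break` once a match is found is also cheap, though with evidence sets this small it is cosmetic.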
@@ -88,15 +105,29 @@ public class AssemblyAnalyzerTest {
 assertTrue(d.getProductEvidence().getEvidence().contains(new Evidence("grokassembly", "product", "log4net", Confidence.HIGH)));
 }
- @Test(expected = AnalysisException.class)
- public void testNonexistent() throws Exception {
+ @Test
+ public void testNonexistent() {
+ Level oldLevel = Logger.getLogger(AssemblyAnalyzer.class.getName()).getLevel();
+ Level oldDependency = Logger.getLogger(Dependency.class.getName()).getLevel();
+ // Tweak the log level so the warning doesn't show in the console
+ Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(Level.OFF);
+ Logger.getLogger(Dependency.class.getName()).setLevel(Level.OFF);
 File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
 File test = new File(f.getParent(), "nonexistent.dll");
 Dependency d = new Dependency(test);
- analyzer.analyze(d, null);
+
+ try {
+ analyzer.analyze(d, null);
+ fail("Expected an AnalysisException");
+ } catch (AnalysisException ae) {
+ assertEquals("File does not exist", ae.getMessage());
+ } finally {
+ Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(oldLevel);
+ Logger.getLogger(Dependency.class.getName()).setLevel(oldDependency);
+ }
 }
- @Test(expected = AnalysisException.class)
+ @Test
 public void testWithSettingMono() throws Exception {
 //This test doesn't work on Windows.
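Review bot: The two `setLevel(Level.OFF)` calls run before the `try`, while `getResource("log4net.dll").getPath()` and `new Dependency(test)` sit between them and the `finally`; if either of those throws, the `AssemblyAnalyzer` and `Dependency` loggers stay at OFF for the rest of the JVM and every later test runs silenced. Move the comment and the two `Logger.getLogger(...).setLevel(Level.OFF);` lines to the top of the `try` block so the `finally` always restores them (the `testWithSettingMono` hunk below already does it that way). `assertEquals("File does not exist", ae.getMessage())` also pins the test to a message string produced outside this diff; unless that text is a published constant, asserting on the exception type alone is less brittle.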
@@ -113,12 +144,20 @@ public class AssemblyAnalyzerTest {
 Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, "/yooser/bine/mono");
 }
+ Level oldLevel = Logger.getLogger(AssemblyAnalyzer.class.getName()).getLevel();
 try {
+ // Tweak the logging to swallow the warning when testing
+ Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(Level.OFF);
 // Have to make a NEW analyzer because during setUp, it would have gotten the correct one
 AssemblyAnalyzer aanalyzer = new AssemblyAnalyzer();
 aanalyzer.supportsExtension("dll");
 aanalyzer.initialize();
+ fail("Expected an AnalysisException");
+ } catch (AnalysisException ae) {
+ assertEquals("An error occured with the .NET AssemblyAnalyzer", ae.getMessage());
 } finally {
+ // Recover the logger
+ Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(oldLevel);
 // Now recover the way we came in. If we had to set a System property, delete it. Otherwise,
 // reset the old value
 if (oldValue == null) {
From 53e67dfb2764b254081292e88e541c78b38e183b Mon Sep 17 00:00:00 2001
From: Will Stranathan
Date: Thu, 27 Mar 2014 17:34:45 -0400
Subject: [PATCH 2/2] Updated waitFor semantics
Former-commit-id: 1080c4eca42029535508f2503ac0a76e853a7fcc
---
 .../analyzer/AssemblyAnalyzer.java | 44 ++++++++++++------
 .../src/main/resources/GrokAssembly.exe | Bin 5632 -> 5632 bytes
 2 files changed, 31 insertions(+), 13 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index 52f5f3911..6f6ee4291 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
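Review bot: `assertEquals("An error occured with the .NET AssemblyAnalyzer", ae.getMessage())` ties the test to the exact wording, misspelling included, of a message raised in production code outside this diff, so correcting "occured" there breaks this test without touching it. The `catch (AnalysisException ae)` already proves the type; either drop the message assertion or compare against a constant shared with `AssemblyAnalyzer`. `testWithSettingMono` continues past the end of the hunk, so the rest of the `finally` is not visible here.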
@@ -17,20 +17,24 @@
 */
 package org.owasp.dependencycheck.analyzer;
+import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
+
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
@@ -113,19 +117,13 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 final ProcessBuilder pb = new ProcessBuilder(args);
 try {
 final Process proc = pb.start();
+ // Try evacuating the error stream
+ final BufferedReader rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream()));
+ String line = null;
+ while ((line = rdr.readLine()) != null) {
+ LOG.warning("Error from GrokAssembly: " + line);
+ }
 int rc = 0;
- try {
- rc = proc.waitFor();
- } catch (InterruptedException ie) {
- return;
- }
- if (rc == 3) {
- LOG.info(dependency.getActualFilePath() + " is not a valid assembly");
- return;
- } else if (rc != 0) {
- LOG.warning("Return code " + rc + " from GrokAssembly");
- }
-
 final Document doc = builder.parse(proc.getInputStream());
 final XPath xpath = XPathFactory.newInstance().newXPath();
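Review bot: Draining `proc.getErrorStream()` to EOF before `proc.getInputStream()` is read is a deadlock pattern: if GrokAssembly writes more XML to stdout than the pipe buffers before it closes stderr, the child blocks on stdout, this loop blocks on stderr, and the analyzer hangs on that one file; the @@ -208,7 +219,14 hunk adds the same sequence to `initialize()`. Either drain stderr on a separate thread, or (Java 7+) call `pb.redirectError(ProcessBuilder.Redirect.INHERIT)` and drop the loop — the latter sends the text to the console rather than through `LOG.warning`, so choose by where the warnings need to land. `new InputStreamReader(proc.getErrorStream())` also decodes with the platform charset; pass `"UTF-8"` explicitly, and close `rdr` once EOF is reached. `builder` is created outside this hunk; because the document it parses carries metadata read from arbitrary assemblies, it is worth confirming that DTD and external-entity processing are disabled on its factory.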
@@ -153,6 +151,19 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 product, Confidence.HIGH));
 }
+ try {
+ rc = proc.waitFor();
+ } catch (InterruptedException ie) {
+ return;
+ }
+ if (rc == 3) {
+ LOG.info(dependency.getActualFilePath() + " is not a valid assembly");
+ return;
+ } else if (rc != 0) {
+ LOG.warning("Return code " + rc + " from GrokAssembly");
+ }
+
+
 } catch (IOException ioe) {
 throw new AnalysisException(ioe);
 } catch (SAXException saxe) {
@@ -208,7 +219,14 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 // Now, need to see if GrokAssembly actually runs from this location.
 final List args = buildArgumentList();
 try {
- final Process p = new ProcessBuilder(args).start();
+ final ProcessBuilder pb = new ProcessBuilder(args);
+ final Process p = pb.start();
+ // Try evacuating the error stream
+ final BufferedReader rdr = new BufferedReader(new InputStreamReader(p.getErrorStream()));
+ String line = null;
+ while ((line = rdr.readLine()) != null) {
+ // We expect this to complain
+ }
 final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
 final XPath xpath = XPathFactory.newInstance().newXPath();
 final String error = xpath.evaluate("/assembly/error", doc);
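Review bot: The `rc == 3` early return now sits after `builder.parse(proc.getInputStream())` and the evidence loop, so it is only reached when GrokAssembly's stdout was already well-formed XML; if the tool writes nothing usable for an invalid assembly, the `SAXException` path in the next `catch` runs first and the "is not a valid assembly" message is never logged — worth checking against what GrokAssembly actually emits on exit code 3. If the XML is always complete, the `return;` after `LOG.info` no longer prevents any work and can go, leaving the exit code as a logging concern only. `int rc = 0;` is declared in the previous hunk, some forty lines from this use; declaring it next to the `waitFor()` call reads better. The enclosing method continues outside the hunk.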
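Review bot: The `while ((line = rdr.readLine()) != null)` loop in `initialize()` assigns `line` and never reads it, leaving a local whose only purpose is to be discarded. `while (rdr.readLine() != null) { /* GrokAssembly complains when run without an assembly; output intentionally discarded */ }` says the same without the dead variable, or log each line at `Level.FINE` so a genuinely broken install stays diagnosable. As with the analyze hunk earlier in this patch, reading stderr to EOF before stdout can stall if the child fills the stdout pipe first. `initialize()` continues outside the hunk.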
diff --git a/dependency-check-core/src/main/resources/GrokAssembly.exe b/dependency-check-core/src/main/resources/GrokAssembly.exe index 3324e28e858916827baf2c4e25c9ec4bb505dd8f..0cea03759a903de123293b159454387cbaf52851 100755 GIT binary patch delta 1379 zcmZ8gZD?Cn7=GV#bCY{-)0^I#m{w!DWa+x3OGiU3q_b-qzqV4aNY}~Av{VeW3f>tb zI9HlZ5$4CldWIjJBKk+C2ukpW!eHXB{jxHDD0BE@4h3-vf)t0~b52{GJ@7u~eV_L^ z@A+OTE)`!sVHj`Rviw3?bQYICIOwkKA{r;OQKJ3EayBlrJR`cI@@ZboP*G)&fC)0` z+;$?%CNgwPVfk3B&+QcXn~0pARG&d>EbkXXoRg=;wnn>CKFJuET**5S?8#x2Rf`iH z2_lHCT2;B0asw1~I-K%-8~PT6`6!?@-wKR}>{U>lcM-G)F<>3aRNVB;!5)t?xx8q|FW(~=j;dq{q7)!zDdQFh=fJyv=BAglJ#Rz*T7 zZrCb2`=9K#Ah|XB)n?WX+L4P#l5wky3m`AzSu63dRlB&Uu)J{4A%{ZUooavG|2wxU zO0;oq^371k+>Iy}?x{QoCEB~NyJ5e>!Z2)@1$xCFfc*(m+uv+BFzUx~o`ZG4#{s}2 z+T?#kr0T?F+T6K!0i|+_L_ecHg@=%vtk>oroqJr3Sb!`Fb#7{sPT-Dl^px8-HFgL3 z*AX9)$IYF)Qi#-gl&Oi-yTJWxU&YE)j_4VA!R&4PO&^j&Hv8;Q7b|~Q<2{;rn4br8 zTw_!7-)jCZ%?P2gd5xn&RhZMbsPVMM&oy4qcvYiqY&RSlGN#o-PpqE?P%W&D+EMUM z`F1#EJRqv_YKLP)sUxC*&Z}1xY7FK+mUEWP8zKb8BeH2<+zl({)>@n;d4d0kT+FOSz zwui^Nm3*q1v%)M7+m+aX>XY?*YxDJLjpnNL8Tr1w5T2~oC!VM`b54(tK{PMFj4t52 zQSig94|NTn+5hUbXFnbL_~0q|V(X4+7H){xbxmSF3zz&t7;ecMh-5_iX1^qiwBKuF zNGaGagfissRZuZAl=e$tt+bnn*p_elo}cv#kozTMWQV&Jqc!#WHkw4= yW+pMp(rsI8nLRdvug-+N`C8iuw+`Z<`l&<%RHlLEWp9TNnW3ha_>GtQBL4sul+QT; delta 1655 zcmZ8hU2Icj7=FHU`g7W@$Mtk{ldapC%|cW=(*^9%XKUkLtvIY5je2LqX}gO~d3Nw> z@WW04zlQ)_*$8;eW|LX1rK^E(V`Y;M`!#P^+blZ0D_YHTI!xNl0VlMJ`PU3Uq$6aU z5<+=6`>kNn#9TT`v%QlQ4L8nMCrI0H&q|d!VZ&j=@M5hGWv#@V`x#~0B&}*ygtIR# z)p|sRmJ*`r*iMSLPbH=;>Y?x0Nu=2$T<(++i%hDF`(ysLMs|<+FXj_lY&FMED|5vB zi8*JD*R5Ag%Njo$?w>2Zkdq+gluLLpso^fHj;N3kkFE}jh~*C(a@MYPCYPNdr;@&S zFi{;hvg_rX!I&`@4;XI4a)=QNI91+#y}o@r{q+y6u~h~=7;bTmLnP%Ik5MkI(c9vy z$S2t;z+H47WgVX1c>8%@ zm(OzX%0}yW`B+p_Y0E49zzwh9&rAo!4TNEd^TY~;O^VqpdPEpQN}o~sW##=y;a$Z; zlQEBJGPhCT9))9ye?#F13cpf#SK)%fgf4TNx9B_dFplbHzQ(<1=HwwR3_@lx*3jZJqY{UXyC+gxFF(UpV#>IVNrI36|`1ujmE521!Qh!1W zh)FyP-^}8o`pa+?JPmxI6h5gh9am(P_AvL}{Iy^}w2bD8hkIPtaWR;iEDpK(V$Mb1 
zM6tC6i?0paoQda;6ro&CsQFN3K-FyXh>DIgSx}rlhCN#)y|HsVlv6=fAV_ zx6brlxEBPBDy#pn6)3B0$Xl7NFk3Tmv0Nv!FZkm1wD4lc%2-JTT5a?gF@cg^*E!Z*DCCZhj86fB z0=xUXdnLb^*`