diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java index 1716388b1..ab77388dd 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java @@ -36,6 +36,10 @@ public enum AnalysisPhase { * Information collection phase. */ INFORMATION_COLLECTION, + /** + * Post information collection phase. + */ + POST_INFORMATION_COLLECTION, /** * Pre identifier analysis phase. */ diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java index 6e0968e3a..8f8415dca 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java @@ -84,7 +84,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer { /** * The phase that this analyzer is intended to run in. */ - private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS; + private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.FINAL; /** * Returns the name of the analyzer. @@ -130,7 +130,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer { * file. */ @Override - public void analyze(Dependency ignore, Engine engine) throws AnalysisException { + public synchronized void analyze(Dependency ignore, Engine engine) throws AnalysisException { if (!analyzed) { analyzed = true; final Set dependenciesToRemove = new HashSet(); @@ -162,6 +162,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer { } } else if (cpeIdentifiersMatch(dependency, nextDependency) && hasSameBasePath(dependency, nextDependency) + && vulnCountMatches(dependency, nextDependency) && fileNameMatch(dependency, nextDependency)) { if (isCore(dependency, nextDependency)) { mergeDependencies(dependency, nextDependency, dependenciesToRemove); @@ -169,20 +170,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer { mergeDependencies(nextDependency, dependency, dependenciesToRemove); break; //since we merged into the next dependency - skip forward to the next in mainIterator } - } else if ((main = getMainGemspecDependency(dependency, nextDependency)) != null) { - if (main == dependency) { - mergeDependencies(dependency, nextDependency, dependenciesToRemove); - } else { - mergeDependencies(nextDependency, dependency, dependenciesToRemove); - break; //since we merged into the next dependency - skip forward to the next in mainIterator - } - } else if ((main = getMainSwiftDependency(dependency, nextDependency)) != null) { - if (main == dependency) { - mergeDependencies(dependency, nextDependency, dependenciesToRemove); - } else { - mergeDependencies(nextDependency, dependency, dependenciesToRemove); - break; //since we merged into the next dependency - skip forward to the next in mainIterator - } } } } @@ -224,7 +211,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer { * @return a string representing the base path. */ private String getBaseRepoPath(final String path) { - int pos = path.indexOf("repository" + File.separator) + 11; + int pos; + if (path.contains("local-repo")) { + pos = path.indexOf("local-repo" + File.separator) + 11; + } else { + pos = path.indexOf("repository" + File.separator) + 11; + } if (pos < 0) { return path; } @@ -317,6 +309,19 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer { return matches; } + /** + * Returns true if the two dependencies have the same vulnerability count. + * + * @param dependency1 a dependency2 to compare + * @param dependency2 a dependency2 to compare + * @return true if the two dependencies have the same vulnerability count + */ + private boolean vulnCountMatches(Dependency dependency1, Dependency dependency2) { + return dependency1.getVulnerabilities() != null && dependency2.getVulnerabilities() != null + && dependency1.getVulnerabilities().size() == dependency2.getVulnerabilities().size(); + + } + /** * Determines if the two dependencies have the same base path. * @@ -341,7 +346,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer { return true; } - if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) { + if (left.matches(".*[/\\\\](repository|local-repo)[/\\\\].*") && right.matches(".*[/\\\\](repository|local-repo)[/\\\\].*")) { left = getBaseRepoPath(left); right = getBaseRepoPath(right); } @@ -357,96 +362,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer { return false; } - /** - * Bundling Ruby gems that are identified from different .gemspec files but - * denote the same package path. This happens when Ruby bundler installs an - * application's dependencies by running "bundle install". - * - * @param dependency1 dependency to compare - * @param dependency2 dependency to compare - * @return true if the the dependencies being analyzed appear to be the - * same; otherwise false - */ - private boolean isSameRubyGem(Dependency dependency1, Dependency dependency2) { - if (dependency1 == null || dependency2 == null - || !dependency1.getFileName().endsWith(".gemspec") - || !dependency2.getFileName().endsWith(".gemspec") - || dependency1.getPackagePath() == null - || dependency2.getPackagePath() == null) { - return false; - } - return dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath()); - } - - /** - * Ruby gems installed by "bundle install" can have zero or more *.gemspec - * files, all of which have the same packagePath and should be grouped. If - * one of these gemspec is from /specifications/*.gemspec, because - * it is a stub with fully resolved gem meta-data created by Ruby bundler, - * this dependency should be the main one. Otherwise, use dependency2 as - * main. - * - * This method returns null if any dependency is not from *.gemspec, or the - * two do not have the same packagePath. In this case, they should not be - * grouped. - * - * @param dependency1 dependency to compare - * @param dependency2 dependency to compare - * @return the main dependency; or null if a gemspec is not included in the - * analysis - */ - private Dependency getMainGemspecDependency(Dependency dependency1, Dependency dependency2) { - if (isSameRubyGem(dependency1, dependency2)) { - final File lFile = dependency1.getActualFile(); - final File left = lFile.getParentFile(); - if (left != null && left.getName().equalsIgnoreCase("specifications")) { - return dependency1; - } - return dependency2; - } - return null; - } - - /** - * Bundling same swift dependencies with the same packagePath but identified - * by different analyzers. - * - * @param dependency1 dependency to test - * @param dependency2 dependency to test - * @return true if the dependencies appear to be the same; - * otherwise false - */ - private boolean isSameSwiftPackage(Dependency dependency1, Dependency dependency2) { - if (dependency1 == null || dependency2 == null - || (!dependency1.getFileName().endsWith(".podspec") - && !dependency1.getFileName().equals("Package.swift")) - || (!dependency2.getFileName().endsWith(".podspec") - && !dependency2.getFileName().equals("Package.swift")) - || dependency1.getPackagePath() == null - || dependency2.getPackagePath() == null) { - return false; - } - return dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath()); - } - - /** - * Determines which of the swift dependencies should be considered the - * primary. - * - * @param dependency1 the first swift dependency to compare - * @param dependency2 the second swift dependency to compare - * @return the primary swift dependency - */ - private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) { - if (isSameSwiftPackage(dependency1, dependency2)) { - if (dependency1.getFileName().endsWith(".podspec")) { - return dependency1; - } - return dependency2; - } - return null; - } - /** * This is likely a very broken attempt at determining if the 'left' * dependency is the 'core' library in comparison to the 'right' library. @@ -469,10 +384,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer { || !rightName.contains("core") && leftName.contains("core") || !rightName.contains("kernel") && leftName.contains("kernel")) { returnVal = true; -// } else if (leftName.matches(".*struts2\\-core.*") && rightName.matches(".*xwork\\-core.*")) { -// returnVal = true; -// } else if (rightName.matches(".*struts2\\-core.*") && leftName.matches(".*xwork\\-core.*")) { -// returnVal = false; } else { /* * considered splitting the names up and comparing the components, @@ -577,4 +488,5 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer { private boolean containedInWar(String filePath) { return filePath == null ? false : filePath.matches(".*\\.(ear|war)[\\\\/].*"); } + } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java new file mode 100644 index 000000000..3ffbaeced --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java @@ -0,0 +1,270 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2012 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import java.io.File; +import java.util.HashSet; +import java.util.Iterator; +import java.util.ListIterator; +import java.util.Set; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Dependency; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + *

+ * This analyzer will merge dependencies, created from different source, into a + * single dependency.

+ * + * @author Jeremy Long + */ +public class DependencyMergingAnalyzer extends AbstractAnalyzer { + + // + /** + * The Logger. + */ + private static final Logger LOGGER = LoggerFactory.getLogger(DependencyMergingAnalyzer.class); + /** + * a flag indicating if this analyzer has run. This analyzer only runs once. + */ + private boolean analyzed = false; + + /** + * Returns a flag indicating if this analyzer has run. This analyzer only + * runs once. Note this is currently only used in the unit tests. + * + * @return a flag indicating if this analyzer has run. This analyzer only + * runs once + */ + protected boolean getAnalyzed() { + return analyzed; + } + + // + // + /** + * The name of the analyzer. + */ + private static final String ANALYZER_NAME = "Dependency Merging Analyzer"; + /** + * The phase that this analyzer is intended to run in. + */ + private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION; + + /** + * Returns the name of the analyzer. + * + * @return the name of the analyzer. + */ + @Override + public String getName() { + return ANALYZER_NAME; + } + + /** + * Returns the phase that the analyzer is intended to run in. + * + * @return the phase that the analyzer is intended to run in. + */ + @Override + public AnalysisPhase getAnalysisPhase() { + return ANALYSIS_PHASE; + } + + /** + * Does not support parallel processing as it only runs once and then + * operates on all dependencies. + * + * @return whether or not parallel processing is enabled + * @see #analyze(Dependency, Engine) + */ + @Override + public boolean supportsParallelProcessing() { + return false; + } + // + + /** + * Analyzes a set of dependencies. If they have been found to be the same + * dependency created by more multiple FileTypeAnalyzers (i.e. a gemspec + * dependency and a dependency from the Bundle Audit Analyzer. The + * dependencies are then merged into a single reportable item. + * + * @param ignore this analyzer ignores the dependency being analyzed + * @param engine the engine that is scanning the dependencies + * @throws AnalysisException is thrown if there is an error reading the JAR + * file. + */ + @Override + public synchronized void analyze(Dependency ignore, Engine engine) throws AnalysisException { + if (!analyzed) { + analyzed = true; + final Set dependenciesToRemove = new HashSet(); + final ListIterator mainIterator = engine.getDependencies().listIterator(); + //for (Dependency nextDependency : engine.getDependencies()) { + while (mainIterator.hasNext()) { + final Dependency dependency = mainIterator.next(); + if (mainIterator.hasNext() && !dependenciesToRemove.contains(dependency)) { + final ListIterator subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex()); + while (subIterator.hasNext()) { + final Dependency nextDependency = subIterator.next(); + Dependency main = null; + if ((main = getMainGemspecDependency(dependency, nextDependency)) != null) { + if (main == dependency) { + mergeDependencies(dependency, nextDependency, dependenciesToRemove); + } else { + mergeDependencies(nextDependency, dependency, dependenciesToRemove); + break; //since we merged into the next dependency - skip forward to the next in mainIterator + } + } else if ((main = getMainSwiftDependency(dependency, nextDependency)) != null) { + if (main == dependency) { + mergeDependencies(dependency, nextDependency, dependenciesToRemove); + } else { + mergeDependencies(nextDependency, dependency, dependenciesToRemove); + break; //since we merged into the next dependency - skip forward to the next in mainIterator + } + } + } + } + } + //removing dependencies here as ensuring correctness and avoiding ConcurrentUpdateExceptions + // was difficult because of the inner iterator. + engine.getDependencies().removeAll(dependenciesToRemove); + } + } + + /** + * Adds the relatedDependency to the dependency's related dependencies. + * + * @param dependency the main dependency + * @param relatedDependency a collection of dependencies to be removed from + * the main analysis loop, this is the source of dependencies to remove + * @param dependenciesToRemove a collection of dependencies that will be + * removed from the main analysis loop, this function adds to this + * collection + */ + private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set dependenciesToRemove) { + dependency.addRelatedDependency(relatedDependency); + dependency.getVendorEvidence().getEvidence().addAll(relatedDependency.getVendorEvidence().getEvidence()); + dependency.getProductEvidence().getEvidence().addAll(relatedDependency.getProductEvidence().getEvidence()); + dependency.getVersionEvidence().getEvidence().addAll(relatedDependency.getVersionEvidence().getEvidence()); + + final Iterator i = relatedDependency.getRelatedDependencies().iterator(); + while (i.hasNext()) { + dependency.addRelatedDependency(i.next()); + i.remove(); + } + if (dependency.getSha1sum().equals(relatedDependency.getSha1sum())) { + dependency.addAllProjectReferences(relatedDependency.getProjectReferences()); + } + dependenciesToRemove.add(relatedDependency); + } + + /** + * Bundling Ruby gems that are identified from different .gemspec files but + * denote the same package path. This happens when Ruby bundler installs an + * application's dependencies by running "bundle install". + * + * @param dependency1 dependency to compare + * @param dependency2 dependency to compare + * @return true if the the dependencies being analyzed appear to be the + * same; otherwise false + */ + private boolean isSameRubyGem(Dependency dependency1, Dependency dependency2) { + if (dependency1 == null || dependency2 == null + || !dependency1.getFileName().endsWith(".gemspec") + || !dependency2.getFileName().endsWith(".gemspec") + || dependency1.getPackagePath() == null + || dependency2.getPackagePath() == null) { + return false; + } + return dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath()); + } + + /** + * Ruby gems installed by "bundle install" can have zero or more *.gemspec + * files, all of which have the same packagePath and should be grouped. If + * one of these gemspec is from /specifications/*.gemspec, because + * it is a stub with fully resolved gem meta-data created by Ruby bundler, + * this dependency should be the main one. Otherwise, use dependency2 as + * main. + * + * This method returns null if any dependency is not from *.gemspec, or the + * two do not have the same packagePath. In this case, they should not be + * grouped. + * + * @param dependency1 dependency to compare + * @param dependency2 dependency to compare + * @return the main dependency; or null if a gemspec is not included in the + * analysis + */ + private Dependency getMainGemspecDependency(Dependency dependency1, Dependency dependency2) { + if (isSameRubyGem(dependency1, dependency2)) { + final File lFile = dependency1.getActualFile(); + final File left = lFile.getParentFile(); + if (left != null && left.getName().equalsIgnoreCase("specifications")) { + return dependency1; + } + return dependency2; + } + return null; + } + + /** + * Bundling same swift dependencies with the same packagePath but identified + * by different file type analyzers. + * + * @param dependency1 dependency to test + * @param dependency2 dependency to test + * @return true if the dependencies appear to be the same; + * otherwise false + */ + private boolean isSameSwiftPackage(Dependency dependency1, Dependency dependency2) { + if (dependency1 == null || dependency2 == null + || (!dependency1.getFileName().endsWith(".podspec") + && !dependency1.getFileName().equals("Package.swift")) + || (!dependency2.getFileName().endsWith(".podspec") + && !dependency2.getFileName().equals("Package.swift")) + || dependency1.getPackagePath() == null + || dependency2.getPackagePath() == null) { + return false; + } + return dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath()); + } + + /** + * Determines which of the swift dependencies should be considered the + * primary. + * + * @param dependency1 the first swift dependency to compare + * @param dependency2 the second swift dependency to compare + * @return the primary swift dependency + */ + private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) { + if (isSameSwiftPackage(dependency1, dependency2)) { + if (dependency1.getFileName().endsWith(".podspec")) { + return dependency1; + } + return dependency2; + } + return null; + } +} diff --git a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer index 674d1d0f7..41d1e9ce1 100644 --- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer +++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer @@ -6,6 +6,7 @@ org.owasp.dependencycheck.analyzer.CPEAnalyzer org.owasp.dependencycheck.analyzer.FalsePositiveAnalyzer org.owasp.dependencycheck.analyzer.CpeSuppressionAnalyzer org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer +org.owasp.dependencycheck.analyzer.DependencyMergingAnalyzer org.owasp.dependencycheck.analyzer.NvdCveAnalyzer org.owasp.dependencycheck.analyzer.VulnerabilitySuppressionAnalyzer org.owasp.dependencycheck.analyzer.CentralAnalyzer diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml index 70b1c71e7..61041a9f1 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml @@ -460,4 +460,18 @@ .* CVE-2007-6059 + + + com\.fasterxml\.jackson\.core:jackson.* + CVE-2016-3720 + + + + com\.fasterxml\.jackson\.dataformat:jackson(?!\-dataformat\-xml).* + CVE-2016-3720 + diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java index 7b3f81383..c4ba3357b 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java @@ -53,7 +53,7 @@ public class DependencyBundlingAnalyzerTest extends BaseTest { @Test public void testGetAnalysisPhase() { DependencyBundlingAnalyzer instance = new DependencyBundlingAnalyzer(); - AnalysisPhase expResult = AnalysisPhase.PRE_FINDING_ANALYSIS; + AnalysisPhase expResult = AnalysisPhase.FINAL; AnalysisPhase result = instance.getAnalysisPhase(); assertEquals(expResult, result); } diff --git a/dependency-check-maven/src/it/618-aggregator-purge/invoker.properties b/dependency-check-maven/src/it/618-aggregator-purge/invoker.properties index b93b3959f..adb5bc444 100644 --- a/dependency-check-maven/src/it/618-aggregator-purge/invoker.properties +++ b/dependency-check-maven/src/it/618-aggregator-purge/invoker.properties @@ -16,6 +16,5 @@ # Copyright (c) 2014 Jeremy Long. All Rights Reserved. # -invoker.goals.1 = ${project.groupId}:${project.artifactId}:${project.version}:update-only -invoker.postBuildHookScript.1 = save-nvd-cve.groovy -invoker.goals.2 = ${project.groupId}:${project.artifactId}:${project.version}:purge +invoker.goals.1 = ${project.groupId}:${project.artifactId}:${project.version}:update-only -DdataDirectory=./data -Dcve.startyear=2016 +invoker.goals.2 = ${project.groupId}:${project.artifactId}:${project.version}:purge -DdataDirectory=./data diff --git a/dependency-check-maven/src/it/618-aggregator-purge/postbuild.groovy b/dependency-check-maven/src/it/618-aggregator-purge/postbuild.groovy new file mode 100644 index 000000000..77ed8d9d6 --- /dev/null +++ b/dependency-check-maven/src/it/618-aggregator-purge/postbuild.groovy @@ -0,0 +1,29 @@ +/* + * This file is part of dependency-check-maven. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2016 Jeremy Long. All Rights Reserved. + */ + +import java.nio.charset.Charset; +import org.apache.commons.io.FileUtils; +import org.apache.commons.lang.StringUtils; + + +// Analyse number of "Checking for updates" +String log = FileUtils.readFileToString(new File(basedir, "build.log"), Charset.defaultCharset().name()); +if (!StringUtils.contains(log, "Database file purged; local copy of the NVD has been removed")) { + System.out.println("The database was not purged."); + return false; +} diff --git a/dependency-check-maven/src/it/629-jackson-datafromat/invoker.properties b/dependency-check-maven/src/it/629-jackson-datafromat/invoker.properties new file mode 100644 index 000000000..3fc1810a0 --- /dev/null +++ b/dependency-check-maven/src/it/629-jackson-datafromat/invoker.properties @@ -0,0 +1,19 @@ +# +# This file is part of dependency-check-maven. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Copyright (c) 2014 Jeremy Long. All Rights Reserved. +# + +invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -e -Dformat=ALL diff --git a/dependency-check-maven/src/it/629-jackson-datafromat/pom.xml b/dependency-check-maven/src/it/629-jackson-datafromat/pom.xml new file mode 100644 index 000000000..f1e6cd154 --- /dev/null +++ b/dependency-check-maven/src/it/629-jackson-datafromat/pom.xml @@ -0,0 +1,47 @@ + + + + 4.0.0 + org.owasp.test + test-dataformat-jackson + 1.0.0-SNAPSHOT + jar + + + com.fasterxml.jackson.core + jackson-databind + 2.4.5 + + + com.fasterxml.jackson.core + jackson-annotations + 2.4.5 + + + com.fasterxml.jackson.dataformat + jackson-dataformat-cbor + 2.4.5 + + + com.fasterxml.jackson.dataformat + jackson-dataformat-xml + 2.4.5 + + + \ No newline at end of file diff --git a/dependency-check-maven/src/it/618-aggregator-purge/save-nvd-cve.groovy b/dependency-check-maven/src/it/629-jackson-datafromat/postbuild.groovy similarity index 66% rename from dependency-check-maven/src/it/618-aggregator-purge/save-nvd-cve.groovy rename to dependency-check-maven/src/it/629-jackson-datafromat/postbuild.groovy index 7ed8b07c4..17401a332 100644 --- a/dependency-check-maven/src/it/618-aggregator-purge/save-nvd-cve.groovy +++ b/dependency-check-maven/src/it/629-jackson-datafromat/postbuild.groovy @@ -16,9 +16,9 @@ * Copyright (c) 2014 Jeremy Long. All Rights Reserved. */ -import java.nio.charset.Charset; import org.apache.commons.io.FileUtils; import org.apache.commons.lang.StringUtils; +import java.nio.charset.Charset; // Save NVD-CVE for next IT (if not already done) File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db"); @@ -27,3 +27,16 @@ if (datasDwl.exists() && !datasSave.exists()){ System.out.println("Save NVD-CVE into backup"); FileUtils.copyFile(datasDwl, datasSave); } + + + + +// Check to see if jackson-dataformat-xml-2.4.5.jar was identified. +//TODO change this to xpath and check for CVE-2016-3720 +String log = FileUtils.readFileToString(new File(basedir, "target/dependency-check-report.xml"), Charset.defaultCharset().name()); +int count = StringUtils.countMatches(log, "jackson-dataformat-xml-2.4.5.jar"); +if (count == 0){ + System.out.println(String.format("The update should be unique, it is %s", count)); + return false; + //throw new Exception(String.format("The update should be unique, it is %s", count)); +} diff --git a/dependency-check-maven/src/it/618-aggregator-purge/prebuild.groovy b/dependency-check-maven/src/it/629-jackson-datafromat/prebuild.groovy similarity index 100% rename from dependency-check-maven/src/it/618-aggregator-purge/prebuild.groovy rename to dependency-check-maven/src/it/629-jackson-datafromat/prebuild.groovy diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/XmlUtils.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/XmlUtils.java index d948b700f..734fcbb27 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/XmlUtils.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/XmlUtils.java @@ -77,7 +77,9 @@ public final class XmlUtils { factory.setValidating(true); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + //setting the following unfortunately breaks reading the old suppression files (version 1). + //factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + final SAXParser saxParser = factory.newSAXParser(); saxParser.setProperty(JAXP_SCHEMA_LANGUAGE, W3C_XML_SCHEMA); saxParser.setProperty(JAXP_SCHEMA_SOURCE, schemaStream);