added a vulnerability suppression analyzer test case
Former-commit-id: d90596a3493f1fd557222fac0568955b5ab58b4f
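--- a/VulnerabilitySuppressionAnalyzerTest.java
+++ b/VulnerabilitySuppressionAnalyzerTest.java
@@ -0,0 +1,127 @@
+/*
+* This file is part of dependency-check-core.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+*/
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+* Testing the vulnerability suppression analyzer.
+*
+* @author Jeremy Long <jeremy.long@owasp.org>
+*/
+public class VulnerabilitySuppressionAnalyzerTest extends AbstractDatabaseTestCase {
+
+public VulnerabilitySuppressionAnalyzerTest() {
+}
+
+@BeforeClass
+public static void setUpClass() {
+}
+
+@AfterClass
+public static void tearDownClass() {
+}
+private boolean update = true;
+private boolean nexus = false;
+
+@Before
+@Override
+public void setUp() throws Exception {
+super.setUp();
+update = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+nexus = Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED);
+Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+}
+
+@After
+@Override
+public void tearDown() throws Exception {
+super.tearDown();
+Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, update);
+Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexus);
+}
+
+/**
+* Test of getName method, of class VulnerabilitySuppressionAnalyzer.
+*/
+@Test
+public void testGetName() {
+VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
+String expResult = "Vulnerability Suppression Analyzer";
+String result = instance.getName();
+assertEquals(expResult, result);
+}
+
+/**
+* Test of getAnalysisPhase method, of class VulnerabilitySuppressionAnalyzer.
+*/
+@Test
+public void testGetAnalysisPhase() {
+VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
+AnalysisPhase expResult = AnalysisPhase.POST_FINDING_ANALYSIS;;
+AnalysisPhase result = instance.getAnalysisPhase();
+assertEquals(expResult, result);
+}
+
+/**
+* Test of analyze method, of class VulnerabilitySuppressionAnalyzer.
+*/
+@Test
+public void testAnalyze() throws Exception {
+
+File file = new File(this.getClass().getClassLoader().getResource("FileHelpers.2.0.0.0.nupkg").getPath());
+File suppression = new File(this.getClass().getClassLoader().getResource("FileHelpers.2.0.0.0.suppression.xml").getPath());
+
+Engine engine = new Engine();
+engine.scan(file);
+engine.analyzeDependencies();
+Dependency dependency = getDependency(engine, file);
+assertTrue(dependency.getVulnerabilities().size() > 0);
+Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppression.getAbsolutePath());
+VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
+instance.initialize();
+instance.analyze(dependency, engine);
+assertTrue(dependency.getVulnerabilities().size() == 0);
+}
+
+/**
+* Retrieves a specific dependency from the engine.
+*
+* @param engine the engine
+* @param file the dependency to retrieve
+* @return the dependency
+*/
+private Dependency getDependency(Engine engine, File file) {
+for (Dependency d : engine.getDependencies()) {
+if (d.getFileName().equals(file.getName())) {
+return d;
+}
+}
+return null;
+}
+}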
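Review bot: testAnalyze sets Settings.KEYS.SUPPRESSION_FILE to the fixture path but never restores it, while setUp/tearDown carefully save and restore AUTO_UPDATE and ANALYZER_NEXUS_ENABLED, so the suppression file leaks into every test that runs later in the same JVM. Save it the same way: a field `private String suppressionFile;`, `suppressionFile = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);` in setUp and `Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);` in tearDown — if the key was unset the saved value may be null, so confirm how Settings.setString handles null before restoring it unconditionally. Separately, getDependency returns null when no dependency matches the file name and testAnalyze dereferences the result immediately, so a scan that finds nothing fails with a NullPointerException instead of an assertion message; an `assertNotNull(dependency);` before the first assertTrue makes the failure readable, and `assertEquals(0, dependency.getVulnerabilities().size());` at the end reports the actual remaining count. There is also a stray double semicolon on the `AnalysisPhase expResult = AnalysisPhase.POST_FINDING_ANALYSIS;;` line.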
Binary file not shown.
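--- a/FileHelpers.2.0.0.0.suppression.xml
+++ b/FileHelpers.2.0.0.0.suppression.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+<suppress>
+<notes><![CDATA[
+file name: FileHelpers.2.0.0.0.nupkg
+]]></notes>
+<sha1>30FB37D6163CF16E3BA740343BECDD14D5457619</sha1>
+<cve>CVE-2007-1536</cve>
+</suppress>
+</suppressions>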