From c7adb1bb65cb4bc407198bb96faca2ee3611e0c9 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 4 Apr 2017 09:58:19 -0400 Subject: [PATCH 01/16] fix for issue #684 --- .../main/resources/dependencycheck-base-suppression.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml index 34e1d4118..70266886e 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml @@ -545,4 +545,13 @@ ^javax\.servlet:servlet-api:.*$ cpe:/a:sun:one_application_server + + + ^org\.apache\.tomcat\.embed:tomcat-embed.*$ + CVE-2017-6056 + CVE-2016-6325 + CVE-2016-5425 + From f289bcd285fc7682badd9e70da38e1cedb679ef3 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 4 Apr 2017 10:03:19 -0400 Subject: [PATCH 02/16] fixed false positive per issue #691 --- .../main/resources/dependencycheck-base-suppression.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml index 70266886e..481048c12 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml @@ -554,4 +554,11 @@ CVE-2016-6325 CVE-2016-5425 + + + ^org\.springframework\.boot:spring-boot-starter-data-jpa:.*$ + CVE-2016-6652 + From 44ddad8101c0428eeabb0ad8ea11b3fe384cc07e Mon Sep 17 00:00:00 2001 
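Review bot: The new `^org\.apache\.tomcat\.embed:tomcat-embed.*$` rule suppresses CVE-2017-6056, CVE-2016-6325 and CVE-2016-5425 for every version of every tomcat-embed artifact, and because this lives in the base suppression file it silently hides those findings for all users, so the rule has to carry its justification. The XML element tags are not visible in this rendering, so I cannot tell whether a `<notes>` element is present; if not, add one along the lines of `<notes>CVE-2016-5425, CVE-2016-6325 and CVE-2017-6056 are reported against Linux distribution packaging of Tomcat (file permissions / distro-specific patches) and do not apply to the embedded Maven artifacts (issue #684)</notes>`, adjusted to whatever the NVD entries actually state. Keying the suppression on the three CVE identifiers rather than on a CPE is the right shape for a base rule, since genuine future tomcat-embed CVEs will still be reported.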
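Review bot: The `^org\.springframework\.boot:spring-boot-starter-data-jpa:.*$` rule suppresses CVE-2016-6652 on the starter for all versions, which is sound only because the starter is a dependency aggregator with no code of its own; the vulnerable code lives in `org.springframework.data:spring-data-jpa`, and that artifact is deliberately left outside the regex so the finding should still surface where it belongs. Worth confirming against the #691 reproducer that the report still lists CVE-2016-6652 on spring-data-jpa itself after this change, and recording that reasoning in the rule's `<notes>` if it does not already have one (the element tags are not visible here).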
From: Jeremy Long Date: Wed, 12 Apr 2017 10:24:51 -0400 Subject: [PATCH 03/16] updated for maven thread safety --- .../src/it/617-hierarchical-cross-deps/invoker.properties | 2 +- .../main/java/org/owasp/dependencycheck/maven/CheckMojo.java | 2 +- .../main/java/org/owasp/dependencycheck/maven/PurgeMojo.java | 2 +- .../main/java/org/owasp/dependencycheck/maven/UpdateMojo.java | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/dependency-check-maven/src/it/617-hierarchical-cross-deps/invoker.properties b/dependency-check-maven/src/it/617-hierarchical-cross-deps/invoker.properties index 317af6f63..1368a7b72 100644 --- a/dependency-check-maven/src/it/617-hierarchical-cross-deps/invoker.properties +++ b/dependency-check-maven/src/it/617-hierarchical-cross-deps/invoker.properties @@ -16,4 +16,4 @@ # Copyright (c) 2014 Jeremy Long. All Rights Reserved. # -invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -e +invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -e -T 2 diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java index b566cc306..3571a60b4 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java @@ -40,7 +40,7 @@ import org.owasp.dependencycheck.utils.Settings; @Mojo( name = "check", defaultPhase = LifecyclePhase.VERIFY, - threadSafe = false, + threadSafe = true, requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME, requiresOnline = true ) diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java index 490ffe45c..87f551140 100644 
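Review bot: Flipping `threadSafe = false` to `threadSafe = true` on `check` is a promise to Maven's parallel builder, not a mechanism: nothing in this commit changes how concurrently-running `check` executions share the NVD H2 database and its update, so at this point in the series a `-T 2` build can start two updates against the same data directory. The file lock and `synchronized update()` that back this promise only arrive in the later "added locking mechanism" commit, so the annotation change should land with or after that one rather than ahead of it. If it has to go in first, the commit message should say so explicitly rather than reading as a standalone fix.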
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java @@ -35,7 +35,7 @@ import org.owasp.dependencycheck.utils.Settings; @Mojo( name = "purge", defaultPhase = LifecyclePhase.GENERATE_RESOURCES, - threadSafe = false, + threadSafe = true, requiresDependencyResolution = ResolutionScope.NONE, requiresOnline = true, aggregator = true diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java index ec0e6928d..4d8fc11b1 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java @@ -37,7 +37,7 @@ import org.owasp.dependencycheck.utils.Settings; @Mojo( name = "update-only", defaultPhase = LifecyclePhase.GENERATE_RESOURCES, - threadSafe = false, + threadSafe = true, requiresDependencyResolution = ResolutionScope.NONE, requiresOnline = true, aggregator = true From f473e63a61a2613681a0733f2232564d4326066e Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Sun, 23 Apr 2017 07:05:31 -0400 Subject: [PATCH 04/16] added test case and added locking mechanism so only one update can run at any given time --- .../data/update/NvdCveUpdater.java | 73 ++++++++++++++++++- dependency-check-maven/pom.xml | 3 + .../invoker.properties | 2 +- .../src/it/690-threadsafety/first/pom.xml | 35 +++++++++ .../src/it/690-threadsafety/fourth/pom.xml | 35 +++++++++ .../fourth/src/main/webapp/WEB-INF/web.xml | 26 +++++++ .../it/690-threadsafety/invoker.properties | 19 +++++ .../src/it/690-threadsafety/pom.xml | 31 ++++++++ .../src/it/690-threadsafety/postbuild.groovy | 28 +++++++ .../src/it/690-threadsafety/prebuild.groovy | 28 +++++++ .../src/it/690-threadsafety/second/pom.xml | 35 +++++++++ .../second/src/main/webapp/WEB-INF/web.xml | 26 +++++++ .../src/it/690-threadsafety/third/pom.xml | 35 +++++++++ .../third/src/main/webapp/WEB-INF/web.xml | 26 +++++++ 14 files changed, 399 insertions(+), 3 deletions(-) create mode 100644 dependency-check-maven/src/it/690-threadsafety/first/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/fourth/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/fourth/src/main/webapp/WEB-INF/web.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/invoker.properties create mode 100644 dependency-check-maven/src/it/690-threadsafety/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/postbuild.groovy create mode 100644 dependency-check-maven/src/it/690-threadsafety/prebuild.groovy create mode 100644 dependency-check-maven/src/it/690-threadsafety/second/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/second/src/main/webapp/WEB-INF/web.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/third/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/third/src/main/webapp/WEB-INF/web.xml 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
index 2ae21797c..c6b20c12b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
@@ -17,6 +17,9 @@
 */
 package org.owasp.dependencycheck.data.update;

+import java.io.File;
+import java.io.IOException;
+import java.io.RandomAccessFile;
 import java.net.MalformedURLException;
 import java.util.Calendar;
 import java.util.HashMap;
@@ -24,6 +27,8 @@ import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import java.net.URL;
+import java.nio.channels.FileLock;
+import java.util.Date;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
@@ -31,6 +36,7 @@ import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
+import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -95,7 +101,7 @@ public class NvdCveUpdater implements CachedWebDataSource {
 * database
 */
 @Override
- public void update() throws UpdateException {
+ public synchronized void update() throws UpdateException {
 try {
 if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
 return;
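Review bot: `public synchronized void update()` locks the `NvdCveUpdater` instance, so it serializes updates only between threads that share the same updater object; if each Maven module's engine builds its own `NvdCveUpdater` (not visible here, but a plausible pattern for a `CachedWebDataSource`), the keyword provides no intra-JVM exclusion at all and the file lock added further down is doing all of the work. A `private static final Object UPDATE_LOCK = new Object();` with `synchronized (UPDATE_LOCK)` around the update body, or a static `ReentrantLock`, would make the in-process guarantee independent of how instances are created. Separately, `java.util.Date` is imported only to compute a file age; `System.currentTimeMillis()` does the same without the allocation. The body of `update()` continues in the following hunks.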
@@ -113,8 +119,40 @@ public class NvdCveUpdater implements CachedWebDataSource { if (!autoUpdate) { return; } - initializeExecutorServices(); + FileLock lock = null; + RandomAccessFile ulFile = null; + File lockFile = null; try { + if (ConnectionFactory.isH2Connection()) { + final File dir = Settings.getDataDirectory(); + lockFile = new File(dir, "odc.update.lock"); + if (lockFile.isFile() && getFileAge(lockFile) > 5 && !lockFile.delete()) { + LOGGER.warn("An old db update lock file was found but the system was unable to delete the file. Consider manually deleting " + lockFile.getAbsolutePath()); + } + int ctr = 0; + do { + try { + if (!lockFile.exists() && lockFile.createNewFile()) { + ulFile = new RandomAccessFile(lockFile, "rw"); + lock = ulFile.getChannel().lock(); + } + } catch (IOException ex) { + LOGGER.trace("Expected error as another thread has likely locked the file", ex); + } + if (lock == null || !lock.isValid()) { + try { + LOGGER.debug(String.format("Sleeping thread %s for 5 seconds because we could not obtain the update lock.", Thread.currentThread().getName())); + Thread.sleep(5000); + } catch (InterruptedException ex) { + LOGGER.trace("ignorable error, sleep was interrupted.", ex); + } + } + } while (++ctr < 100 && (lock == null || !lock.isValid())); + if (lock == null || !lock.isValid()) { + throw new UpdateException("Unable to obtain the update lock, skipping the database update. Skippinig the database update."); + } + } + initializeExecutorServices(); cveDb = CveDB.getInstance(); dbProperties = cveDb.getDatabaseProperties(); 
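Review bot: The stale-lock branch `if (lockFile.isFile() && getFileAge(lockFile) > 5 && !lockFile.delete())` deletes any `odc.update.lock` older than five minutes regardless of whether another JVM still holds a valid `FileLock` on it; a full NVD import can easily run longer than that, and on POSIX the unlink succeeds while the other process's lock is still held, after which `createNewFile()` creates a fresh inode and this process locks that one, so two updaters both believe they own the database, which is exactly the corruption the lock is meant to prevent. Acquisition should rely on the OS lock rather than on file existence plus age: open the file in `rw` mode whether or not it exists and call `tryLock()` (this needs `import java.nio.channels.OverlappingFileLockException;`); a live holder makes it return null or throw, and a crashed holder's lock is released by the kernel, so no age-based deletion is required and the `lockFile.delete()` in `finally` can go as well, leaving the 0-byte sentinel in place. The `InterruptedException` handler should also restore the interrupt flag and stop waiting instead of logging at trace and looping for up to another five minutes. `update()` starts in the previous hunk and its `finally` block is in the next one.
```java
// … unchanged: H2 check, lockFile = new File(dir, "odc.update.lock") …
int ctr = 0;
do {
    try {
        // Open (creating if absent) and lock the same inode on every retry: a live holder
        // makes tryLock() return null; a crashed holder's lock is released by the OS.
        ulFile = new RandomAccessFile(lockFile, "rw");
        lock = ulFile.getChannel().tryLock();
    } catch (IOException | OverlappingFileLockException ex) {
        LOGGER.trace("Expected error as another thread has likely locked the file", ex);
    }
    if (lock == null || !lock.isValid()) {
        if (ulFile != null) {
            try {
                ulFile.close(); // do not leak a descriptor per retry
            } catch (IOException ex) {
                LOGGER.trace("Ignorable exception", ex);
            }
            ulFile = null;
        }
        try {
            LOGGER.debug(String.format("Sleeping thread %s for 5 seconds because we could not obtain the update lock.", Thread.currentThread().getName()));
            Thread.sleep(5000);
        } catch (InterruptedException ex) {
            Thread.currentThread().interrupt();
            throw new UpdateException("Interrupted while waiting for the update lock", ex);
        }
    }
} while (++ctr < 100 && (lock == null || !lock.isValid()));
// … unchanged: final lock check and UpdateException …
```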
@@ -137,12 +175,43 @@ public class NvdCveUpdater implements CachedWebDataSource { throw new UpdateException("Unable to download the NVD CVE data.", ex); } catch (DatabaseException ex) { throw new UpdateException("Database Exception, unable to update the data to use the most current data.", ex); + } catch (IOException ex) { + throw new UpdateException("Database Exception", ex); } finally { shutdownExecutorServices(); cveDb.close(); + if (lock != null) { + try { + lock.release(); + } catch (IOException ex) { + LOGGER.trace("Ignorable exception", ex); + } + } + if (ulFile != null) { + try { + ulFile.close(); + } catch (IOException ex) { + LOGGER.trace("Ignorable exception", ex); + } + } + if (lockFile != null) { + lockFile.delete(); + } } } + /** + * Returns the age of the file in minutes. + * + * @param file the file to calculate the age + * @return the age of the file + */ + private long getFileAge(File file) { + final Date d = new Date(); + final long modified = file.lastModified(); + return (d.getTime() - modified) / 1000 / 60; + } + /** * Initialize the executor services for download and processing of the NVD * CVE XML data. diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 498bdcb94..905f53374 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -245,6 +245,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. maven-invoker-plugin 2.0.0 + + 690-threadsafety/pom.xml + ${project.build.directory}/it target/local-repo diff --git a/dependency-check-maven/src/it/617-hierarchical-cross-deps/invoker.properties b/dependency-check-maven/src/it/617-hierarchical-cross-deps/invoker.properties index 1368a7b72..317af6f63 100644 --- a/dependency-check-maven/src/it/617-hierarchical-cross-deps/invoker.properties +++ b/dependency-check-maven/src/it/617-hierarchical-cross-deps/invoker.properties 
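Review bot: `if (lockFile != null) { lockFile.delete(); }` in the `finally` block also runs on the timed-out path: when the retry loop gives up and throws `UpdateException`, `lockFile` has already been assigned but `lock` is null, so this process removes the lock file another process is still holding and the next JVM to arrive creates a fresh one and starts a second concurrent update. Guard the deletion on ownership, `if (lock != null && lockFile != null && !lockFile.delete()) { LOGGER.debug("Unable to delete the update lock file " + lockFile.getAbsolutePath()); }`, or better, never delete the sentinel and rely solely on the OS lock. Note the ordering problem just above it: the new early `throw` inside the `try` now reaches `cveDb.close()` before `cveDb` has been assigned on a first call, which (unless an earlier call set the field) replaces the intended `UpdateException` with a `NullPointerException`, and when the field is already set the bad delete then runs; a null check on `cveDb` keeps the real cause. `getFileAge` could use `System.currentTimeMillis()` instead of allocating a `Date`. The `try` this `finally` belongs to starts in the previous hunk.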
@@ -16,4 +16,4 @@ # Copyright (c) 2014 Jeremy Long. All Rights Reserved. # -invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -e -T 2 +invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -e diff --git a/dependency-check-maven/src/it/690-threadsafety/first/pom.xml b/dependency-check-maven/src/it/690-threadsafety/first/pom.xml new file mode 100644 index 000000000..8cddd68e2 --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/first/pom.xml @@ -0,0 +1,35 @@ + + + + 4.0.0 + + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + + first + jar + + + log4j + log4j + 1.2.17 + + + diff --git a/dependency-check-maven/src/it/690-threadsafety/fourth/pom.xml b/dependency-check-maven/src/it/690-threadsafety/fourth/pom.xml new file mode 100644 index 000000000..9d000b344 --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/fourth/pom.xml @@ -0,0 +1,35 @@ + + + + 4.0.0 + + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + + fourth + jar + + + log4j + log4j + 1.2.17 + + + \ No newline at end of file diff --git a/dependency-check-maven/src/it/690-threadsafety/fourth/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/fourth/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 000000000..65c96051c --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/fourth/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,26 @@ + + + + test-app + + index.html + + + diff --git a/dependency-check-maven/src/it/690-threadsafety/invoker.properties b/dependency-check-maven/src/it/690-threadsafety/invoker.properties new file mode 100644 index 000000000..75f5eb6d8 --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/invoker.properties 
@@ -0,0 +1,19 @@ +# +# This file is part of dependency-check-maven. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Copyright (c) 2014 Jeremy Long. All Rights Reserved. +# + +invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -e -T 4 diff --git a/dependency-check-maven/src/it/690-threadsafety/pom.xml b/dependency-check-maven/src/it/690-threadsafety/pom.xml new file mode 100644 index 000000000..9872389f0 --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/pom.xml @@ -0,0 +1,31 @@ + + + + 4.0.0 + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + pom + + first + second + third + fourth + + \ No newline at end of file diff --git a/dependency-check-maven/src/it/690-threadsafety/postbuild.groovy b/dependency-check-maven/src/it/690-threadsafety/postbuild.groovy new file mode 100644 index 000000000..09ea6f264 --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/postbuild.groovy 
@@ -0,0 +1,28 @@ +/* + * This file is part of dependency-check-maven. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ + +import org.apache.commons.io.FileUtils; +import org.apache.commons.lang.StringUtils; + +// Save NVD-CVE for next IT (if not already done) +File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db"); +File datasSave = new File("target/nvd-cve-backup", "dc.h2.db"); +if (datasDwl.exists() && !datasSave.exists()){ + System.out.println("Save NVD-CVE into backup"); + FileUtils.copyFile(datasDwl, datasSave); +} diff --git a/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy b/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy new file mode 100644 index 000000000..c1e9eda11 --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy 
@@ -0,0 +1,28 @@ +/* + * This file is part of dependency-check-maven. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ + +import org.apache.commons.io.FileUtils; + +// Load NVD-CVE if not exist and had been saved in a previous IT +File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db"); +File datasSave = new File("target/nvd-cve-backup", "dc.h2.db"); + +if (!datasDwl.exists() && datasSave.exists()){ + System.out.println("Load NVD-CVE from backup"); + FileUtils.copyFile(datasSave, datasDwl); +} diff --git a/dependency-check-maven/src/it/690-threadsafety/second/pom.xml b/dependency-check-maven/src/it/690-threadsafety/second/pom.xml new file mode 100644 index 000000000..ed04073ef --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/second/pom.xml @@ -0,0 +1,35 @@ + + + + 4.0.0 + + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + + second + jar + + + log4j + log4j + 1.2.17 + + + \ No newline at end of file diff --git a/dependency-check-maven/src/it/690-threadsafety/second/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/second/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 000000000..65c96051c --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/second/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,26 @@ + + + + test-app + + index.html + + + 
diff --git a/dependency-check-maven/src/it/690-threadsafety/third/pom.xml b/dependency-check-maven/src/it/690-threadsafety/third/pom.xml new file mode 100644 index 000000000..062992fbb --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/third/pom.xml @@ -0,0 +1,35 @@ + + + + 4.0.0 + + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + + third + jar + + + log4j + log4j + 1.2.17 + + + \ No newline at end of file diff --git a/dependency-check-maven/src/it/690-threadsafety/third/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/third/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 000000000..65c96051c --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/third/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,26 @@ + + + + test-app + + index.html + + + From 31d7379a397a8afdcb5b7969be196382802879e7 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 23 Apr 2017 07:22:53 -0400 Subject: [PATCH 05/16] minor updates and added documentation --- .../data/update/NvdCveUpdater.java | 45 ++++++++++++------- 1 file changed, 28 insertions(+), 17 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java index c6b20c12b..60b577582 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java 
@@ -95,28 +95,16 @@ public class NvdCveUpdater implements CachedWebDataSource { /** * Downloads the latest NVD CVE XML file from the web and imports it into - * the current CVE Database. + * the current CVE Database. A lock on a file is obtained in an attempt to + * prevent more then one thread/JVM from updating the database at the same + * time. This method may sleep upto 5 minutes. * * @throws UpdateException is thrown if there is an error updating the * database */ @Override public synchronized void update() throws UpdateException { - try { - if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) { - return; - } - } catch (InvalidSettingException ex) { - LOGGER.trace("invalid setting UPDATE_NVDCVE_ENABLED", ex); - } - - boolean autoUpdate = true; - try { - autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE); - } catch (InvalidSettingException ex) { - LOGGER.debug("Invalid setting for auto-update; using true."); - } - if (!autoUpdate) { + if (isUpdateConfiguredFalse()) { return; } FileLock lock = null; @@ -147,7 +135,7 @@ public class NvdCveUpdater implements CachedWebDataSource { LOGGER.trace("ignorable error, sleep was interrupted.", ex); } } - } while (++ctr < 100 && (lock == null || !lock.isValid())); + } while (++ctr < 60 && (lock == null || !lock.isValid())); if (lock == null || !lock.isValid()) { throw new UpdateException("Unable to obtain the update lock, skipping the database update. Skippinig the database update."); } 
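Review bot: The new Javadoc says a file lock is obtained to prevent "more then one thread/JVM" from updating, but `synchronized` on an instance method only excludes threads that share this `NvdCveUpdater` instance while the file lock is what excludes other JVMs; the comment should say which mechanism covers which case so the next reader does not over-trust it, and it has two typos ("more then", "upto"). Suggested wording for the replaced lines: ` * the current CVE Database. A file lock (odc.update.lock in the data directory) is taken so that only one JVM updates the H2 database at a time; within a JVM, calls on this instance are serialized by synchronized. This method may sleep up to 5 minutes waiting for the lock.` The second hunk lowers the retry cap from 100 to 60 (five minutes at 5-second sleeps), which now matches the Javadoc; the `UpdateException` message on the following line still says "skipping the database update" twice with a misspelling in the second copy and should be cleaned up in the same pass. Both hunks sit inside `update()`, whose body continues beyond the second hunk.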
@@ -200,6 +188,29 @@ public class NvdCveUpdater implements CachedWebDataSource { } } + /** + * Checks if the system is configured NOT to update. + * + * @return false if the system is configured to perform an update; otherwise + * true + */ + private boolean isUpdateConfiguredFalse() { + try { + if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) { + return true; + } + } catch (InvalidSettingException ex) { + LOGGER.trace("invalid setting UPDATE_NVDCVE_ENABLED", ex); + } + boolean autoUpdate = true; + try { + autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE); + } catch (InvalidSettingException ex) { + LOGGER.debug("Invalid setting for auto-update; using true."); + } + return !autoUpdate; + } + /** * Returns the age of the file in minutes. * From 865db1b6c3d4118ff47b38013048998759d3e096 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 23 Apr 2017 08:04:54 -0400 Subject: [PATCH 06/16] nop --- .../org/owasp/dependencycheck/data/update/NvdCveUpdater.java | 1 + 1 file changed, 1 insertion(+) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java index 60b577582..7dec5d391 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java @@ -140,6 +140,7 @@ public class NvdCveUpdater implements CachedWebDataSource { throw new UpdateException("Unable to obtain the update lock, skipping the database update. Skippinig the database update."); } } + initializeExecutorServices(); cveDb = CveDB.getInstance(); dbProperties = cveDb.getDatabaseProperties(); From a67e421a5d21f08be4553b5ec7a3fa0672db3355 Mon Sep 17 00:00:00 2001 
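Review bot: `isUpdateConfiguredFalse()` treats an unparseable value for either `UPDATE_NVDCVE_ENABLED` or `AUTO_UPDATE` as "go ahead and update", so a typo in a user's settings fails open into a network download and a database rewrite, and it reports that at `trace` for the first key but `debug` for the second. Failing open is defensible for a scanner whose value depends on fresh data, but the fallback should be visible: log both at `warn` naming the key, e.g. `LOGGER.warn("Invalid setting for " + Settings.KEYS.AUTO_UPDATE + "; assuming updates are enabled", ex);`. The name also reads awkwardly through the double negative in its Javadoc; `isUpdateDisabled()` says the same thing directly.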
From: Jeremy Long Date: Sun, 23 Apr 2017 08:44:24 -0400 Subject: [PATCH 07/16] nop --- .../org/owasp/dependencycheck/data/update/NvdCveUpdater.java | 1 - 1 file changed, 1 deletion(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java index 7dec5d391..60b577582 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java @@ -140,7 +140,6 @@ public class NvdCveUpdater implements CachedWebDataSource { throw new UpdateException("Unable to obtain the update lock, skipping the database update. Skippinig the database update."); } } - initializeExecutorServices(); cveDb = CveDB.getInstance(); dbProperties = cveDb.getDatabaseProperties(); From f94cf106a67ec7036d4e0b54c5da5e78ee155b66 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 25 Apr 2017 08:01:09 -0400 Subject: [PATCH 08/16] re-route invoker logs so the results can be viewed in travis --- dependency-check-maven/pom.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 905f53374..1ea2b6cd6 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -245,6 +245,8 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. maven-invoker-plugin 2.0.0 + + true 690-threadsafety/pom.xml From 68134278673a4884388c166e86426e4566d13e8e Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 26 Apr 2017 07:30:01 -0400 Subject: [PATCH 09/16] updated invoker plugin to use 2 threads --- dependency-check-maven/pom.xml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 1ea2b6cd6..e9ee1cb66 100644 --- a/dependency-check-maven/pom.xml 
+++ b/dependency-check-maven/pom.xml @@ -245,10 +245,12 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. maven-invoker-plugin 2.0.0 - - true + + + 2 690-threadsafety/pom.xml + 618-aggregator-purge/pom.xml ${project.build.directory}/it target/local-repo From 3786f6ebc7ec0e30ac6653f0457f97a3c2465336 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 26 Apr 2017 07:30:33 -0400 Subject: [PATCH 10/16] removed un-needed code from invoker build scripts --- .../617-hierarchical-cross-deps/postbuild.groovy | 11 +---------- .../it/617-hierarchical-cross-deps/prebuild.groovy | 11 ----------- .../src/it/618-aggregator-purge/postbuild.groovy | 1 + .../it/618-aggregator-update-only/postbuild.groovy | 10 +--------- .../it/618-aggregator-update-only/prebuild.groovy | 10 ---------- .../src/it/629-jackson-dataformat/postbuild.groovy | 14 ++------------ .../src/it/629-jackson-dataformat/prebuild.groovy | 11 ----------- .../src/it/690-threadsafety/postbuild.groovy | 13 +++++++------ .../src/it/690-threadsafety/prebuild.groovy | 11 ----------- 9 files changed, 12 insertions(+), 80 deletions(-) diff --git a/dependency-check-maven/src/it/617-hierarchical-cross-deps/postbuild.groovy b/dependency-check-maven/src/it/617-hierarchical-cross-deps/postbuild.groovy index 09ea6f264..007821d3e 100644 --- a/dependency-check-maven/src/it/617-hierarchical-cross-deps/postbuild.groovy +++ b/dependency-check-maven/src/it/617-hierarchical-cross-deps/postbuild.groovy 
@@ -16,13 +16,4 @@ * Copyright (c) 2014 Jeremy Long. All Rights Reserved. */ -import org.apache.commons.io.FileUtils; -import org.apache.commons.lang.StringUtils; - -// Save NVD-CVE for next IT (if not already done) -File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db"); -File datasSave = new File("target/nvd-cve-backup", "dc.h2.db"); -if (datasDwl.exists() && !datasSave.exists()){ - System.out.println("Save NVD-CVE into backup"); - FileUtils.copyFile(datasDwl, datasSave); -} +return true; \ No newline at end of file diff --git a/dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy b/dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy index c1e9eda11..9eff4bb5c 100644 --- a/dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy +++ b/dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy @@ -15,14 +15,3 @@ * * Copyright (c) 2014 Jeremy Long. All Rights Reserved. */ - -import org.apache.commons.io.FileUtils; - -// Load NVD-CVE if not exist and had been saved in a previous IT -File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db"); -File datasSave = new File("target/nvd-cve-backup", "dc.h2.db"); - -if (!datasDwl.exists() && datasSave.exists()){ - System.out.println("Load NVD-CVE from backup"); - FileUtils.copyFile(datasSave, datasDwl); -} diff --git a/dependency-check-maven/src/it/618-aggregator-purge/postbuild.groovy b/dependency-check-maven/src/it/618-aggregator-purge/postbuild.groovy index 77ed8d9d6..bf3b3246e 100644 --- a/dependency-check-maven/src/it/618-aggregator-purge/postbuild.groovy +++ b/dependency-check-maven/src/it/618-aggregator-purge/postbuild.groovy @@ -27,3 +27,4 @@ if (!StringUtils.contains(log, "Database file purged; local copy of the NVD has System.out.println("The database was not purged."); return false; } +return true; \ No newline at end of file 
diff --git a/dependency-check-maven/src/it/618-aggregator-update-only/postbuild.groovy b/dependency-check-maven/src/it/618-aggregator-update-only/postbuild.groovy index 389ddb710..a3aa62c8e 100644 --- a/dependency-check-maven/src/it/618-aggregator-update-only/postbuild.groovy +++ b/dependency-check-maven/src/it/618-aggregator-update-only/postbuild.groovy @@ -20,19 +20,11 @@ import java.nio.charset.Charset; import org.apache.commons.io.FileUtils; import org.apache.commons.lang.StringUtils; -// Save NVD-CVE for next IT (if not already done) -File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db"); -File datasSave = new File("target/nvd-cve-backup", "dc.h2.db"); -if (datasDwl.exists() && !datasSave.exists()){ - System.out.println("Save NVD-CVE into backup"); - FileUtils.copyFile(datasDwl, datasSave); -} - // Analyse number of "Checking for updates" String log = FileUtils.readFileToString(new File(basedir, "build.log"), Charset.defaultCharset().name()); int count = StringUtils.countMatches(log, "Checking for updates"); if (count > 1){ System.out.println(String.format("The update should be unique, it is %s", count)); return false; - //throw new Exception(String.format("The update should be unique, it is %s", count)); } +return true; diff --git a/dependency-check-maven/src/it/618-aggregator-update-only/prebuild.groovy b/dependency-check-maven/src/it/618-aggregator-update-only/prebuild.groovy index c1e9eda11..3071d8668 100644 --- a/dependency-check-maven/src/it/618-aggregator-update-only/prebuild.groovy +++ b/dependency-check-maven/src/it/618-aggregator-update-only/prebuild.groovy 
@@ -16,13 +16,3 @@ * Copyright (c) 2014 Jeremy Long. All Rights Reserved. */ -import org.apache.commons.io.FileUtils; - -// Load NVD-CVE if not exist and had been saved in a previous IT -File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db"); -File datasSave = new File("target/nvd-cve-backup", "dc.h2.db"); - -if (!datasDwl.exists() && datasSave.exists()){ - System.out.println("Load NVD-CVE from backup"); - FileUtils.copyFile(datasSave, datasDwl); -} diff --git a/dependency-check-maven/src/it/629-jackson-dataformat/postbuild.groovy b/dependency-check-maven/src/it/629-jackson-dataformat/postbuild.groovy index 17401a332..acb7cb3a5 100644 --- a/dependency-check-maven/src/it/629-jackson-dataformat/postbuild.groovy +++ b/dependency-check-maven/src/it/629-jackson-dataformat/postbuild.groovy @@ -19,16 +19,6 @@ import org.apache.commons.io.FileUtils; import org.apache.commons.lang.StringUtils; import java.nio.charset.Charset; - -// Save NVD-CVE for next IT (if not already done) -File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db"); -File datasSave = new File("target/nvd-cve-backup", "dc.h2.db"); -if (datasDwl.exists() && !datasSave.exists()){ - System.out.println("Save NVD-CVE into backup"); - FileUtils.copyFile(datasDwl, datasSave); -} - - // Check to see if jackson-dataformat-xml-2.4.5.jar was identified. 
@@ -36,7 +26,7 @@ if (datasDwl.exists() && !datasSave.exists()){ String log = FileUtils.readFileToString(new File(basedir, "target/dependency-check-report.xml"), Charset.defaultCharset().name()); int count = StringUtils.countMatches(log, "jackson-dataformat-xml-2.4.5.jar"); if (count == 0){ - System.out.println(String.format("The update should be unique, it is %s", count)); + System.out.println(String.format("jackson-dataformat-xml was identified %s times, expected 1", count)); return false; - //throw new Exception(String.format("The update should be unique, it is %s", count)); } +return true; diff --git a/dependency-check-maven/src/it/629-jackson-dataformat/prebuild.groovy b/dependency-check-maven/src/it/629-jackson-dataformat/prebuild.groovy index c1e9eda11..9eff4bb5c 100644 --- a/dependency-check-maven/src/it/629-jackson-dataformat/prebuild.groovy +++ b/dependency-check-maven/src/it/629-jackson-dataformat/prebuild.groovy @@ -15,14 +15,3 @@ * * Copyright (c) 2014 Jeremy Long. All Rights Reserved. */ - -import org.apache.commons.io.FileUtils; - -// Load NVD-CVE if not exist and had been saved in a previous IT -File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db"); -File datasSave = new File("target/nvd-cve-backup", "dc.h2.db"); - -if (!datasDwl.exists() && datasSave.exists()){ - System.out.println("Load NVD-CVE from backup"); - FileUtils.copyFile(datasSave, datasDwl); -} diff --git a/dependency-check-maven/src/it/690-threadsafety/postbuild.groovy b/dependency-check-maven/src/it/690-threadsafety/postbuild.groovy index 09ea6f264..8c1b639fa 100644 --- a/dependency-check-maven/src/it/690-threadsafety/postbuild.groovy +++ b/dependency-check-maven/src/it/690-threadsafety/postbuild.groovy 
@@ -16,13 +16,14 @@
 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 */
+import java.nio.charset.Charset;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang.StringUtils;
-// Save NVD-CVE for next IT (if not already done)
-File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
-File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
-if (datasDwl.exists() && !datasSave.exists()){
- System.out.println("Save NVD-CVE into backup");
- FileUtils.copyFile(datasDwl, datasSave);
+String log = FileUtils.readFileToString(new File(basedir, "build.log"), Charset.defaultCharset().name());
+int count = StringUtils.countMatches(log, "Download Started for NVD CVE - 2002");
+if (count > 1){
+ System.out.println(String.format("NVD CVE was downloaded %s times, should be 0 or 1 times", count));
+ return false;
 }
+return true;
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy b/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy
index c1e9eda11..9eff4bb5c 100644
--- a/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy
+++ b/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy
@@ -15,14 +15,3 @@
 *
 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 */
-
-import org.apache.commons.io.FileUtils;
-
-// Load NVD-CVE if not exist and had been saved in a previous IT
-File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
-File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
-
-if (!datasDwl.exists() && datasSave.exists()){
- System.out.println("Load NVD-CVE from backup");
- FileUtils.copyFile(datasSave, datasDwl);
-}
From d252d0f29f87e8e734ef76a928628256cf968d0e Mon Sep 17 00:00:00 2001
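Review bot: The new check passes when `count` is 0, so on a warm NVD cache (no `Download Started for NVD CVE - 2002` line at all) the script returns true without having exercised the duplicate-download race the 690-threadsafety IT exists to catch; only a cold cache yields a meaningful verdict. Say so above `String log = ...`, e.g. `// Every module that starts its own NVD update logs a "Download Started" line; more than one for the same year means the update ran concurrently. On a warm cache the count is 0 and this check is vacuous.` The match is also coupled to the exact wording of a log message emitted elsewhere (not visible here), so a rewording would silently turn the check into a no-op; a comment naming the emitting class would make that dependency findable.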
From: Jeremy Long Date: Wed, 26 Apr 2017 08:50:06 -0400 Subject: [PATCH 11/16] fixed threading issue --- .../org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
index fd2437d2b..7780c7a54 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
@@ -245,11 +245,12 @@ public final class CpeMemoryIndex {
 * @throws IOException is thrown if there is an issue with the underlying
 * Index
 */
-public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
+public synchronized TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
 if (searchString == null || searchString.trim().isEmpty()) {
 throw new ParseException("Query is null or empty");
 }
 LOGGER.debug(searchString);
+ resetFieldAnalyzer();
 final Query query = queryParser.parse(searchString);
 return search(query, maxQueryResults);
 }
@@ -263,7 +264,7 @@ public final class CpeMemoryIndex {
 * @throws CorruptIndexException thrown if the Index is corrupt
 * @throws IOException thrown if there is an IOException
 */
-public TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException {
+public synchronized TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException {
 resetFieldAnalyzer();
 return indexSearcher.search(query, maxQueryResults);
 }
From 1371dacdaa3fb6822d5ba429b13a9a022662a77a Mon Sep 17 00:00:00 2001
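Review bot: Both `search` overloads become `synchronized`, but their Javadoc (which begins above each hunk) says nothing about the lock or why it is needed, and nothing in the hunk shows what `resetFieldAnalyzer()` mutates, so the next maintainer cannot tell whether the monitor can be dropped. Add a sentence to each method comment such as `Synchronized because resetFieldAnalyzer() updates analyzer state shared by every caller of this index; concurrent searches must be serialized.` (confirm that this is the shared state in question). The `String` overload now calls `resetFieldAnalyzer()` before `queryParser.parse` and then delegates to the `Query` overload, which calls it again; if the first call is required so that parsing sees the reset analyzer, a one-line comment saying so will keep it from being removed as a duplicate. This also serializes every CPE lookup across the parallel Maven build this series is enabling, trading throughput for correctness; a per-call analyzer or a read/write lock would avoid that, but lies outside this hunk.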
From: Jeremy Long Date: Wed, 26 Apr 2017 08:50:39 -0400 Subject: [PATCH 12/16] expanded test case to identify/fix threading issue --- .../src/it/690-threadsafety/first-a/pom.xml | 35 +++++++++++++++++++ .../src/it/690-threadsafety/first-b/pom.xml | 35 +++++++++++++++++++ .../src/it/690-threadsafety/fourth-a/pom.xml | 35 +++++++++++++++++++ .../fourth-a/src/main/webapp/WEB-INF/web.xml | 26 ++++++++++++++ .../src/it/690-threadsafety/fourth-b/pom.xml | 35 +++++++++++++++++++ .../fourth-b/src/main/webapp/WEB-INF/web.xml | 26 ++++++++++++++ .../it/690-threadsafety/invoker.properties | 2 +- .../src/it/690-threadsafety/pom.xml | 8 +++++ .../src/it/690-threadsafety/second-a/pom.xml | 35 +++++++++++++++++++ .../second-a/src/main/webapp/WEB-INF/web.xml | 26 ++++++++++++++ .../src/it/690-threadsafety/second-b/pom.xml | 35 +++++++++++++++++++ .../second-b/src/main/webapp/WEB-INF/web.xml | 26 ++++++++++++++ .../src/it/690-threadsafety/third-a/pom.xml | 35 +++++++++++++++++++ .../third-a/src/main/webapp/WEB-INF/web.xml | 26 ++++++++++++++ .../src/it/690-threadsafety/third-b/pom.xml | 35 +++++++++++++++++++ .../third-b/src/main/webapp/WEB-INF/web.xml | 26 ++++++++++++++ 16 files changed, 445 insertions(+), 1 deletion(-) create mode 100644 dependency-check-maven/src/it/690-threadsafety/first-a/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/first-b/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/fourth-a/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/fourth-a/src/main/webapp/WEB-INF/web.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/fourth-b/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/fourth-b/src/main/webapp/WEB-INF/web.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/second-a/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/second-a/src/main/webapp/WEB-INF/web.xml create mode 100644 
dependency-check-maven/src/it/690-threadsafety/second-b/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/second-b/src/main/webapp/WEB-INF/web.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/third-a/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/third-a/src/main/webapp/WEB-INF/web.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/third-b/pom.xml create mode 100644 dependency-check-maven/src/it/690-threadsafety/third-b/src/main/webapp/WEB-INF/web.xml diff --git a/dependency-check-maven/src/it/690-threadsafety/first-a/pom.xml b/dependency-check-maven/src/it/690-threadsafety/first-a/pom.xml new file mode 100644 index 000000000..8e32ab8a6 --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/first-a/pom.xml @@ -0,0 +1,35 @@ + + + + 4.0.0 + + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + + first-a + jar + + + log4j + log4j + 1.2.17 + + + diff --git a/dependency-check-maven/src/it/690-threadsafety/first-b/pom.xml b/dependency-check-maven/src/it/690-threadsafety/first-b/pom.xml new file mode 100644 index 000000000..a5243f958 --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/first-b/pom.xml @@ -0,0 +1,35 @@ + + + + 4.0.0 + + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + + first-b + jar + + + log4j + log4j + 1.2.17 + + + diff --git a/dependency-check-maven/src/it/690-threadsafety/fourth-a/pom.xml b/dependency-check-maven/src/it/690-threadsafety/fourth-a/pom.xml new file mode 100644 index 000000000..1320efbf5 --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/fourth-a/pom.xml @@ -0,0 +1,35 @@ + + + + 4.0.0 + + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + + fourth-a + jar + + + log4j + log4j + 1.2.17 + + + \ No newline at end of file 
diff --git a/dependency-check-maven/src/it/690-threadsafety/fourth-a/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/fourth-a/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 000000000..65c96051c --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/fourth-a/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,26 @@ + + + + test-app + + index.html + + + diff --git a/dependency-check-maven/src/it/690-threadsafety/fourth-b/pom.xml b/dependency-check-maven/src/it/690-threadsafety/fourth-b/pom.xml new file mode 100644 index 000000000..c45db6287 --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/fourth-b/pom.xml @@ -0,0 +1,35 @@ + + + + 4.0.0 + + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + + fourth-b + jar + + + log4j + log4j + 1.2.17 + + + \ No newline at end of file diff --git a/dependency-check-maven/src/it/690-threadsafety/fourth-b/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/fourth-b/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 000000000..65c96051c --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/fourth-b/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,26 @@ + + + + test-app + + index.html + + + diff --git a/dependency-check-maven/src/it/690-threadsafety/invoker.properties b/dependency-check-maven/src/it/690-threadsafety/invoker.properties index 75f5eb6d8..c96f2c736 100644 --- a/dependency-check-maven/src/it/690-threadsafety/invoker.properties +++ b/dependency-check-maven/src/it/690-threadsafety/invoker.properties @@ -16,4 +16,4 @@ # Copyright (c) 2014 Jeremy Long. All Rights Reserved. # -invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -e -T 4 +invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -e -T 8 
diff --git a/dependency-check-maven/src/it/690-threadsafety/pom.xml b/dependency-check-maven/src/it/690-threadsafety/pom.xml index 9872389f0..1fbe16021 100644 --- a/dependency-check-maven/src/it/690-threadsafety/pom.xml +++ b/dependency-check-maven/src/it/690-threadsafety/pom.xml @@ -27,5 +27,13 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. second third fourth + first-a + second-a + third-a + fourth-a + first-b + second-b + third-b + fourth-b \ No newline at end of file diff --git a/dependency-check-maven/src/it/690-threadsafety/second-a/pom.xml b/dependency-check-maven/src/it/690-threadsafety/second-a/pom.xml new file mode 100644 index 000000000..ddd40f9ae --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/second-a/pom.xml @@ -0,0 +1,35 @@ + + + + 4.0.0 + + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + + second-a + jar + + + log4j + log4j + 1.2.17 + + + \ No newline at end of file diff --git a/dependency-check-maven/src/it/690-threadsafety/second-a/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/second-a/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 000000000..65c96051c --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/second-a/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,26 @@ + + + + test-app + + index.html + + + diff --git a/dependency-check-maven/src/it/690-threadsafety/second-b/pom.xml b/dependency-check-maven/src/it/690-threadsafety/second-b/pom.xml new file mode 100644 index 000000000..b5398f613 --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/second-b/pom.xml @@ -0,0 +1,35 @@ + + + + 4.0.0 + + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + + second-b + jar + + + log4j + log4j + 1.2.17 + + + \ No newline at end of file 
diff --git a/dependency-check-maven/src/it/690-threadsafety/second-b/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/second-b/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 000000000..65c96051c --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/second-b/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,26 @@ + + + + test-app + + index.html + + + diff --git a/dependency-check-maven/src/it/690-threadsafety/third-a/pom.xml b/dependency-check-maven/src/it/690-threadsafety/third-a/pom.xml new file mode 100644 index 000000000..6470df160 --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/third-a/pom.xml @@ -0,0 +1,35 @@ + + + + 4.0.0 + + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + + third-a + jar + + + log4j + log4j + 1.2.17 + + + \ No newline at end of file diff --git a/dependency-check-maven/src/it/690-threadsafety/third-a/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/third-a/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 000000000..65c96051c --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/third-a/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,26 @@ + + + + test-app + + index.html + + + diff --git a/dependency-check-maven/src/it/690-threadsafety/third-b/pom.xml b/dependency-check-maven/src/it/690-threadsafety/third-b/pom.xml new file mode 100644 index 000000000..2c589607c --- /dev/null +++ b/dependency-check-maven/src/it/690-threadsafety/third-b/pom.xml @@ -0,0 +1,35 @@ + + + + 4.0.0 + + org.owasp.test + threaded-parent + 1.0.0-SNAPSHOT + + third-b + jar + + + log4j + log4j + 1.2.17 + + + \ No newline at end of file diff --git a/dependency-check-maven/src/it/690-threadsafety/third-b/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/third-b/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 000000000..65c96051c --- /dev/null 
+++ b/dependency-check-maven/src/it/690-threadsafety/third-b/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,26 @@ + + + + test-app + + index.html + + +
From 116ef264e1defe069141e9085959f8a3de24731a Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 26 Apr 2017 08:59:53 -0400 Subject: [PATCH 13/16] updated failing test case to expect the correct exception --- .../owasp/dependencycheck/data/central/CentralSearchTest.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
index a3710f2f3..a23f4e866 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
@@ -8,7 +8,7 @@ import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import java.io.FileNotFoundException;
+import java.io.IOException;
 import java.net.URL;
 import java.util.List;
@@ -50,7 +50,7 @@ public class CentralSearchTest extends BaseTest {
 // This test does generate network traffic and communicates with a host
 // you may not be able to reach. Remove the @Ignore annotation if you want to
 // test it anyway
-@Test(expected = FileNotFoundException.class)
+@Test(expected = IOException.class)
 public void testMissingSha1() throws Exception {
 searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
 }
From c0f41c461b5fca37e48bb4f9937d5a0fb4fa6225 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 29 Apr 2017 09:32:58 -0400 Subject: [PATCH 14/16] reverted the threadsafe flag as the plugin is not threadsafe --- .../main/java/org/owasp/dependencycheck/maven/CheckMojo.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
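Review bot: Widening the expectation to `@Test(expected = IOException.class)` makes `testMissingSha1` pass on any I/O failure — unreachable host, timeout, TLS error — not only on the not-found response the test name promises, and the comment directly above already warns that the host may be unreachable, so the test can go green for the wrong reason. If `searchSha1` reports the missing artifact as a plain `IOException`, distinguish that case in the test: wrap the call in try/catch and assert on the exception message, or on a more specific subtype if the implementation exposes one (not visible here), rather than relying on `expected`. The import swap in the first hunk follows from the same decision and would change with it.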
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java
index 3571a60b4..b566cc306 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java
@@ -40,7 +40,7 @@ import org.owasp.dependencycheck.utils.Settings;
 @Mojo(
 name = "check",
 defaultPhase = LifecyclePhase.VERIFY,
- threadSafe = true,
+ threadSafe = false,
 requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
 requiresOnline = true
 )
From 4543835a0d25092d492b4b2528eb3a70e8008897 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 29 Apr 2017 09:33:52 -0400 Subject: [PATCH 15/16] reset threadcount to zero as the plugin is not yet threadsafe --- .../src/it/690-threadsafety/invoker.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dependency-check-maven/src/it/690-threadsafety/invoker.properties b/dependency-check-maven/src/it/690-threadsafety/invoker.properties
index c96f2c736..697b15bf3 100644
--- a/dependency-check-maven/src/it/690-threadsafety/invoker.properties
+++ b/dependency-check-maven/src/it/690-threadsafety/invoker.properties
@@ -16,4 +16,4 @@
 # Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 #
-invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -e -T 8
+invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -X -T 1
From d2a8645dd4bb9eb227d341f8089ce1a0581925e5 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 29 Apr 2017 09:39:30 -0400 Subject: [PATCH 16/16] expanded test cases to include additional dependencies --- .../src/it/690-threadsafety/first-a/pom.xml | 35 +++++++++++++++++++ .../src/it/690-threadsafety/first/pom.xml | 35 +++++++++++++++++++ 2 files changed, 70 insertions(+)
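Review bot: With `-T 1` the 690-threadsafety IT runs its modules serially, so the duplicate `Download Started for NVD CVE - 2002` check in its postbuild.groovy can no longer fail for the race it was written to detect; the IT still runs but is effectively disabled as a concurrency test. Record that beside the goal line so the directory is not mistaken for coverage, e.g. `# -T 1 until the plugin is declared threadSafe: the duplicate-download check in postbuild.groovy cannot trigger single-threaded`. `-e` is also replaced by `-X`; Maven's debug mode implies the error traces `-e` gave, so nothing is lost there, but debug output makes build.log far larger and postbuild.groovy reads the whole file into a String, so expect slower IT runs.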
diff --git a/dependency-check-maven/src/it/690-threadsafety/first-a/pom.xml b/dependency-check-maven/src/it/690-threadsafety/first-a/pom.xml index 8e32ab8a6..09edb1412 100644 --- a/dependency-check-maven/src/it/690-threadsafety/first-a/pom.xml +++ b/dependency-check-maven/src/it/690-threadsafety/first-a/pom.xml @@ -31,5 +31,40 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. log4j 1.2.17 + + org.apache.tomcat.embed + tomcat-embed-core + 8.5.11 + + + org.springframework.boot + spring-boot-starter-data-jpa + 1.5.2.RELEASE + + + org.apache.james + apache-mime4j-dom + 0.7.2 + + + org.glassfish.grizzly + grizzly-framework + 2.3.10 + + + io.jsonwebtoken + jjwt + 0.7.0 + + + com.thoughtworks.xstream + xstream + 1.4.1 + + + org.apache.commons + commons-collections4 + 4.1 + diff --git a/dependency-check-maven/src/it/690-threadsafety/first/pom.xml b/dependency-check-maven/src/it/690-threadsafety/first/pom.xml index 8cddd68e2..558d5c132 100644 --- a/dependency-check-maven/src/it/690-threadsafety/first/pom.xml +++ b/dependency-check-maven/src/it/690-threadsafety/first/pom.xml @@ -31,5 +31,40 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. log4j 1.2.17 + + org.apache.tomcat.embed + tomcat-embed-core + 8.5.11 + + + org.springframework.boot + spring-boot-starter-data-jpa + 1.5.2.RELEASE + + + org.apache.james + apache-mime4j-dom + 0.7.2 + + + org.glassfish.grizzly + grizzly-framework + 2.3.10 + + + io.jsonwebtoken + jjwt + 0.7.0 + + + com.thoughtworks.xstream + xstream + 1.4.1 + + + org.apache.commons + commons-collections4 + 4.1 +