Merge branch 'master' of https://github.com/stevespringett/DependencyCheck into stevespringett-master

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java

@@ -0,0 +1,73 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2017 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nsp;
+
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import javax.json.Json;
+import javax.json.JsonObject;
+import javax.json.JsonObjectBuilder;
+import javax.json.JsonReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.util.List;
+
+public class NspSearchTest extends BaseTest {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(NspSearchTest.class);
+    private NspSearch searcher;
+
+    @Before
+    public void setUp() throws Exception {
+        String url = Settings.getString(Settings.KEYS.ANALYZER_NSP_URL);
+        LOGGER.debug(url);
+        searcher = new NspSearch(new URL(url));
+    }
+
+    //@Test
+    //todo: this test does not work in Java 7 - UNABLE TO FIND VALID CERTIFICATION PATH TO REQUESTED TARGET
+    public void testNspSearchPositive() throws Exception {
+        InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json");
+        try (JsonReader jsonReader = Json.createReader(in)) {
+            final JsonObject packageJson = jsonReader.readObject();
+            final JsonObject sanitizedJson = SanitizePackage.sanitize(packageJson);
+            final JsonObjectBuilder builder = Json.createObjectBuilder();
+            final JsonObject nspPayload = builder.add("package", sanitizedJson).build();
+            final List<Advisory> advisories = searcher.submitPackage(nspPayload);
+            Assert.assertTrue(advisories.size() > 0);
+        }
+    }
+
+    //@Test(expected = IOException.class)
+    //todo: this test does not work in Java 7 - UNABLE TO FIND VALID CERTIFICATION PATH TO REQUESTED TARGET
+    public void testNspSearchNegative() throws Exception {
+        InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json");
+        try (JsonReader jsonReader = Json.createReader(in)) {
+            final JsonObject packageJson = jsonReader.readObject();
+            final JsonObject sanitizedJson = SanitizePackage.sanitize(packageJson);
+            searcher.submitPackage(sanitizedJson);
+        }
+    }
+
+}

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/SanitizePackageTest.java

@@ -0,0 +1,65 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2017 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nsp;
+
+import org.junit.Assert;
+import org.junit.Test;
+import javax.json.Json;
+import javax.json.JsonObject;
+import javax.json.JsonObjectBuilder;
+
+public class SanitizePackageTest {
+
+    @Test
+    public void testSanitizer() throws Exception {
+        JsonObjectBuilder builder = Json.createObjectBuilder();
+        builder
+                .add("name", "my app")
+                .add("version", "1.0.0")
+                .add("description", "my app does amazing things")
+                .add("keywords", "best, app, ever")
+                .add("homepage", "http://example.com")
+                .add("bugs", "http://example.com/bugs")
+                .add("license", "Apache-2.0")
+                .add("main", "myscript")
+                .add("dependencies", "{ \"foo\" : \"1.0.0 - 2.9999.9999\"}")
+                .add("devDependencies", "{ \"foo\" : \"1.0.0 - 2.9999.9999\"}")
+                .add("peerDependencies", "{ \"foo\" : \"1.0.0 - 2.9999.9999\"}")
+                .add("bundledDependencies", "{ \"foo\" : \"1.0.0 - 2.9999.9999\"}")
+                .add("optionalDependencies", "{ \"foo\" : \"1.0.0 - 2.9999.9999\"}");
+
+        JsonObject packageJson = builder.build();
+        JsonObject sanitized = SanitizePackage.sanitize(packageJson);
+
+        Assert.assertTrue(sanitized.containsKey("name"));
+        Assert.assertTrue(sanitized.containsKey("version"));
+        Assert.assertTrue(sanitized.containsKey("dependencies"));
+        Assert.assertTrue(sanitized.containsKey("devDependencies"));
+        Assert.assertTrue(sanitized.containsKey("peerDependencies"));
+        Assert.assertTrue(sanitized.containsKey("bundledDependencies"));
+        Assert.assertTrue(sanitized.containsKey("optionalDependencies"));
+
+        Assert.assertFalse(sanitized.containsKey("description"));
+        Assert.assertFalse(sanitized.containsKey("keywords"));
+        Assert.assertFalse(sanitized.containsKey("homepage"));
+        Assert.assertFalse(sanitized.containsKey("bugs"));
+        Assert.assertFalse(sanitized.containsKey("license"));
+        Assert.assertFalse(sanitized.containsKey("main"));
+    }
+
+}

dependency-check-core/src/test/resources/dependencycheck.properties

@@ -73,6 +73,9 @@ analyzer.nexus.proxy=true
 analyzer.central.enabled=true
 analyzer.central.url=https://search.maven.org/solrsearch/select
 
+# the URL for searching api.nodesecurity.io
+analyzer.nsp.url=https://api.nodesecurity.io/check
+
 # the number of nested archives that will be searched.
 archive.scan.depth=3
 
@@ -84,6 +87,7 @@ analyzer.experimental.enabled=true
 analyzer.jar.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true
+analyzer.nsp.package.enabled=true
 analyzer.composer.lock.enabled=true
 analyzer.python.distribution.enabled=true
 analyzer.python.package.enabled=true

dependency-check-core/src/test/resources/nsp/package.json

@@ -0,0 +1,59 @@
+{
+  "name": "owasp-nodejs-goat",
+  "private": true,
+  "version": "1.3.0",
+  "description": "A tool to learn OWASP Top 10 for node.js developers",
+  "main": "server.js",
+  "dependencies": {
+    "bcrypt-nodejs": "0.0.3",
+    "body-parser": "^1.15.1",
+    "consolidate": "^0.14.1",
+    "csurf": "^1.8.3",
+    "dont-sniff-mimetype": "^1.0.0",
+    "express": "^4.13.4",
+    "express-session": "^1.13.0",
+    "forever": "^0.15.1",
+    "helmet": "^2.0.0",
+    "marked": "0.3.5",
+    "mongodb": "^2.1.18",
+    "serve-favicon": "^2.3.0",
+    "swig": "^1.4.2",
+    "underscore": "^1.8.3"
+  },
+  "comments": {
+    "//": "do not upgrade the marked package version it is set by purpose",
+    "//": "to be a vulnerable package to demonstrate an xss introduced through",
+    "//": "a9 insecure components"
+  },
+  "engines": {
+    "node": "4.4.x",
+    "npm": "2.15.x"
+  },
+  "scripts": {
+    "start": "node server.js",
+    "test": "node node_modules/grunt-cli/bin/grunt test",
+    "db:seed": "grunt db-reset",
+    "precommit": "grunt precommit"
+  },
+  "devDependencies": {
+    "async": "^2.0.0-rc.4",
+    "grunt": "^1.0.1",
+    "grunt-cli": "^1.2.0",
+    "grunt-concurrent": "^2.3.0",
+    "grunt-contrib-jshint": "^1.0.0",
+    "grunt-contrib-watch": "^1.0.0",
+    "grunt-env": "latest",
+    "grunt-jsbeautifier": "^0.2.12",
+    "grunt-mocha-test": "^0.12.7",
+    "grunt-nodemon": "^0.4.2",
+    "grunt-if": "https://github.com/binarymist/grunt-if/tarball/master",
+    "grunt-npm-install": "^0.3.0",
+    "grunt-retire": "^0.3.12",
+    "mocha": "^2.4.5",
+    "selenium-webdriver": "^2.53.2",
+    "should": "^8.3.1",
+    "zaproxy": "^0.2.0"
+  },
+  "repository": "https://github.com/OWASP/NodejsGoat",
+  "license": "Apache 2.0"
+}