From 8127dc2620008bc6c39b620dd0a7ac71ece257f4 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 7 Jul 2015 15:51:33 -0400 Subject: [PATCH 1/8] OpenSSL: Initial skeleton of OpenSSLAnalyzer and unit test suite. Fixed package imports in PythonPackageAnalyzerTest.java Former-commit-id: b27fa07cde451c0a19e5ce3f2d46701f02dda47e --- .../analyzer/OpenSSLAnalyzer.java | 150 ++++++++++++++++++ .../analyzer/OpenSSLAnalyzerTest.java | 96 +++++++++++ .../analyzer/PythonPackageAnalyzerTest.java | 13 +- 3 files changed, 252 insertions(+), 7 deletions(-) create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java new file mode 100644 index 000000000..d05b57e80 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java 
@@ -0,0 +1,150 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.apache.commons.io.FileUtils; +import org.apache.commons.io.filefilter.NameFileFilter; +import org.apache.commons.io.filefilter.SuffixFileFilter; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.EvidenceCollection; +import org.owasp.dependencycheck.utils.Settings; +import org.owasp.dependencycheck.utils.UrlStringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.File; +import java.io.FileFilter; +import java.io.IOException; +import java.net.MalformedURLException; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; +import java.util.Set; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +/** + * Used to analyze OpenSSL source code present in the file system. + * + * @author Dale Visser + */ +public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { + + /** + * Used when compiling file scanning regex patterns. 
+ */ + private static final int REGEX_OPTIONS = Pattern.DOTALL + | Pattern.CASE_INSENSITIVE; + + /** + * The logger. + */ + private static final Logger LOGGER = LoggerFactory + .getLogger(OpenSSLAnalyzer.class); + + /** + * Filename extensions for files to be analyzed. + */ + private static final Set EXTENSIONS = Collections + .unmodifiableSet(Collections.singleton("h")); + + /** + * Filter that detects files named "__init__.py". + */ + private static final FileFilter OPENSSLV_FILTER = new NameFileFilter("opensslv.h"); + + /** + * Returns the name of the Python Package Analyzer. + * + * @return the name of the analyzer + */ + @Override + public String getName() { + return "OpenSSL Source Analyzer"; + } + + /** + * Tell that we are used for information collection. + * + * @return INFORMATION_COLLECTION + */ + @Override + public AnalysisPhase getAnalysisPhase() { + return AnalysisPhase.INFORMATION_COLLECTION; + } + + /** + * Returns the set of supported file extensions. + * + * @return the set of supported file extensions + */ + @Override + protected Set getSupportedExtensions() { + return EXTENSIONS; + } + + /** + * No-op initializer implementation. + * + * @throws Exception never thrown + */ + @Override + protected void initializeFileTypeAnalyzer() throws Exception { + // Nothing to do here. + } + + /** + * Analyzes python packages and adds evidence to the dependency. 
+ * + * @param dependency the dependency being analyzed + * @param engine the engine being used to perform the scan + * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency + */ + @Override + protected void analyzeFileType(Dependency dependency, Engine engine) + throws AnalysisException { + final File file = dependency.getActualFile(); + final File parent = file.getParentFile(); + final String parentName = parent.getName(); + boolean found = false; +// if (INIT_PY_FILTER.accept(file)) { +// for (final File sourcefile : parent.listFiles(PY_FILTER)) { +// found |= analyzeFileContents(dependency, sourcefile); +// } +// } + if (found) { + dependency.setDisplayFileName(parentName + "/__init__.py"); + dependency.getProductEvidence().addEvidence(file.getName(), + "PackageName", parentName, Confidence.MEDIUM); + } else { + // copy, alter and set in case some other thread is iterating over + final List deps = new ArrayList( + engine.getDependencies()); + deps.remove(dependency); + engine.setDependencies(deps); + } + } + + @Override + protected String getAnalyzerEnabledSettingKey() { + return "fixme"; + } +} \ No newline at end of file diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java new file mode 100644 index 000000000..839bbee8a --- /dev/null +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java 
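Review bot: The Javadoc in this new class is copied from PythonPackageAnalyzer and now misdescribes the code: `OPENSSLV_FILTER` is documented as "Filter that detects files named \"__init__.py\"", `getName()` as "Returns the name of the Python Package Analyzer" and `analyzeFileType` as "Analyzes python packages", so each should name the OpenSSL header instead, e.g. `/** Filter that detects files named "opensslv.h". */`. With the matching loop commented out, `found` is hard-wired to false, so as committed the else branch removes every `.h` dependency from the engine, and `getAnalyzerEnabledSettingKey()` returning `"fixme"` leaves the analyzer's enable/disable state undefined until a real Settings key exists; both are presumably placeholders, but a `// TODO` on each line would make that explicit to anyone bisecting through this commit. The `if (found)` branch still sets the display name to `parentName + "/__init__.py"`, which is wrong for this analyzer even as a stub.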
@@ -0,0 +1,96 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.apache.commons.lang.StringUtils; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.owasp.dependencycheck.BaseTest; + +import java.util.Arrays; +import java.util.HashSet; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; + +/** + * Unit tests for OpenSSLAnalyzerAnalyzer. + * + * @author Dale Visser + */ +public class OpenSSLAnalyzerTest extends BaseTest { + + /** + * The package analyzer to test. + */ + OpenSSLAnalyzer analyzer; + + /** + * Setup the PtyhonPackageAnalyzer. + * + * @throws Exception if there is a problem + */ + @Before + public void setUp() throws Exception { + analyzer = new OpenSSLAnalyzer(); + analyzer.setFilesMatched(true); + analyzer.initialize(); + } + + /** + * Cleanup any resources used. + * + * @throws Exception if there is a problem + */ + @After + public void tearDown() throws Exception { + analyzer.close(); + analyzer = null; + } + + /** + * Test of getName method, of class OpenSSLAnalyzer. 
+ */ + @Test + public void testGetName() { + assertEquals("Analyzer name wrong.", "OpenSSL Source Analyzer", + analyzer.getName()); + } + + /** + * Test of getSupportedExtensions method, of class OpenSSLAnalyzer. + */ + @Test + public void testGetSupportedExtensions() { + final String[] expected = {"h"}; + assertEquals("Supported extensions should just have the following: " + + StringUtils.join(expected, ", "), + new HashSet(Arrays.asList(expected)), + analyzer.getSupportedExtensions()); + } + + /** + * Test of supportsExtension method, of class PythonPackageAnalyzer. + */ + @Test + public void testSupportsExtension() { + assertTrue("Should support \"h\" extension.", + analyzer.supportsExtension("h")); + } +} diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java index 0b13dd153..d77a8380c 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java @@ -17,15 +17,8 @@ */ package org.owasp.dependencycheck.analyzer; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; - -import java.util.Arrays; -import java.util.HashSet; - import org.apache.commons.lang.StringUtils; import org.junit.After; -import static org.junit.Assert.assertTrue; import org.junit.Before; import org.junit.Test; import org.owasp.dependencycheck.BaseTest; @@ -33,6 +26,12 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Evidence; +import java.util.Arrays; +import java.util.HashSet; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; + /** * Unit tests for PythonPackageAnalyzer. * 
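Review bot: The test-class Javadoc is stale copy/paste: "Unit tests for OpenSSLAnalyzerAnalyzer", "Setup the PtyhonPackageAnalyzer" and `testSupportsExtension`'s "of class PythonPackageAnalyzer" should read `Unit tests for OpenSSLAnalyzer.`, `Setup the OpenSSLAnalyzer.` and `Test of supportsExtension method, of class OpenSSLAnalyzer.` respectively. The suite only checks the name and extension plumbing, so nothing exercises `analyzeFileType`; that is reasonable for a skeleton, but a `// TODO: add header-parsing test` would keep the gap visible.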
From ad0b6c28baf2cea622a06a8e4c7d53b78f35381c Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 7 Jul 2015 16:48:38 -0400 Subject: [PATCH 2/8] Added long hexadecimal to version string conversion function, and passing unit test. Former-commit-id: 846e2a3c07016974c396770397304875fd36b7f6 --- .../analyzer/OpenSSLAnalyzer.java | 31 ++++++++++++++----- .../analyzer/OpenSSLAnalyzerTest.java | 24 ++++++++++++++ 2 files changed, 47 insertions(+), 8 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java index d05b57e80..38438aa08 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java @@ -17,28 +17,20 @@ */ package org.owasp.dependencycheck.analyzer; -import org.apache.commons.io.FileUtils; import org.apache.commons.io.filefilter.NameFileFilter; -import org.apache.commons.io.filefilter.SuffixFileFilter; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.dependency.EvidenceCollection; -import org.owasp.dependencycheck.utils.Settings; -import org.owasp.dependencycheck.utils.UrlStringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.io.File; import java.io.FileFilter; -import java.io.IOException; -import java.net.MalformedURLException; import java.util.ArrayList; import java.util.Collections; import java.util.List; import java.util.Set; -import java.util.regex.Matcher; import java.util.regex.Pattern; /** 
@@ -71,6 +63,29 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { */ private static final FileFilter OPENSSLV_FILTER = new NameFileFilter("opensslv.h"); + private static final int MAJOR_OFFSET = 28; + private static final long MINOR_MASK = 0x0ff00000L; + private static final int MINOR_OFFSET = 20; + private static final long FIX_MASK = 0x000ff000L; + private static final int FIX_OFFSET = 12; + private static final long PATCH_MASK = 0x00000ff0L; + private static final int PATCH_OFFSET = 4; + private static final int NUM_LETTERS = 26; + private static final int STATUS_MASK = 0x0000000f; + + static String getOpenSSLVersion(long openSSLVersionConstant) { + long major = openSSLVersionConstant >>> MAJOR_OFFSET; + long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET; + long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET; + long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET; + String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" : + String.valueOf((char) (patchLevel + 'a' - 1)); + int statusCode = (int) (openSSLVersionConstant & STATUS_MASK); + String status = 0xf == statusCode ? "" : + (0 == statusCode ? "-dev" : "-beta" + statusCode); + return String.format("%d.%d.%d%s%s", major, minor, fix, patch, status); + } + /** * Returns the name of the Python Package Analyzer. * diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java index 839bbee8a..1464e8658 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java 
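Review bot: `getOpenSSLVersion` silently drops the patch letter whenever the patch field exceeds 26, so the 0.9.5-series encoding that OpenSSL's own opensslv.h comment describes (patch level with its high bit set, 0.9.5a = `0x0090581f`) decodes to `0.9.5` instead of `0.9.5a`, and such a library would be matched against the wrong version in the vulnerability database. If that series matters to the scan, mask the flag bit for it before the letter is computed, `if (major == 0 && minor == 9 && fix == 5) { patchLevel &= 0x7f; }`, and state in the Javadoc that pre-0.9.3 constants (the `MMNNFFRBB` scheme) are not decoded. The method is package-private with no Javadoc at all; a one-line summary with `@param openSSLVersionConstant the MNNFFPPS value of OPENSSL_VERSION_NUMBER` and `@return the dotted version string, e.g. "1.0.2c"` would make the bit layout discoverable without reading the masks. `major` is taken by an unmasked `>>> 28` of the whole long, which is only correct while callers pass at most 32 significant bits, so a `MAJOR_MASK` alongside the other mask constants would make that assumption explicit.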
@@ -93,4 +93,28 @@ public class OpenSSLAnalyzerTest extends BaseTest { assertTrue("Should support \"h\" extension.", analyzer.supportsExtension("h")); } + + @Test + public void testVersionConstantExamples() { + final long[] constants = {0x1000203fL + , 0x00903000 + , 0x00903001 + , 0x00903002l + , 0x0090300f + , 0x0090301f + , 0x0090400f + , 0x102031af}; + final String[] versions = {"1.0.2c", + "0.9.3-dev", + "0.9.3-beta1", + "0.9.3-beta2", + "0.9.3", + "0.9.3a", + "0.9.4", + "1.2.3z"}; + assertEquals(constants.length, versions.length); + for (int i = 0; i < constants.length; i++) { + assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i])); + } + } } From c214b704599cd200a2280c26b128cf5fcfd9079a Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 7 Jul 2015 17:37:31 -0400 Subject: [PATCH 3/8] OpenSSL: Analyzer unit test passes. Former-commit-id: 06d36762375a5fc55bc7f30a7857713ce332fceb --- .../analyzer/OpenSSLAnalyzer.java | 64 ++++++++---- .../analyzer/OpenSSLAnalyzerTest.java | 17 +++- .../src/test/resources/openssl/opensslv.h | 97 +++++++++++++++++++ 3 files changed, 158 insertions(+), 20 deletions(-) create mode 100644 dependency-check-core/src/test/resources/openssl/opensslv.h diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java index 38438aa08..b2333ddd6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java @@ -17,6 +17,7 @@ */ package org.owasp.dependencycheck.analyzer; +import org.apache.commons.io.FileUtils; import org.apache.commons.io.filefilter.NameFileFilter; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; 
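Review bot: `0x00903002l` uses a lowercase `l` suffix, which is easily read as the digit 1; the same array uses `0x1000203fL`, so `0x00903002L` keeps the literals consistent. The table covers the examples from the header comment but not the one case the header flags as special, the 0.9.5 series with the high patch bit set (`0x0090581f`, expected `"0.9.5a"`), so adding that pair would pin down whether the decoder is meant to handle it. `assertEquals(constants.length, versions.length)` is a good guard for the parallel arrays, but it would fail more readably with a message, e.g. `assertEquals("constants/versions tables out of sync", constants.length, versions.length)`.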
@@ -27,10 +28,12 @@ import org.slf4j.LoggerFactory; import java.io.File; import java.io.FileFilter; +import java.io.IOException; import java.util.ArrayList; import java.util.Collections; import java.util.List; import java.util.Set; +import java.util.regex.Matcher; import java.util.regex.Pattern; /** @@ -40,29 +43,32 @@ import java.util.regex.Pattern; */ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { + private static final int HEXADECIMAL = 16; + /** + * Filename to analyze. All other .h files get removed from consideration. + */ + private static final String OPENSSLV_H = "opensslv.h"; /** * Used when compiling file scanning regex patterns. */ private static final int REGEX_OPTIONS = Pattern.DOTALL | Pattern.CASE_INSENSITIVE; - /** * The logger. */ private static final Logger LOGGER = LoggerFactory .getLogger(OpenSSLAnalyzer.class); - /** * Filename extensions for files to be analyzed. */ private static final Set EXTENSIONS = Collections .unmodifiableSet(Collections.singleton("h")); - /** * Filter that detects files named "__init__.py". */ - private static final FileFilter OPENSSLV_FILTER = new NameFileFilter("opensslv.h"); - + private static final FileFilter OPENSSLV_FILTER = new NameFileFilter(OPENSSLV_H); + private static final Pattern VERSION_PATTERN = Pattern.compile( + "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", REGEX_OPTIONS); private static final int MAJOR_OFFSET = 28; private static final long MINOR_MASK = 0x0ff00000L; private static final int MINOR_OFFSET = 20; 
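Review bot: `VERSION_PATTERN` captures `[0-9a-zA-Z]{8}`, which admits non-hex letters, so a header containing `0x1000203gL` matches and the `Long.parseLong(..., 16)` that consumes the group throws an unchecked `NumberFormatException` out of the analyzer instead of a reportable `AnalysisException`; since the pattern is already compiled with `CASE_INSENSITIVE`, `"define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-f]{8})L"` limits matches to what the parser accepts. `DOTALL` has no effect because the pattern contains no `.`, and `define` is unanchored, so it would also match the macro name if it ever appears in prose in a comment; `#\\s*define` (or `^\\s*#\\s*define` with `MULTILINE`) pins it to a real preprocessor line. The Javadoc on `OPENSSLV_FILTER` still says `__init__.py` and should read `Filter that detects files named "opensslv.h".`, and the new `OPENSSLV_H` constant could carry the same note so the two stay together.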
@@ -140,24 +146,46 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { final File parent = file.getParentFile(); final String parentName = parent.getName(); boolean found = false; -// if (INIT_PY_FILTER.accept(file)) { -// for (final File sourcefile : parent.listFiles(PY_FILTER)) { -// found |= analyzeFileContents(dependency, sourcefile); -// } -// } + if (OPENSSLV_FILTER.accept(file)) { + final String contents = getFileContents(file); + if (!contents.isEmpty()) { + final Matcher matcher = VERSION_PATTERN.matcher(contents); + while (matcher.find()) { + dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant", + getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH); + found = true; + } + } + } if (found) { - dependency.setDisplayFileName(parentName + "/__init__.py"); - dependency.getProductEvidence().addEvidence(file.getName(), - "PackageName", parentName, Confidence.MEDIUM); + dependency.setDisplayFileName(parentName + File.separatorChar + OPENSSLV_H); + dependency.getVendorEvidence().addEvidence(OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST); + dependency.getProductEvidence().addEvidence(OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST); } else { - // copy, alter and set in case some other thread is iterating over - final List deps = new ArrayList( - engine.getDependencies()); - deps.remove(dependency); - engine.setDependencies(deps); + engine.getDependencies().remove(dependency); } } + /** + * Retrieves the contents of a given file. 
+ * + * @param actualFile the file to read + * @return the contents of the file + * @throws AnalysisException thrown if there is an IO Exception + */ + private String getFileContents(final File actualFile) + throws AnalysisException { + String contents = ""; + try { + contents = FileUtils.readFileToString(actualFile).trim(); + } catch (IOException e) { + throw new AnalysisException( + "Problem occured while reading dependency file.", e); + } + return contents; + } + + @Override protected String getAnalyzerEnabledSettingKey() { return "fixme"; diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java index 1464e8658..d81df57a8 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java @@ -22,12 +22,14 @@ import org.junit.After; import org.junit.Before; import org.junit.Test; import org.owasp.dependencycheck.BaseTest; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Dependency; import java.util.Arrays; import java.util.HashSet; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; /** * Unit tests for OpenSSLAnalyzerAnalyzer. 
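Review bot: Replacing the copy-then-`setDependencies` removal with `engine.getDependencies().remove(dependency)` drops the safeguard the removed comment described ("in case some other thread is iterating over"); whether the direct mutation is safe depends on how `Engine` iterates its dependency list while analyzers run, which is not visible here, so it should be confirmed or the copy restored. `file.getParentFile()` can be null for a dependency supplied as a bare filename, in which case `parent.getName()` throws before any evidence is collected; `final String parentName = parent == null ? "" : parent.getName();` with a matching fallback in `setDisplayFileName` avoids that. `FileUtils.readFileToString(actualFile)` decodes with the platform default charset; `opensslv.h` is ASCII so the version line survives, but passing `"UTF-8"` makes the parse independent of the host locale. The `Long.parseLong` in the match loop should be guarded (skip the match, or wrap in `AnalysisException`) since the regex's character class admits non-hex letters.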
@@ -117,4 +119,15 @@ public class OpenSSLAnalyzerTest extends BaseTest { assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i])); } } + + @Test + public void testOpenSSLVersionHeaderFile() throws AnalysisException { + final Dependency result = new Dependency(BaseTest.getResourceAsFile( + this, + "openssl/opensslv.h")); + analyzer.analyze(result, null); + assertThat(result.getProductEvidence().toString(), containsString("OpenSSL")); + assertThat(result.getVendorEvidence().toString(), containsString("OpenSSL")); + assertThat(result.getVersionEvidence().toString(), containsString("1.0.2c")); + } } diff --git a/dependency-check-core/src/test/resources/openssl/opensslv.h b/dependency-check-core/src/test/resources/openssl/opensslv.h new file mode 100644 index 000000000..7cc19dc51 --- /dev/null +++ b/dependency-check-core/src/test/resources/openssl/opensslv.h 
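Review bot: `analyzer.analyze(result, null)` passes a null `Engine` and only works because the resource is recognised, so the not-found branch (`engine.getDependencies().remove(...)`) is never reached; a second test with a differently named `.h` resource would NPE, so either pass a real `Engine` or state the assumption with `// engine is unused on the found path`. The assertions compare `containsString` against `toString()` of each evidence collection, which presumably also matches "OpenSSL" in the source or name fields and so does not pin that `1.0.2c` was recorded as a Version evidence with HIGH confidence; iterating the evidence and checking `getValue()`/`getConfidence()` would verify what the analyzer actually added.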
@@ -0,0 +1,97 @@ +#ifndef HEADER_OPENSSLV_H +# define HEADER_OPENSSLV_H + +#ifdef __cplusplus +extern "C" { +#endif + +/*- + * Numeric release version identifier: + * MNNFFPPS: major minor fix patch status + * The status nibble has one of the values 0 for development, 1 to e for betas + * 1 to 14, and f for release. The patch level is exactly that. + * For example: + * 0.9.3-dev 0x00903000 + * 0.9.3-beta1 0x00903001 + * 0.9.3-beta2-dev 0x00903002 + * 0.9.3-beta2 0x00903002 (same as ...beta2-dev) + * 0.9.3 0x0090300f + * 0.9.3a 0x0090301f + * 0.9.4 0x0090400f + * 1.2.3z 0x102031af + * + * For continuity reasons (because 0.9.5 is already out, and is coded + * 0x00905100), between 0.9.5 and 0.9.6 the coding of the patch level + * part is slightly different, by setting the highest bit. This means + * that 0.9.5a looks like this: 0x0090581f. At 0.9.6, we can start + * with 0x0090600S... + * + * (Prior to 0.9.3-dev a different scheme was used: 0.9.2b is 0x0922.) + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +# define OPENSSL_VERSION_NUMBER 0x1000203fL +# ifdef OPENSSL_FIPS +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c-fips 12 Jun 2015" +# else +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c 12 Jun 2015" +# endif +# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT + +/*- + * The macros below are to be used for shared library (.so, .dll, ...) + * versioning. That kind of versioning works a bit differently between + * operating systems. The most usual scheme is to set a major and a minor + * number, and have the runtime loader check that the major number is equal + * to what it was at application link time, while the minor number has to + * be greater or equal to what it was at application link time. 
With this + * scheme, the version number is usually part of the file name, like this: + * + * libcrypto.so.0.9 + * + * Some unixen also make a softlink with the major verson number only: + * + * libcrypto.so.0 + * + * On Tru64 and IRIX 6.x it works a little bit differently. There, the + * shared library version is stored in the file, and is actually a series + * of versions, separated by colons. The rightmost version present in the + * library when linking an application is stored in the application to be + * matched at run time. When the application is run, a check is done to + * see if the library version stored in the application matches any of the + * versions in the version string of the library itself. + * This version string can be constructed in any way, depending on what + * kind of matching is desired. However, to implement the same scheme as + * the one used in the other unixen, all compatible versions, from lowest + * to highest, should be part of the string. Consecutive builds would + * give the following versions strings: + * + * 3.0 + * 3.0:3.1 + * 3.0:3.1:3.2 + * 4.0 + * 4.0:4.1 + * + * Notice how version 4 is completely incompatible with version, and + * therefore give the breach you can see. + * + * There may be other schemes as well that I haven't yet discovered. + * + * So, here's the way it works here: first of all, the library version + * number doesn't need at all to match the overall OpenSSL version. + * However, it's nice and more understandable if it actually does. + * The current library version is stored in the macro SHLIB_VERSION_NUMBER, + * which is just a piece of text in the format "M.m.e" (Major, minor, edit). + * For the sake of Tru64, IRIX, and any other OS that behaves in similar ways, + * we need to keep a history of version numbers, which is done in the + * macro SHLIB_VERSION_HISTORY. The numbers are separated by colons and + * should only keep the versions that are binary compatible with the current. 
+ */ +# define SHLIB_VERSION_HISTORY "" +# define SHLIB_VERSION_NUMBER "1.0.0" + + +#ifdef __cplusplus +} +#endif +#endif /* HEADER_OPENSSLV_H */ From 30087b5e79e93441034dbe33b1eaf4f87d1bf456 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 7 Jul 2015 17:48:50 -0400 Subject: [PATCH 4/8] OpenSSL: Minor code edits/refactoring. Former-commit-id: 5c0247772406b55a0e1e7219b83389a5ed0605f4 --- .../analyzer/OpenSSLAnalyzer.java | 20 ++++--------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java index b2333ddd6..a5d6ec993 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java @@ -23,15 +23,11 @@ import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import java.io.File; import java.io.FileFilter; import java.io.IOException; -import java.util.ArrayList; import java.util.Collections; -import java.util.List; import java.util.Set; import java.util.regex.Matcher; import java.util.regex.Pattern; 
@@ -48,16 +44,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { * Filename to analyze. All other .h files get removed from consideration. */ private static final String OPENSSLV_H = "opensslv.h"; - /** - * Used when compiling file scanning regex patterns. - */ - private static final int REGEX_OPTIONS = Pattern.DOTALL - | Pattern.CASE_INSENSITIVE; - /** - * The logger. - */ - private static final Logger LOGGER = LoggerFactory - .getLogger(OpenSSLAnalyzer.class); + /** * Filename extensions for files to be analyzed. */ @@ -68,7 +55,8 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { */ private static final FileFilter OPENSSLV_FILTER = new NameFileFilter(OPENSSLV_H); private static final Pattern VERSION_PATTERN = Pattern.compile( - "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", REGEX_OPTIONS); + "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL + | Pattern.CASE_INSENSITIVE); private static final int MAJOR_OFFSET = 28; private static final long MINOR_MASK = 0x0ff00000L; private static final int MINOR_OFFSET = 20; @@ -180,7 +168,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { contents = FileUtils.readFileToString(actualFile).trim(); } catch (IOException e) { throw new AnalysisException( - "Problem occured while reading dependency file.", e); + "Problem occurred while reading dependency file.", e); } return contents; } From a3ad598004dfa69574ae5b7c55948c619102ac44 Mon Sep 17 00:00:00 2001 
From: Dale Visser Date: Wed, 8 Jul 2015 14:07:17 -0400 Subject: [PATCH 5/8] OpenSSL: Untested changes to get command-line working. Former-commit-id: f81a410bba6cbc1b71cb7d5fef121eb4f52a780b --- .../java/org/owasp/dependencycheck/App.java | 10 ++++------ .../org/owasp/dependencycheck/CliParser.java | 17 +++++++++++++++++ .../src/site/markdown/arguments.md | 1 + .../analyzer/OpenSSLAnalyzer.java | 3 ++- .../org.owasp.dependencycheck.analyzer.Analyzer | 3 ++- .../owasp/dependencycheck/utils/Settings.java | 4 ++++ 6 files changed, 30 insertions(+), 8 deletions(-) diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index d068d435b..346ca8be2 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -250,9 +250,6 @@ public class App { final String suppressionFile = cli.getSuppressionFile(); final boolean jarDisabled = cli.isJarDisabled(); final boolean archiveDisabled = cli.isArchiveDisabled(); - final boolean pyDistDisabled = cli.isPythonDistributionDisabled(); - final boolean pyPkgDisabled = cli.isPythonPackageDisabled(); - final boolean autoconfDisabled = cli.isAutoconfDisabled(); final boolean assemblyDisabled = cli.isAssemblyDisabled(); final boolean nuspecDisabled = cli.isNuspecDisabled(); final boolean centralDisabled = cli.isCentralDisabled(); 
@@ -316,11 +313,12 @@ public class App { //File Type Analyzer Settings Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !jarDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !archiveDisabled); - Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !pyDistDisabled); - Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !pyPkgDisabled); - Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !autoconfDisabled); + Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !cli.isPythonDistributionDisabled()); + Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !cli.isPythonPackageDisabled()); + Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !cli.isAutoconfDisabled()); Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled); + Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled()); Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !centralDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled); diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index 313537ab3..ebf57e7dc 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java 
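Review bot: The hunk switches three flags to inline `cli.is…Disabled()` calls while `jarDisabled`, `archiveDisabled`, `nuspecDisabled` and `assemblyDisabled` keep their `final boolean` locals a few lines above, leaving the same block in two styles; either inline all of them or add `final boolean openSSLDisabled = cli.isOpenSSLDisabled();` next to the others. The `ANALYZER_OPENSSL_ENABLED` line itself is consistent with its neighbours, so the point is only uniformity within this settings block.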
@@ -339,6 +339,9 @@ public final class CliParser { .withLongOpt(ARGUMENT.DISABLE_AUTOCONF) .withDescription("Disable the Autoconf Analyzer.").create(); + final Option disableOpenSSLAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_OPENSSL) + .withDescription("Disable the OpenSSL Analyzer.").create(); + final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL) .withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable " + "the Nexus Analyzer.") @@ -385,6 +388,7 @@ public final class CliParser { .addOption(disablePythonDistributionAnalyzer) .addOption(disablePythonPackageAnalyzer) .addOption(disableAutoconfAnalyzer) + .addOption(disableOpenSSLAnalyzer) .addOption(disableNuspecAnalyzer) .addOption(disableCentralAnalyzer) .addOption(disableNexusAnalyzer) @@ -510,6 +514,15 @@ public final class CliParser { return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS); } + /** + * Returns true if the disableOpenSSL command line argument was specified. + * + * @return true if the disableOpenSSL command line argument was specified; otherwise false + */ + public boolean isOpenSSLDisabled() { + return (line != null) && line.hasOption(ARGUMENT.DISABLE_OPENSSL); + } + /** * Returns true if the disableCentral command line argument was specified. * @@ -970,6 +983,10 @@ public final class CliParser { * Disables the Nexus Analyzer. */ public static final String DISABLE_NEXUS = "disableNexus"; + /** + * Disables the OpenSSL Analyzer. + */ + public static final String DISABLE_OPENSSL = "disableOpenSSL"; /** * The URL of the nexus server. */ diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index ca2beb9b6..84e900db6 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md 
@@ -26,6 +26,7 @@ Short | Argument Name        | Paramete | \-\-disablePyDist | | Sets whether the Python Distribution Analyzer will be used. | false | \-\-disablePyPkg | | Sets whether the Python Package Analyzer will be used. | false | \-\-disableAutoconf | | Sets whether the Autoconf Analyzer will be used. | false + | \-\-disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | false | \-\-disableArchive | | Sets whether the Archive Analyzer will be used. | false | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |   | \-\-disableJar | | Sets whether the Jar Analyzer will be used. | false diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java index a5d6ec993..92420a027 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java @@ -23,6 +23,7 @@ import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.utils.Settings; import java.io.File; import java.io.FileFilter; @@ -176,6 +177,6 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer { @Override protected String getAnalyzerEnabledSettingKey() { - return "fixme"; + return Settings.KEYS.ANALYZER_OPENSSL_ENABLED; } } \ No newline at end of file diff --git a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer index 6a3bae2bf..31a22eb0f 100644 
--- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
+++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
@@ -14,4 +14,5 @@ org.owasp.dependencycheck.analyzer.NuspecAnalyzer
 org.owasp.dependencycheck.analyzer.AssemblyAnalyzer
 org.owasp.dependencycheck.analyzer.PythonDistributionAnalyzer
 org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer
-org.owasp.dependencycheck.analyzer.AutoconfAnalyzer
\ No newline at end of file
+org.owasp.dependencycheck.analyzer.AutoconfAnalyzer
+org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
\ No newline at end of file
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index 884263202..654416171 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -217,6 +217,10 @@ public final class Settings {
 * The properties key for whether the Central analyzer is enabled.
 */
 public static final String ANALYZER_CENTRAL_ENABLED = "analyzer.central.enabled";
+ /**
+ * The properties key for whether the OpenSSL analyzer is enabled.
+ */
+ public static final String ANALYZER_OPENSSL_ENABLED = "analyzer.openssl.enabled";
 /**
 * The properties key for the Central search URL.
 */
From 433c2e59162e82a2b8124a0b2e5d91d37cfca5bf Mon Sep 17 00:00:00 2001
From: Dale Visser
Date: Thu, 9 Jul 2015 16:35:04 -0400
Subject: [PATCH 6/8] OpenSSL: Updates to use FileFilter instead of file extension.
Former-commit-id: 974bc28171b5b3ac3e772c93447489e1afb797f1
---
 .../analyzer/OpenSSLAnalyzer.java | 36 +++++++------------
 .../analyzer/OpenSSLAnalyzerTest.java | 24 +++----------
 2 files changed, 18 insertions(+), 42 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
index 92420a027..2940fed57 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
@@ -18,18 +18,16 @@ package org.owasp.dependencycheck.analyzer;
 import org.apache.commons.io.FileUtils;
-import org.apache.commons.io.filefilter.NameFileFilter;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
-import java.util.Collections;
-import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -46,15 +44,10 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 */
 private static final String OPENSSLV_H = "opensslv.h";
- /**
- * Filename extensions for files to be analyzed.
- */
- private static final Set EXTENSIONS = Collections
- .unmodifiableSet(Collections.singleton("h"));
 /**
 * Filter that detects files named "__init__.py".
 */
- private static final FileFilter OPENSSLV_FILTER = new NameFileFilter(OPENSSLV_H);
+ private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build();
 private static final Pattern VERSION_PATTERN = Pattern.compile(
 "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL | Pattern.CASE_INSENSITIVE);
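Review bot: The Javadoc above the rewritten `OPENSSLV_FILTER` still reads `Filter that detects files named "__init__.py".`, which describes the Python package analyzer's filter rather than this one; it should read `Filter that detects files named "opensslv.h".` (or refer to `OPENSSLV_H`). `VERSION_PATTERN` in the same hunk carries no Javadoc at all; a line such as `Matches the OPENSSL_VERSION_NUMBER define and captures its eight-digit hex value.` would tell the next reader what group(1) holds. The class body continues outside the hunk.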
@@ -107,8 +100,8 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 * @return the set of supported file extensions
 */
 @Override
- protected Set getSupportedExtensions() {
- return EXTENSIONS;
+ protected FileFilter getFileFilter() {
+ return OPENSSLV_FILTER;
 }
 /**
@@ -132,18 +125,15 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 protected void analyzeFileType(Dependency dependency, Engine engine)
 throws AnalysisException {
 final File file = dependency.getActualFile();
- final File parent = file.getParentFile();
- final String parentName = parent.getName();
+ final String parentName = file.getParentFile().getName();
 boolean found = false;
- if (OPENSSLV_FILTER.accept(file)) {
- final String contents = getFileContents(file);
- if (!contents.isEmpty()) {
- final Matcher matcher = VERSION_PATTERN.matcher(contents);
- while (matcher.find()) {
- dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant",
- getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH);
- found = true;
- }
+ final String contents = getFileContents(file);
+ if (!contents.isEmpty()) {
+ final Matcher matcher = VERSION_PATTERN.matcher(contents);
+ if (matcher.find()) {
+ dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant",
+ getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH);
+ found = true;
 }
 }
 if (found) {
@@ -164,7 +154,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 */
 private String getFileContents(final File actualFile)
 throws AnalysisException {
- String contents = "";
+ String contents;
 try {
 contents = FileUtils.readFileToString(actualFile).trim();
 } catch (IOException e) {
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java
index d81df57a8..c5fcc289e 100644
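Review bot: The new `if (matcher.find())` branch hands `matcher.group(1)` to `Long.parseLong(..., HEXADECIMAL)`, but `VERSION_PATTERN` (declared in the previous hunk) accepts `[0-9a-zA-Z]{8}`, so a header whose version constant contains a non-hex letter throws an unchecked NumberFormatException out of analyzeFileType instead of the AnalysisException its signature advertises, unless something above catches RuntimeException. Tightening the pattern to `"define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-fA-F]{8})L"` makes the match and the parse agree; alternatively wrap the parse in a `catch (NumberFormatException e)` that logs and skips the evidence. Replacing the removed `while` with a single `if` also means only the first constant in the file is recorded, which deserves a one-line comment if intentional. `file.getParentFile()` is now dereferenced inline; that is only safe if the dependency's actual file always has a parent, which this hunk does not show. analyzeFileType continues past the end of the hunk (`if (found) {` is its last visible line).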
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java @@ -17,7 +17,6 @@ */ package org.owasp.dependencycheck.analyzer; -import org.apache.commons.lang.StringUtils; import org.junit.After; import org.junit.Before; import org.junit.Test; @@ -25,11 +24,10 @@ import org.owasp.dependencycheck.BaseTest; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Dependency; -import java.util.Arrays; -import java.util.HashSet; +import java.io.File; +import static org.hamcrest.CoreMatchers.containsString; import static org.junit.Assert.*; -import static org.hamcrest.CoreMatchers.*; /** * Unit tests for OpenSSLAnalyzerAnalyzer. @@ -75,25 +73,13 @@ public class OpenSSLAnalyzerTest extends BaseTest { analyzer.getName()); } - /** - * Test of getSupportedExtensions method, of class OpenSSLAnalyzer. - */ - @Test - public void testGetSupportedExtensions() { - final String[] expected = {"h"}; - assertEquals("Supported extensions should just have the following: " - + StringUtils.join(expected, ", "), - new HashSet(Arrays.asList(expected)), - analyzer.getSupportedExtensions()); - } - /** * Test of supportsExtension method, of class PythonPackageAnalyzer. */ @Test - public void testSupportsExtension() { - assertTrue("Should support \"h\" extension.", - analyzer.supportsExtension("h")); + public void testAccept() { + assertTrue("Should support files named \"opensslv.h\".", + analyzer.accept(new File("opensslv.h"))); } @Test From 5354137c763429ef1b944e945080d8ba7f8d3d4e Mon Sep 17 00:00:00 2001 
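Review bot: The Javadoc above the renamed `testAccept` still says `Test of supportsExtension method, of class PythonPackageAnalyzer.`, naming neither the method nor the class now under test; it should read `Test of accept method, of class OpenSSLAnalyzer.`. The class-level comment visible as context in the imports hunk, `Unit tests for OpenSSLAnalyzerAnalyzer.`, has a doubled suffix and should read `Unit tests for OpenSSLAnalyzer.`. Both are context lines, but the commit touches the code they describe, so this is the place to correct them.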
From: Dale Visser Date: Thu, 9 Jul 2015 17:11:06 -0400 Subject: [PATCH 7/8] OpenSSL: Site doc additions, including about Autoconf analyzer. Former-commit-id: 35253cfbf5cfcf04b2f3fe39f0891cd0bf1155b4 --- src/site/markdown/analyzers/index.md | 2 ++ src/site/markdown/index.md | 4 +++- src/site/site.xml | 6 ++++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index 524c75941..30dfb3a21 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md @@ -5,8 +5,10 @@ to extract identification information from the files analyzed. - [Archive Analyzer](./archive-analyzer.html) - [Assembly Analyzer](./assembly-analyzer.html) +- [Autoconf Analyzer](./autoconf-analyzer.html) - [Central Analyzer](./central-analyzer.html) - [Jar Analyzer](./jar-analyzer.html) - [Nexus Analyzer](./nexus-analyzer.html) - [Nuspec Analyzer](./nuspec-analyzer.html) +- [OpenSSL Analyzer](./openssl-analyzer.html) - [Python Analyzer](./python-analyzer.html) diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md index fa715273e..7a179cc2f 100644 --- a/src/site/markdown/index.md +++ b/src/site/markdown/index.md @@ -4,7 +4,9 @@ OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry: [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities). Dependency-check can currently be used to scan Java, .NET, and Python applications (and their dependent libraries) to identify known vulnerable -components. +components. In addition, Dependency-check can be used to scan some source +code, including OpenSSL source code and source code for projects that use +Autoconf. The problem with using known vulnerable components was covered in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of 
diff --git a/src/site/site.xml b/src/site/site.xml index 3b918c0ac..6d0a9d3ed 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -124,6 +124,12 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Nuspec Analyzer + + Autoconf Analyzer + + + OpenSSL Analyzer + From a7abe97ca0d5b010e76c96ff1013dc895e5b2f1f Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Thu, 9 Jul 2015 17:13:03 -0400 Subject: [PATCH 8/8] OpenSSL: Forgot to 'git add' new files in previous commit. Former-commit-id: 7219edc255d239995d5bbb5cbe587e999a7160a8 --- src/site/markdown/analyzers/autoconf-analyzer.md | 11 +++++++++++ src/site/markdown/analyzers/openssl-analyzer.md | 10 ++++++++++ 2 files changed, 21 insertions(+) create mode 100644 src/site/markdown/analyzers/autoconf-analyzer.md create mode 100644 src/site/markdown/analyzers/openssl-analyzer.md diff --git a/src/site/markdown/analyzers/autoconf-analyzer.md b/src/site/markdown/analyzers/autoconf-analyzer.md new file mode 100644 index 000000000..1a9badb37 --- /dev/null +++ b/src/site/markdown/analyzers/autoconf-analyzer.md @@ -0,0 +1,11 @@ +Autoconf Analyzer +================= + +OWASP dependency-check includes an analyzer that will scan Autoconf project +configuration files. The analyzer will collect as much information it can +about the project. The information collected is internally referred to as +evidence and is grouped into vendor, product, and version buckets. Other +analyzers later use this evidence to identify any Common Platform Enumeration +(CPE) identifiers that apply. + +File names scanned: configure, configure.in, configure.ac diff --git a/src/site/markdown/analyzers/openssl-analyzer.md b/src/site/markdown/analyzers/openssl-analyzer.md new file mode 100644 index 000000000..0f7ef81c7 --- /dev/null +++ b/src/site/markdown/analyzers/openssl-analyzer.md 
@@ -0,0 +1,10 @@ +OpenSSL Analyzer +================ + +OWASP dependency-check includes an analyzer that will scan OpenSSL source code +files for the OpenSSL version information. The information collected is +internally referred to as evidence and is grouped into vendor, product, and +version buckets. Other analyzers later use this evidence to identify any +Common Platform Enumeration (CPE) identifiers that apply. + +File names scanned: opensslv.h \ No newline at end of file