github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-25 10:32:00 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'jabbrwcky-batch-update'

Browse Source
This commit is contained in:
Jeremy Long
2016-06-05 06:33:45 -04:00
parent 63d24737dd 310ca967a1
commit 52f269a289
8 changed files with 404 additions and 128 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
View File

@@ -68,9 +68,18 @@ public class CveDB {
*/ */
private ResourceBundle statementBundle = null; private ResourceBundle statementBundle = null;
/**
* <<<<<<< HEAD Creates a new CveDB object and opens the database
* connection. Note, the connection must be closed by the caller by calling
* the close method. ======= Does the underlying connection support batch
* operations?
*/
private boolean batchSupported;
/** /**
* Creates a new CveDB object and opens the database connection. Note, the * Creates a new CveDB object and opens the database connection. Note, the
* connection must be closed by the caller by calling the close method. * connection must be closed by the caller by calling the close method.
* >>>>>>> e79da72711dc0f326fcdce52deab89e37c0d8230
* *
* @throws DatabaseException thrown if there is an exception opening the * @throws DatabaseException thrown if there is an exception opening the
* database. * database.
@@ -81,6 +90,7 @@ public class CveDB {
open(); open();
try { try {
final String databaseProductName = conn.getMetaData().getDatabaseProductName(); final String databaseProductName = conn.getMetaData().getDatabaseProductName();
batchSupported = conn.getMetaData().supportsBatchUpdates();
LOGGER.debug("Database dialect: {}", databaseProductName); LOGGER.debug("Database dialect: {}", databaseProductName);
final Locale dbDialect = new Locale(databaseProductName); final Locale dbDialect = new Locale(databaseProductName);
statementBundle = ResourceBundle.getBundle("data/dbStatements", dbDialect); statementBundle = ResourceBundle.getBundle("data/dbStatements", dbDialect);
@@ -388,6 +398,7 @@ public class CveDB {
ResultSet rsR = null; ResultSet rsR = null;
ResultSet rsS = null; ResultSet rsS = null;
Vulnerability vuln = null; Vulnerability vuln = null;
try { try {
psV = getConnection().prepareStatement(statementBundle.getString("SELECT_VULNERABILITY")); psV = getConnection().prepareStatement(statementBundle.getString("SELECT_VULNERABILITY"));
psV.setString(1, cve); psV.setString(1, cve);
@@ -493,6 +504,7 @@ public class CveDB {
} }
DBUtils.closeResultSet(rs); DBUtils.closeResultSet(rs);
rs = null; rs = null;
if (vulnerabilityId != 0) { if (vulnerabilityId != 0) {
if (vuln.getDescription().contains("** REJECT **")) { if (vuln.getDescription().contains("** REJECT **")) {
deleteVulnerability.setInt(1, vulnerabilityId); deleteVulnerability.setInt(1, vulnerabilityId);
@@ -534,13 +546,24 @@ public class CveDB {
rs = null; rs = null;
} }
} }
insertReference.setInt(1, vulnerabilityId);
for (Reference r : vuln.getReferences()) { for (Reference r : vuln.getReferences()) {
insertReference.setInt(1, vulnerabilityId);
insertReference.setString(2, r.getName()); insertReference.setString(2, r.getName());
insertReference.setString(3, r.getUrl()); insertReference.setString(3, r.getUrl());
insertReference.setString(4, r.getSource()); insertReference.setString(4, r.getSource());
insertReference.execute();
if (batchSupported) {
insertReference.addBatch();
} else {
insertReference.execute();
}
} }
if (batchSupported) {
insertReference.executeBatch();
}
for (VulnerableSoftware s : vuln.getVulnerableSoftware()) { for (VulnerableSoftware s : vuln.getVulnerableSoftware()) {
int cpeProductId = 0; int cpeProductId = 0;
selectCpeId.setString(1, s.getName()); selectCpeId.setString(1, s.getName());
@@ -569,22 +592,30 @@ public class CveDB {
insertSoftware.setInt(1, vulnerabilityId); insertSoftware.setInt(1, vulnerabilityId);
insertSoftware.setInt(2, cpeProductId); insertSoftware.setInt(2, cpeProductId);
if (s.getPreviousVersion() == null) { if (s.getPreviousVersion() == null) {
insertSoftware.setNull(3, java.sql.Types.VARCHAR); insertSoftware.setNull(3, java.sql.Types.VARCHAR);
} else { } else {
insertSoftware.setString(3, s.getPreviousVersion()); insertSoftware.setString(3, s.getPreviousVersion());
} }
try { if (batchSupported) {
insertSoftware.execute(); insertSoftware.addBatch();
} catch (SQLException ex) { } else {
if (ex.getMessage().contains("Duplicate entry")) { try {
final String msg = String.format("Duplicate software key identified in '%s:%s'", vuln.getName(), s.getName()); insertSoftware.execute();
LOGGER.debug(msg, ex); } catch (SQLException ex) {
} else { if (ex.getMessage().contains("Duplicate entry")) {
throw ex; final String msg = String.format("Duplicate software key identified in '%s:%s'", vuln.getName(), s.getName());
LOGGER.debug(msg, ex);
} else {
throw ex;
}
} }
} }
} }
if (batchSupported) {
insertSoftware.executeBatch();
}
} catch (SQLException ex) { } catch (SQLException ex) {
final String msg = String.format("Error updating '%s'", vuln.getName()); final String msg = String.format("Error updating '%s'", vuln.getName());
LOGGER.debug(msg, ex); LOGGER.debug(msg, ex);

9
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java
View File

@@ -254,17 +254,16 @@ public class NvdCve20Handler extends DefaultHandler {
* @throws IOException thrown if there is an IOException with the CPE Index * @throws IOException thrown if there is an IOException with the CPE Index
*/ */
private void saveEntry(Vulnerability vuln) throws DatabaseException, CorruptIndexException, IOException { private void saveEntry(Vulnerability vuln) throws DatabaseException, CorruptIndexException, IOException {
if (cveDB == null) {
return;
}
final String cveName = vuln.getName(); final String cveName = vuln.getName();
if (prevVersionVulnMap.containsKey(cveName)) { if (prevVersionVulnMap != null && prevVersionVulnMap.containsKey(cveName)) {
final List<VulnerableSoftware> vulnSoftware = prevVersionVulnMap.get(cveName); final List<VulnerableSoftware> vulnSoftware = prevVersionVulnMap.get(cveName);
for (VulnerableSoftware vs : vulnSoftware) { for (VulnerableSoftware vs : vulnSoftware) {
vuln.updateVulnerableSoftware(vs); vuln.updateVulnerableSoftware(vs);
} }
} }
cveDB.updateVulnerability(vuln); if (cveDB != null) {
cveDB.updateVulnerability(vuln);
}
} }
// <editor-fold defaultstate="collapsed" desc="The Element Class that maintains state information about the current node"> // <editor-fold defaultstate="collapsed" desc="The Element Class that maintains state information about the current node">

13
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
View File

@@ -180,23 +180,14 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
final int max = (left.length <= right.length) ? left.length : right.length; final int max = (left.length <= right.length) ? left.length : right.length;
if (max > 0) { if (max > 0) {
for (int i = 0; result == 0 && i < max; i++) { for (int i = 0; result == 0 && i < max; i++) {
final String[] subLeft = left[i].split("\\."); final String[] subLeft = left[i].split("(\\.|-)");
final String[] subRight = right[i].split("\\."); final String[] subRight = right[i].split("(\\.|-)");
final int subMax = (subLeft.length <= subRight.length) ? subLeft.length : subRight.length; final int subMax = (subLeft.length <= subRight.length) ? subLeft.length : subRight.length;
if (subMax > 0) { if (subMax > 0) {
for (int x = 0; result == 0 && x < subMax; x++) { for (int x = 0; result == 0 && x < subMax; x++) {
if (isPositiveInteger(subLeft[x]) && isPositiveInteger(subRight[x])) { if (isPositiveInteger(subLeft[x]) && isPositiveInteger(subRight[x])) {
try { try {
result = Long.valueOf(subLeft[x]).compareTo(Long.valueOf(subRight[x])); result = Long.valueOf(subLeft[x]).compareTo(Long.valueOf(subRight[x]));
// final long iLeft = Long.parseLong(subLeft[x]);
// final long iRight = Long.parseLong(subRight[x]);
// if (iLeft != iRight) {
// if (iLeft > iRight) {
// result = 2;
// } else {
// result = -2;
// }
// }
} catch (NumberFormatException ex) { } catch (NumberFormatException ex) {
//ignore the exception - they obviously aren't numbers //ignore the exception - they obviously aren't numbers
if (!subLeft[x].equalsIgnoreCase(subRight[x])) { if (!subLeft[x].equalsIgnoreCase(subRight[x])) {

33
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCve_2_0_HandlerTest.java
View File

@@ -19,6 +19,8 @@ package org.owasp.dependencycheck.data.update.nvd;
import org.owasp.dependencycheck.data.update.nvd.NvdCve20Handler; import org.owasp.dependencycheck.data.update.nvd.NvdCve20Handler;
import java.io.File; import java.io.File;
import java.util.List;
import java.util.Map;
import javax.xml.parsers.SAXParser; import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory; import javax.xml.parsers.SAXParserFactory;
import org.junit.After; import org.junit.After;
@@ -28,6 +30,7 @@ import org.junit.Before;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.junit.Test; import org.junit.Test;
import org.owasp.dependencycheck.BaseTest; import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
/** /**
* *
@@ -49,12 +52,42 @@ public class NvdCve_2_0_HandlerTest extends BaseTest {
saxParser.parse(file, instance); saxParser.parse(file, instance);
} catch (Throwable ex) { } catch (Throwable ex) {
ex.printStackTrace();
results = ex; results = ex;
} }
assertTrue("Exception thrown during parse of 2012 CVE version 2.0?", results == null); assertTrue("Exception thrown during parse of 2012 CVE version 2.0?", results == null);
if (results != null) { if (results != null) {
System.err.println(results); System.err.println(results);
} }
}
@Test
public void testParserWithPreviousVersion() {
Throwable results = null;
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
File file12 = BaseTest.getResourceAsFile(this, "cve-1.2-2008_4411.xml");
final NvdCve12Handler cve12Handler = new NvdCve12Handler();
saxParser.parse(file12, cve12Handler);
final Map<String, List<VulnerableSoftware>> prevVersionVulnMap = cve12Handler.getVulnerabilities();
//File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2.0-2012.xml").getPath());
File file20 = BaseTest.getResourceAsFile(this, "cve-2.0-2008_4411.xml");
NvdCve20Handler instance = new NvdCve20Handler();
instance.setPrevVersionVulnMap(prevVersionVulnMap);
saxParser.parse(file20, instance);
assertTrue(instance.getTotalNumberOfEntries()==1);
} catch (Throwable ex) {
results = ex;
}
assertTrue("Exception thrown during parse of 2012 CVE version 2.0?", results == null);
if (results != null) {
System.err.println(results);
}
} }
} }

195
dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerabilityTest.java
View File

@@ -17,6 +17,7 @@
*/ */
package org.owasp.dependencycheck.dependency; package org.owasp.dependencycheck.dependency;
import java.util.Set;
import org.junit.After; import org.junit.After;
import org.junit.AfterClass; import org.junit.AfterClass;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
@@ -31,7 +32,7 @@ import org.owasp.dependencycheck.BaseTest;
* *
* @author Jens Hausherr * @author Jens Hausherr
*/ */
public class VulnerabilityTest extends BaseTest { public class VulnerabilityTest extends BaseTest {
/** /**
* Test of equals method, of class VulnerableSoftware. * Test of equals method, of class VulnerableSoftware.
@@ -49,90 +50,112 @@ public class VulnerabilityTest extends BaseTest {
@Test @Test
public void testDpulicateVersionsWithPreviousVersion() { public void testDpulicateVersionsWithPreviousVersion() {
Vulnerability obj = new Vulnerability(); Vulnerability obj = new Vulnerability();
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.0",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-103%28a%29", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.1",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-118", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.2",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.3.132", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.10",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.12-200", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.11",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.2-127", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.12",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.9", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.13",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.10", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.14",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.11", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.15",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.12-118", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.16",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.4-143", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.17",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-109", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.18",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.6-156", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.19",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.4", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.20",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.3", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.21",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.22",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.10-186", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.23",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.6", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.0",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.5", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.0:alpha",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.5-146", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.1",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.8", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.10",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.7", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.10a",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.2", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.11",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.0.2", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.12",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.1", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.13",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.8-177", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.15",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.0.1", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.19",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.0.0", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.1a",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.7-168", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.2",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-103", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.3",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.11-197", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.4",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.9-178", null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.5.0.21",null); obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.12-200", "1");
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.6",null); assertEquals(31, obj.getVulnerableSoftware().size());
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.9",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.21",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.22",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.23",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.24",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.24a",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.25",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.30",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.32",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.33",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.36",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.37",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.38",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.3a",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.41",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.42",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.44",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.45",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.4a",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.50",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.51",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.52",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.54",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.56",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.23a","1");
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.3",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.4",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.5",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.5a",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.6",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.7",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.9",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.11",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.12",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.14",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.15",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.16",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.17",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.18",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.19",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.20",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.21",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.22",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.23",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.23a",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:6.0.0",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:6.0.1",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:6.0.2",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:6.0.3",null);
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:6.0.4",null);
assertEquals(82, obj.getVulnerableSoftware().size());
} }
@Test
public void testSoftwareSorting() {
Vulnerability obj = new Vulnerability();
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-103%28a%29", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-118", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.3.132", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.12-200", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.2-127", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.9", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.10", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.11", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.12-118", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.4-143", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-109", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.6-156", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.4", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.3", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.10-186", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.6", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.5", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.5-146", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.8", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.7", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.2", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.0.2", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.1", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.8-177", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.0.1", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.0.0", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.7-168", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.0-103", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.11-197", null);
obj.addVulnerableSoftware("cpe:/a:hp:system_management_homepage:2.1.9-178", null);
Set<VulnerableSoftware> software = obj.getVulnerableSoftware();
VulnerableSoftware vs[] = software.toArray(new VulnerableSoftware[software.size()]);
assertTrue("cpe:/a:hp:system_management_homepage:2.0.0".equals(vs[0].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.0.1".equals(vs[1].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.0.2".equals(vs[2].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1".equals(vs[3].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.0-103".equals(vs[4].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.0-103%28a%29".equals(vs[5].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.0-109".equals(vs[6].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.0-118".equals(vs[7].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.1".equals(vs[8].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.2".equals(vs[9].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.2-127".equals(vs[10].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.3".equals(vs[11].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.3.132".equals(vs[12].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.4".equals(vs[13].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.4-143".equals(vs[14].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.5".equals(vs[15].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.5-146".equals(vs[16].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.6".equals(vs[17].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.6-156".equals(vs[18].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.7".equals(vs[19].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.7-168".equals(vs[20].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.8".equals(vs[21].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.8-177".equals(vs[22].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.9".equals(vs[23].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.9-178".equals(vs[24].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.10".equals(vs[25].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.10-186".equals(vs[26].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.11".equals(vs[27].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.11-197".equals(vs[28].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.12-118".equals(vs[29].getName()));
assertTrue("cpe:/a:hp:system_management_homepage:2.1.12-200".equals(vs[30].getName()));
}
} }

59
dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
View File

@@ -31,7 +31,7 @@ import org.owasp.dependencycheck.BaseTest;
* *
* @author Jeremy Long * @author Jeremy Long
*/ */
public class VulnerableSoftwareTest extends BaseTest { public class VulnerableSoftwareTest extends BaseTest {
/** /**
* Test of equals method, of class VulnerableSoftware. * Test of equals method, of class VulnerableSoftware.
@@ -93,25 +93,52 @@ public class VulnerableSoftwareTest extends BaseTest {
} }
@Test @Test
public void testCompareToNonNumerical(){ public void testCompareToNonNumerical() {
VulnerableSoftware vs = new VulnerableSoftware(); VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe("cpe:/a:mysql:mysql:5.1.23a"); vs.setCpe("cpe:/a:mysql:mysql:5.1.23a");
VulnerableSoftware vs1 = new VulnerableSoftware(); VulnerableSoftware vs1 = new VulnerableSoftware();
vs1.setCpe("cpe:/a:mysql:mysql:5.1.23a"); vs1.setCpe("cpe:/a:mysql:mysql:5.1.23a");
vs1.setPreviousVersion("1"); vs1.setPreviousVersion("1");
assertEquals(0, vs.compareTo(vs1)); assertEquals(0, vs.compareTo(vs1));
assertEquals(0, vs1.compareTo(vs)); assertEquals(0, vs1.compareTo(vs));
}
@Test
public void testCompareToComplex() {
VulnerableSoftware vs = new VulnerableSoftware();
VulnerableSoftware vs1 = new VulnerableSoftware();
vs.setCpe("2.1");
vs1.setCpe("2.1.10");
assertTrue(vs.compareTo(vs1) < 0);
vs.setCpe("cpe:/a:hp:system_management_homepage:2.1.1");
vs1.setCpe("cpe:/a:hp:system_management_homepage:2.1.10");
assertTrue(vs.compareTo(vs1) < 0);
vs.setCpe("10");
vs1.setCpe("10-186");
assertTrue(vs.compareTo(vs1) < 0);
vs.setCpe("2.1.10");
vs1.setCpe("2.1.10-186");
assertTrue(vs.compareTo(vs1) < 0);
vs.setCpe("cpe:/a:hp:system_management_homepage:2.1.10");
vs1.setCpe("cpe:/a:hp:system_management_homepage:2.1.10-186");
assertTrue(vs.compareTo(vs1) < 0);
//assertTrue(vs1.compareTo(vs)>0);
} }
@Test @Test
public void testEqualsPreviousVersion() { public void testEqualsPreviousVersion() {
VulnerableSoftware vs = new VulnerableSoftware(); VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe("cpe:/a:mysql:mysql:5.1.23a"); vs.setCpe("cpe:/a:mysql:mysql:5.1.23a");
VulnerableSoftware vs1 = new VulnerableSoftware(); VulnerableSoftware vs1 = new VulnerableSoftware();
vs1.setCpe("cpe:/a:mysql:mysql:5.1.23a"); vs1.setCpe("cpe:/a:mysql:mysql:5.1.23a");
vs1.setPreviousVersion("1"); vs1.setPreviousVersion("1");
assertEquals(vs,vs1); assertEquals(vs, vs1);
assertEquals(vs1,vs); assertEquals(vs1, vs);
} }

57
dependency-check-core/src/test/resources/cve-1.2-2008_4411.xml Normal file
View File

@@ -0,0 +1,57 @@
<?xml version='1.0' encoding='UTF-8'?>
<nvd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://nvd.nist.gov/feeds/cve/1.2" nvd_xml_version="1.2" pub_date="2016-05-28" xsi:schemaLocation="http://nvd.nist.gov/feeds/cve/1.2 http://nvd.nist.gov/schema/nvdcve_1.2.1.xsd">
<entry type="CVE" name="CVE-2008-4411" seq="2008-4411" published="2008-10-13" modified="2011-03-07" severity="Medium" CVSS_version="2.0" CVSS_score="4.3" CVSS_base_score="4.3" CVSS_impact_subscore="2.9" CVSS_exploit_subscore="8.6" CVSS_vector="(AV:N/AC:M/Au:N/C:N/I:P/A:N)">
<desc>
<descript source="cve">Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 2.1.15.210 on Linux and Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-1663.</descript>
</desc>
<loss_types>
<int/>
</loss_types>
<range>
<network/>
</range>
<refs>
<ref source="BID" url="http://www.securityfocus.com/bid/31663" patch="1">31663</ref>
<ref source="XF" url="http://xforce.iss.net/xforce/xfdb/45754">smh-unspecified-xss(45754)</ref>
<ref source="VUPEN" url="http://www.vupen.com/english/advisories/2008/2778">ADV-2008-2778</ref>
<ref source="SECTRACK" url="http://securitytracker.com/id?1021015">1021015</ref>
<ref source="SREASON" url="http://securityreason.com/securityalert/4398">4398</ref>
</refs>
<vuln_soft>
<prod name="system_management_homepage" vendor="hp">
<vers num="2.0.0"/>
<vers num="2.0.1"/>
<vers num="2.0.2"/>
<vers num="2.1"/>
<vers num="2.1.0-103"/>
<vers num="2.1.0-103(a)"/>
<vers num="2.1.0-109"/>
<vers num="2.1.0-118"/>
<vers num="2.1.1"/>
<vers num="2.1.10"/>
<vers num="2.1.10-186"/>
<vers num="2.1.11"/>
<vers num="2.1.11-197"/>
<vers num="2.1.12-118"/>
<vers num="2.1.12-200" prev="1"/>
<vers num="2.1.2"/>
<vers num="2.1.2-127"/>
<vers num="2.1.3"/>
<vers num="2.1.3.132"/>
<vers num="2.1.4"/>
<vers num="2.1.4-143"/>
<vers num="2.1.5"/>
<vers num="2.1.5-146"/>
<vers num="2.1.6"/>
<vers num="2.1.6-156"/>
<vers num="2.1.7"/>
<vers num="2.1.7-168"/>
<vers num="2.1.8"/>
<vers num="2.1.8-177"/>
<vers num="2.1.9"/>
<vers num="2.1.9-178"/>
</prod>
</vuln_soft>
</entry>
</nvd>

115
dependency-check-core/src/test/resources/cve-2.0-2008_4411.xml Normal file
View File

@@ -0,0 +1,115 @@
<?xml version='1.0' encoding='UTF-8'?>
<nvd xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1" xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:patch="http://scap.nist.gov/schema/patch/0.1" xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" pub_date="2016-05-28T04:10:38" nvd_xml_version="2.0" xsi:schemaLocation="http://scap.nist.gov/schema/patch/0.1 http://nvd.nist.gov/schema/patch_0.1.xsd http://scap.nist.gov/schema/feed/vulnerability/2.0 http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd http://scap.nist.gov/schema/scap-core/0.1 http://nvd.nist.gov/schema/scap-core_0.1.xsd">
<entry id="CVE-2008-4411">
<vuln:vulnerable-configuration id="http://nvd.nist.gov/">
<cpe-lang:logical-test operator="OR" negate="false">
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.0.1"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.0.2"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.11"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.10"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.0.0"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.3"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.2"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.1"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.3.132"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.8"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.4"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.5"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.6"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.7"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.9"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.12-200"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.11-197"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.10-186"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.9-178"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.8-177"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.7-168"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.6-156"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.5-146"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.4-143"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.2-127"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.12-118"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.0-118"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.0-109"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.0-103%28a%29"/>
<cpe-lang:fact-ref name="cpe:/a:hp:system_management_homepage:2.1.0-103"/>
</cpe-lang:logical-test>
</vuln:vulnerable-configuration>
<vuln:vulnerable-software-list>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.0-103%28a%29</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.0-118</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.3.132</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.12-200</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.2-127</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.9</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.10</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.11</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.12-118</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.4-143</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.0-109</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.6-156</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.4</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.3</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.10-186</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.6</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.5</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.5-146</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.8</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.7</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.2</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.0.2</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.1</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.8-177</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.0.1</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.0.0</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.7-168</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.0-103</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.11-197</vuln:product>
<vuln:product>cpe:/a:hp:system_management_homepage:2.1.9-178</vuln:product>
</vuln:vulnerable-software-list>
<vuln:cve-id>CVE-2008-4411</vuln:cve-id>
<vuln:published-datetime>2008-10-13T16:00:02.277-04:00</vuln:published-datetime>
<vuln:last-modified-datetime>2011-03-07T22:12:25.097-05:00</vuln:last-modified-datetime>
<vuln:cvss>
<cvss:base_metrics>
<cvss:score>4.3</cvss:score>
<cvss:access-vector>NETWORK</cvss:access-vector>
<cvss:access-complexity>MEDIUM</cvss:access-complexity>
<cvss:authentication>NONE</cvss:authentication>
<cvss:confidentiality-impact>NONE</cvss:confidentiality-impact>
<cvss:integrity-impact>PARTIAL</cvss:integrity-impact>
<cvss:availability-impact>NONE</cvss:availability-impact>
<cvss:source>http://nvd.nist.gov</cvss:source>
<cvss:generated-on-datetime>2008-10-14T10:57:00.000-04:00</cvss:generated-on-datetime>
</cvss:base_metrics>
</vuln:cvss>
<vuln:cwe id="CWE-79"/>
<vuln:references xml:lang="en" reference_type="PATCH">
<vuln:source>BID</vuln:source>
<vuln:reference href="http://www.securityfocus.com/bid/31663" xml:lang="en">31663</vuln:reference>
</vuln:references>
<vuln:references xml:lang="en" reference_type="UNKNOWN">
<vuln:source>XF</vuln:source>
<vuln:reference href="http://xforce.iss.net/xforce/xfdb/45754" xml:lang="en">smh-unspecified-xss(45754)</vuln:reference>
</vuln:references>
<vuln:references xml:lang="en" reference_type="UNKNOWN">
<vuln:source>VUPEN</vuln:source>
<vuln:reference href="http://www.vupen.com/english/advisories/2008/2778" xml:lang="en">ADV-2008-2778</vuln:reference>
</vuln:references>
<vuln:references xml:lang="en" reference_type="UNKNOWN">
<vuln:source>SECTRACK</vuln:source>
<vuln:reference href="http://securitytracker.com/id?1021015" xml:lang="en">1021015</vuln:reference>
</vuln:references>
<vuln:references xml:lang="en" reference_type="UNKNOWN">
<vuln:source>SREASON</vuln:source>
<vuln:reference href="http://securityreason.com/securityalert/4398" xml:lang="en">4398</vuln:reference>
</vuln:references>
<vuln:summary>Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 2.1.15.210 on Linux and Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-1663.</vuln:summary>
</entry>
</nvd>