Merge pull request #680 from jeremylong/cvedb

Cvedb
This commit is contained in:
Jeremy Long
2017-03-11 14:45:49 -05:00
committed by GitHub
29 changed files with 341 additions and 738 deletions


@@ -944,16 +944,13 @@ public class Check extends Update {
DatabaseProperties prop = null;
CveDB cve = null;
try {
cve = new CveDB();
cve.open();
cve = CveDB.getInstance();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
//TODO shouldn't this be a fatal exception
log("Unable to retrieve DB Properties", ex, Project.MSG_DEBUG);
} finally {
if (cve != null) {
cve.close();
}
}
final ReportGenerator reporter = new ReportGenerator(getProjectName(), engine.getDependencies(), engine.getAnalyzers(), prop);
reporter.generateReports(reportOutputDirectory, reportFormat);
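Review bot: Nothing in this block closes the `CveDB` any more, so the connection obtained via `CveDB.getInstance()` is only released if `engine.cleanup()` runs after this point; if cleanup already ran earlier in the task (the surrounding method is outside the hunk), `getInstance()` silently opens a fresh connection because `closeDatabase()` nulls the singleton, and that connection is never closed. Please confirm the ordering and document it above the call, e.g. `// Relies on engine.cleanup() to close the shared CveDB after reporting.`. The `CveDB cve = null;` local and the `//TODO shouldn't this be a fatal exception` handling are unchanged by the commit and could be collapsed to `prop = CveDB.getInstance().getDatabaseProperties();` inside the existing try.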


@@ -284,15 +284,8 @@ public class App {
final List<Dependency> dependencies = engine.getDependencies();
DatabaseProperties prop = null;
CveDB cve = null;
try {
cve = new CveDB();
cve.open();
prop = cve.getDatabaseProperties();
} finally {
if (cve != null) {
cve.close();
}
}
cve = CveDB.getInstance();
prop = cve.getDatabaseProperties();
final ReportGenerator report = new ReportGenerator(applicationName, dependencies, engine.getAnalyzers(), prop);
try {
report.generateReports(reportDirectory, outputFormat);
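Review bot: `DatabaseProperties prop = null;` and `CveDB cve = null;` are now only placeholders for two straight-line assignments, so the block can be `final DatabaseProperties prop = CveDB.getInstance().getDatabaseProperties();` with the `cve` local removed. As in the old code, the checked `DatabaseException` from `getInstance()` is not caught here and propagates out of the enclosing method (outside the hunk); with the shared singleton that now also means the connection stays open until `Engine.cleanup()` runs, which is worth a one-line comment at the call, e.g. `// Shared CveDB; closed later by Engine.cleanup().`.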


@@ -34,7 +34,7 @@ import java.util.concurrent.Callable;
*
* @author Stefan Neuhaus
*/
class AnalysisTask implements Callable<Void> {
public class AnalysisTask implements Callable<Void> {
/**
* Instance of the logger.


@@ -71,7 +71,7 @@ public class Engine implements FileFilter {
/**
* A Map of analyzers grouped by Analysis phase.
*/
private final Map<AnalysisPhase, List<Analyzer>> analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
private final Map<AnalysisPhase, List<Analyzer>> analyzers = new EnumMap<>(AnalysisPhase.class);
/**
* A Map of analyzers grouped by Analysis phase.
@@ -126,6 +126,11 @@ public class Engine implements FileFilter {
* Properly cleans up resources allocated during analysis.
*/
public void cleanup() {
try {
CveDB.getInstance().closeDatabase();
} catch (DatabaseException ex) {
LOGGER.trace("Error closing the database", ex);
}
ConnectionFactory.cleanup();
}
@@ -140,7 +145,7 @@ public class Engine implements FileFilter {
for (AnalysisPhase phase : AnalysisPhase.values()) {
analyzers.put(phase, new ArrayList<Analyzer>());
}
final AnalyzerService service = new AnalyzerService(serviceClassLoader);
final List<Analyzer> iterator = service.getAnalyzers();
for (Analyzer a : iterator) {
@@ -213,7 +218,7 @@ public class Engine implements FileFilter {
* @since v1.4.4
*/
public List<Dependency> scan(String[] paths, String projectReference) {
final List<Dependency> deps = new ArrayList<Dependency>();
final List<Dependency> deps = new ArrayList<>();
for (String path : paths) {
final List<Dependency> d = scan(path, projectReference);
if (d != null) {
@@ -384,7 +389,7 @@ public class Engine implements FileFilter {
*/
protected List<Dependency> scanDirectory(File dir, String projectReference) {
final File[] files = dir.listFiles();
final List<Dependency> deps = new ArrayList<Dependency>();
final List<Dependency> deps = new ArrayList<>();
if (files != null) {
for (File f : files) {
if (f.isDirectory()) {
@@ -504,7 +509,7 @@ public class Engine implements FileFilter {
} catch (DatabaseException ex) {
throwFatalExceptionCollection("Unable to connect to the dependency-check database.", ex, exceptions);
}
LOGGER.debug("\n----------------------------------------------------\nBEGIN ANALYSIS\n----------------------------------------------------");
LOGGER.info("Analysis Started");
final long analysisStart = System.currentTimeMillis();
@@ -512,7 +517,7 @@ public class Engine implements FileFilter {
// analysis phases
for (AnalysisPhase phase : AnalysisPhase.values()) {
final List<Analyzer> analyzerList = analyzers.get(phase);
for (final Analyzer analyzer : analyzerList) {
final long analyzerStart = System.currentTimeMillis();
try {
@@ -521,10 +526,10 @@ public class Engine implements FileFilter {
exceptions.add(ex);
continue;
}
if (analyzer.isEnabled()) {
executeAnalysisTasks(analyzer, exceptions);
final long analyzerDurationMillis = System.currentTimeMillis() - analyzerStart;
final long analyzerDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(analyzerDurationMillis);
LOGGER.info("Finished {} ({} seconds)", analyzer.getName(), analyzerDurationSeconds);
@@ -535,12 +540,12 @@ public class Engine implements FileFilter {
}
for (AnalysisPhase phase : AnalysisPhase.values()) {
final List<Analyzer> analyzerList = analyzers.get(phase);
for (Analyzer a : analyzerList) {
closeAnalyzer(a);
}
}
LOGGER.debug("\n----------------------------------------------------\nEND ANALYSIS\n----------------------------------------------------");
final long analysisDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - analysisStart);
LOGGER.info("Analysis Complete ({} seconds)", analysisDurationSeconds);
@@ -561,7 +566,7 @@ public class Engine implements FileFilter {
LOGGER.debug("Starting {}", analyzer.getName());
final List<AnalysisTask> analysisTasks = getAnalysisTasks(analyzer, exceptions);
final ExecutorService executorService = getExecutorService(analyzer);
try {
final List<Future<Void>> results = executorService.invokeAll(analysisTasks, 10, TimeUnit.MINUTES);
@@ -608,9 +613,7 @@ public class Engine implements FileFilter {
*/
protected ExecutorService getExecutorService(Analyzer analyzer) {
if (analyzer.supportsParallelProcessing()) {
// just a fair trade-off that should be reasonable for all analyzer types
final int maximumNumberOfThreads = 4 * Runtime.getRuntime().availableProcessors();
final int maximumNumberOfThreads = Runtime.getRuntime().availableProcessors();
LOGGER.debug("Parallel processing with up to {} threads: {}.", maximumNumberOfThreads, analyzer.getName());
return Executors.newFixedThreadPool(maximumNumberOfThreads);
} else {
@@ -692,7 +695,7 @@ public class Engine implements FileFilter {
* @return a list of Analyzers
*/
public List<Analyzer> getAnalyzers() {
final List<Analyzer> ret = new ArrayList<Analyzer>();
final List<Analyzer> ret = new ArrayList<>();
for (AnalysisPhase phase : AnalysisPhase.values()) {
final List<Analyzer> analyzerList = analyzers.get(phase);
ret.addAll(analyzerList);
@@ -749,16 +752,9 @@ public class Engine implements FileFilter {
* database
*/
private void ensureDataExists() throws NoDataException, DatabaseException {
final CveDB cve = new CveDB();
try {
cve.open();
if (!cve.dataExists()) {
throw new NoDataException("No documents exist");
}
} catch (DatabaseException ex) {
throw new NoDataException(ex.getMessage(), ex);
} finally {
cve.close();
final CveDB cve = CveDB.getInstance();
if (!cve.dataExists()) {
throw new NoDataException("No documents exist");
}
}
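Review bot: `cleanup()` calls `CveDB.getInstance()` before `closeDatabase()`, and `getInstance()` constructs a new `CveDB` whenever `INSTANCE` is null, which opens a connection, prepares every statement and loads the properties only to close them again; this happens for every engine that never touched the database, and again on a second cleanup, since `closeDatabase()` nulls `INSTANCE`. A static close that does not instantiate avoids it: in CveDB `public static synchronized void closeInstance() { if (INSTANCE != null) { INSTANCE.closeDatabase(); } }` and here `CveDB.closeInstance();` in place of the `getInstance().closeDatabase()` chain. Separately, `ensureDataExists()` no longer wraps `DatabaseException` into `NoDataException`; the caller's `throwFatalExceptionCollection("Unable to connect to the dependency-check database.", ...)` appears to cover that, but the method's Javadoc (its start is outside the hunk) should now list `@throws DatabaseException if the database cannot be opened`.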


@@ -844,22 +844,17 @@ public class DependencyCheckScanAgent {
DatabaseProperties prop = null;
CveDB cve = null;
try {
cve = new CveDB();
cve.open();
cve = CveDB.getInstance();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
//TODO shouldn't this throw an exception or return?
LOGGER.debug("Unable to retrieve DB Properties", ex);
} finally {
if (cve != null) {
cve.close();
}
}
final ReportGenerator r = new ReportGenerator(this.applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
try {
r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
} catch (IOException ex) {
LOGGER.error(
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
LOGGER.error("Unexpected exception occurred during analysis; please see the verbose error log for more details.");
LOGGER.debug("", ex);
} catch (Throwable ex) {
LOGGER.error(
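Review bot: The `catch (DatabaseException ex)` still only logs at debug and falls through to `new ReportGenerator(..., prop)` with `prop == null`, which the `//TODO shouldn't this throw an exception or return?` comment already flags; now that the value comes from `CveDB.getInstance()`, a failure here means the shared database could not be opened at all, so silently continuing is harder to justify than before. Returning after the log, or throwing, e.g. `throw new IllegalStateException("Unable to retrieve DB Properties", ex);`, keeps a report without database metadata from being generated; the enclosing method's signature is outside the hunk, so pick whichever its declared exceptions allow.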


@@ -163,8 +163,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
*/
public void open() throws IOException, DatabaseException {
if (!isOpen()) {
cve = new CveDB();
cve.open();
cve = CveDB.getInstance();
cpe = CpeMemoryIndex.getInstance();
try {
final long creationStart = System.currentTimeMillis();
@@ -187,10 +186,6 @@ public class CPEAnalyzer extends AbstractAnalyzer {
cpe.close();
cpe = null;
}
if (cve != null) {
cve.close();
cve = null;
}
}
public boolean isOpen() {
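Review bot: The removed `cve = null;` in the close path means `CPEAnalyzer` keeps a reference to the shared `CveDB` after it has torn down its own state, and if `isOpen()` (its body starts right after the hunk) tests `cve != null`, the analyzer will report itself open and `open()` will skip re-initialisation even though `Engine.cleanup()` may since have closed that `CveDB` and nulled the singleton. Dropping the `cve.close()` call is correct for a shared instance, but keep the reset alongside `cpe = null;`: `cve = null;`.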


@@ -60,8 +60,7 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
* loaded
*/
public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
cveDB = new CveDB();
cveDB.open();
cveDB = CveDB.getInstance();
}
/**
@@ -69,7 +68,6 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
*/
@Override
public void closeAnalyzer() {
cveDB.close();
cveDB = null;
}
@@ -82,19 +80,6 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
return cveDB != null;
}
/**
* Ensures that the CVE Database is closed.
*
* @throws Throwable an exception raised by this method
*/
@Override
protected void finalize() throws Throwable {
super.finalize();
if (isOpen()) {
close();
}
}
/**
* Analyzes a dependency and attempts to determine if there are any CPE
* identifiers for this dependency.
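Review bot: `open()` still declares `throws SQLException, IOException, DatabaseException, ClassNotFoundException`, but its body is now the single `cveDB = CveDB.getInstance();` call, which throws only `DatabaseException`; the other three are dead declarations that force callers to handle exceptions that can no longer occur. Narrowing the clause to `public void open() throws DatabaseException` is legal even if this is an override, but any caller with a dedicated `catch (SQLException ex)` around this call would stop compiling, so check callers before trimming.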


@@ -145,8 +145,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
@Override
public void initializeFileTypeAnalyzer() throws InitializationException {
try {
cvedb = new CveDB();
cvedb.open();
cvedb = CveDB.getInstance();
} catch (DatabaseException ex) {
LOGGER.warn("Exception opening the database");
LOGGER.debug("error", ex);
@@ -160,7 +159,6 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
} catch (AnalysisException ae) {
setEnabled(false);
cvedb.close();
cvedb = null;
final String msg = String.format("Exception from bundle-audit process: %s. Disabling %s", ae.getCause(), ANALYZER_NAME);
throw new InitializationException(msg, ae);


@@ -51,15 +51,19 @@ import org.slf4j.LoggerFactory;
import static org.owasp.dependencycheck.data.nvdcve.CveDB.PreparedStatementCveDb.*;
/**
* The database holding information about the NVD CVE data.
* This class is safe to be accessed from multiple threads in parallel, however
* internally only one connection will be used.
* The database holding information about the NVD CVE data. This class is safe
* to be accessed from multiple threads in parallel, however internally only one
* connection will be used.
*
* @author Jeremy Long
*/
@ThreadSafe
public final class CveDB {
/**
* Singleton instance of the CveDB.
*/
private static CveDB INSTANCE = null;
/**
* The logger.
*/
@@ -76,10 +80,10 @@ public final class CveDB {
* Database properties object containing the 'properties' from the database
* table.
*/
private final DatabaseProperties databaseProperties;
private DatabaseProperties databaseProperties;
/**
* Does the underlying connection support batch operations?
* Currently we do not support batch execution.
* Does the underlying connection support batch operations? Currently we do
* not support batch execution.
*/
private final boolean batchSupported = false;
/**
@@ -116,6 +120,19 @@ public final class CveDB {
UPDATE_VULNERABILITY
}
/**
* Gets the CveDB singleton object.
*
* @return the CveDB singleton
* @throws DatabaseException thrown if there is a database error
*/
public synchronized static CveDB getInstance() throws DatabaseException {
if (INSTANCE == null) {
INSTANCE = new CveDB();
}
return INSTANCE;
}
/**
* Creates a new CveDB object and opens the database connection. Note, the
* connection must be closed by the caller by calling the close method.
@@ -123,12 +140,12 @@ public final class CveDB {
* @throws DatabaseException thrown if there is an exception opening the
* database.
*/
public CveDB() throws DatabaseException {
open();
private CveDB() throws DatabaseException {
openDatabase();
final String databaseProductName = determineDatabaseProductName();
statementBundle = databaseProductName != null ?
ResourceBundle.getBundle("data/dbStatements", new Locale(databaseProductName)) :
ResourceBundle.getBundle("data/dbStatements");
statementBundle = databaseProductName != null
? ResourceBundle.getBundle("data/dbStatements", new Locale(databaseProductName))
: ResourceBundle.getBundle("data/dbStatements");
preparedStatements = prepareStatements();
databaseProperties = new DatabaseProperties(this);
}
@@ -165,7 +182,7 @@ public final class CveDB {
* @throws DatabaseException thrown if there is an error opening the
* database connection
*/
public synchronized void open() throws DatabaseException {
public synchronized void openDatabase() throws DatabaseException {
if (!isOpen()) {
connection = ConnectionFactory.getConnection();
}
@@ -175,7 +192,7 @@ public final class CveDB {
* Closes the DB4O database. Close should be called on this object when it
* is done being used.
*/
public synchronized void close() {
public synchronized void closeDatabase() {
if (isOpen()) {
closeStatements();
try {
@@ -188,6 +205,7 @@ public final class CveDB {
LOGGER.debug("", ex);
}
connection = null;
INSTANCE = null;
}
}
@@ -204,7 +222,8 @@ public final class CveDB {
* Prepares all statements to be used and returns them.
*
* @return the prepared statements
* @throws DatabaseException thrown if there is an error preparing the statements
* @throws DatabaseException thrown if there is an error preparing the
* statements
*/
private EnumMap<PreparedStatementCveDb, PreparedStatement> prepareStatements()
throws DatabaseException {
@@ -239,7 +258,8 @@ public final class CveDB {
/**
* Returns the specified prepared statement.
*
* @param key the prepared statement from {@link PreparedStatementCveDb} to return
* @param key the prepared statement from {@link PreparedStatementCveDb} to
* return
* @return the prepared statement
* @throws SQLException thrown if a SQL Exception occurs
*/
@@ -270,7 +290,7 @@ public final class CveDB {
@SuppressWarnings("FinalizeDeclaration")
protected void finalize() throws Throwable {
LOGGER.debug("Entering finalize");
close();
closeDatabase();
super.finalize();
}
@@ -283,6 +303,16 @@ public final class CveDB {
return databaseProperties;
}
/**
* Used within the unit tests to reload the database properties.
*
* @return the database properties
*/
protected DatabaseProperties reloadProperties() {
databaseProperties = new DatabaseProperties(this);
return databaseProperties;
}
/**
* Searches the CPE entries in the database and retrieves all entries for a
* given vendor and product combination. The returned list will include all
@@ -294,7 +324,7 @@ public final class CveDB {
* @return a set of vulnerable software
*/
public synchronized Set<VulnerableSoftware> getCPEs(String vendor, String product) {
final Set<VulnerableSoftware> cpe = new HashSet<VulnerableSoftware>();
final Set<VulnerableSoftware> cpe = new HashSet<>();
ResultSet rs = null;
try {
final PreparedStatement ps = getPreparedStatement(SELECT_CPE_ENTRIES);
@@ -324,13 +354,13 @@ public final class CveDB {
* data from the DB
*/
public synchronized Set<Pair<String, String>> getVendorProductList() throws DatabaseException {
final Set<Pair<String, String>> data = new HashSet<Pair<String, String>>();
final Set<Pair<String, String>> data = new HashSet<>();
ResultSet rs = null;
try {
final PreparedStatement ps = getPreparedStatement(SELECT_VENDOR_PRODUCT_LIST);
rs = ps.executeQuery();
while (rs.next()) {
data.add(new Pair<String, String>(rs.getString(1), rs.getString(2)));
data.add(new Pair<>(rs.getString(1), rs.getString(2)));
}
} catch (SQLException ex) {
final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
@@ -410,7 +440,7 @@ public final class CveDB {
LOGGER.trace("", ex);
}
final DependencyVersion detectedVersion = parseDependencyVersion(cpe);
final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
final List<Vulnerability> vulnerabilities = new ArrayList<>();
ResultSet rs = null;
try {
@@ -420,7 +450,7 @@ public final class CveDB {
rs = ps.executeQuery();
String currentCVE = "";
final Map<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
final Map<String, Boolean> vulnSoftware = new HashMap<>();
while (rs.next()) {
final String cveId = rs.getString(1);
if (!currentCVE.equals(cveId)) { //check for match and add
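Review bot: `closeDatabase()` writes `INSTANCE = null;` while holding only the instance monitor, but `getInstance()` reads and assigns `INSTANCE` under the class monitor, so the two are not serialised against each other: a thread in `getInstance()` can be handed an instance another thread is in the middle of closing, and the reset is not guaranteed to be visible to the next caller. Route the reset through the class lock, `private static synchronized void resetInstance() { INSTANCE = null; }`, called from `closeDatabase()` in place of the direct assignment; the class-then-instance lock order taken by `getInstance()` → constructor → `openDatabase()` does not conflict with it, because a closing thread can only hold an instance that `getInstance()` has already published. The constructor Javadoc still says `the connection must be closed by the caller by calling the close method` although the constructor is now private and the method is `closeDatabase()`; move that sentence to `getInstance()` and state that all callers share one connection, that it is closed once (by `Engine.cleanup()`), and that the next `getInstance()` after a close opens a new one. The `@ThreadSafe` note should likewise caveat that a caller holding a reference across `closeDatabase()` is left with a closed connection and closed prepared statements.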


@@ -1,88 +0,0 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
*
* @author Jeremy Long
*/
public abstract class BaseUpdater {
/**
* Static logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(BaseUpdater.class);
/**
* Information about the timestamps and URLs for data that needs to be updated.
*/
private DatabaseProperties properties;
/**
* Reference to the Cve Database.
*/
private CveDB cveDB = null;
protected CveDB getCveDB() {
return cveDB;
}
protected DatabaseProperties getProperties() {
return properties;
}
/**
* Closes the CVE and CPE data stores.
*/
protected void closeDataStores() {
if (cveDB != null) {
try {
cveDB.close();
cveDB = null;
properties = null;
} catch (Throwable ignore) {
LOGGER.trace("Error closing the database", ignore);
}
}
}
/**
* Opens the data store.
*
* @throws UpdateException thrown if a data store cannot be opened
*/
protected final void openDataStores() throws UpdateException {
if (cveDB != null) {
return;
}
try {
cveDB = new CveDB();
cveDB.open();
properties = cveDB.getDatabaseProperties();
} catch (DatabaseException ex) {
closeDataStores();
LOGGER.debug("Database Exception opening databases", ex);
throw new UpdateException("Error updating the database, please see the log file for more details.");
}
}
}


@@ -53,110 +53,110 @@ import org.xml.sax.SAXException;
* @author Jeremy Long
*/
@Deprecated
public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
/**
* Static logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(CpeUpdater.class);
@Override
public void update() throws UpdateException {
/*
//the following could be used if this were ever used.
try {
if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
return;
}
} catch (InvalidSettingException ex) {
LOGGER.trace("inavlid setting UPDATE_NVDCVE_ENABLED", ex);
}
*/
try {
openDataStores();
if (updateNeeded()) {
LOGGER.info("Updating the Common Platform Enumeration (CPE)");
final File xml = downloadCpe();
final List<Cpe> cpes = processXML(xml);
getCveDB().deleteUnusedCpe();
for (Cpe cpe : cpes) {
getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct());
}
final long now = System.currentTimeMillis();
getProperties().save(LAST_CPE_UPDATE, Long.toString(now));
LOGGER.info("CPE update complete");
}
} finally {
closeDataStores();
}
}
/**
* Downloads the CPE XML file.
*
* @return the file reference to the CPE.xml file
* @throws UpdateException thrown if there is an issue downloading the XML
* file
*/
private File downloadCpe() throws UpdateException {
File xml;
final URL url;
try {
url = new URL(Settings.getString(Settings.KEYS.CPE_URL));
xml = File.createTempFile("cpe", ".xml", Settings.getTempDirectory());
Downloader.fetchFile(url, xml);
if (url.toExternalForm().endsWith(".xml.gz")) {
ExtractionUtil.extractGzip(xml);
}
} catch (MalformedURLException ex) {
throw new UpdateException("Invalid CPE URL", ex);
} catch (DownloadFailedException ex) {
throw new UpdateException("Unable to download CPE XML file", ex);
} catch (IOException ex) {
throw new UpdateException("Unable to create temporary file to download CPE", ex);
}
return xml;
}
/**
* Parses the CPE XML file to return a list of CPE entries.
*
* @param xml the CPE data file
* @return the list of CPE entries
* @throws UpdateException thrown if there is an issue with parsing the XML
* file
*/
private List<Cpe> processXML(final File xml) throws UpdateException {
try {
final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
final CPEHandler handler = new CPEHandler();
saxParser.parse(xml, handler);
return handler.getData();
} catch (ParserConfigurationException ex) {
throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Issue", ex);
} catch (SAXException ex) {
throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Exception", ex);
} catch (IOException ex) {
throw new UpdateException("Unable to parse CPE XML file due to IO Failure", ex);
}
}
/**
* Checks to find the last time the CPE data was refreshed and if it needs
* to be updated.
*
* @return true if the CPE data should be refreshed
*/
private boolean updateNeeded() {
final long now = System.currentTimeMillis();
final int days = Settings.getInt(Settings.KEYS.CPE_MODIFIED_VALID_FOR_DAYS, 30);
long timestamp = 0;
final String ts = getProperties().getProperty(LAST_CPE_UPDATE);
if (ts != null && ts.matches("^[0-9]+$")) {
timestamp = Long.parseLong(ts);
}
return !DateUtil.withinDateRange(timestamp, now, days);
}
public class CpeUpdater { //extends BaseUpdater implements CachedWebDataSource {
//
// /**
// * Static logger.
// */
// private static final Logger LOGGER = LoggerFactory.getLogger(CpeUpdater.class);
//
// @Override
// public void update() throws UpdateException {
// /*
// //the following could be used if this were ever used.
// try {
// if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
// return;
// }
// } catch (InvalidSettingException ex) {
// LOGGER.trace("inavlid setting UPDATE_NVDCVE_ENABLED", ex);
// }
// */
//
// try {
// openDataStores();
// if (updateNeeded()) {
// LOGGER.info("Updating the Common Platform Enumeration (CPE)");
// final File xml = downloadCpe();
// final List<Cpe> cpes = processXML(xml);
// getCveDB().deleteUnusedCpe();
// for (Cpe cpe : cpes) {
// getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct());
// }
// final long now = System.currentTimeMillis();
// getProperties().save(LAST_CPE_UPDATE, Long.toString(now));
// LOGGER.info("CPE update complete");
// }
// } finally {
// closeDataStores();
// }
// }
//
// /**
// * Downloads the CPE XML file.
// *
// * @return the file reference to the CPE.xml file
// * @throws UpdateException thrown if there is an issue downloading the XML
// * file
// */
// private File downloadCpe() throws UpdateException {
// File xml;
// final URL url;
// try {
// url = new URL(Settings.getString(Settings.KEYS.CPE_URL));
// xml = File.createTempFile("cpe", ".xml", Settings.getTempDirectory());
// Downloader.fetchFile(url, xml);
// if (url.toExternalForm().endsWith(".xml.gz")) {
// ExtractionUtil.extractGzip(xml);
// }
//
// } catch (MalformedURLException ex) {
// throw new UpdateException("Invalid CPE URL", ex);
// } catch (DownloadFailedException ex) {
// throw new UpdateException("Unable to download CPE XML file", ex);
// } catch (IOException ex) {
// throw new UpdateException("Unable to create temporary file to download CPE", ex);
// }
// return xml;
// }
//
// /**
// * Parses the CPE XML file to return a list of CPE entries.
// *
// * @param xml the CPE data file
// * @return the list of CPE entries
// * @throws UpdateException thrown if there is an issue with parsing the XML
// * file
// */
// private List<Cpe> processXML(final File xml) throws UpdateException {
// try {
// final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
// final CPEHandler handler = new CPEHandler();
// saxParser.parse(xml, handler);
// return handler.getData();
// } catch (ParserConfigurationException ex) {
// throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Issue", ex);
// } catch (SAXException ex) {
// throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Exception", ex);
// } catch (IOException ex) {
// throw new UpdateException("Unable to parse CPE XML file due to IO Failure", ex);
// }
// }
//
// /**
// * Checks to find the last time the CPE data was refreshed and if it needs
// * to be updated.
// *
// * @return true if the CPE data should be refreshed
// */
// private boolean updateNeeded() {
// final long now = System.currentTimeMillis();
// final int days = Settings.getInt(Settings.KEYS.CPE_MODIFIED_VALID_FOR_DAYS, 30);
// long timestamp = 0;
// final String ts = getProperties().getProperty(LAST_CPE_UPDATE);
// if (ts != null && ts.matches("^[0-9]+$")) {
// timestamp = Long.parseLong(ts);
// }
// return !DateUtil.withinDateRange(timestamp, now, days);
// }
}
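Review bot: The new side keeps the entire body of the deprecated `CpeUpdater` as commented-out code behind `public class CpeUpdater { //extends BaseUpdater implements CachedWebDataSource {`, leaving an empty public class whose dead code will drift from `CveDB` and the now-deleted `BaseUpdater` without the compiler noticing. Since the class is already `@Deprecated` and version control retains the old implementation, either delete the file or reduce it to a documented stub, e.g. `/** Deprecated and non-functional; kept only so existing references still compile. */ @Deprecated public final class CpeUpdater { private CpeUpdater() { } }`. The imports above the hunk (outside it) would then need pruning as well.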


@@ -57,11 +57,6 @@ public class EngineVersionCheck implements CachedWebDataSource {
* The property key indicating when the last version check occurred.
*/
public static final String CURRENT_ENGINE_RELEASE = "CurrentEngineRelease";
/**
* Reference to the Cve Database.
*/
private CveDB cveDB = null;
/**
* The version retrieved from the database properties or web to check
* against.
@@ -109,9 +104,8 @@ public class EngineVersionCheck implements CachedWebDataSource {
* user has not configured them to point to an internal source).
*/
if (enabled && autoupdate && original != null && original.equals(current)) {
openDatabase();
LOGGER.debug("Begin Engine Version Check");
final DatabaseProperties properties = cveDB.getDatabaseProperties();
final DatabaseProperties properties = CveDB.getInstance().getDatabaseProperties();
final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
final long now = System.currentTimeMillis();
updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
@@ -130,8 +124,6 @@ public class EngineVersionCheck implements CachedWebDataSource {
throw new UpdateException("Error occurred updating database properties.");
} catch (InvalidSettingException ex) {
LOGGER.debug("Unable to determine if autoupdate is enabled", ex);
} finally {
closeDatabase();
}
}
@@ -181,33 +173,6 @@ public class EngineVersionCheck implements CachedWebDataSource {
return false;
}
/**
* Opens the CVE and CPE data stores.
*
* @throws DatabaseException thrown if a data store cannot be opened
*/
protected final void openDatabase() throws DatabaseException {
if (cveDB != null) {
return;
}
cveDB = new CveDB();
cveDB.open();
}
/**
* Closes the CVE and CPE data stores.
*/
protected void closeDatabase() {
if (cveDB != null) {
try {
cveDB.close();
cveDB = null;
} catch (Throwable ignore) {
LOGGER.trace("Error closing the cveDB", ignore);
}
}
}
/**
* Retrieves the current released version number from the github
* documentation site.
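Review bot: With the `finally { closeDatabase(); }` removed, `update()` now leaves the shared `CveDB` open after `CveDB.getInstance().getDatabaseProperties()` and nothing in this class closes it; that is presumably intended, with `Engine.cleanup()` responsible, but the class Javadoc and `update()` (whose start is outside the hunk) should say so, e.g. `// The CveDB singleton stays open here; Engine.cleanup() closes it.`. Note also that `getInstance()` throws the checked `DatabaseException` that `openDatabase()` used to throw, so the existing handling that produces `Error occurred updating database properties.` should be confirmed to still cover it now that the call sits inside the `if (enabled && autoupdate ...)` block.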


@@ -53,7 +53,7 @@ import org.slf4j.LoggerFactory;
*
* @author Jeremy Long
*/
public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
public class NvdCveUpdater implements CachedWebDataSource {
/**
* The logger.
@@ -62,20 +62,24 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
/**
* The thread pool size to use for CPU-intense tasks.
*/
private static final int PROCESSING_THREAD_POOL_SIZE = 1;
private static final int PROCESSING_THREAD_POOL_SIZE = Runtime.getRuntime().availableProcessors();
/**
* The thread pool size to use when downloading files.
*/
private static final int DOWNLOAD_THREAD_POOL_SIZE = Settings.getInt(Settings.KEYS.MAX_DOWNLOAD_THREAD_POOL_SIZE, 50);
private static final int DOWNLOAD_THREAD_POOL_SIZE = Math.round(1.5f * Runtime.getRuntime().availableProcessors());
/**
* ExecutorService for CPU-intense processing tasks.
*/
private ExecutorService processingExecutorService = null;
/**
* ExecutorService for tasks that involve blocking activities and are not very CPU-intense, e.g. downloading files.
* ExecutorService for tasks that involve blocking activities and are not
* very CPU-intense, e.g. downloading files.
*/
private ExecutorService downloadExecutorService = null;
private CveDB cveDb = null;
private DatabaseProperties dbProperties = null;
/**
* Downloads the latest NVD CVE XML file from the web and imports it into
* the current CVE Database.
@@ -94,20 +98,25 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
}
try {
initializeExecutorServices();
openDataStores();
boolean autoUpdate = true;
try {
autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
} catch (InvalidSettingException ex) {
LOGGER.debug("Invalid setting for auto-update; using true.");
}
if (autoUpdate && checkUpdate()) {
if (!autoUpdate) {
return;
}
initializeExecutorServices();
cveDb = CveDB.getInstance();
dbProperties = cveDb.getDatabaseProperties();
if (checkUpdate()) {
final UpdateableNvdCve updateable = getUpdatesNeeded();
if (updateable.isUpdateNeeded()) {
performUpdate(updateable);
}
getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(System.currentTimeMillis()));
dbProperties.save(DatabaseProperties.LAST_CHECKED, Long.toString(System.currentTimeMillis()));
}
} catch (MalformedURLException ex) {
throw new UpdateException("NVD CVE properties files contain an invalid URL, unable to update the data to use the most current data.", ex);
@@ -119,9 +128,10 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
"If you are behind a proxy you may need to configure dependency-check to use the proxy.");
}
throw new UpdateException("Unable to download the NVD CVE data.", ex);
} catch (DatabaseException ex) {
throw new UpdateException("Database Exception, unable to update the data to use the most current data.", ex);
} finally {
shutdownExecutorServices();
closeDataStores();
}
}
@@ -159,7 +169,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
if (dataExists() && 0 < validForHours) {
// ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
final long msValid = validForHours * 60L * 60L * 1000L;
final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
final long lastChecked = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_CHECKED, "0"));
final long now = System.currentTimeMillis();
proceed = (now - lastChecked) > msValid;
if (!proceed) {
@@ -177,17 +187,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
* @return true if the database contains data
*/
private boolean dataExists() {
CveDB cve = null;
try {
cve = new CveDB();
cve.open();
final CveDB cve = CveDB.getInstance();
return cve.dataExists();
} catch (DatabaseException ex) {
return false;
} finally {
if (cve != null) {
cve.close();
}
}
}
@@ -214,16 +218,16 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
LOGGER.info("NVD CVE requires several updates; this could take a couple of minutes.");
}
final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<Future<Future<ProcessTask>>>(maxUpdates);
final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<>(maxUpdates);
for (NvdCveInfo cve : updateable) {
if (cve.getNeedsUpdate()) {
final DownloadTask call = new DownloadTask(cve, processingExecutorService, getCveDB(), Settings.getInstance());
final DownloadTask call = new DownloadTask(cve, processingExecutorService, cveDb, Settings.getInstance());
downloadFutures.add(downloadExecutorService.submit(call));
}
}
//next, move the future future processTasks to just future processTasks
final Set<Future<ProcessTask>> processFutures = new HashSet<Future<ProcessTask>>(maxUpdates);
final Set<Future<ProcessTask>> processFutures = new HashSet<>(maxUpdates);
for (Future<Future<ProcessTask>> future : downloadFutures) {
Future<ProcessTask> task;
try {
@@ -259,9 +263,9 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
}
if (maxUpdates >= 1) { //ensure the modified file date gets written (we may not have actually updated it)
getProperties().save(updateable.get(MODIFIED));
dbProperties.save(updateable.get(MODIFIED));
LOGGER.info("Begin database maintenance.");
getCveDB().cleanupDatabase();
cveDb.cleanupDatabase();
LOGGER.info("End database maintenance.");
}
}
@@ -297,19 +301,19 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
if (updates == null) {
throw new DownloadFailedException("Unable to retrieve the timestamps of the currently published NVD CVE data");
}
if (!getProperties().isEmpty()) {
if (dbProperties != null && !dbProperties.isEmpty()) {
try {
final int startYear = Settings.getInt(Settings.KEYS.CVE_START_YEAR, 2002);
final int endYear = Calendar.getInstance().get(Calendar.YEAR);
boolean needsFullUpdate = false;
for (int y = startYear; y <= endYear; y++) {
final long val = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED_BASE + y, "0"));
final long val = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_UPDATED_BASE + y, "0"));
if (val == 0) {
needsFullUpdate = true;
}
}
final long lastUpdated = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED, "0"));
final long lastUpdated = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_UPDATED, "0"));
final long now = System.currentTimeMillis();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7);
if (!needsFullUpdate && lastUpdated == updates.getTimeStamp(MODIFIED)) {
@@ -329,7 +333,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
} else {
long currentTimestamp = 0;
try {
currentTimestamp = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED_BASE
currentTimestamp = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_UPDATED_BASE
+ entry.getId(), "0"));
} catch (NumberFormatException ex) {
LOGGER.debug("Error parsing '{}' '{}' from nvdcve.lastupdated",
@@ -364,7 +368,6 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
private UpdateableNvdCve retrieveCurrentTimestampsFromWeb()
throws MalformedURLException, DownloadFailedException, InvalidDataException, InvalidSettingException {
final int start = Settings.getInt(Settings.KEYS.CVE_START_YEAR);
final int end = Calendar.getInstance().get(Calendar.YEAR);
@@ -392,16 +395,17 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
*
* @param startYear the first year whose item to check for the timestamp
* @param endYear the last year whose item to check for the timestamp
* @return the timestamps from the currently published nvdcve downloads page
* @return the timestamps from the currently published NVD CVE downloads
* page
* @throws MalformedURLException thrown if the URL for the NVD CCE Meta data
* is incorrect.
* @throws DownloadFailedException thrown if there is an error downloading
* the nvd cve meta data file
* the NVD CVE meta data file
*/
private Map<String, Long> retrieveLastModifiedDates(int startYear, int endYear)
throws MalformedURLException, DownloadFailedException {
final Set<String> urls = new HashSet<String>();
final Set<String> urls = new HashSet<>();
final String baseUrl20 = Settings.getString(Settings.KEYS.CVE_SCHEMA_2_0);
for (int i = startYear; i <= endYear; i++) {
final String url = String.format(baseUrl20, i);
@@ -409,14 +413,14 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
}
urls.add(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
final Map<String, Future<Long>> timestampFutures = new HashMap<String, Future<Long>>();
final Map<String, Future<Long>> timestampFutures = new HashMap<>();
for (String url : urls) {
final TimestampRetriever timestampRetriever = new TimestampRetriever(url);
final Future<Long> future = downloadExecutorService.submit(timestampRetriever);
timestampFutures.put(url, future);
}
final Map<String, Long> lastModifiedDates = new HashMap<String, Long>();
final Map<String, Long> lastModifiedDates = new HashMap<>();
for (String url : urls) {
final Future<Long> timestampFuture = timestampFutures.get(url);
final long timestamp;

@@ -1,7 +1,6 @@
application.name=${pom.name}
application.version=${pom.version}
autoupdate=true
max.download.threads=50
# the url to obtain the current engine version from
engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt

@@ -24,7 +24,9 @@ import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import org.junit.AfterClass;
import org.junit.Before;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -42,8 +44,13 @@ public abstract class BaseDBTestCase extends BaseTest {
private final static Logger LOGGER = LoggerFactory.getLogger(BaseDBTestCase.class);
@Before
public void setUp() throws Exception {
ensureDBExists();
public void setUpDb() throws Exception {
ensureDBExists();
}
@AfterClass
public static void tearDownClass() throws Exception {
CveDB.getInstance().closeDatabase();
}
public static void ensureDBExists() throws Exception {
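Review bot: `tearDownClass` closes the process-wide `CveDB` singleton after each test class, but whether `CveDB.getInstance()` reopens the database afterwards is not visible here; if it hands back the already-closed instance, the `setUpDb`/`ensureDBExists` of the next test class in the same JVM runs against a closed database. A one-line Javadoc would record that contract: `/** Closes the shared CveDB singleton; getInstance() must reopen it for the next test class. */`. Because the singleton is shared, this teardown also assumes test classes are not executed in parallel within one JVM, which is worth stating in the same comment. `ensureDBExists` continues outside the hunk.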

@@ -71,10 +71,8 @@ public class EngineIntegrationTest extends BaseDBTestCase {
throw ex;
}
}
CveDB cveDB = new CveDB();
cveDB.open();
CveDB cveDB = CveDB.getInstance();
DatabaseProperties dbProp = cveDB.getDatabaseProperties();
cveDB.close();
ReportGenerator rg = new ReportGenerator("DependencyCheck", instance.getDependencies(), instance.getAnalyzers(), dbProp);
rg.generateReports("./target/", "ALL");
instance.cleanup();

@@ -60,10 +60,8 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
*
* @throws Exception if there is a problem
*/
@Override
@Before
public void setUp() throws Exception {
super.setUp();
analyzer = new CMakeAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();

@@ -54,10 +54,8 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase {
*
* @throws Exception thrown if there is a problem
*/
@Override
@Before
public void setUp() throws Exception {
super.setUp();
analyzer = new ComposerLockAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();

@@ -65,10 +65,8 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
*
* @throws Exception thrown if there is a problem
*/
@Override
@Before
public void setUp() throws Exception {
super.setUp();
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);

@@ -47,15 +47,10 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
public void testOpen() {
CveDB instance = null;
try {
instance = new CveDB();
instance.open();
instance = CveDB.getInstance();
instance.commit();
} catch (DatabaseException | SQLException ex) {
fail(ex.getMessage());
} finally {
if (instance != null) {
instance.close();
}
}
}
@@ -64,19 +59,11 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
*/
@Test
public void testGetCPEs() throws Exception {
CveDB instance = null;
try {
instance = new CveDB();
String vendor = "apache";
String product = "struts";
instance.open();
Set<VulnerableSoftware> result = instance.getCPEs(vendor, product);
assertTrue(result.size() > 5);
} finally {
if (instance != null) {
instance.close();
}
}
CveDB instance = CveDB.getInstance();
String vendor = "apache";
String product = "struts";
Set<VulnerableSoftware> result = instance.getCPEs(vendor, product);
assertTrue(result.size() > 5);
}
/**
@@ -84,18 +71,9 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
*/
@Test
public void testgetVulnerability() throws Exception {
CveDB instance = null;
try {
instance = new CveDB();
instance.open();
Vulnerability result = instance.getVulnerability("CVE-2014-0094");
assertEquals("The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to \"manipulate\" the ClassLoader via the class parameter, which is passed to the getClass method.", result.getDescription());
} finally {
if (instance != null) {
instance.close();
}
}
CveDB instance = CveDB.getInstance();
Vulnerability result = instance.getVulnerability("CVE-2014-0094");
assertEquals("The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to \"manipulate\" the ClassLoader via the class parameter, which is passed to the getClass method.", result.getDescription());
}
/**
@@ -104,42 +82,34 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
@Test
public void testGetVulnerabilities() throws Exception {
String cpeStr = "cpe:/a:apache:struts:2.1.2";
CveDB instance = null;
CveDB instance = CveDB.getInstance();
List<Vulnerability> results;
try {
instance = new CveDB();
instance.open();
results = instance.getVulnerabilities(cpeStr);
assertTrue(results.size() > 5);
cpeStr = "cpe:/a:jruby:jruby:1.6.3";
results = instance.getVulnerabilities(cpeStr);
assertTrue(results.size() > 1);
boolean found = false;
String expected = "CVE-2011-4838";
for (Vulnerability v : results) {
if (expected.equals(v.getName())) {
found = true;
break;
}
}
assertTrue("Expected " + expected + ", but was not identified", found);
results = instance.getVulnerabilities(cpeStr);
assertTrue(results.size() > 5);
cpeStr = "cpe:/a:jruby:jruby:1.6.3";
results = instance.getVulnerabilities(cpeStr);
assertTrue(results.size() > 1);
found = false;
expected = "CVE-2012-5370";
for (Vulnerability v : results) {
if (expected.equals(v.getName())) {
found = true;
break;
}
}
assertTrue("Expected " + expected + ", but was not identified", found);
} finally {
if (instance != null) {
instance.close();
boolean found = false;
String expected = "CVE-2011-4838";
for (Vulnerability v : results) {
if (expected.equals(v.getName())) {
found = true;
break;
}
}
assertTrue("Expected " + expected + ", but was not identified", found);
found = false;
expected = "CVE-2012-5370";
for (Vulnerability v : results) {
if (expected.equals(v.getName())) {
found = true;
break;
}
}
assertTrue("Expected " + expected + ", but was not identified", found);
}
/**
@@ -147,61 +117,53 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
*/
@Test
public void testGetMatchingSoftware() throws Exception {
CveDB instance = null;
Map<String, Boolean> versions = new HashMap<String, Boolean>();
CveDB instance = CveDB.getInstance();
Map<String, Boolean> versions = new HashMap<>();
DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE);
try {
instance = new CveDB();
Entry<String, Boolean> results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
assertNull(results);
versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE);
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
assertNull(results);
Entry<String, Boolean> results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
assertNull(results);
versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE);
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
assertNull(results);
versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE);
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
assertNotNull(results);
assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());
versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE);
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
assertNotNull(results);
assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());
versions.clear();
versions.clear();
versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE);
versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE);
versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE);
identifiedVersion = new DependencyVersion("3.2.2");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey());
assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("3.2.12");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
assertNull(results);
identifiedVersion = new DependencyVersion("3.2.2");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey());
assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("3.2.12");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
assertNull(results);
identifiedVersion = new DependencyVersion("4.0.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("4.1.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
assertNull(results);
identifiedVersion = new DependencyVersion("4.0.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("4.1.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
assertNull(results);
versions.clear();
versions.clear();
versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
identifiedVersion = new DependencyVersion("1.6.3");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
assertNotNull(results);
} finally {
if (instance != null) {
instance.close();
}
}
versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
identifiedVersion = new DependencyVersion("1.6.3");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
assertNotNull(results);
}
}
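Review bot: The last `getMatchingSoftware` call in `testGetMatchingSoftware` still passes `"springsource", "spring_framework"` as vendor and product while the only candidate CPE in `versions` is `cpe:/a:jruby:jruby:-`, which reads like a copy-paste from the spring block above rather than a deliberate cross-vendor case. If the intent is to verify that a `-` (any-version) CPE matches regardless of vendor/product, a comment such as `// a "-" version CPE is expected to match irrespective of vendor/product` would stop the next reader from "fixing" it to `"jruby", "jruby"` and silently changing what is tested. This is pre-existing behaviour carried onto the new side, so it is a comment-only suggestion; the rest of the class (testOpen's `catch (DatabaseException | SQLException ex)` now wrapping only `getInstance()` and `commit()`) looks consistent with the singleton change.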

@@ -34,38 +34,20 @@ import org.owasp.dependencycheck.dependency.VulnerableSoftware;
*/
public class CveDBMySQLTest extends BaseTest {
/**
* Pretty useless tests of open, commit, and close methods, of class CveDB.
*/
@Test
public void testOpen() {
try {
CveDB instance = new CveDB();
instance.open();
instance.close();
} catch (DatabaseException ex) {
System.out.println("Unable to connect to the My SQL database; verify that the db server is running and that the schema has been generated");
fail(ex.getMessage());
}
}
/**
* Test of getCPEs method, of class CveDB.
*/
@Test
public void testGetCPEs() throws Exception {
CveDB instance = new CveDB();
CveDB instance = CveDB.getInstance();
try {
String vendor = "apache";
String product = "struts";
instance.open();
Set<VulnerableSoftware> result = instance.getCPEs(vendor, product);
assertTrue("Has data been loaded into the MySQL DB? if not consider using the CLI to populate it", result.size() > 5);
} catch (Exception ex) {
System.out.println("Unable to access the My SQL database; verify that the db server is running and that the schema has been generated");
throw ex;
} finally {
instance.close();
}
}
@@ -75,16 +57,13 @@ public class CveDBMySQLTest extends BaseTest {
@Test
public void testGetVulnerabilities() throws Exception {
String cpeStr = "cpe:/a:apache:struts:2.1.2";
CveDB instance = new CveDB();
CveDB instance = CveDB.getInstance();
try {
instance.open();
List<Vulnerability> result = instance.getVulnerabilities(cpeStr);
assertTrue(result.size() > 5);
} catch (Exception ex) {
System.out.println("Unable to access the My SQL database; verify that the db server is running and that the schema has been generated");
throw ex;
} finally {
instance.close();
}
}
}
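Review bot: CveDBMySQLTest extends BaseTest rather than BaseDBTestCase, so nothing in this class closes the shared `CveDB` obtained via `CveDB.getInstance()` in `testGetCPEs` and `testGetVulnerabilities`; the `@AfterClass` hook that closes the singleton was added to BaseDBTestCase, and BaseTest is not shown here, so I cannot tell whether it has an equivalent. If it does not, add the same hook to this class: `@AfterClass public static void tearDownClass() throws Exception { CveDB.getInstance().closeDatabase(); }`. With `open()`/`close()` gone, the remaining try/catch blocks that only `System.out.println` and rethrow could be reduced to the assertions themselves, as was done in CveDBIntegrationTest, or the message moved into the assertion text where it already partly lives.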

@@ -36,19 +36,11 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
*/
@Test
public void testIsEmpty() throws Exception {
CveDB cveDB = null;
try {
cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
assertNotNull(instance);
//no exception means the call worked... whether or not it is empty depends on if the db is new
//assertEquals(expResult, result);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
CveDB cveDB = CveDB.getInstance();
DatabaseProperties instance = cveDB.getDatabaseProperties();
assertNotNull(instance);
//no exception means the call worked... whether or not it is empty depends on if the db is new
//assertEquals(expResult, result);
}
/**
@@ -61,24 +53,12 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
long expected = 1337;
updatedValue.setId(key);
updatedValue.setTimestamp(expected);
CveDB cveDB = null;
try {
cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
instance.save(updatedValue);
//reload the properties
cveDB.close();
cveDB = new CveDB();
cveDB.open();
instance = cveDB.getDatabaseProperties();
long results = Long.parseLong(instance.getProperty("NVD CVE " + key));
assertEquals(expected, results);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
CveDB cveDB = CveDB.getInstance();
DatabaseProperties instance = cveDB.getDatabaseProperties();
instance.save(updatedValue);
instance = cveDB.reloadProperties();
long results = Long.parseLong(instance.getProperty("NVD CVE " + key));
assertEquals(expected, results);
}
/**
@@ -88,19 +68,11 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
public void testGetProperty_String_String() throws Exception {
String key = "doesn't exist";
String defaultValue = "default";
CveDB cveDB = null;
try {
cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
String expResult = "default";
String result = instance.getProperty(key, defaultValue);
assertEquals(expResult, result);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
CveDB cveDB = CveDB.getInstance();
DatabaseProperties instance = cveDB.getDatabaseProperties();
String expResult = "default";
String result = instance.getProperty(key, defaultValue);
assertEquals(expResult, result);
}
/**
@@ -109,20 +81,12 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
@Test
public void testGetProperty_String() throws DatabaseException {
String key = "version";
CveDB cveDB = null;
try {
cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
String result = instance.getProperty(key);
double version = Double.parseDouble(result);
assertTrue(version >= 2.8);
assertTrue(version <= 10);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
CveDB cveDB = CveDB.getInstance();
DatabaseProperties instance = cveDB.getDatabaseProperties();
String result = instance.getProperty(key);
double version = Double.parseDouble(result);
assertTrue(version >= 2.8);
assertTrue(version <= 10);
}
/**
@@ -130,17 +94,9 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
*/
@Test
public void testGetProperties() throws DatabaseException {
CveDB cveDB = null;
try {
cveDB = new CveDB();
cveDB.open();
DatabaseProperties instance = cveDB.getDatabaseProperties();
Properties result = instance.getProperties();
assertTrue(result.size() > 0);
} finally {
if (cveDB != null) {
cveDB.close();
}
}
CveDB cveDB = CveDB.getInstance();
DatabaseProperties instance = cveDB.getDatabaseProperties();
Properties result = instance.getProperties();
assertTrue(result.size() > 0);
}
}
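Review bot: `testSave` no longer closes and reopens the database before re-reading the property; it now calls `cveDB.reloadProperties()` on the same singleton, so whether the value actually survived a round trip through the database (rather than an in-memory `DatabaseProperties`) depends on what `reloadProperties` does, which is not visible here. Keeping the dropped comment, updated to `//reload the properties from the database to verify the save persisted`, would record that intent, and if `reloadProperties` only refreshes a cache the test should be renamed or strengthened. Note also that the saved `"NVD CVE " + key` value is now written into the shared singleton database and remains there for later test classes in the same JVM.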

@@ -1,108 +0,0 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import org.junit.Test;
import org.owasp.dependencycheck.BaseDBTestCase;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
/**
*
* @author Jeremy Long
*/
public class BaseUpdaterTest extends BaseDBTestCase {
/**
* Test of getCveDB method, of class BaseUpdater.
*/
@Test
public void testGetCveDB() {
BaseUpdater instance = new BaseUpdaterImpl();
CveDB expResult = null;
CveDB result = instance.getCveDB();
assertEquals(expResult, result);
}
/**
* Test of getProperties method, of class BaseUpdater.
*
* @throws org.owasp.dependencycheck.data.update.exception.UpdateException
* thrown if there is an error getting the properties
*/
@Test
public void testGetProperties() throws UpdateException {
BaseUpdater instance = null;
try {
instance = new BaseUpdaterImpl();
instance.openDataStores();
DatabaseProperties result = instance.getProperties();
assertTrue(result.getProperties().keySet().size() > 1);
} finally {
if (instance != null) {
instance.closeDataStores();
}
}
}
/**
* Test of closeDataStores method, of class BaseUpdater.
*/
@Test
public void testCloseDataStores() {
BaseUpdater instance = null;
try {
instance = new BaseUpdaterImpl();
instance.openDataStores();
} catch (UpdateException ex) {
fail(ex.getMessage());
} finally {
if (instance != null) {
instance.closeDataStores();
}
}
}
/**
* Test of openDataStores method, of class BaseUpdater.
*/
@Test
public void testOpenDataStores() {
BaseUpdater instance = null;
try {
instance = new BaseUpdaterImpl();
instance.openDataStores();
} catch (UpdateException ex) {
fail(ex.getMessage());
} finally {
if (instance != null) {
instance.closeDataStores();
}
}
}
public class BaseUpdaterImpl extends BaseUpdater {
}
}

@@ -1,40 +0,0 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
*
* @author jeremy
*/
public class CpeUpdaterIntegrationTest extends BaseTest {
/**
* Test of update method, of class CpeUpdater.
*/
@Test
public void testUpdate() throws Exception {
//commented out as the current code base does not utilize the CpeU[pdater.
// CpeUpdater instance = new CpeUpdater();
// instance.update();
}
}

@@ -28,7 +28,7 @@ import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
*
* @author Jeremy Long
*/
public class NvdCveUpdaterIntegrationTest extends BaseTest {
public class NvdCveUpdaterIntegrationTest extends BaseTest {
public NvdCveUpdater getUpdater() {
NvdCveUpdater instance = new NvdCveUpdater();
@@ -55,12 +55,7 @@ import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
@Test
public void testUpdatesNeeded() throws Exception {
NvdCveUpdater instance = getUpdater();
try {
instance.openDataStores();
UpdateableNvdCve result = instance.getUpdatesNeeded();
assertNotNull(result);
} finally {
instance.closeDataStores();
}
UpdateableNvdCve result = instance.getUpdatesNeeded();
assertNotNull(result);
}
}
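Review bot: `testUpdatesNeeded` no longer calls `openDataStores()`, while the production change to `getUpdatesNeeded` now guards on `dbProperties != null && !dbProperties.isEmpty()`, which suggests `dbProperties` is only populated once the data stores are opened; if so, this test now exercises only the "no properties, full update" branch and `assertNotNull(result)` passes without the per-year timestamp comparison ever running. Either call whatever now initialises `dbProperties` before `getUpdatesNeeded()`, or add an assertion on `result` that distinguishes the two branches (for example that the entry for the modified feed reports `getNeedsUpdate()` as expected for a populated database). The class also extends BaseTest, so the singleton `CveDB` is not closed by the BaseDBTestCase hook here.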

@@ -144,10 +144,8 @@ public class ReportGeneratorIntegrationTest extends BaseDBTestCase {
engine.scan(jetty);
engine.analyzeDependencies();
CveDB cveDB = new CveDB();
cveDB.open();
CveDB cveDB = CveDB.getInstance();
DatabaseProperties dbProp = cveDB.getDatabaseProperties();
cveDB.close();
ReportGenerator generator = new ReportGenerator("Test Report", engine.getDependencies(), engine.getAnalyzers(), dbProp);
generator.generateReport(templateName, writeTo);

@@ -1,7 +1,6 @@
application.name=${pom.name}
application.version=${pom.version}
autoupdate=true
max.download.threads=50
# the url to obtain the current engine version from
engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt

@@ -1029,19 +1029,14 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
*/
protected void writeReports(Engine engine, MavenProject p, File outputDir) throws ReportException {
DatabaseProperties prop = null;
CveDB cve = null;
try {
cve = new CveDB();
cve.open();
final CveDB cve = CveDB.getInstance();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
//TODO shouldn't this throw an exception?
if (getLog().isDebugEnabled()) {
getLog().debug("Unable to retrieve DB Properties", ex);
}
} finally {
if (cve != null) {
cve.close();
}
}
final ReportGenerator r = new ReportGenerator(p.getName(), engine.getDependencies(), engine.getAnalyzers(), prop);
try {
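Review bot: In `writeReports` the `catch (DatabaseException ex)` still only logs at debug level and then hands a null `prop` to the `ReportGenerator`, so a database failure is invisible in a normal build; the retained `//TODO shouldn't this throw an exception?` says as much. Since the method already declares `throws ReportException`, rethrowing there would surface the failure, and if that is deliberately avoided the log call should at least be `getLog().warn("Unable to retrieve DB Properties", ex);` so it appears without `-X`. `writeReports` continues past the end of the hunk.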

@@ -1,7 +1,6 @@
application.name=${pom.name}
application.version=${pom.version}
autoupdate=true
max.download.threads=50
# the url to obtain the current engine version from
engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt