From ae5a7660921ca10dbe4e3907c2c54dcacf244ce2 Mon Sep 17 00:00:00 2001
From: Jens Hausherr
Date: Fri, 27 May 2016 15:07:59 +0200
Subject: [PATCH 1/6] Limit split to fix #503
---
 .../dependencycheck/dependency/VulnerableSoftware.java | 2 +-
 .../dependency/VulnerableSoftwareTest.java | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
index 521cff011..3b0e0d440 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
@@ -73,7 +73,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
 public void parseName(String cpeName) throws UnsupportedEncodingException {
 this.name = cpeName;
 if (cpeName != null && cpeName.length() > 7) {
- final String[] data = cpeName.substring(7).split(":");
+ final String[] data = cpeName.substring(7).split(":", 4);
 if (data.length >= 1) {
 this.setVendor(urlDecode(data[0]));
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
index 5fa12af18..69e38fd15 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
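Review bot: With `split(":", 4)` the result for `cpe:/a:mysql:mysql:5.0.0:alpha` is `[mysql, mysql, 5.0.0, alpha]`, so the version element `data[2]` is still `5.0.0`; the test added in this patch expects `getVersion()` to return `5.0.0:alpha`, which this limit only produces if the version branch below the hunk (not visible here) joins `data[2]` and `data[3]` — if the intent is to keep everything after the product in one element, the limit should be 3. A positive limit also makes `String.split` keep trailing empty strings, which the limit-less form discards, so a name ending in a colon now yields an extra empty element and a larger `data.length` than before. Either way the line deserves a comment stating the intent, e.g. `// limit the split so that colons inside the version are kept (#503)`. The rest of parseName continues outside the hunk.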
@@ -78,4 +78,14 @@ public class VulnerableSoftwareTest extends BaseTest {
 result = instance.compareTo(vs);
 assertEquals(expResult, result);
 }
+
+ @Test
+ public void testParseCPE() {
+ VulnerableSoftware vs = new VulnerableSoftware();
+ /* Version for test taken from CVE-2008-2079 */
+ vs.setCpe("cpe:/a:mysql:mysql:5.0.0:alpha");
+ assertEquals("mysql", vs.getVendor());
+ assertEquals("mysql", vs.getProduct());
+ assertEquals("5.0.0:alpha", vs.getVersion());
+ }
 }
From 6d70c92795e723a5b813f53f48f97849afa00e87 Mon Sep 17 00:00:00 2001
From: Jens Hausherr
Date: Fri, 3 Jun 2016 09:41:48 +0200
Subject: [PATCH 2/6] Add to String-Method to Reference
---
 .../java/org/owasp/dependencycheck/dependency/Reference.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
index e8db33f17..3d4b2ee26 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
@@ -97,6 +97,11 @@ public class Reference implements Serializable, Comparable {
 this.source = source;
 }
+ @Override
+ public String toString() {
+ return "Reference: { name='"+this.name+"', url='"+this.url+"', source='"+this.source+"' }";
+ }
+
 @Override
 public boolean equals(Object obj) {
 if (obj == null) {
From f3d3a2585696e82ede5910327baf5496be6bc94a Mon Sep 17 00:00:00 2001
From: Jens Hausherr
Date: Fri, 3 Jun 2016 09:50:05 +0200
Subject: [PATCH 3/6] Add more test cases
---
 .../dependency/VulnerabilityTest.java | 138 ++++++++++++++++++
 .../dependency/VulnerableSoftwareTest.java | 46 +++++-
 2 files changed, 179 insertions(+), 5 deletions(-)
 create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerabilityTest.java
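Review bot: The expected value `"5.0.0:alpha"` in testParseCPE pins that the CPE 2.2 update component is folded into the version string, which a reader will otherwise take for a typo; the comment should state that contract rather than only naming the CVE, e.g. `/* cpe taken from CVE-2008-2079; the update component (alpha) is kept as part of the version, see #503 */`. A second assertion on a plain three-component name such as `cpe:/a:mysql:mysql:5.0.0` would also show that the split limit leaves the common case unchanged.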
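Review bot: The concatenation in the new `Reference.toString` has no whitespace around `+`, unlike the concatenation style of `VulnerableSoftware.toString` later in this series, and it will trip Checkstyle's WhitespaceAround rule if the project runs one (not visible here); write it as `return "Reference: { name='" + this.name + "', url='" + this.url + "', source='" + this.source + "' }";`. A one-line Javadoc summary would match the documented `toString` in `VulnerableSoftware`, e.g. `/** Returns a single-line description of this reference, intended for logging and debugging. */`. A null field prints as `null` here, which is fine for a debug string but means the output must not be parsed back.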
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerabilityTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerabilityTest.java
new file mode 100644
index 000000000..550540b67
--- /dev/null
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerabilityTest.java
@@ -0,0 +1,138 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.dependency;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertFalse;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+
+/**
+ *
+ * @author Jens Hausherr
+ */
+public class VulnerabilityTest extends BaseTest {
+
+ /**
+ * Test of equals method, of class VulnerableSoftware.
+ */
+ @Test
+ public void testDuplicateVersions() {
+ Vulnerability obj = new Vulnerability();
+
+ obj.addVulnerableSoftware("cpe:/a:mortbay:jetty:6.1.0");
+ obj.addVulnerableSoftware("cpe:/a:mortbay:jetty:6.1.1");
+ obj.addVulnerableSoftware("cpe:/a:mortbay:jetty:6.1.0");
+
+ assertEquals(2, obj.getVulnerableSoftware().size());
+ }
+
+ @Test
+ public void testDpulicateVersionsWithPreviousVersion() {
+ Vulnerability obj = new Vulnerability();
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.0",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.1",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.2",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.10",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.11",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.12",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.13",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.14",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.15",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.16",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.17",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.18",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.19",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.20",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.21",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.22",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:4.1.23",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.0",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.0:alpha",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.1",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.10",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.10a",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.11",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.12",null);
+ 
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.13",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.15",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.19",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.1a",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.2",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.3",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.4",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.5.0.21",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.6",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.9",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.21",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.22",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.23",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.24",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.24a",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.25",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.30",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.32",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.33",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.36",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.37",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.38",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.3a",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.41",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.42",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.44",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.45",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.4a",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.50",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.51",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.52",null);
+ 
obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.54",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.0.56",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.23a","1");
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.3",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.4",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.5",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.5a",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.6",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.7",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.9",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.11",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.12",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.14",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.15",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.16",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.17",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.18",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.19",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.20",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.21",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.22",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.23",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:5.1.23a",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:6.0.0",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:6.0.1",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:6.0.2",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:6.0.3",null);
+ obj.addVulnerableSoftware("cpe:/a:mysql:mysql:6.0.4",null);
+ assertEquals(82, obj.getVulnerableSoftware().size());
+ }
+}
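Review bot: `assertEquals(82, obj.getVulnerableSoftware().size())` is a bare magic number: 83 names are added and `cpe:/a:mysql:mysql:5.1.23a` appears twice (first with previousVersion `"1"`, later with `null`), so what the test really pins is that this duplicate collapses to a single entry; say so with `// 83 names added; 5.1.23a appears twice (previousVersion "1" and null) and must collapse to one entry`, or assert that case on its own with a three-element list the way testDuplicateVersions does. Because `Vulnerability` imports `SortedSet`/`TreeSet`, the collapse presumably depends on `compareTo` returning 0 rather than on `equals`, which is worth naming in the test's Javadoc. The method name has a typo (`testDpulicate…`), and the Javadoc on testDuplicateVersions, `Test of equals method, of class VulnerableSoftware.`, is copied from another test and describes neither this class nor this method. `After`, `AfterClass`, `Before`, `BeforeClass`, `assertTrue` and `assertFalse` are imported but unused in the file.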
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
index 69e38fd15..8789d25d1 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
@@ -20,6 +20,8 @@ package org.owasp.dependencycheck.dependency;
 import org.junit.After;
 import org.junit.AfterClass;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertFalse;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -40,9 +42,20 @@ public class VulnerableSoftwareTest extends BaseTest {
 obj.setCpe("cpe:/a:mortbay:jetty:6.1.0");
 VulnerableSoftware instance = new VulnerableSoftware();
 instance.setCpe("cpe:/a:mortbay:jetty:6.1");
- boolean expResult = false;
- boolean result = instance.equals(obj);
- assertEquals(expResult, result);
+ assertFalse(instance.equals(obj));
+ }
+
+ /**
+ * Test of equals method, of class VulnerableSoftware.
+ */
+ @Test
+ public void testEquals2() {
+ VulnerableSoftware obj = new VulnerableSoftware();
+ obj.setCpe("cpe:/a:mortbay:jetty:6.1.0");
+ VulnerableSoftware instance = new VulnerableSoftware();
+ instance.setCpe("cpe:/a:mortbay:jetty:6.1.0");
+ obj.setPreviousVersion("1");
+ assertTrue(instance.equals(obj));
 }
 /**
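Review bot: testEquals2 shows two objects that are equal while differing in previousVersion but never checks that their hash codes agree, which is the half of the contract a HashSet or HashMap relies on; add `assertEquals(instance.hashCode(), obj.hashCode());` after the `assertTrue`. Its Javadoc is a copy of the one on testEquals and should state the case being pinned, e.g. `Equality is decided by the CPE name alone; a differing previousVersion must not break it.` In testEquals, `assertFalse(instance.equals(obj))` can be `assertNotEquals(instance, obj)` if the project's JUnit is 4.11 or newer, so a failure prints both values.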
@@ -79,13 +92,36 @@ public class VulnerableSoftwareTest extends BaseTest {
 assertEquals(expResult, result);
 }
+ @Test
+ public void testCompareToNonNumerical(){
+ VulnerableSoftware vs = new VulnerableSoftware();
+ vs.setCpe("cpe:/a:mysql:mysql:5.1.23a");
+ VulnerableSoftware vs1 = new VulnerableSoftware();
+ vs1.setCpe("cpe:/a:mysql:mysql:5.1.23a");
+ vs1.setPreviousVersion("1");
+ assertEquals(0, vs.compareTo(vs1));
+ assertEquals(0, vs1.compareTo(vs));
+ }
+
+ @Test
+ public void testEqualsPreviousVersion() {
+ VulnerableSoftware vs = new VulnerableSoftware();
+ vs.setCpe("cpe:/a:mysql:mysql:5.1.23a");
+ VulnerableSoftware vs1 = new VulnerableSoftware();
+ vs1.setCpe("cpe:/a:mysql:mysql:5.1.23a");
+ vs1.setPreviousVersion("1");
+ assertEquals(vs,vs1);
+ assertEquals(vs1,vs);
+
+ }
+
 @Test
 public void testParseCPE() {
 VulnerableSoftware vs = new VulnerableSoftware();
 /* Version for test taken from CVE-2008-2079 */
- vs.setCpe("cpe:/a:mysql:mysql:5.0.0:alpha");
+ vs.setCpe("cpe:/a:mysql:mysql:5.1.23a");
 assertEquals("mysql", vs.getVendor());
 assertEquals("mysql", vs.getProduct());
- assertEquals("5.0.0:alpha", vs.getVersion());
+ assertEquals("5.1.23a", vs.getVersion());
 }
 }
From fccd683b500f81bb5d4bd26369d49d7d4d84a197 Mon Sep 17 00:00:00 2001
From: Jens Hausherr
Date: Fri, 3 Jun 2016 09:52:35 +0200
Subject: [PATCH 4/6] add toString() for Vulnerability
---
 .../dependency/Vulnerability.java | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
index 9fc097401..6d7b55d0f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
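Review bot: Changing testParseCPE's input from `cpe:/a:mysql:mysql:5.0.0:alpha` to `cpe:/a:mysql:mysql:5.1.23a` removes the only test of a name with an update component, which is exactly the case the `split(":", 4)` limit from patch 1 was introduced for; keep both inputs as separate assertions rather than replacing one, and adjust the `CVE-2008-2079` comment if 5.1.23a is not taken from that entry. testEqualsPreviousVersion duplicates testEquals2 from the same series (identical CPE, previousVersion `"1"` on one side) apart from using `assertEquals` instead of `assertTrue`; one of the two can go, and whichever stays should also assert `vs.hashCode() == vs1.hashCode()`. Minor: `testCompareToNonNumerical(){` lacks the space before the brace, `assertEquals(vs,vs1)` lacks one after the comma, and there is a stray blank line before the closing brace of testEqualsPreviousVersion.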
@@ -18,7 +18,6 @@ package org.owasp.dependencycheck.dependency;
 import java.io.Serializable;
-import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
@@ -33,6 +32,7 @@ public class Vulnerability implements Serializable, Comparable {
 * The serial version uid.
 */
 private static final long serialVersionUID = 307319490326651052L;
+
 /**
 * The name of the vulnerability.
 */
@@ -383,6 +383,24 @@ public class Vulnerability implements Serializable, Comparable {
 return hash;
 }
+ @Override
+ public String toString() {
+ StringBuilder sb = new StringBuilder("Vulnerability ");
+ sb.append(this.name);
+ sb.append("\nReferences:\n");
+ for (Iterator i = this.references.iterator(); i.hasNext();) {
+ sb.append("=> ");
+ sb.append(i.next());
+ sb.append("\n");
+ }
+ sb.append("\nSoftware:\n");
+ for (Iterator i = this.vulnerableSoftware.iterator(); i.hasNext();) {
+ sb.append("=> ");
+ sb.append(i.next());
+ sb.append("\n");
+ }
+ return sb.toString();
+ }
 /**
 * Compares two vulnerabilities.
 *
From 578dc63652734dbac31f2ab6d01ee9fb51b55685 Mon Sep 17 00:00:00 2001
From: Jens Hausherr
Date: Fri, 3 Jun 2016 09:54:25 +0200
Subject: [PATCH 5/6] Vulnerable Software: Compact toString() output; remove accessor calls for own properties
---
 .../dependencycheck/dependency/VulnerableSoftware.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
index 3b0e0d440..3e46581e6 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
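Review bot: The new toString iterates with a raw `Iterator` that this commit does not import (and its first hunk drops `java.util.Set`, which the class presumably still uses), so the commit does not compile on its own until patch 6 restores both; an enhanced for loop needs neither the import nor the raw type: `for (Object ref : this.references) { sb.append("=> ").append(ref).append('\n'); }`, and likewise for `vulnerableSoftware`. The method has no Javadoc although the neighbouring `compareTo` has one; `/** Returns a multi-line summary of this vulnerability, its references and affected software, for logging and debugging. */` would match. A blank line between the closing brace and the compareTo Javadoc would keep the class's spacing consistent.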
@@ -73,7 +73,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
 public void parseName(String cpeName) throws UnsupportedEncodingException {
 this.name = cpeName;
 if (cpeName != null && cpeName.length() > 7) {
- final String[] data = cpeName.substring(7).split(":", 4);
+ final String[] data = cpeName.substring(7).split(":");
 if (data.length >= 1) {
 this.setVendor(urlDecode(data[0]));
 }
@@ -138,7 +138,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
 return false;
 }
 final VulnerableSoftware other = (VulnerableSoftware) obj;
- if ((this.getName() == null) ? (other.getName() != null) : !this.getName().equals(other.getName())) {
+ if ((this.name == null) ? (other.getName() != null) : !this.name.equals(other.getName())) {
 return false;
 }
 return true;
@@ -152,7 +152,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
 @Override
 public int hashCode() {
 int hash = 7;
- hash = 83 * hash + (this.getName() != null ? this.getName().hashCode() : 0);
+ hash = 83 * hash + (this.name != null ? this.name.hashCode() : 0);
 return hash;
 }
@@ -163,7 +163,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
 */
 @Override
 public String toString() {
- return "VulnerableSoftware{ name=" + name + ", previousVersion=" + previousVersion + '}';
+ return "VulnerableSoftware{" + name + "[" + previousVersion + "]}";
 }
 /**
@@ -175,7 +175,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
 @Override
 public int compareTo(VulnerableSoftware vs) {
 int result = 0;
- final String[] left = this.getName().split(":");
+ final String[] left = this.name.split(":");
 final String[] right = vs.getName().split(":");
 final int max = (left.length <= right.length) ? left.length : right.length;
 if (max > 0) {
From 1ba081959ba3afda67595d229cc2b14b01311f21 Mon Sep 17 00:00:00 2001
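Review bot: Reverting `split(":", 4)` to `split(":")` is mentioned neither in the subject ("Compact toString() output; remove accessor calls") nor in the code; it undoes the #503 change from patch 1, and since patch 3 replaced the `5.0.0:alpha` test input no test notices. If the limit was wrong, say why on the line, e.g. `// no limit: update/edition components are parsed into their own elements, not appended to the version`, and keep a test for a name with an update component so the behaviour is pinned either way. Without a limit, trailing empty components are dropped again, so `data.length` for a name ending in a colon changes back as well. The rest of parseName is outside the hunk.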
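Review bot: The rewritten condition in equals reads `this.name` directly but still goes through `other.getName()`, and compareTo does the same with `this.name.split(":")` against `vs.getName().split(":")`; unless getName has side effects (not visible here), use the field on both sides, `!this.name.equals(other.name)`, or the accessor on both, so the two halves of each comparison are visibly symmetric. compareTo still dereferences `this.name` without the null guard that equals and hashCode apply, so an instance whose name was never set throws NullPointerException from compareTo; that predates this hunk, but a `@throws NullPointerException if this object's name has not been set` in the Javadoc above the hunk, or a guard, would make it explicit. The hashCode and toString hunks are fine as written.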
From: Jens Hausherr
Date: Fri, 3 Jun 2016 10:09:28 +0200
Subject: [PATCH 6/6] Accidentially dropped some imports
---
 .../org/owasp/dependencycheck/dependency/Vulnerability.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
index 6d7b55d0f..ed278076b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
@@ -18,8 +18,10 @@ package org.owasp.dependencycheck.dependency;
 import java.io.Serializable;
+import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
+import java.util.Iterator;
 /**
 * Contains the information about a vulnerability.