github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

moved to new package

Browse Source 
Former-commit-id: df0c16afe8fac4250e83fbbf66e48eee0ff2df5c
This commit is contained in:
Jeremy Long
2014-01-03 14:20:12 -05:00
parent 71f40856dc
commit 66996ec1d3
5 changed files with 945 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/InvalidDataException.java Normal file
View File

@@ -0,0 +1,52 @@
/*
* This file is part of dependency-check-core.
*
* Dependency-check-core is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-check-core is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* dependency-check-core. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
/**
* An InvalidDataDataException is a generic exception used when trying to load
* the NVD CVE meta data.
*
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class InvalidDataException extends Exception {
/**
* The serial version UID.
*/
private static final long serialVersionUID = 1L;
/**
* Creates an InvalidDataException.
*
* @param msg the exception message
*/
public InvalidDataException(String msg) {
super(msg);
}
/**
* Creates an InvalidDataException.
*
* @param msg the exception message
* @param ex the cause of the exception
*/
public InvalidDataException(String msg, Exception ex) {
super(msg, ex);
}
}

247
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCve12Handler.java Normal file
View File

@@ -0,0 +1,247 @@
/*
* This file is part of dependency-check-core.
*
* Dependency-check-core is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-check-core is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* dependency-check-core. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.helpers.DefaultHandler;
/**
* A SAX Handler that will parse the NVD CVE XML (schema version 1.2). This
* parses the xml and retrieves a listing of CPEs that have previous versions
* specified. The previous version information is not in the 2.0 version of the
* schema and is useful to ensure accurate identification (or at least
* complete).
*
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class NvdCve12Handler extends DefaultHandler {
/**
* the supported schema version.
*/
private static final String CURRENT_SCHEMA_VERSION = "1.2";
/**
* the current vulnerability.
*/
private String vulnerability;
/**
* a list of vulnerable software.
*/
private List<VulnerableSoftware> software;
/**
* the vendor name.
*/
private String vendor;
/**
* the product name.
*/
private String product;
/**
* if the nvd cve should be skipped because it was rejected.
*/
private boolean skip = false;
/**
* flag indicating if there is a previous version.
*/
private boolean hasPreviousVersion = false;
/**
* The current element.
*/
private final Element current = new Element();
/**
* a map of vulnerabilities.
*/
private Map<String, List<VulnerableSoftware>> vulnerabilities;
/**
* Get the value of vulnerabilities.
*
* @return the value of vulnerabilities
*/
public Map<String, List<VulnerableSoftware>> getVulnerabilities() {
return vulnerabilities;
}
@Override
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
current.setNode(qName);
if (current.isEntryNode()) {
vendor = null;
product = null;
hasPreviousVersion = false;
final String reject = attributes.getValue("reject");
skip = "1".equals(reject);
if (!skip) {
vulnerability = attributes.getValue("name");
software = new ArrayList<VulnerableSoftware>();
} else {
vulnerability = null;
software = null;
}
} else if (!skip && current.isProdNode()) {
vendor = attributes.getValue("vendor");
product = attributes.getValue("name");
} else if (!skip && current.isVersNode()) {
final String prev = attributes.getValue("prev");
if (prev != null && "1".equals(prev)) {
hasPreviousVersion = true;
final String edition = attributes.getValue("edition");
final String num = attributes.getValue("num");
/*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our
purposes this is good enough as we won't use this if we don't find a corresponding "a"
in the nvd cve 2.0. */
String cpe = "cpe:/a:" + vendor + ":" + product;
if (num != null) {
cpe += ":" + num;
}
if (edition != null) {
cpe += ":" + edition;
}
final VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe(cpe);
vs.setPreviousVersion(prev);
software.add(vs);
}
} else if (current.isNVDNode()) {
final String nvdVer = attributes.getValue("nvd_xml_version");
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
}
vulnerabilities = new HashMap<String, List<VulnerableSoftware>>();
}
}
@Override
public void endElement(String uri, String localName, String qName) throws SAXException {
current.setNode(qName);
if (current.isEntryNode()) {
if (!skip && hasPreviousVersion) {
vulnerabilities.put(vulnerability, software);
}
vulnerability = null;
software = null;
}
}
// <editor-fold defaultstate="collapsed" desc="The Element Class that maintains state information about the current node">
/**
* A simple class to maintain information about the current element while
* parsing the NVD CVE XML.
*/
protected static class Element {
/**
* A node type in the NVD CVE Schema 1.2.
*/
public static final String NVD = "nvd";
/**
* A node type in the NVD CVE Schema 1.2.
*/
public static final String ENTRY = "entry";
/**
* A node type in the NVD CVE Schema 1.2.
*/
public static final String VULN_SOFTWARE = "vuln_soft";
/**
* A node type in the NVD CVE Schema 1.2.
*/
public static final String PROD = "prod";
/**
* A node type in the NVD CVE Schema 1.2.
*/
public static final String VERS = "vers";
/**
* The name of the current node.
*/
private String node;
/**
* Gets the value of node.
*
* @return the value of node
*/
public String getNode() {
return this.node;
}
/**
* Sets the value of node.
*
* @param node new value of node
*/
public void setNode(String node) {
this.node = node;
}
/**
* Checks if the handler is at the NVD node.
*
* @return true or false
*/
public boolean isNVDNode() {
return NVD.equals(node);
}
/**
* Checks if the handler is at the ENTRY node.
*
* @return true or false
*/
public boolean isEntryNode() {
return ENTRY.equals(node);
}
/**
* Checks if the handler is at the VULN_SOFTWARE node.
*
* @return true or false
*/
public boolean isVulnSoftwareNode() {
return VULN_SOFTWARE.equals(node);
}
/**
* Checks if the handler is at the PROD node.
*
* @return true or false
*/
public boolean isProdNode() {
return PROD.equals(node);
}
/**
* Checks if the handler is at the VERS node.
*
* @return true or false
*/
public boolean isVersNode() {
return VERS.equals(node);
}
}
// </editor-fold>
}

496
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCve20Handler.java Normal file
View File

@@ -0,0 +1,496 @@
/*
* This file is part of dependency-check-core.
*
* Dependency-check-core is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-check-core is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* dependency-check-core. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.lucene.index.CorruptIndexException;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.dependency.Reference;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.helpers.DefaultHandler;
/**
* A SAX Handler that will parse the NVD CVE XML (schema version 2.0).
*
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class NvdCve20Handler extends DefaultHandler {
/**
* the current supported schema version.
*/
private static final String CURRENT_SCHEMA_VERSION = "2.0";
/**
* the current element.
*/
private final Element current = new Element();
/**
* the text of the node.
*/
private StringBuilder nodeText;
/**
* the vulnerability.
*/
private Vulnerability vulnerability;
/**
* a reference for the cve.
*/
private Reference reference;
/**
* flag indicating whether the application has a cpe.
*/
private boolean hasApplicationCpe = false;
/**
* The total number of entries parsed.
*/
private int totalNumberOfEntries;
/**
* Get the value of totalNumberOfEntries.
*
* @return the value of totalNumberOfEntries
*/
public int getTotalNumberOfEntries() {
return totalNumberOfEntries;
}
/**
* The total number of application entries parsed.
*/
private int totalNumberOfApplicationEntries;
/**
* Get the value of totalNumberOfApplicationEntries.
*
* @return the value of totalNumberOfApplicationEntries
*/
public int getTotalNumberOfApplicationEntries() {
return totalNumberOfApplicationEntries;
}
@Override
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
current.setNode(qName);
if (current.isEntryNode()) {
hasApplicationCpe = false;
vulnerability = new Vulnerability();
vulnerability.setName(attributes.getValue("id"));
} else if (current.isVulnProductNode()) {
nodeText = new StringBuilder(100);
} else if (current.isVulnReferencesNode()) {
final String lang = attributes.getValue("xml:lang");
if ("en".equals(lang)) {
reference = new Reference();
} else {
reference = null;
}
} else if (reference != null && current.isVulnReferenceNode()) {
reference.setUrl(attributes.getValue("href"));
nodeText = new StringBuilder(130);
} else if (reference != null && current.isVulnSourceNode()) {
nodeText = new StringBuilder(30);
} else if (current.isVulnSummaryNode()) {
nodeText = new StringBuilder(500);
} else if (current.isNVDNode()) {
final String nvdVer = attributes.getValue("nvd_xml_version");
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
}
} else if (current.isVulnCWENode()) {
vulnerability.setCwe(attributes.getValue("id"));
} else if (current.isCVSSScoreNode()) {
nodeText = new StringBuilder(5);
} else if (current.isCVSSAccessVectorNode()) {
nodeText = new StringBuilder(20);
} else if (current.isCVSSAccessComplexityNode()) {
nodeText = new StringBuilder(20);
} else if (current.isCVSSAuthenticationNode()) {
nodeText = new StringBuilder(20);
} else if (current.isCVSSAvailabilityImpactNode()) {
nodeText = new StringBuilder(20);
} else if (current.isCVSSConfidentialityImpactNode()) {
nodeText = new StringBuilder(20);
} else if (current.isCVSSIntegrityImpactNode()) {
nodeText = new StringBuilder(20);
}
}
@Override
public void characters(char[] ch, int start, int length) throws SAXException {
if (nodeText != null) {
nodeText.append(ch, start, length);
}
}
@Override
public void endElement(String uri, String localName, String qName) throws SAXException {
current.setNode(qName);
if (current.isEntryNode()) {
totalNumberOfEntries += 1;
if (hasApplicationCpe) {
totalNumberOfApplicationEntries += 1;
try {
saveEntry(vulnerability);
} catch (DatabaseException ex) {
throw new SAXException(ex);
} catch (CorruptIndexException ex) {
throw new SAXException(ex);
} catch (IOException ex) {
throw new SAXException(ex);
}
}
vulnerability = null;
} else if (current.isCVSSScoreNode()) {
try {
final float score = Float.parseFloat(nodeText.toString());
vulnerability.setCvssScore(score);
} catch (NumberFormatException ex) {
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, "Error parsing CVSS Score.");
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.FINE, null, ex);
}
nodeText = null;
} else if (current.isCVSSAccessVectorNode()) {
vulnerability.setCvssAccessVector(nodeText.toString());
nodeText = null;
} else if (current.isCVSSAccessComplexityNode()) {
vulnerability.setCvssAccessComplexity(nodeText.toString());
nodeText = null;
} else if (current.isCVSSAuthenticationNode()) {
vulnerability.setCvssAuthentication(nodeText.toString());
nodeText = null;
} else if (current.isCVSSAvailabilityImpactNode()) {
vulnerability.setCvssAvailabilityImpact(nodeText.toString());
nodeText = null;
} else if (current.isCVSSConfidentialityImpactNode()) {
vulnerability.setCvssConfidentialityImpact(nodeText.toString());
nodeText = null;
} else if (current.isCVSSIntegrityImpactNode()) {
vulnerability.setCvssIntegrityImpact(nodeText.toString());
nodeText = null;
} else if (current.isVulnProductNode()) {
final String cpe = nodeText.toString();
if (cpe.startsWith("cpe:/a:")) {
hasApplicationCpe = true;
vulnerability.addVulnerableSoftware(cpe);
}
nodeText = null;
} else if (reference != null && current.isVulnReferencesNode()) {
vulnerability.addReference(reference);
reference = null;
} else if (reference != null && current.isVulnReferenceNode()) {
reference.setName(nodeText.toString());
nodeText = null;
} else if (reference != null && current.isVulnSourceNode()) {
reference.setSource(nodeText.toString());
nodeText = null;
} else if (current.isVulnSummaryNode()) {
vulnerability.setDescription(nodeText.toString());
if (nodeText.indexOf("** REJECT **") >= 0) {
hasApplicationCpe = true; //ensure we process this to delete the vuln
}
nodeText = null;
}
}
/**
* the cve database.
*/
private CveDB cveDB;
/**
* Sets the cveDB.
*
* @param db a reference to the CveDB
*/
public void setCveDB(CveDB db) {
cveDB = db;
}
/**
* A list of CVE entries and associated VulnerableSoftware entries that
* contain previous entries.
*/
private Map<String, List<VulnerableSoftware>> prevVersionVulnMap;
/**
* Sets the prevVersionVulnMap.
*
* @param map the map of vulnerable software with previous versions being
* vulnerable
*/
public void setPrevVersionVulnMap(Map<String, List<VulnerableSoftware>> map) {
prevVersionVulnMap = map;
}
/**
* Saves a vulnerability to the CVE Database.
*
* @param vuln the vulnerability to store in the database
* @throws DatabaseException thrown if there is an error writing to the
* database
* @throws CorruptIndexException is thrown if the CPE Index is corrupt
* @throws IOException thrown if there is an IOException with the CPE Index
*/
private void saveEntry(Vulnerability vuln) throws DatabaseException, CorruptIndexException, IOException {
if (cveDB == null) {
return;
}
final String cveName = vuln.getName();
if (prevVersionVulnMap.containsKey(cveName)) {
final List<VulnerableSoftware> vulnSoftware = prevVersionVulnMap.get(cveName);
for (VulnerableSoftware vs : vulnSoftware) {
vuln.updateVulnerableSoftware(vs);
}
}
cveDB.updateVulnerability(vuln);
}
// <editor-fold defaultstate="collapsed" desc="The Element Class that maintains state information about the current node">
/**
* A simple class to maintain information about the current element while
* parsing the NVD CVE XML.
*/
protected static class Element {
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String NVD = "nvd";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String ENTRY = "entry";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String VULN_PRODUCT = "vuln:product";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String VULN_REFERENCES = "vuln:references";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String VULN_SOURCE = "vuln:source";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String VULN_REFERENCE = "vuln:reference";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String VULN_SUMMARY = "vuln:summary";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String VULN_CWE = "vuln:cwe";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_SCORE = "cvss:score";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_ACCESS_VECTOR = "cvss:access-vector";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_ACCESS_COMPLEXITY = "cvss:access-complexity";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_AUTHENTICATION = "cvss:authentication";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_CONFIDENTIALITY_IMPACT = "cvss:confidentiality-impact";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_INTEGRITY_IMPACT = "cvss:integrity-impact";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact";
/**
* The current node.
*/
private String node;
/**
* Gets the value of node.
*
* @return the value of node
*/
public String getNode() {
return this.node;
}
/**
* Sets the value of node.
*
* @param node new value of node
*/
public void setNode(String node) {
this.node = node;
}
/**
* Checks if the handler is at the NVD node.
*
* @return true or false
*/
public boolean isNVDNode() {
return NVD.equals(node);
}
/**
* Checks if the handler is at the ENTRY node.
*
* @return true or false
*/
public boolean isEntryNode() {
return ENTRY.equals(node);
}
/**
* Checks if the handler is at the VULN_PRODUCT node.
*
* @return true or false
*/
public boolean isVulnProductNode() {
return VULN_PRODUCT.equals(node);
}
/**
* Checks if the handler is at the REFERENCES node.
*
* @return true or false
*/
public boolean isVulnReferencesNode() {
return VULN_REFERENCES.equals(node);
}
/**
* Checks if the handler is at the REFERENCE node.
*
* @return true or false
*/
public boolean isVulnReferenceNode() {
return VULN_REFERENCE.equals(node);
}
/**
* Checks if the handler is at the VULN_SOURCE node.
*
* @return true or false
*/
public boolean isVulnSourceNode() {
return VULN_SOURCE.equals(node);
}
/**
* Checks if the handler is at the VULN_SUMMARY node.
*
* @return true or false
*/
public boolean isVulnSummaryNode() {
return VULN_SUMMARY.equals(node);
}
/**
* Checks if the handler is at the VULN_CWE node.
*
* @return true or false
*/
public boolean isVulnCWENode() {
return VULN_CWE.equals(node);
}
/**
* Checks if the handler is at the CVSS_SCORE node.
*
* @return true or false
*/
public boolean isCVSSScoreNode() {
return CVSS_SCORE.equals(node);
}
/**
* Checks if the handler is at the CVSS_ACCESS_VECTOR node.
*
* @return true or false
*/
public boolean isCVSSAccessVectorNode() {
return CVSS_ACCESS_VECTOR.equals(node);
}
/**
* Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node.
*
* @return true or false
*/
public boolean isCVSSAccessComplexityNode() {
return CVSS_ACCESS_COMPLEXITY.equals(node);
}
/**
* Checks if the handler is at the CVSS_AUTHENTICATION node.
*
* @return true or false
*/
public boolean isCVSSAuthenticationNode() {
return CVSS_AUTHENTICATION.equals(node);
}
/**
* Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node.
*
* @return true or false
*/
public boolean isCVSSConfidentialityImpactNode() {
return CVSS_CONFIDENTIALITY_IMPACT.equals(node);
}
/**
* Checks if the handler is at the CVSS_INTEGRITY_IMPACT node.
*
* @return true or false
*/
public boolean isCVSSIntegrityImpactNode() {
return CVSS_INTEGRITY_IMPACT.equals(node);
}
/**
* Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node.
*
* @return true or false
*/
public boolean isCVSSAvailabilityImpactNode() {
return CVSS_AVAILABILITY_IMPACT.equals(node);
}
}
// </editor-fold>
}

72
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCve_1_2_HandlerTest.java Normal file
View File

@@ -0,0 +1,72 @@
/*
* This file is part of dependency-check-core.
*
* Dependency-check-core is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-check-core is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* dependency-check-core. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import org.owasp.dependencycheck.data.update.NvdCve12Handler;
import java.io.File;
import java.util.List;
import java.util.Map;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class NvdCve_1_2_HandlerTest {
public NvdCve_1_2_HandlerTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
@Test
public void testParse() throws Exception {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2012.xml").getPath());
NvdCve12Handler instance = new NvdCve12Handler();
saxParser.parse(file, instance);
Map<String, List<VulnerableSoftware>> results = instance.getVulnerabilities();
assertTrue("No vulnerable software identified with a previous version in 2012 CVE 1.2?", !results.isEmpty());
}
}

78
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCve_2_0_HandlerTest.java Normal file
View File

@@ -0,0 +1,78 @@
/*
* This file is part of dependency-check-core.
*
* Dependency-check-core is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-check-core is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* dependency-check-core. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import org.owasp.dependencycheck.data.update.NvdCve20Handler;
import java.io.File;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class NvdCve_2_0_HandlerTest {
public NvdCve_2_0_HandlerTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
@Test
public void testParse() {
Exception results = null;
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2.0-2012.xml").getPath());
NvdCve20Handler instance = new NvdCve20Handler();
saxParser.parse(file, instance);
} catch (Exception ex) {
results = ex;
}
assertTrue("Exception thrown during parse of 2012 CVE version 2.0?", results == null);
if (results != null) {
System.err.println(results);
}
}
}