From 66996ec1d3e806197e2c2f2f423b04c0b9088eeb Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Fri, 3 Jan 2014 14:20:12 -0500 Subject: [PATCH] moved to new package Former-commit-id: df0c16afe8fac4250e83fbbf66e48eee0ff2df5c --- .../data/update/InvalidDataException.java | 52 ++ .../data/update/NvdCve12Handler.java | 247 +++++++++ .../data/update/NvdCve20Handler.java | 496 ++++++++++++++++++ .../data/update/NvdCve_1_2_HandlerTest.java | 72 +++ .../data/update/NvdCve_2_0_HandlerTest.java | 78 +++ 5 files changed, 945 insertions(+) create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/InvalidDataException.java create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCve12Handler.java create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCve20Handler.java create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCve_1_2_HandlerTest.java create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCve_2_0_HandlerTest.java diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/InvalidDataException.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/InvalidDataException.java new file mode 100644 index 000000000..464aa8332 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/InvalidDataException.java @@ -0,0 +1,52 @@ +/* + * This file is part of dependency-check-core. + * + * Dependency-check-core is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation, either version 3 of the License, or (at your option) any + * later version. + * + * Dependency-check-core is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * dependency-check-core. If not, see http://www.gnu.org/licenses/. + * + * Copyright (c) 2012 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.update; + +/** + * An InvalidDataDataException is a generic exception used when trying to load + * the NVD CVE meta data. + * + * @author Jeremy Long (jeremy.long@owasp.org) + */ +public class InvalidDataException extends Exception { + + /** + * The serial version UID. + */ + private static final long serialVersionUID = 1L; + + /** + * Creates an InvalidDataException. + * + * @param msg the exception message + */ + public InvalidDataException(String msg) { + super(msg); + } + + /** + * Creates an InvalidDataException. + * + * @param msg the exception message + * @param ex the cause of the exception + */ + public InvalidDataException(String msg, Exception ex) { + super(msg, ex); + } +} diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCve12Handler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCve12Handler.java new file mode 100644 index 000000000..9d5980c30 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCve12Handler.java @@ -0,0 +1,247 @@ +/* + * This file is part of dependency-check-core. + * + * Dependency-check-core is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation, either version 3 of the License, or (at your option) any + * later version. + * + * Dependency-check-core is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * dependency-check-core. If not, see http://www.gnu.org/licenses/. + * + * Copyright (c) 2012 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.update; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import org.owasp.dependencycheck.dependency.VulnerableSoftware; +import org.xml.sax.Attributes; +import org.xml.sax.SAXException; +import org.xml.sax.SAXNotSupportedException; +import org.xml.sax.helpers.DefaultHandler; + +/** + * A SAX Handler that will parse the NVD CVE XML (schema version 1.2). This + * parses the xml and retrieves a listing of CPEs that have previous versions + * specified. The previous version information is not in the 2.0 version of the + * schema and is useful to ensure accurate identification (or at least + * complete). + * + * @author Jeremy Long (jeremy.long@owasp.org) + */ +public class NvdCve12Handler extends DefaultHandler { + + /** + * the supported schema version. + */ + private static final String CURRENT_SCHEMA_VERSION = "1.2"; + /** + * the current vulnerability. + */ + private String vulnerability; + /** + * a list of vulnerable software. + */ + private List software; + /** + * the vendor name. + */ + private String vendor; + /** + * the product name. + */ + private String product; + /** + * if the nvd cve should be skipped because it was rejected. + */ + private boolean skip = false; + /** + * flag indicating if there is a previous version. + */ + private boolean hasPreviousVersion = false; + /** + * The current element. + */ + private final Element current = new Element(); + /** + * a map of vulnerabilities. + */ + private Map> vulnerabilities; + + /** + * Get the value of vulnerabilities. + * + * @return the value of vulnerabilities + */ + public Map> getVulnerabilities() { + return vulnerabilities; + } + + @Override + public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException { + current.setNode(qName); + if (current.isEntryNode()) { + vendor = null; + product = null; + hasPreviousVersion = false; + final String reject = attributes.getValue("reject"); + skip = "1".equals(reject); + if (!skip) { + vulnerability = attributes.getValue("name"); + software = new ArrayList(); + } else { + vulnerability = null; + software = null; + } + } else if (!skip && current.isProdNode()) { + + vendor = attributes.getValue("vendor"); + product = attributes.getValue("name"); + } else if (!skip && current.isVersNode()) { + final String prev = attributes.getValue("prev"); + if (prev != null && "1".equals(prev)) { + hasPreviousVersion = true; + final String edition = attributes.getValue("edition"); + final String num = attributes.getValue("num"); + + /*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our + purposes this is good enough as we won't use this if we don't find a corresponding "a" + in the nvd cve 2.0. */ + String cpe = "cpe:/a:" + vendor + ":" + product; + if (num != null) { + cpe += ":" + num; + } + if (edition != null) { + cpe += ":" + edition; + } + final VulnerableSoftware vs = new VulnerableSoftware(); + vs.setCpe(cpe); + vs.setPreviousVersion(prev); + software.add(vs); + } + } else if (current.isNVDNode()) { + final String nvdVer = attributes.getValue("nvd_xml_version"); + if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) { + throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported"); + } + vulnerabilities = new HashMap>(); + } + } + + @Override + public void endElement(String uri, String localName, String qName) throws SAXException { + current.setNode(qName); + if (current.isEntryNode()) { + if (!skip && hasPreviousVersion) { + vulnerabilities.put(vulnerability, software); + } + vulnerability = null; + software = null; + } + } + + // + /** + * A simple class to maintain information about the current element while + * parsing the NVD CVE XML. + */ + protected static class Element { + + /** + * A node type in the NVD CVE Schema 1.2. + */ + public static final String NVD = "nvd"; + /** + * A node type in the NVD CVE Schema 1.2. + */ + public static final String ENTRY = "entry"; + /** + * A node type in the NVD CVE Schema 1.2. + */ + public static final String VULN_SOFTWARE = "vuln_soft"; + /** + * A node type in the NVD CVE Schema 1.2. + */ + public static final String PROD = "prod"; + /** + * A node type in the NVD CVE Schema 1.2. + */ + public static final String VERS = "vers"; + /** + * The name of the current node. + */ + private String node; + + /** + * Gets the value of node. + * + * @return the value of node + */ + public String getNode() { + return this.node; + } + + /** + * Sets the value of node. + * + * @param node new value of node + */ + public void setNode(String node) { + this.node = node; + } + + /** + * Checks if the handler is at the NVD node. + * + * @return true or false + */ + public boolean isNVDNode() { + return NVD.equals(node); + } + + /** + * Checks if the handler is at the ENTRY node. + * + * @return true or false + */ + public boolean isEntryNode() { + return ENTRY.equals(node); + } + + /** + * Checks if the handler is at the VULN_SOFTWARE node. + * + * @return true or false + */ + public boolean isVulnSoftwareNode() { + return VULN_SOFTWARE.equals(node); + } + + /** + * Checks if the handler is at the PROD node. + * + * @return true or false + */ + public boolean isProdNode() { + return PROD.equals(node); + } + + /** + * Checks if the handler is at the VERS node. + * + * @return true or false + */ + public boolean isVersNode() { + return VERS.equals(node); + } + } + // +} diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCve20Handler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCve20Handler.java new file mode 100644 index 000000000..f4867af56 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCve20Handler.java @@ -0,0 +1,496 @@ +/* + * This file is part of dependency-check-core. + * + * Dependency-check-core is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation, either version 3 of the License, or (at your option) any + * later version. + * + * Dependency-check-core is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * dependency-check-core. If not, see http://www.gnu.org/licenses/. + * + * Copyright (c) 2012 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.update; + +import java.io.IOException; +import java.util.List; +import java.util.Map; +import java.util.logging.Level; +import java.util.logging.Logger; +import org.apache.lucene.index.CorruptIndexException; +import org.owasp.dependencycheck.data.nvdcve.CveDB; +import org.owasp.dependencycheck.data.nvdcve.DatabaseException; +import org.owasp.dependencycheck.dependency.Reference; +import org.owasp.dependencycheck.dependency.Vulnerability; +import org.owasp.dependencycheck.dependency.VulnerableSoftware; +import org.xml.sax.Attributes; +import org.xml.sax.SAXException; +import org.xml.sax.SAXNotSupportedException; +import org.xml.sax.helpers.DefaultHandler; + +/** + * A SAX Handler that will parse the NVD CVE XML (schema version 2.0). + * + * @author Jeremy Long (jeremy.long@owasp.org) + */ +public class NvdCve20Handler extends DefaultHandler { + + /** + * the current supported schema version. + */ + private static final String CURRENT_SCHEMA_VERSION = "2.0"; + /** + * the current element. + */ + private final Element current = new Element(); + /** + * the text of the node. + */ + private StringBuilder nodeText; + /** + * the vulnerability. + */ + private Vulnerability vulnerability; + /** + * a reference for the cve. + */ + private Reference reference; + /** + * flag indicating whether the application has a cpe. + */ + private boolean hasApplicationCpe = false; + /** + * The total number of entries parsed. + */ + private int totalNumberOfEntries; + + /** + * Get the value of totalNumberOfEntries. + * + * @return the value of totalNumberOfEntries + */ + public int getTotalNumberOfEntries() { + return totalNumberOfEntries; + } + /** + * The total number of application entries parsed. + */ + private int totalNumberOfApplicationEntries; + + /** + * Get the value of totalNumberOfApplicationEntries. + * + * @return the value of totalNumberOfApplicationEntries + */ + public int getTotalNumberOfApplicationEntries() { + return totalNumberOfApplicationEntries; + } + + @Override + public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException { + current.setNode(qName); + if (current.isEntryNode()) { + hasApplicationCpe = false; + vulnerability = new Vulnerability(); + vulnerability.setName(attributes.getValue("id")); + } else if (current.isVulnProductNode()) { + nodeText = new StringBuilder(100); + } else if (current.isVulnReferencesNode()) { + final String lang = attributes.getValue("xml:lang"); + if ("en".equals(lang)) { + reference = new Reference(); + } else { + reference = null; + } + } else if (reference != null && current.isVulnReferenceNode()) { + reference.setUrl(attributes.getValue("href")); + nodeText = new StringBuilder(130); + } else if (reference != null && current.isVulnSourceNode()) { + nodeText = new StringBuilder(30); + } else if (current.isVulnSummaryNode()) { + nodeText = new StringBuilder(500); + } else if (current.isNVDNode()) { + final String nvdVer = attributes.getValue("nvd_xml_version"); + if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) { + throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported"); + } + } else if (current.isVulnCWENode()) { + vulnerability.setCwe(attributes.getValue("id")); + } else if (current.isCVSSScoreNode()) { + nodeText = new StringBuilder(5); + } else if (current.isCVSSAccessVectorNode()) { + nodeText = new StringBuilder(20); + } else if (current.isCVSSAccessComplexityNode()) { + nodeText = new StringBuilder(20); + } else if (current.isCVSSAuthenticationNode()) { + nodeText = new StringBuilder(20); + } else if (current.isCVSSAvailabilityImpactNode()) { + nodeText = new StringBuilder(20); + } else if (current.isCVSSConfidentialityImpactNode()) { + nodeText = new StringBuilder(20); + } else if (current.isCVSSIntegrityImpactNode()) { + nodeText = new StringBuilder(20); + } + } + + @Override + public void characters(char[] ch, int start, int length) throws SAXException { + if (nodeText != null) { + nodeText.append(ch, start, length); + } + } + + @Override + public void endElement(String uri, String localName, String qName) throws SAXException { + current.setNode(qName); + if (current.isEntryNode()) { + totalNumberOfEntries += 1; + if (hasApplicationCpe) { + totalNumberOfApplicationEntries += 1; + try { + saveEntry(vulnerability); + } catch (DatabaseException ex) { + throw new SAXException(ex); + } catch (CorruptIndexException ex) { + throw new SAXException(ex); + } catch (IOException ex) { + throw new SAXException(ex); + } + } + vulnerability = null; + } else if (current.isCVSSScoreNode()) { + try { + final float score = Float.parseFloat(nodeText.toString()); + vulnerability.setCvssScore(score); + } catch (NumberFormatException ex) { + Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, "Error parsing CVSS Score."); + Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.FINE, null, ex); + } + nodeText = null; + } else if (current.isCVSSAccessVectorNode()) { + vulnerability.setCvssAccessVector(nodeText.toString()); + nodeText = null; + } else if (current.isCVSSAccessComplexityNode()) { + vulnerability.setCvssAccessComplexity(nodeText.toString()); + nodeText = null; + } else if (current.isCVSSAuthenticationNode()) { + vulnerability.setCvssAuthentication(nodeText.toString()); + nodeText = null; + } else if (current.isCVSSAvailabilityImpactNode()) { + vulnerability.setCvssAvailabilityImpact(nodeText.toString()); + nodeText = null; + } else if (current.isCVSSConfidentialityImpactNode()) { + vulnerability.setCvssConfidentialityImpact(nodeText.toString()); + nodeText = null; + } else if (current.isCVSSIntegrityImpactNode()) { + vulnerability.setCvssIntegrityImpact(nodeText.toString()); + nodeText = null; + } else if (current.isVulnProductNode()) { + final String cpe = nodeText.toString(); + if (cpe.startsWith("cpe:/a:")) { + hasApplicationCpe = true; + vulnerability.addVulnerableSoftware(cpe); + } + nodeText = null; + } else if (reference != null && current.isVulnReferencesNode()) { + vulnerability.addReference(reference); + reference = null; + } else if (reference != null && current.isVulnReferenceNode()) { + reference.setName(nodeText.toString()); + nodeText = null; + } else if (reference != null && current.isVulnSourceNode()) { + reference.setSource(nodeText.toString()); + nodeText = null; + } else if (current.isVulnSummaryNode()) { + vulnerability.setDescription(nodeText.toString()); + if (nodeText.indexOf("** REJECT **") >= 0) { + hasApplicationCpe = true; //ensure we process this to delete the vuln + } + nodeText = null; + } + } + /** + * the cve database. + */ + private CveDB cveDB; + + /** + * Sets the cveDB. + * + * @param db a reference to the CveDB + */ + public void setCveDB(CveDB db) { + cveDB = db; + } + /** + * A list of CVE entries and associated VulnerableSoftware entries that + * contain previous entries. + */ + private Map> prevVersionVulnMap; + + /** + * Sets the prevVersionVulnMap. + * + * @param map the map of vulnerable software with previous versions being + * vulnerable + */ + public void setPrevVersionVulnMap(Map> map) { + prevVersionVulnMap = map; + } + + /** + * Saves a vulnerability to the CVE Database. + * + * @param vuln the vulnerability to store in the database + * @throws DatabaseException thrown if there is an error writing to the + * database + * @throws CorruptIndexException is thrown if the CPE Index is corrupt + * @throws IOException thrown if there is an IOException with the CPE Index + */ + private void saveEntry(Vulnerability vuln) throws DatabaseException, CorruptIndexException, IOException { + if (cveDB == null) { + return; + } + final String cveName = vuln.getName(); + if (prevVersionVulnMap.containsKey(cveName)) { + final List vulnSoftware = prevVersionVulnMap.get(cveName); + for (VulnerableSoftware vs : vulnSoftware) { + vuln.updateVulnerableSoftware(vs); + } + } + cveDB.updateVulnerability(vuln); + } + + // + /** + * A simple class to maintain information about the current element while + * parsing the NVD CVE XML. + */ + protected static class Element { + + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String NVD = "nvd"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String ENTRY = "entry"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String VULN_PRODUCT = "vuln:product"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String VULN_REFERENCES = "vuln:references"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String VULN_SOURCE = "vuln:source"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String VULN_REFERENCE = "vuln:reference"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String VULN_SUMMARY = "vuln:summary"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String VULN_CWE = "vuln:cwe"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String CVSS_SCORE = "cvss:score"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String CVSS_ACCESS_VECTOR = "cvss:access-vector"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String CVSS_ACCESS_COMPLEXITY = "cvss:access-complexity"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String CVSS_AUTHENTICATION = "cvss:authentication"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String CVSS_CONFIDENTIALITY_IMPACT = "cvss:confidentiality-impact"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String CVSS_INTEGRITY_IMPACT = "cvss:integrity-impact"; + /** + * A node type in the NVD CVE Schema 2.0 + */ + public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact"; + /** + * The current node. + */ + private String node; + + /** + * Gets the value of node. + * + * @return the value of node + */ + public String getNode() { + return this.node; + } + + /** + * Sets the value of node. + * + * @param node new value of node + */ + public void setNode(String node) { + this.node = node; + } + + /** + * Checks if the handler is at the NVD node. + * + * @return true or false + */ + public boolean isNVDNode() { + return NVD.equals(node); + } + + /** + * Checks if the handler is at the ENTRY node. + * + * @return true or false + */ + public boolean isEntryNode() { + return ENTRY.equals(node); + } + + /** + * Checks if the handler is at the VULN_PRODUCT node. + * + * @return true or false + */ + public boolean isVulnProductNode() { + return VULN_PRODUCT.equals(node); + } + + /** + * Checks if the handler is at the REFERENCES node. + * + * @return true or false + */ + public boolean isVulnReferencesNode() { + return VULN_REFERENCES.equals(node); + } + + /** + * Checks if the handler is at the REFERENCE node. + * + * @return true or false + */ + public boolean isVulnReferenceNode() { + return VULN_REFERENCE.equals(node); + } + + /** + * Checks if the handler is at the VULN_SOURCE node. + * + * @return true or false + */ + public boolean isVulnSourceNode() { + return VULN_SOURCE.equals(node); + } + + /** + * Checks if the handler is at the VULN_SUMMARY node. + * + * @return true or false + */ + public boolean isVulnSummaryNode() { + return VULN_SUMMARY.equals(node); + } + + /** + * Checks if the handler is at the VULN_CWE node. + * + * @return true or false + */ + public boolean isVulnCWENode() { + return VULN_CWE.equals(node); + } + + /** + * Checks if the handler is at the CVSS_SCORE node. + * + * @return true or false + */ + public boolean isCVSSScoreNode() { + return CVSS_SCORE.equals(node); + } + + /** + * Checks if the handler is at the CVSS_ACCESS_VECTOR node. + * + * @return true or false + */ + public boolean isCVSSAccessVectorNode() { + return CVSS_ACCESS_VECTOR.equals(node); + } + + /** + * Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node. + * + * @return true or false + */ + public boolean isCVSSAccessComplexityNode() { + return CVSS_ACCESS_COMPLEXITY.equals(node); + } + + /** + * Checks if the handler is at the CVSS_AUTHENTICATION node. + * + * @return true or false + */ + public boolean isCVSSAuthenticationNode() { + return CVSS_AUTHENTICATION.equals(node); + } + + /** + * Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node. + * + * @return true or false + */ + public boolean isCVSSConfidentialityImpactNode() { + return CVSS_CONFIDENTIALITY_IMPACT.equals(node); + } + + /** + * Checks if the handler is at the CVSS_INTEGRITY_IMPACT node. + * + * @return true or false + */ + public boolean isCVSSIntegrityImpactNode() { + return CVSS_INTEGRITY_IMPACT.equals(node); + } + + /** + * Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node. + * + * @return true or false + */ + public boolean isCVSSAvailabilityImpactNode() { + return CVSS_AVAILABILITY_IMPACT.equals(node); + } + } + // +} diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCve_1_2_HandlerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCve_1_2_HandlerTest.java new file mode 100644 index 000000000..cbc7125f7 --- /dev/null +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCve_1_2_HandlerTest.java @@ -0,0 +1,72 @@ +/* + * This file is part of dependency-check-core. + * + * Dependency-check-core is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation, either version 3 of the License, or (at your option) any + * later version. + * + * Dependency-check-core is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * dependency-check-core. If not, see http://www.gnu.org/licenses/. + * + * Copyright (c) 2012 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.update; + +import org.owasp.dependencycheck.data.update.NvdCve12Handler; +import java.io.File; +import java.util.List; +import java.util.Map; +import javax.xml.parsers.SAXParser; +import javax.xml.parsers.SAXParserFactory; +import org.owasp.dependencycheck.dependency.VulnerableSoftware; +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import static org.junit.Assert.*; + +/** + * + * @author Jeremy Long (jeremy.long@owasp.org) + */ +public class NvdCve_1_2_HandlerTest { + + public NvdCve_1_2_HandlerTest() { + } + + @BeforeClass + public static void setUpClass() throws Exception { + } + + @AfterClass + public static void tearDownClass() throws Exception { + } + + @Before + public void setUp() { + } + + @After + public void tearDown() { + } + + @Test + public void testParse() throws Exception { + SAXParserFactory factory = SAXParserFactory.newInstance(); + SAXParser saxParser = factory.newSAXParser(); + + File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2012.xml").getPath()); + + NvdCve12Handler instance = new NvdCve12Handler(); + saxParser.parse(file, instance); + Map> results = instance.getVulnerabilities(); + assertTrue("No vulnerable software identified with a previous version in 2012 CVE 1.2?", !results.isEmpty()); + } +} diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCve_2_0_HandlerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCve_2_0_HandlerTest.java new file mode 100644 index 000000000..0069b2f41 --- /dev/null +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCve_2_0_HandlerTest.java @@ -0,0 +1,78 @@ +/* + * This file is part of dependency-check-core. + * + * Dependency-check-core is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation, either version 3 of the License, or (at your option) any + * later version. + * + * Dependency-check-core is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * dependency-check-core. If not, see http://www.gnu.org/licenses/. + * + * Copyright (c) 2012 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.update; + +import org.owasp.dependencycheck.data.update.NvdCve20Handler; +import java.io.File; +import javax.xml.parsers.SAXParser; +import javax.xml.parsers.SAXParserFactory; +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import static org.junit.Assert.*; + +/** + * + * @author Jeremy Long (jeremy.long@owasp.org) + */ +public class NvdCve_2_0_HandlerTest { + + public NvdCve_2_0_HandlerTest() { + } + + @BeforeClass + public static void setUpClass() throws Exception { + } + + @AfterClass + public static void tearDownClass() throws Exception { + } + + @Before + public void setUp() { + } + + @After + public void tearDown() { + } + + @Test + public void testParse() { + Exception results = null; + try { + SAXParserFactory factory = SAXParserFactory.newInstance(); + SAXParser saxParser = factory.newSAXParser(); + + File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2.0-2012.xml").getPath()); + + NvdCve20Handler instance = new NvdCve20Handler(); + + saxParser.parse(file, instance); + } catch (Exception ex) { + results = ex; + } + assertTrue("Exception thrown during parse of 2012 CVE version 2.0?", results == null); + if (results != null) { + System.err.println(results); + } + + } +}