diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java index 05cca60f8..83b344907 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java @@ -944,16 +944,13 @@ public class Check extends Update { DatabaseProperties prop = null; CveDB cve = null; try { - cve = new CveDB(); - cve.open(); + cve = CveDB.getInstance(); prop = cve.getDatabaseProperties(); } catch (DatabaseException ex) { + //TODO shouldn't this be a fatal exception log("Unable to retrieve DB Properties", ex, Project.MSG_DEBUG); - } finally { - if (cve != null) { - cve.close(); - } } + final ReportGenerator reporter = new ReportGenerator(getProjectName(), engine.getDependencies(), engine.getAnalyzers(), prop); reporter.generateReports(reportOutputDirectory, reportFormat); diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index b4e33f28a..7b6d8d354 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -284,15 +284,8 @@ public class App { final List dependencies = engine.getDependencies(); DatabaseProperties prop = null; CveDB cve = null; - try { - cve = new CveDB(); - cve.open(); - prop = cve.getDatabaseProperties(); - } finally { - if (cve != null) { - cve.close(); - } - } + cve = CveDB.getInstance(); + prop = cve.getDatabaseProperties(); final ReportGenerator report = new ReportGenerator(applicationName, dependencies, engine.getAnalyzers(), prop); try { report.generateReports(reportDirectory, outputFormat); 
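Review bot: The new `//TODO shouldn't this be a fatal exception` in the `catch (DatabaseException ex)` branch of Check.java leaves the failure logged only at `Project.MSG_DEBUG`, so the report is still generated with `prop` equal to null and a normal run shows no sign that the database state could not be read. Until the TODO is resolved, raising the level would at least make the condition visible: `log("Unable to retrieve DB Properties", ex, Project.MSG_WARN);`. The same TODO and debug-only logging appear in the DependencyCheckScanAgent hunk, where `LOGGER.debug("Unable to retrieve DB Properties", ex);` could become `LOGGER.warn(...)`. The enclosing method starts and ends outside this hunk.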
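Review bot: In App.java the `null` initialisers on `prop` and `cve` are now dead, because both variables are assigned unconditionally on the two added lines. `final DatabaseProperties prop = CveDB.getInstance().getDatabaseProperties();` says the same in one statement and drops the unused local `cve`. With the `finally` block gone, nothing in this hunk closes the connection any more; it relies on `Engine.cleanup()` being called later, which is not visible here.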
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java index 4327a80b7..ef1e00372 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java @@ -34,7 +34,7 @@ import java.util.concurrent.Callable; * * @author Stefan Neuhaus */ -class AnalysisTask implements Callable { +public class AnalysisTask implements Callable { /** * Instance of the logger. diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java index e502c5fae..163d9e0ff 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java @@ -71,7 +71,7 @@ public class Engine implements FileFilter { /** * A Map of analyzers grouped by Analysis phase. */ - private final Map> analyzers = new EnumMap>(AnalysisPhase.class); + private final Map> analyzers = new EnumMap<>(AnalysisPhase.class); /** * A Map of analyzers grouped by Analysis phase. @@ -126,6 +126,11 @@ public class Engine implements FileFilter { * Properly cleans up resources allocated during analysis. */ public void cleanup() { + try { + CveDB.getInstance().closeDatabase(); + } catch (DatabaseException ex) { + LOGGER.trace("Error closing the database", ex); + } ConnectionFactory.cleanup(); } @@ -140,7 +145,7 @@ public class Engine implements FileFilter { for (AnalysisPhase phase : AnalysisPhase.values()) { analyzers.put(phase, new ArrayList()); } - + final AnalyzerService service = new AnalyzerService(serviceClassLoader); final List iterator = service.getAnalyzers(); for (Analyzer a : iterator) { 
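Review bot: `CveDB.getInstance().closeDatabase()` in `Engine.cleanup()` will construct the singleton when none exists, because `getInstance()` (added in CveDB.java by this commit) creates a `CveDB` whenever `INSTANCE` is null and the private constructor opens a connection and prepares the statements. A cleanup that follows an earlier close, or a run that never used the database, therefore opens the database only to close it again. A static close method on `CveDB` that returns immediately when `INSTANCE` is null would avoid this and would also remove the `DatabaseException` this catch block exists for. If the catch stays, `LOGGER.trace` hides a failed shutdown at normal log levels; `LOGGER.debug("Error closing the database", ex);` would be easier to find.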
@@ -213,7 +218,7 @@ public class Engine implements FileFilter { * @since v1.4.4 */ public List scan(String[] paths, String projectReference) { - final List deps = new ArrayList(); + final List deps = new ArrayList<>(); for (String path : paths) { final List d = scan(path, projectReference); if (d != null) { @@ -384,7 +389,7 @@ public class Engine implements FileFilter { */ protected List scanDirectory(File dir, String projectReference) { final File[] files = dir.listFiles(); - final List deps = new ArrayList(); + final List deps = new ArrayList<>(); if (files != null) { for (File f : files) { if (f.isDirectory()) { @@ -504,7 +509,7 @@ public class Engine implements FileFilter { } catch (DatabaseException ex) { throwFatalExceptionCollection("Unable to connect to the dependency-check database.", ex, exceptions); } - + LOGGER.debug("\n----------------------------------------------------\nBEGIN ANALYSIS\n----------------------------------------------------"); LOGGER.info("Analysis Started"); final long analysisStart = System.currentTimeMillis(); @@ -512,7 +517,7 @@ public class Engine implements FileFilter { // analysis phases for (AnalysisPhase phase : AnalysisPhase.values()) { final List analyzerList = analyzers.get(phase); - + for (final Analyzer analyzer : analyzerList) { final long analyzerStart = System.currentTimeMillis(); try { @@ -521,10 +526,10 @@ public class Engine implements FileFilter { exceptions.add(ex); continue; } - + if (analyzer.isEnabled()) { executeAnalysisTasks(analyzer, exceptions); - + final long analyzerDurationMillis = System.currentTimeMillis() - analyzerStart; final long analyzerDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(analyzerDurationMillis); LOGGER.info("Finished {} ({} seconds)", analyzer.getName(), analyzerDurationSeconds); 
@@ -535,12 +540,12 @@ public class Engine implements FileFilter { } for (AnalysisPhase phase : AnalysisPhase.values()) { final List analyzerList = analyzers.get(phase); - + for (Analyzer a : analyzerList) { closeAnalyzer(a); } } - + LOGGER.debug("\n----------------------------------------------------\nEND ANALYSIS\n----------------------------------------------------"); final long analysisDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - analysisStart); LOGGER.info("Analysis Complete ({} seconds)", analysisDurationSeconds); @@ -561,7 +566,7 @@ public class Engine implements FileFilter { LOGGER.debug("Starting {}", analyzer.getName()); final List analysisTasks = getAnalysisTasks(analyzer, exceptions); final ExecutorService executorService = getExecutorService(analyzer); - + try { final List> results = executorService.invokeAll(analysisTasks, 10, TimeUnit.MINUTES); @@ -610,7 +615,7 @@ public class Engine implements FileFilter { if (analyzer.supportsParallelProcessing()) { // just a fair trade-off that should be reasonable for all analyzer types final int maximumNumberOfThreads = 4 * Runtime.getRuntime().availableProcessors(); - + LOGGER.debug("Parallel processing with up to {} threads: {}.", maximumNumberOfThreads, analyzer.getName()); return Executors.newFixedThreadPool(maximumNumberOfThreads); } else { @@ -692,7 +697,7 @@ public class Engine implements FileFilter { * @return a list of Analyzers */ public List getAnalyzers() { - final List ret = new ArrayList(); + final List ret = new ArrayList<>(); for (AnalysisPhase phase : AnalysisPhase.values()) { final List analyzerList = analyzers.get(phase); ret.addAll(analyzerList); 
@@ -749,16 +754,9 @@ public class Engine implements FileFilter { * database */ private void ensureDataExists() throws NoDataException, DatabaseException { - final CveDB cve = new CveDB(); - try { - cve.open(); - if (!cve.dataExists()) { - throw new NoDataException("No documents exist"); - } - } catch (DatabaseException ex) { - throw new NoDataException(ex.getMessage(), ex); - } finally { - cve.close(); + final CveDB cve = CveDB.getInstance(); + if (!cve.dataExists()) { + throw new NoDataException("No documents exist"); } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java index dbd540061..1cc6cf539 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java @@ -844,22 +844,17 @@ public class DependencyCheckScanAgent { DatabaseProperties prop = null; CveDB cve = null; try { - cve = new CveDB(); - cve.open(); + cve = CveDB.getInstance(); prop = cve.getDatabaseProperties(); } catch (DatabaseException ex) { + //TODO shouldn't this throw an exception or return? LOGGER.debug("Unable to retrieve DB Properties", ex); - } finally { - if (cve != null) { - cve.close(); - } } final ReportGenerator r = new ReportGenerator(this.applicationName, engine.getDependencies(), engine.getAnalyzers(), prop); try { r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name()); } catch (IOException ex) { - LOGGER.error( - "Unexpected exception occurred during analysis; please see the verbose error log for more details."); + LOGGER.error("Unexpected exception occurred during analysis; please see the verbose error log for more details."); LOGGER.debug("", ex); } catch (Throwable ex) { LOGGER.error( 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java index 39316c29f..c88f8c102 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java @@ -163,8 +163,7 @@ public class CPEAnalyzer extends AbstractAnalyzer { */ public void open() throws IOException, DatabaseException { if (!isOpen()) { - cve = new CveDB(); - cve.open(); + cve = CveDB.getInstance(); cpe = CpeMemoryIndex.getInstance(); try { final long creationStart = System.currentTimeMillis(); @@ -187,10 +186,6 @@ public class CPEAnalyzer extends AbstractAnalyzer { cpe.close(); cpe = null; } - if (cve != null) { - cve.close(); - cve = null; - } } public boolean isOpen() { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java index 6a30d4fc9..10525ee62 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java @@ -60,8 +60,7 @@ public class NvdCveAnalyzer extends AbstractAnalyzer { * loaded */ public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException { - cveDB = new CveDB(); - cveDB.open(); + cveDB = CveDB.getInstance(); } /** @@ -69,7 +68,6 @@ public class NvdCveAnalyzer extends AbstractAnalyzer { */ @Override public void closeAnalyzer() { - cveDB.close(); cveDB = null; } 
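Review bot: Removing the whole `if (cve != null) { ... }` block from the CPEAnalyzer close method also drops `cve = null;`, so the analyzer keeps its reference to the shared `CveDB` after closing, while the NvdCveAnalyzer hunk below keeps `cveDB = null;` in `closeAnalyzer()`. `Engine.cleanup()` now closes the singleton, so a retained reference would point at an instance whose connection has been set to null. If `isOpen()` (body outside this hunk) tests `cve`, a later `open()` would also skip `CveDB.getInstance()` entirely. Keeping the reset without the close, `cve = null;`, would make the two analyzers consistent.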
@@ -82,19 +80,6 @@ public class NvdCveAnalyzer extends AbstractAnalyzer { return cveDB != null; } - /** - * Ensures that the CVE Database is closed. - * - * @throws Throwable an exception raised by this method - */ - @Override - protected void finalize() throws Throwable { - super.finalize(); - if (isOpen()) { - close(); - } - } - /** * Analyzes a dependency and attempts to determine if there are any CPE * identifiers for this dependency. diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java index ba47a5344..e44aa6b45 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java @@ -145,8 +145,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { @Override public void initializeFileTypeAnalyzer() throws InitializationException { try { - cvedb = new CveDB(); - cvedb.open(); + cvedb = CveDB.getInstance(); } catch (DatabaseException ex) { LOGGER.warn("Exception opening the database"); LOGGER.debug("error", ex); @@ -160,7 +159,6 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { } catch (AnalysisException ae) { setEnabled(false); - cvedb.close(); cvedb = null; final String msg = String.format("Exception from bundle-audit process: %s. Disabling %s", ae.getCause(), ANALYZER_NAME); throw new InitializationException(msg, ae); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java index 2617c959d..650f84a34 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java 
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java @@ -51,15 +51,19 @@ import org.slf4j.LoggerFactory; import static org.owasp.dependencycheck.data.nvdcve.CveDB.PreparedStatementCveDb.*; /** - * The database holding information about the NVD CVE data. - * This class is safe to be accessed from multiple threads in parallel, however - * internally only one connection will be used. + * The database holding information about the NVD CVE data. This class is safe + * to be accessed from multiple threads in parallel, however internally only one + * connection will be used. * * @author Jeremy Long */ @ThreadSafe public final class CveDB { + /** + * Singleton instance of the CveDB. + */ + private static CveDB INSTANCE = null; /** * The logger. */ @@ -76,10 +80,10 @@ public final class CveDB { * Database properties object containing the 'properties' from the database * table. */ - private final DatabaseProperties databaseProperties; + private DatabaseProperties databaseProperties; /** - * Does the underlying connection support batch operations? - * Currently we do not support batch execution. + * Does the underlying connection support batch operations? Currently we do + * not support batch execution. */ private final boolean batchSupported = false; /** @@ -116,6 +120,19 @@ public final class CveDB { UPDATE_VULNERABILITY } + /** + * Gets the CveDB singleton object. + * + * @return the CveDB singleton + * @throws DatabaseException thrown if there is a database error + */ + public synchronized static CveDB getInstance() throws DatabaseException { + if (INSTANCE == null) { + INSTANCE = new CveDB(); + } + return INSTANCE; + } + /** * Creates a new CveDB object and opens the database connection. Note, the * connection must be closed by the caller by calling the close method. 
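Review bot: The Javadoc on `getInstance()` does not say that the first call opens the database connection, nor that the returned object stops being usable once `closeDatabase()` has run and cleared `INSTANCE` (see the `@@ -188,6 +205,7 @@` hunk). Callers in this commit store the result in fields (`cve`, `cveDB`, `cvedb`, `cveDb`), so the contract is worth stating, for example `Returns the shared CveDB, creating it and opening the connection on first use. The reference is invalidated by closeDatabase(); obtain a fresh one afterwards instead of caching it.` `INSTANCE` is a mutable static, so the constant-style name is misleading; `instance` would be the conventional spelling.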
@@ -123,12 +140,12 @@ public final class CveDB { * @throws DatabaseException thrown if there is an exception opening the * database. */ - public CveDB() throws DatabaseException { - open(); + private CveDB() throws DatabaseException { + openDatabase(); final String databaseProductName = determineDatabaseProductName(); - statementBundle = databaseProductName != null ? - ResourceBundle.getBundle("data/dbStatements", new Locale(databaseProductName)) : - ResourceBundle.getBundle("data/dbStatements"); + statementBundle = databaseProductName != null + ? ResourceBundle.getBundle("data/dbStatements", new Locale(databaseProductName)) + : ResourceBundle.getBundle("data/dbStatements"); preparedStatements = prepareStatements(); databaseProperties = new DatabaseProperties(this); } @@ -165,7 +182,7 @@ public final class CveDB { * @throws DatabaseException thrown if there is an error opening the * database connection */ - public synchronized void open() throws DatabaseException { + public synchronized void openDatabase() throws DatabaseException { if (!isOpen()) { connection = ConnectionFactory.getConnection(); } @@ -175,7 +192,7 @@ public final class CveDB { * Closes the DB4O database. Close should be called on this object when it * is done being used. */ - public synchronized void close() { + public synchronized void closeDatabase() { if (isOpen()) { closeStatements(); try { @@ -188,6 +205,7 @@ public final class CveDB { LOGGER.debug("", ex); } connection = null; + INSTANCE = null; } } @@ -204,7 +222,8 @@ public final class CveDB { * Prepares all statements to be used and returns them. * * @return the prepared statements - * @throws DatabaseException thrown if there is an error preparing the statements + * @throws DatabaseException thrown if there is an error preparing the + * statements */ private EnumMap prepareStatements() throws DatabaseException { 
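Review bot: The Javadoc that precedes the now-private constructor (its opening lines are trailing context of the previous hunk) still says "the connection must be closed by the caller by calling the close method", which no longer matches the code: callers cannot construct the object and `close()` is renamed to `closeDatabase()` in this commit. It could read `Creates the CveDB singleton and opens the database connection; only getInstance() calls this. The connection is released by closeDatabase().` The Javadoc on `closeDatabase()` ("Closes the DB4O database. Close should be called on this object when it is done being used.") should likewise mention that it resets the singleton.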
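Review bot: `INSTANCE = null` in `closeDatabase()` is written while holding the instance monitor, but `getInstance()` reads and writes `INSTANCE` under the class monitor (`synchronized static`), so the two do not exclude each other and the `@ThreadSafe` annotation no longer holds for this field. One thread can be handed the instance by `getInstance()` while another is closing it, and the unconditional reset does not check that `this` is still the published instance. Because `openDatabase()` stays public, a closed instance can also be reopened after `INSTANCE` was cleared, which leaves a second live connection beside the next singleton while its statements have already been released by `closeStatements()`; making `openDatabase()` private would close that path, assuming nothing outside this diff calls it. The reset could be done under the class lock as below.
```java
            connection = null;
            // Clear the singleton under the monitor getInstance() uses, and only
            // if this object is still the one that was published.
            synchronized (CveDB.class) {
                if (INSTANCE == this) {
                    INSTANCE = null;
                }
            }
```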
@@ -239,7 +258,8 @@ public final class CveDB { /** * Returns the specified prepared statement. * - * @param key the prepared statement from {@link PreparedStatementCveDb} to return + * @param key the prepared statement from {@link PreparedStatementCveDb} to + * return * @return the prepared statement * @throws SQLException thrown if a SQL Exception occurs */ @@ -270,7 +290,7 @@ public final class CveDB { @SuppressWarnings("FinalizeDeclaration") protected void finalize() throws Throwable { LOGGER.debug("Entering finalize"); - close(); + closeDatabase(); super.finalize(); } @@ -283,6 +303,16 @@ public final class CveDB { return databaseProperties; } + /** + * Used within the unit tests to reload the database properties. + * + * @return the database properties + */ + protected DatabaseProperties reloadProperties() { + databaseProperties = new DatabaseProperties(this); + return databaseProperties; + } + /** * Searches the CPE entries in the database and retrieves all entries for a * given vendor and product combination. The returned list will include all @@ -294,7 +324,7 @@ public final class CveDB { * @return a set of vulnerable software */ public synchronized Set getCPEs(String vendor, String product) { - final Set cpe = new HashSet(); + final Set cpe = new HashSet<>(); ResultSet rs = null; try { final PreparedStatement ps = getPreparedStatement(SELECT_CPE_ENTRIES); 
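Review bot: `reloadProperties()` replaces `databaseProperties` on the shared singleton without `synchronized`, unlike the other state-changing methods visible in this diff (`openDatabase()`, `closeDatabase()`), and the field lost its `final` modifier to allow it. A thread reading the field through `getDatabaseProperties()` has no guarantee of seeing the new object; whether that getter is synchronized is not visible in the hunk. Declaring the method `protected synchronized DatabaseProperties reloadProperties()` and giving the getter the same lock (or making the field `volatile`) would restore the guarantee. Since `CveDB` is `final`, `protected` grants nothing beyond package access, so package-private visibility would state the test-only intent more accurately.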
@@ -324,13 +354,13 @@ public final class CveDB { * data from the DB */ public synchronized Set> getVendorProductList() throws DatabaseException { - final Set> data = new HashSet>(); + final Set> data = new HashSet<>(); ResultSet rs = null; try { final PreparedStatement ps = getPreparedStatement(SELECT_VENDOR_PRODUCT_LIST); rs = ps.executeQuery(); while (rs.next()) { - data.add(new Pair(rs.getString(1), rs.getString(2))); + data.add(new Pair<>(rs.getString(1), rs.getString(2))); } } catch (SQLException ex) { final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details."; @@ -410,7 +440,7 @@ public final class CveDB { LOGGER.trace("", ex); } final DependencyVersion detectedVersion = parseDependencyVersion(cpe); - final List vulnerabilities = new ArrayList(); + final List vulnerabilities = new ArrayList<>(); ResultSet rs = null; try { @@ -420,7 +450,7 @@ public final class CveDB { rs = ps.executeQuery(); String currentCVE = ""; - final Map vulnSoftware = new HashMap(); + final Map vulnSoftware = new HashMap<>(); while (rs.next()) { final String cveId = rs.getString(1); if (!currentCVE.equals(cveId)) { //check for match and add diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java deleted file mode 100644 index 798b2a6db..000000000 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java +++ /dev/null 
@@ -1,88 +0,0 @@ -/* - * This file is part of dependency-check-core. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2015 Jeremy Long. All Rights Reserved. - */ -package org.owasp.dependencycheck.data.update; - -import org.owasp.dependencycheck.data.nvdcve.CveDB; -import org.owasp.dependencycheck.data.nvdcve.DatabaseException; -import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; -import org.owasp.dependencycheck.data.update.exception.UpdateException; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -/** - * - * @author Jeremy Long - */ -public abstract class BaseUpdater { - - /** - * Static logger. - */ - private static final Logger LOGGER = LoggerFactory.getLogger(BaseUpdater.class); - /** - * Information about the timestamps and URLs for data that needs to be updated. - */ - private DatabaseProperties properties; - /** - * Reference to the Cve Database. - */ - private CveDB cveDB = null; - - protected CveDB getCveDB() { - return cveDB; - } - - protected DatabaseProperties getProperties() { - return properties; - } - - /** - * Closes the CVE and CPE data stores. - */ - protected void closeDataStores() { - if (cveDB != null) { - try { - cveDB.close(); - cveDB = null; - properties = null; - } catch (Throwable ignore) { - LOGGER.trace("Error closing the database", ignore); - } - } - } - - /** - * Opens the data store. 
- * - * @throws UpdateException thrown if a data store cannot be opened - */ - protected final void openDataStores() throws UpdateException { - if (cveDB != null) { - return; - } - try { - cveDB = new CveDB(); - cveDB.open(); - properties = cveDB.getDatabaseProperties(); - } catch (DatabaseException ex) { - closeDataStores(); - LOGGER.debug("Database Exception opening databases", ex); - throw new UpdateException("Error updating the database, please see the log file for more details."); - } - } -} diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java index 9abeafa7a..fbca59444 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java 
@@ -53,110 +53,110 @@ import org.xml.sax.SAXException; * @author Jeremy Long */ @Deprecated -public class CpeUpdater extends BaseUpdater implements CachedWebDataSource { - - /** - * Static logger. - */ - private static final Logger LOGGER = LoggerFactory.getLogger(CpeUpdater.class); - - @Override - public void update() throws UpdateException { - /* - //the following could be used if this were ever used. - try { - if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) { - return; - } - } catch (InvalidSettingException ex) { - LOGGER.trace("inavlid setting UPDATE_NVDCVE_ENABLED", ex); - } - */ - - try { - openDataStores(); - if (updateNeeded()) { - LOGGER.info("Updating the Common Platform Enumeration (CPE)"); - final File xml = downloadCpe(); - final List cpes = processXML(xml); - getCveDB().deleteUnusedCpe(); - for (Cpe cpe : cpes) { - getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct()); - } - final long now = System.currentTimeMillis(); - getProperties().save(LAST_CPE_UPDATE, Long.toString(now)); - LOGGER.info("CPE update complete"); - } - } finally { - closeDataStores(); - } - } - - /** - * Downloads the CPE XML file. 
- * - * @return the file reference to the CPE.xml file - * @throws UpdateException thrown if there is an issue downloading the XML - * file - */ - private File downloadCpe() throws UpdateException { - File xml; - final URL url; - try { - url = new URL(Settings.getString(Settings.KEYS.CPE_URL)); - xml = File.createTempFile("cpe", ".xml", Settings.getTempDirectory()); - Downloader.fetchFile(url, xml); - if (url.toExternalForm().endsWith(".xml.gz")) { - ExtractionUtil.extractGzip(xml); - } - - } catch (MalformedURLException ex) { - throw new UpdateException("Invalid CPE URL", ex); - } catch (DownloadFailedException ex) { - throw new UpdateException("Unable to download CPE XML file", ex); - } catch (IOException ex) { - throw new UpdateException("Unable to create temporary file to download CPE", ex); - } - return xml; - } - - /** - * Parses the CPE XML file to return a list of CPE entries. - * - * @param xml the CPE data file - * @return the list of CPE entries - * @throws UpdateException thrown if there is an issue with parsing the XML - * file - */ - private List processXML(final File xml) throws UpdateException { - try { - final SAXParser saxParser = XmlUtils.buildSecureSaxParser(); - final CPEHandler handler = new CPEHandler(); - saxParser.parse(xml, handler); - return handler.getData(); - } catch (ParserConfigurationException ex) { - throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Issue", ex); - } catch (SAXException ex) { - throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Exception", ex); - } catch (IOException ex) { - throw new UpdateException("Unable to parse CPE XML file due to IO Failure", ex); - } - } - - /** - * Checks to find the last time the CPE data was refreshed and if it needs - * to be updated. 
- * - * @return true if the CPE data should be refreshed - */ - private boolean updateNeeded() { - final long now = System.currentTimeMillis(); - final int days = Settings.getInt(Settings.KEYS.CPE_MODIFIED_VALID_FOR_DAYS, 30); - long timestamp = 0; - final String ts = getProperties().getProperty(LAST_CPE_UPDATE); - if (ts != null && ts.matches("^[0-9]+$")) { - timestamp = Long.parseLong(ts); - } - return !DateUtil.withinDateRange(timestamp, now, days); - } +public class CpeUpdater { //extends BaseUpdater implements CachedWebDataSource { +// +// /** +// * Static logger. +// */ +// private static final Logger LOGGER = LoggerFactory.getLogger(CpeUpdater.class); +// +// @Override +// public void update() throws UpdateException { +// /* +// //the following could be used if this were ever used. +// try { +// if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) { +// return; +// } +// } catch (InvalidSettingException ex) { +// LOGGER.trace("inavlid setting UPDATE_NVDCVE_ENABLED", ex); +// } +// */ +// +// try { +// openDataStores(); +// if (updateNeeded()) { +// LOGGER.info("Updating the Common Platform Enumeration (CPE)"); +// final File xml = downloadCpe(); +// final List cpes = processXML(xml); +// getCveDB().deleteUnusedCpe(); +// for (Cpe cpe : cpes) { +// getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct()); +// } +// final long now = System.currentTimeMillis(); +// getProperties().save(LAST_CPE_UPDATE, Long.toString(now)); +// LOGGER.info("CPE update complete"); +// } +// } finally { +// closeDataStores(); +// } +// } +// +// /** +// * Downloads the CPE XML file. 
+// * +// * @return the file reference to the CPE.xml file +// * @throws UpdateException thrown if there is an issue downloading the XML +// * file +// */ +// private File downloadCpe() throws UpdateException { +// File xml; +// final URL url; +// try { +// url = new URL(Settings.getString(Settings.KEYS.CPE_URL)); +// xml = File.createTempFile("cpe", ".xml", Settings.getTempDirectory()); +// Downloader.fetchFile(url, xml); +// if (url.toExternalForm().endsWith(".xml.gz")) { +// ExtractionUtil.extractGzip(xml); +// } +// +// } catch (MalformedURLException ex) { +// throw new UpdateException("Invalid CPE URL", ex); +// } catch (DownloadFailedException ex) { +// throw new UpdateException("Unable to download CPE XML file", ex); +// } catch (IOException ex) { +// throw new UpdateException("Unable to create temporary file to download CPE", ex); +// } +// return xml; +// } +// +// /** +// * Parses the CPE XML file to return a list of CPE entries. +// * +// * @param xml the CPE data file +// * @return the list of CPE entries +// * @throws UpdateException thrown if there is an issue with parsing the XML +// * file +// */ +// private List processXML(final File xml) throws UpdateException { +// try { +// final SAXParser saxParser = XmlUtils.buildSecureSaxParser(); +// final CPEHandler handler = new CPEHandler(); +// saxParser.parse(xml, handler); +// return handler.getData(); +// } catch (ParserConfigurationException ex) { +// throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Issue", ex); +// } catch (SAXException ex) { +// throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Exception", ex); +// } catch (IOException ex) { +// throw new UpdateException("Unable to parse CPE XML file due to IO Failure", ex); +// } +// } +// +// /** +// * Checks to find the last time the CPE data was refreshed and if it needs +// * to be updated. 
+// * +// * @return true if the CPE data should be refreshed +// */ +// private boolean updateNeeded() { +// final long now = System.currentTimeMillis(); +// final int days = Settings.getInt(Settings.KEYS.CPE_MODIFIED_VALID_FOR_DAYS, 30); +// long timestamp = 0; +// final String ts = getProperties().getProperty(LAST_CPE_UPDATE); +// if (ts != null && ts.matches("^[0-9]+$")) { +// timestamp = Long.parseLong(ts); +// } +// return !DateUtil.withinDateRange(timestamp, now, days); +// } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java index 3f9eb3667..436e4b89e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java @@ -57,11 +57,6 @@ public class EngineVersionCheck implements CachedWebDataSource { * The property key indicating when the last version check occurred. */ public static final String CURRENT_ENGINE_RELEASE = "CurrentEngineRelease"; - /** - * Reference to the Cve Database. - */ - private CveDB cveDB = null; - /** * The version retrieved from the database properties or web to check * against. @@ -109,9 +104,8 @@ public class EngineVersionCheck implements CachedWebDataSource { * user has not configured them to point to an internal source). */ if (enabled && autoupdate && original != null && original.equals(current)) { - openDatabase(); LOGGER.debug("Begin Engine Version Check"); - final DatabaseProperties properties = cveDB.getDatabaseProperties(); + final DatabaseProperties properties = CveDB.getInstance().getDatabaseProperties(); final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0")); final long now = System.currentTimeMillis(); updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, ""); 
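Review bot: Commenting out the entire body of `CpeUpdater` (the hunk that starts at `@@ -53,110 +53,110 @@` and ends at the class's closing brace) leaves roughly a hundred lines of dead code that still refer to the deleted `BaseUpdater` methods `openDataStores()`, `getCveDB()`, `getProperties()` and `closeDataStores()`. The class is already `@Deprecated` and now has no members, so deleting the commented block, or the file, would be cleaner; version control keeps the old implementation. If the empty class has to stay for compatibility, a class comment such as `Retained only as an empty placeholder; the implementation was removed together with BaseUpdater.` would explain why. The imports above the class (outside this hunk) are presumably unused now and should be removed as well.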
@@ -130,8 +124,6 @@ public class EngineVersionCheck implements CachedWebDataSource { throw new UpdateException("Error occurred updating database properties."); } catch (InvalidSettingException ex) { LOGGER.debug("Unable to determine if autoupdate is enabled", ex); - } finally { - closeDatabase(); } } @@ -181,33 +173,6 @@ public class EngineVersionCheck implements CachedWebDataSource { return false; } - /** - * Opens the CVE and CPE data stores. - * - * @throws DatabaseException thrown if a data store cannot be opened - */ - protected final void openDatabase() throws DatabaseException { - if (cveDB != null) { - return; - } - cveDB = new CveDB(); - cveDB.open(); - } - - /** - * Closes the CVE and CPE data stores. - */ - protected void closeDatabase() { - if (cveDB != null) { - try { - cveDB.close(); - cveDB = null; - } catch (Throwable ignore) { - LOGGER.trace("Error closing the cveDB", ignore); - } - } - } - /** * Retrieves the current released version number from the github * documentation site. diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java index 2adb2d8ea..4e2e21ebb 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java @@ -24,6 +24,7 @@ import java.util.HashSet; import java.util.Map; import java.util.Set; import java.net.URL; +import java.util.Properties; import java.util.concurrent.Callable; import java.util.concurrent.ExecutionException; import java.util.concurrent.ExecutorService; @@ -53,7 +54,7 @@ import org.slf4j.LoggerFactory; * * @author Jeremy Long */ -public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { +public class NvdCveUpdater implements CachedWebDataSource { /** * The logger. 
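Review bot: The added `import java.util.Properties;` in NvdCveUpdater is not referenced by any line this diff adds to the file; the new field is declared as `DatabaseProperties`, not `Properties`. Unless code outside the visible hunks needs it, the import should be dropped.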
@@ -72,10 +73,14 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { */ private ExecutorService processingExecutorService = null; /** - * ExecutorService for tasks that involve blocking activities and are not very CPU-intense, e.g. downloading files. + * ExecutorService for tasks that involve blocking activities and are not + * very CPU-intense, e.g. downloading files. */ private ExecutorService downloadExecutorService = null; + private CveDB cveDb = null; + private DatabaseProperties dbProperties = null; + /** * Downloads the latest NVD CVE XML file from the web and imports it into * the current CVE Database. @@ -95,7 +100,8 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { try { initializeExecutorServices(); - openDataStores(); + cveDb = CveDB.getInstance(); + dbProperties = cveDb.getDatabaseProperties(); boolean autoUpdate = true; try { autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE); @@ -107,7 +113,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { if (updateable.isUpdateNeeded()) { performUpdate(updateable); } - getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(System.currentTimeMillis())); + dbProperties.save(DatabaseProperties.LAST_CHECKED, Long.toString(System.currentTimeMillis())); } } catch (MalformedURLException ex) { throw new UpdateException("NVD CVE properties files contain an invalid URL, unable to update the data to use the most current data.", ex); @@ -119,9 +125,10 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { "If you are behind a proxy you may need to configure dependency-check to use the proxy."); } throw new UpdateException("Unable to download the NVD CVE data.", ex); + } catch (DatabaseException ex) { + throw new UpdateException("Database Exception, unable to update the data to use the most current data.", ex); } finally { shutdownExecutorServices(); - closeDataStores(); } } 
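Review bot: The two fields added in this hunk, `cveDb` and `dbProperties`, have no Javadoc although the neighbouring fields each carry one, and their lifecycle is not obvious. They are assigned only in the hunk at `@@ -95,7 +100,8 @@`, and none of the visible hunks resets them once the shared database is closed. I would add `/** Reference to the shared CVE database; set when an update starts. */` above `cveDb` and `/** Properties read from the CVE database; null until an update has started. */` above `dbProperties`.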
@@ -159,7 +166,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { if (dataExists() && 0 < validForHours) { // ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec final long msValid = validForHours * 60L * 60L * 1000L; - final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0")); + final long lastChecked = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_CHECKED, "0")); final long now = System.currentTimeMillis(); proceed = (now - lastChecked) > msValid; if (!proceed) { @@ -177,17 +184,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { * @return true if the database contains data */ private boolean dataExists() { - CveDB cve = null; try { - cve = new CveDB(); - cve.open(); + final CveDB cve = CveDB.getInstance(); return cve.dataExists(); } catch (DatabaseException ex) { return false; - } finally { - if (cve != null) { - cve.close(); - } } } @@ -214,16 +215,16 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { LOGGER.info("NVD CVE requires several updates; this could take a couple of minutes."); } - final Set>> downloadFutures = new HashSet>>(maxUpdates); + final Set>> downloadFutures = new HashSet<>(maxUpdates); for (NvdCveInfo cve : updateable) { if (cve.getNeedsUpdate()) { - final DownloadTask call = new DownloadTask(cve, processingExecutorService, getCveDB(), Settings.getInstance()); + final DownloadTask call = new DownloadTask(cve, processingExecutorService, cveDb, Settings.getInstance()); downloadFutures.add(downloadExecutorService.submit(call)); } } //next, move the future future processTasks to just future processTasks - final Set> processFutures = new HashSet>(maxUpdates); + final Set> processFutures = new HashSet<>(maxUpdates); for (Future> future : downloadFutures) { Future task; try { 
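Review bot: `dbProperties.getProperty(DatabaseProperties.LAST_CHECKED, "0")` dereferences the new field with no null guard, while the hunk at `@@ -297,19 +298,19 @@` guards the same field with `dbProperties != null`; the same unguarded use appears in `@@ -259,9 +260,9 @@` (`dbProperties.save(...)` and `cveDb.cleanupDatabase()`). If these methods are only reachable after the field has been assigned, a comment should say so; otherwise a caller that skips that step gets a NullPointerException rather than an UpdateException. The `Long.parseLong` on the stored value is also not protected against `NumberFormatException` in the visible lines, unlike the parse in `@@ -329,7 +330,7 @@`. The enclosing method starts and ends outside the hunk.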
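Review bot: `dataExists()` still returns `false` on a `DatabaseException` without logging it, so the caller in the previous hunk (`if (dataExists() && 0 < validForHours)`) cannot tell an unreachable database from an empty one. Logging the failure keeps the best-effort behaviour and leaves a trace: `LOGGER.debug("Unable to determine if the database contains data", ex);` before `return false;`. The method also calls `CveDB.getInstance()` again instead of using the `cveDb` field this commit introduces; a short comment saying which of the two is intended would help the next reader.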
@@ -259,9 +260,9 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { } if (maxUpdates >= 1) { //ensure the modified file date gets written (we may not have actually updated it) - getProperties().save(updateable.get(MODIFIED)); + dbProperties.save(updateable.get(MODIFIED)); LOGGER.info("Begin database maintenance."); - getCveDB().cleanupDatabase(); + cveDb.cleanupDatabase(); LOGGER.info("End database maintenance."); } } @@ -297,19 +298,19 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { if (updates == null) { throw new DownloadFailedException("Unable to retrieve the timestamps of the currently published NVD CVE data"); } - if (!getProperties().isEmpty()) { + if (dbProperties != null && !dbProperties.isEmpty()) { try { final int startYear = Settings.getInt(Settings.KEYS.CVE_START_YEAR, 2002); final int endYear = Calendar.getInstance().get(Calendar.YEAR); boolean needsFullUpdate = false; for (int y = startYear; y <= endYear; y++) { - final long val = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED_BASE + y, "0")); + final long val = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_UPDATED_BASE + y, "0")); if (val == 0) { needsFullUpdate = true; } } - final long lastUpdated = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED, "0")); + final long lastUpdated = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_UPDATED, "0")); final long now = System.currentTimeMillis(); final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7); if (!needsFullUpdate && lastUpdated == updates.getTimeStamp(MODIFIED)) { 
@@ -329,7 +330,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { } else { long currentTimestamp = 0; try { - currentTimestamp = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED_BASE + currentTimestamp = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_UPDATED_BASE + entry.getId(), "0")); } catch (NumberFormatException ex) { LOGGER.debug("Error parsing '{}' '{}' from nvdcve.lastupdated", @@ -364,7 +365,6 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { private UpdateableNvdCve retrieveCurrentTimestampsFromWeb() throws MalformedURLException, DownloadFailedException, InvalidDataException, InvalidSettingException { - final int start = Settings.getInt(Settings.KEYS.CVE_START_YEAR); final int end = Calendar.getInstance().get(Calendar.YEAR); @@ -392,16 +392,17 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { * * @param startYear the first year whose item to check for the timestamp * @param endYear the last year whose item to check for the timestamp - * @return the timestamps from the currently published nvdcve downloads page + * @return the timestamps from the currently published NVD CVE downloads + * page * @throws MalformedURLException thrown if the URL for the NVD CCE Meta data * is incorrect. * @throws DownloadFailedException thrown if there is an error downloading - * the nvd cve meta data file + * the NVD CVE meta data file */ private Map retrieveLastModifiedDates(int startYear, int endYear) throws MalformedURLException, DownloadFailedException { - final Set urls = new HashSet(); + final Set urls = new HashSet<>(); final String baseUrl20 = Settings.getString(Settings.KEYS.CVE_SCHEMA_2_0); for (int i = startYear; i <= endYear; i++) { final String url = String.format(baseUrl20, i); 
@@ -409,14 +410,14 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { } urls.add(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL)); - final Map> timestampFutures = new HashMap>(); + final Map> timestampFutures = new HashMap<>(); for (String url : urls) { final TimestampRetriever timestampRetriever = new TimestampRetriever(url); final Future future = downloadExecutorService.submit(timestampRetriever); timestampFutures.put(url, future); } - final Map lastModifiedDates = new HashMap(); + final Map lastModifiedDates = new HashMap<>(); for (String url : urls) { final Future timestampFuture = timestampFutures.get(url); final long timestamp; diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java index d4a398091..c09568194 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java @@ -24,7 +24,10 @@ import java.io.FileInputStream; import java.io.FileOutputStream; import java.util.zip.ZipEntry; import java.util.zip.ZipInputStream; +import org.junit.AfterClass; import org.junit.Before; +import org.junit.BeforeClass; +import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -41,9 +44,18 @@ public abstract class BaseDBTestCase extends BaseTest { private final static Logger LOGGER = LoggerFactory.getLogger(BaseDBTestCase.class); +// @BeforeClass +// public static void setUpClass() throws Exception { +// BaseTest.setUpClass(); +// } @Before - public void setUp() throws Exception { - ensureDBExists(); + public void setUpDb() throws Exception { + ensureDBExists(); + } + + @AfterClass + public static void tearDownClass() throws Exception { + CveDB.getInstance().closeDatabase(); } public static void ensureDBExists() throws Exception { diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java index 8b4452636..5a78871c1 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java @@ -71,10 +71,8 @@ public class EngineIntegrationTest extends BaseDBTestCase { throw ex; } } - CveDB cveDB = new CveDB(); - cveDB.open(); + CveDB cveDB = CveDB.getInstance(); DatabaseProperties dbProp = cveDB.getDatabaseProperties(); - cveDB.close(); ReportGenerator rg = new ReportGenerator("DependencyCheck", instance.getDependencies(), instance.getAnalyzers(), dbProp); rg.generateReports("./target/", "ALL"); instance.cleanup(); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java index e2ea5fb3f..6408d4a86 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java 
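Review bot: The new `@AfterClass` method is named `tearDownClass`, and JUnit 4 does not run a superclass `@AfterClass` method that is shadowed by a static method of the same name in the subclass. If `BaseTest` declares its own `tearDownClass` (not visible here), its cleanup would be skipped for every database test. A distinct name avoids that, in the same way `setUp` became `setUpDb` in this hunk: `public static void tearDownDbClass() throws Exception {`. The commented-out `@BeforeClass` block should be dropped rather than committed, and the `org.junit.BeforeClass` import added in the preceding hunk goes with it.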
@@ -60,10 +60,8 @@ public class CMakeAnalyzerTest extends BaseDBTestCase { * * @throws Exception if there is a problem */ - @Override @Before public void setUp() throws Exception { - super.setUp(); analyzer = new CMakeAnalyzer(); analyzer.setFilesMatched(true); analyzer.initialize(); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java index ac8f2aaa3..30c72b25a 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java @@ -54,10 +54,8 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase { * * @throws Exception thrown if there is a problem */ - @Override @Before public void setUp() throws Exception { - super.setUp(); analyzer = new ComposerLockAnalyzer(); analyzer.setFilesMatched(true); analyzer.initialize(); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java index f2849efd6..91f72a3ba 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java @@ -65,10 +65,8 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase { * * @throws Exception thrown if there is a problem */ - @Override @Before public void setUp() throws Exception { - super.setUp(); Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false); Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false); Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false); 
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java index 88a317e0a..54ad59c88 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java @@ -47,15 +47,10 @@ public class CveDBIntegrationTest extends BaseDBTestCase { public void testOpen() { CveDB instance = null; try { - instance = new CveDB(); - instance.open(); + instance = CveDB.getInstance(); instance.commit(); } catch (DatabaseException | SQLException ex) { fail(ex.getMessage()); - } finally { - if (instance != null) { - instance.close(); - } } } @@ -64,19 +59,11 @@ public class CveDBIntegrationTest extends BaseDBTestCase { */ @Test public void testGetCPEs() throws Exception { - CveDB instance = null; - try { - instance = new CveDB(); - String vendor = "apache"; - String product = "struts"; - instance.open(); - Set result = instance.getCPEs(vendor, product); - assertTrue(result.size() > 5); - } finally { - if (instance != null) { - instance.close(); - } - } + CveDB instance = CveDB.getInstance(); + String vendor = "apache"; + String product = "struts"; + Set result = instance.getCPEs(vendor, product); + assertTrue(result.size() > 5); } /** 
@@ -84,18 +71,9 @@ public class CveDBIntegrationTest extends BaseDBTestCase { */ @Test public void testgetVulnerability() throws Exception { - CveDB instance = null; - try { - instance = new CveDB(); - instance.open(); - Vulnerability result = instance.getVulnerability("CVE-2014-0094"); - assertEquals("The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to \"manipulate\" the ClassLoader via the class parameter, which is passed to the getClass method.", result.getDescription()); - - } finally { - if (instance != null) { - instance.close(); - } - } + CveDB instance = CveDB.getInstance(); + Vulnerability result = instance.getVulnerability("CVE-2014-0094"); + assertEquals("The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to \"manipulate\" the ClassLoader via the class parameter, which is passed to the getClass method.", result.getDescription()); } /** 
@@ -104,42 +82,34 @@ public class CveDBIntegrationTest extends BaseDBTestCase { @Test public void testGetVulnerabilities() throws Exception { String cpeStr = "cpe:/a:apache:struts:2.1.2"; - CveDB instance = null; + CveDB instance = CveDB.getInstance(); List results; - try { - instance = new CveDB(); - instance.open(); - results = instance.getVulnerabilities(cpeStr); - assertTrue(results.size() > 5); - cpeStr = "cpe:/a:jruby:jruby:1.6.3"; - results = instance.getVulnerabilities(cpeStr); - assertTrue(results.size() > 1); - boolean found = false; - String expected = "CVE-2011-4838"; - for (Vulnerability v : results) { - if (expected.equals(v.getName())) { - found = true; - break; - } - } - assertTrue("Expected " + expected + ", but was not identified", found); + results = instance.getVulnerabilities(cpeStr); + assertTrue(results.size() > 5); + cpeStr = "cpe:/a:jruby:jruby:1.6.3"; + results = instance.getVulnerabilities(cpeStr); + assertTrue(results.size() > 1); - found = false; - expected = "CVE-2012-5370"; - for (Vulnerability v : results) { - if (expected.equals(v.getName())) { - found = true; - break; - } - } - assertTrue("Expected " + expected + ", but was not identified", found); - - } finally { - if (instance != null) { - instance.close(); + boolean found = false; + String expected = "CVE-2011-4838"; + for (Vulnerability v : results) { + if (expected.equals(v.getName())) { + found = true; + break; } } + assertTrue("Expected " + expected + ", but was not identified", found); + + found = false; + expected = "CVE-2012-5370"; + for (Vulnerability v : results) { + if (expected.equals(v.getName())) { + found = true; + break; + } + } + assertTrue("Expected " + expected + ", but was not identified", found); } /** 
@@ -147,61 +117,53 @@ public class CveDBIntegrationTest extends BaseDBTestCase { */ @Test public void testGetMatchingSoftware() throws Exception { - CveDB instance = null; - Map versions = new HashMap(); + CveDB instance = CveDB.getInstance(); + Map versions = new HashMap<>(); DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o"); versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE); - try { - instance = new CveDB(); - Entry results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion); - assertNull(results); - versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE); - results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion); - assertNull(results); + Entry results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion); + assertNull(results); + versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE); + results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion); + assertNull(results); - versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE); - results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion); - assertNotNull(results); - assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey()); + versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE); + results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion); + assertNotNull(results); + assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey()); - versions.clear(); + versions.clear(); - versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE); - versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE); - versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE); + versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE); + versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE); + 
versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE); - versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE); - versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE); - versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE); - versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE); + versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE); + versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE); + versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE); + versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE); - identifiedVersion = new DependencyVersion("3.2.2"); - results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion); - assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey()); - assertTrue(results.getValue()); - identifiedVersion = new DependencyVersion("3.2.12"); - results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion); - assertNull(results); + identifiedVersion = new DependencyVersion("3.2.2"); + results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion); + assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey()); + assertTrue(results.getValue()); + identifiedVersion = new DependencyVersion("3.2.12"); + results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion); + assertNull(results); - identifiedVersion = new DependencyVersion("4.0.0"); - results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion); - assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey()); - assertTrue(results.getValue()); - identifiedVersion = new DependencyVersion("4.1.0"); - results = 
instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion); - assertNull(results); + identifiedVersion = new DependencyVersion("4.0.0"); + results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion); + assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey()); + assertTrue(results.getValue()); + identifiedVersion = new DependencyVersion("4.1.0"); + results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion); + assertNull(results); - versions.clear(); + versions.clear(); - versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE); - identifiedVersion = new DependencyVersion("1.6.3"); - results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion); - assertNotNull(results); - } finally { - if (instance != null) { - instance.close(); - } - } + versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE); + identifiedVersion = new DependencyVersion("1.6.3"); + results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion); + assertNotNull(results); } - } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySQLTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySQLTest.java index 4e5250c3e..99e2b3581 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySQLTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySQLTest.java 
@@ -40,9 +40,7 @@ public class CveDBMySQLTest extends BaseTest { @Test public void testOpen() { try { - CveDB instance = new CveDB(); - instance.open(); - instance.close(); + CveDB instance = CveDB.getInstance(); } catch (DatabaseException ex) { System.out.println("Unable to connect to the My SQL database; verify that the db server is running and that the schema has been generated"); fail(ex.getMessage()); @@ -54,18 +52,15 @@ public class CveDBMySQLTest extends BaseTest { */ @Test public void testGetCPEs() throws Exception { - CveDB instance = new CveDB(); + CveDB instance = CveDB.getInstance(); try { String vendor = "apache"; - String product = "struts"; - instance.open(); + String product = "struts"; Set result = instance.getCPEs(vendor, product); assertTrue("Has data been loaded into the MySQL DB? if not consider using the CLI to populate it", result.size() > 5); } catch (Exception ex) { System.out.println("Unable to access the My SQL database; verify that the db server is running and that the schema has been generated"); throw ex; - } finally { - instance.close(); } } @@ -75,16 +70,13 @@ public class CveDBMySQLTest extends BaseTest { @Test public void testGetVulnerabilities() throws Exception { String cpeStr = "cpe:/a:apache:struts:2.1.2"; - CveDB instance = new CveDB(); + CveDB instance = CveDB.getInstance(); try { - instance.open(); List result = instance.getVulnerabilities(cpeStr); assertTrue(result.size() > 5); } catch (Exception ex) { System.out.println("Unable to access the My SQL database; verify that the db server is running and that the schema has been generated"); throw ex; - } finally { - instance.close(); - } + } } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java index 7b0c0251c..6c6af8bcf 100644 
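Review bot: After this change nothing in `CveDBMySQLTest` closes the shared instance: the class extends `BaseTest`, while the `@AfterClass` that calls `closeDatabase()` was added to `BaseDBTestCase`. Unless `BaseTest` closes it (not visible here), the connection opened by `testOpen`, and by `testGetCPEs` and `testGetVulnerabilities` in the next two hunks, stays open for later test classes. An `@AfterClass` method in this class calling `CveDB.getInstance().closeDatabase();` would restore the cleanup that the removed `close()` calls provided. In `testOpen` the local `instance` is now unused, so the statement can be just `CveDB.getInstance();`.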
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java @@ -36,19 +36,11 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase { */ @Test public void testIsEmpty() throws Exception { - CveDB cveDB = null; - try { - cveDB = new CveDB(); - cveDB.open(); - DatabaseProperties instance = cveDB.getDatabaseProperties(); - assertNotNull(instance); - //no exception means the call worked... whether or not it is empty depends on if the db is new - //assertEquals(expResult, result); - } finally { - if (cveDB != null) { - cveDB.close(); - } - } + CveDB cveDB = CveDB.getInstance(); + DatabaseProperties instance = cveDB.getDatabaseProperties(); + assertNotNull(instance); + //no exception means the call worked... whether or not it is empty depends on if the db is new + //assertEquals(expResult, result); } /** @@ -61,24 +53,12 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase { long expected = 1337; updatedValue.setId(key); updatedValue.setTimestamp(expected); - CveDB cveDB = null; - try { - cveDB = new CveDB(); - cveDB.open(); - DatabaseProperties instance = cveDB.getDatabaseProperties(); - instance.save(updatedValue); - //reload the properties - cveDB.close(); - cveDB = new CveDB(); - cveDB.open(); - instance = cveDB.getDatabaseProperties(); - long results = Long.parseLong(instance.getProperty("NVD CVE " + key)); - assertEquals(expected, results); - } finally { - if (cveDB != null) { - cveDB.close(); - } - } + CveDB cveDB = CveDB.getInstance(); + DatabaseProperties instance = cveDB.getDatabaseProperties(); + instance.save(updatedValue); + instance = cveDB.reloadProperties(); + long results = Long.parseLong(instance.getProperty("NVD CVE " + key)); + assertEquals(expected, results); } /** 
@@ -88,19 +68,11 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase { public void testGetProperty_String_String() throws Exception { String key = "doesn't exist"; String defaultValue = "default"; - CveDB cveDB = null; - try { - cveDB = new CveDB(); - cveDB.open(); - DatabaseProperties instance = cveDB.getDatabaseProperties(); - String expResult = "default"; - String result = instance.getProperty(key, defaultValue); - assertEquals(expResult, result); - } finally { - if (cveDB != null) { - cveDB.close(); - } - } + CveDB cveDB = CveDB.getInstance(); + DatabaseProperties instance = cveDB.getDatabaseProperties(); + String expResult = "default"; + String result = instance.getProperty(key, defaultValue); + assertEquals(expResult, result); } /** @@ -109,20 +81,12 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase { @Test public void testGetProperty_String() throws DatabaseException { String key = "version"; - CveDB cveDB = null; - try { - cveDB = new CveDB(); - cveDB.open(); - DatabaseProperties instance = cveDB.getDatabaseProperties(); - String result = instance.getProperty(key); - double version = Double.parseDouble(result); - assertTrue(version >= 2.8); - assertTrue(version <= 10); - } finally { - if (cveDB != null) { - cveDB.close(); - } - } + CveDB cveDB = CveDB.getInstance(); + DatabaseProperties instance = cveDB.getDatabaseProperties(); + String result = instance.getProperty(key); + double version = Double.parseDouble(result); + assertTrue(version >= 2.8); + assertTrue(version <= 10); } /** 
@@ -130,17 +94,9 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase { */ @Test public void testGetProperties() throws DatabaseException { - CveDB cveDB = null; - try { - cveDB = new CveDB(); - cveDB.open(); - DatabaseProperties instance = cveDB.getDatabaseProperties(); - Properties result = instance.getProperties(); - assertTrue(result.size() > 0); - } finally { - if (cveDB != null) { - cveDB.close(); - } - } + CveDB cveDB = CveDB.getInstance(); + DatabaseProperties instance = cveDB.getDatabaseProperties(); + Properties result = instance.getProperties(); + assertTrue(result.size() > 0); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/BaseUpdaterTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/BaseUpdaterTest.java deleted file mode 100644 index eef9eb1bb..000000000 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/BaseUpdaterTest.java +++ /dev/null 
@@ -1,108 +0,0 @@ -/* - * This file is part of dependency-check-core. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2015 Jeremy Long. All Rights Reserved. - */ -package org.owasp.dependencycheck.data.update; - -import org.junit.Test; -import org.owasp.dependencycheck.BaseDBTestCase; -import org.owasp.dependencycheck.data.nvdcve.CveDB; -import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; -import org.owasp.dependencycheck.data.update.exception.UpdateException; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - -/** - * - * @author Jeremy Long - */ -public class BaseUpdaterTest extends BaseDBTestCase { - - /** - * Test of getCveDB method, of class BaseUpdater. - */ - @Test - public void testGetCveDB() { - BaseUpdater instance = new BaseUpdaterImpl(); - CveDB expResult = null; - CveDB result = instance.getCveDB(); - assertEquals(expResult, result); - } - - /** - * Test of getProperties method, of class BaseUpdater. 
- * - * @throws org.owasp.dependencycheck.data.update.exception.UpdateException - * thrown if there is an error getting the properties - */ - @Test - public void testGetProperties() throws UpdateException { - BaseUpdater instance = null; - try { - instance = new BaseUpdaterImpl(); - instance.openDataStores(); - - DatabaseProperties result = instance.getProperties(); - assertTrue(result.getProperties().keySet().size() > 1); - } finally { - if (instance != null) { - instance.closeDataStores(); - } - } - } - - /** - * Test of closeDataStores method, of class BaseUpdater. - */ - @Test - public void testCloseDataStores() { - BaseUpdater instance = null; - try { - instance = new BaseUpdaterImpl(); - instance.openDataStores(); - } catch (UpdateException ex) { - fail(ex.getMessage()); - } finally { - if (instance != null) { - instance.closeDataStores(); - } - } - } - - /** - * Test of openDataStores method, of class BaseUpdater. - */ - @Test - public void testOpenDataStores() { - BaseUpdater instance = null; - try { - instance = new BaseUpdaterImpl(); - instance.openDataStores(); - } catch (UpdateException ex) { - fail(ex.getMessage()); - } finally { - if (instance != null) { - instance.closeDataStores(); - } - } - } - - public class BaseUpdaterImpl extends BaseUpdater { - } - -} diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/CpeUpdaterIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/CpeUpdaterIntegrationTest.java deleted file mode 100644 index 1f9dcf89d..000000000 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/CpeUpdaterIntegrationTest.java +++ /dev/null 
@@ -1,40 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved.
- */
-package org.owasp.dependencycheck.data.update;
-
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
-
-/**
- *
- * @author jeremy
- */
-public class CpeUpdaterIntegrationTest extends BaseTest {
-
- /**
- * Test of update method, of class CpeUpdater.
- */
- @Test
- public void testUpdate() throws Exception {
- //commented out as the current code base does not utilize the CpeU[pdater.
-
-// CpeUpdater instance = new CpeUpdater();
-// instance.update();
- }
-
-}
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCveUpdaterIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCveUpdaterIntegrationTest.java
index 293ee6b35..6cedb1858 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCveUpdaterIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCveUpdaterIntegrationTest.java
@@ -21,6 +21,7 @@ import static org.junit.Assert.assertNotNull; import static org.junit.Assert.fail; import org.junit.Test; import org.owasp.dependencycheck.BaseTest; +import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.update.exception.UpdateException; import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve; @@ -28,7 +29,7 @@ import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve; * * @author Jeremy Long */ - public class NvdCveUpdaterIntegrationTest extends BaseTest { +public class NvdCveUpdaterIntegrationTest extends BaseTest { public NvdCveUpdater getUpdater() { NvdCveUpdater instance = new NvdCveUpdater(); @@ -55,12 +56,7 @@ import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve; @Test public void testUpdatesNeeded() throws Exception { NvdCveUpdater instance = getUpdater(); - try { - instance.openDataStores(); - UpdateableNvdCve result = instance.getUpdatesNeeded(); - assertNotNull(result); - } finally { - instance.closeDataStores(); - } + UpdateableNvdCve result = instance.getUpdatesNeeded(); + assertNotNull(result); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java index 93a88170f..f379d332d 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java 
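Review bot: The `import org.owasp.dependencycheck.data.nvdcve.CveDB;` added in the first hunk of NvdCveUpdaterIntegrationTest appears to be unused, since none of the lines this commit adds to the file reference `CveDB`; unless a Javadoc reference outside the hunks needs it, it should be dropped. In the third hunk `testUpdatesNeeded` no longer calls `openDataStores()` or `closeDataStores()`, so the test presumably relies on a database handle that is managed elsewhere. A short comment in the test, for example `// the database is opened and closed outside this test`, would tell the next reader that the missing cleanup is intentional.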
@@ -144,10 +144,8 @@ public class ReportGeneratorIntegrationTest extends BaseDBTestCase { engine.scan(jetty); engine.analyzeDependencies(); - CveDB cveDB = new CveDB(); - cveDB.open(); + CveDB cveDB = CveDB.getInstance(); DatabaseProperties dbProp = cveDB.getDatabaseProperties(); - cveDB.close(); ReportGenerator generator = new ReportGenerator("Test Report", engine.getDependencies(), engine.getAnalyzers(), dbProp); generator.generateReport(templateName, writeTo); diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index 95e834c71..ca767a4b4 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -1029,19 +1029,14 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma */ protected void writeReports(Engine engine, MavenProject p, File outputDir) throws ReportException { DatabaseProperties prop = null; - CveDB cve = null; try { - cve = new CveDB(); - cve.open(); + final CveDB cve = CveDB.getInstance(); prop = cve.getDatabaseProperties(); } catch (DatabaseException ex) { + //TODO shouldn't this throw an exception? if (getLog().isDebugEnabled()) { getLog().debug("Unable to retrieve DB Properties", ex); } - } finally { - if (cve != null) { - cve.close(); - } } final ReportGenerator r = new ReportGenerator(p.getName(), engine.getDependencies(), engine.getAnalyzers(), prop); try {
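Review bot: In `writeReports` of BaseDependencyCheckMojo a `DatabaseException` from `CveDB.getInstance()` or `getDatabaseProperties()` is still only logged when debug is enabled, so `ReportGenerator` is constructed with `prop` still `null` and a normal build gives no sign that the database properties could not be read. The added `//TODO shouldn't this throw an exception?` acknowledges the question but leaves the behaviour as it was. Because the report is what people use to judge whether dependencies are vulnerable, the failure should be visible by default, at least as `getLog().warn("Unable to retrieve DB Properties", ex);` in place of the guarded debug call, or by rethrowing through the `ReportException` the method already declares. The body of `writeReports` continues past the end of this hunk, so how a `null` `prop` is handled later is not visible here.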