From 69ebb53a059ff86abd7a14ce44f39ee94c1ab2dc Mon Sep 17 00:00:00 2001
From: Will Stranathan
Date: Wed, 26 Mar 2014 23:02:17 -0400
Subject: [PATCH] Squashed commit of the following:

commit 1d1a06a5ae7ea4f6e3adbf5a4b8163eba50562a3
Author: Will Stranathan
Date: Wed Mar 26 22:59:15 2014 -0400

    Updated unit tests and logging

commit bb00174e62c9657809d6e5a9cde7c7308d905593
Author: Will Stranathan
Date: Wed Mar 26 22:20:28 2014 -0400

    Updated GrokAssembly to not fail if the vendor can't be gotten

commit 27f7c9366acca8abbff9c6e9fa9ce1a1329da887
Author: Will Stranathan
Date: Wed Mar 26 22:18:33 2014 -0400

    Updated unit test to not care about version number

Former-commit-id: e700a5f81b7b0f6d6ccf392e846723e67fff591c
---
 .../analyzer/AssemblyAnalyzer.java | 15 ++++-
 .../src/main/resources/GrokAssembly.exe | Bin 5120 -> 5632 bytes
 .../analyzer/AssemblyAnalyzerTest.java | 55 +++++++++++++++---
 3 files changed, 61 insertions(+), 9 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index 4857e8f5d..52f5f3911 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -71,7 +71,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 /**
 * Logger
 */
- private static final Logger LOG = Logger.getLogger(AbstractAnalyzer.class.getName());
+ private static final Logger LOG = Logger.getLogger(AssemblyAnalyzer.class.getName());
 /**
 * Builds the beginnings of a List for ProcessBuilder
@@ -113,6 +113,19 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 final ProcessBuilder pb = new ProcessBuilder(args);
 try {
 final Process proc = pb.start();
+ int rc = 0;
+ try {
+ rc = proc.waitFor();
+ } catch (InterruptedException ie) {
+ return;
+ }
+ if (rc == 3) {
+ LOG.info(dependency.getActualFilePath() + " is not a valid assembly");
+ return;
+ } else if (rc != 0) {
+ LOG.warning("Return code " + rc + " from GrokAssembly");
+ }
+
 final Document doc = builder.parse(proc.getInputStream());
 final XPath xpath = XPathFactory.newInstance().newXPath();
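Review bot: The new `catch (InterruptedException ie) { return; }` after `proc.waitFor()` swallows the interrupt and leaves the GrokAssembly child running, so nothing upstream learns the thread was asked to stop; it should read `Thread.currentThread().interrupt(); proc.destroy(); return;`. Waiting before anything reads `proc.getInputStream()` is also a deadlock risk: a child that fills the stdout pipe (or stderr, unless the ProcessBuilder redirects it somewhere before this hunk) blocks on write while this thread blocks in waitFor(). If GrokAssembly still emits its XML on a non-zero exit, calling `builder.parse(proc.getInputStream())` first and checking `rc` afterwards avoids that; otherwise the streams need draining before the wait. The literal `3` deserves a named constant with a comment stating which GrokAssembly exit code it stands for, and the `rc != 0` branch logs a warning and then still parses the output, which is worth a comment if intentional. The surrounding try block and the enclosing method begin and end outside the hunk.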
diff --git a/dependency-check-core/src/main/resources/GrokAssembly.exe b/dependency-check-core/src/main/resources/GrokAssembly.exe index 9c395259e102267f61e693c41e80889a2bd5b815..3324e28e858916827baf2c4e25c9ec4bb505dd8f 100755 GIT binary patch delta 1768 zcmZ8iTTEO<82;w$p54RQa^Re$3oR@h*Z>Q-WD9Mwi$yLiP+Fxbz1XIqa@oK}+(Qpr zZ4=WaRnv+VCDX)|1~oqTU?0?AOuW2Q)1>;MCdQ;uRH}&@AAB*!*fjXhEYy}s=9_=M z|1vY*%*mOF&fNFP`I@VKzC1Y;n}7R|Q5*yI38E9&-AM_e?V+wfg&hHYD*!xl4j-Q{j2o3ov=Y!8%i~@g zQuvUvlXdXRN>whZ6YZveDP=DG5^ab@1H?F+2uk(DmyC*r7NWGg-qt}CH8)7Hj-Te5 zdrp{?qiYT=sOM|FBWi^f+>dFD((&@O%JjsuYqg3*XfZ)y)XdQk^vcAjMRvhgv=WQb z8hWWyLYSqb@}O#}$wpe;ROiy62W+{I@9ylwR6`5SW(vM*FUvyMx@FoNOs_2cz2^RL zC#Ap%iTF~n{#{v`duwAznTXi3F)YB=MJRB#Zghs%odr%g`GWpXP)jt4o%l^{A?VZG zhV_V?X8N3pdkdIa>0?37)J*?ey5o!0)z!SZ%e~@6_vqg$%52pCFp)z4Cusa%|1J8m zcxH9W1jrZEoG^0GeI#txn4p1Qs1HzYA=O1V-4avQ_yaU1h!>Ksw`*jyi)*EzPO|C7 zXa=nF-NcJJbUCbhaBnxuyFsrDPi=3GH}ebLqV_i^Dsl$cL{Ih;>XE^$o6d|+i%Qoi z{UX(j92~?kTAFr*NZ-N!-84?p{26}3TW^MGMnz;78>r`|x`kcgO=>LXXIG%ZVzY#0 z662ED$$FTM!_uCS_9f|kSK>{{LlH4GipXu0_^`wY$-gY|Es38=yeaXP#E?hiZnHgm zJvzobXT|rpcKo~y#VDn+5Ah$>a?h;d^4n@ht^v0ZK|iWk6iL*vN<4xctXVRx7{)Qy zh9j6@9caJ_79l*%dT;`-v3}ouxF!JuAy}g&Cp%NcTyecs*@pFk^OS~a*MdI&-49&QO3xpo_I$?nQMHpoN5|%T; zN0>@SXp(#@D<}JYHpoulD7-UyNd`)=Nb1mWND;s*?6u~ygtYGE-dyVN`&i3(Dto-g zbsZN6Qm3+q-E=nPqCb;uZ9)DGVV9E`9nM0!9!zIae7DwZh_wADvlvWeY2eRmqnmrv zlc@nG+v}XnjP;xvO-*IfPG;#>tx>V7hv8xz({z$aq>v#yiwW3xnl5A-HZKY^76y7r zdEvH!D!w&vxh&X4&S_$v#0Ys#3s0?$5zYg(#VaeT=a#OW?R)VXbN|Ju^B?i+f!c9c zVHJu|QQ@Vp&hWuwP$SzgR4^+hkXd0L*-5kAZ!6&nE2((G)((#i!)wFp5zw#N2wO=C z*1|@Kzd*B8%d}!vm;$XNd3f8Vzv(kdto=8Hx&txZWo}hEWBh30`#i4L+%V1rut@hJ op6uel(yK;0D@r0kB5X$-+vs(+Ed5+mt0<4RFPYY#Y(DP)56-|B@c;k- delta 1341 zcmZ9MTWFj`6vxk*{cihZ^CjQ6aW^q;-OZ-WCfg0$o8673ZCcT`UPG)#X*5VgRw1jK zK6oR$f{H|2Oh*t?iZ>9isB9H{XhD23K3L3CEh)j^lMe+25k%vEW<%2CgZa&W&YW{* z=FHC4w%0OmyxR3zdu)VOzavzn9Mv-JuKzhz^HlQ&E}XN8Fd1 zU`e7yp*Zl6Zm#~ zG-~^{Z=EXbpI=#7X%uHsop#%X^8Kc=te3CDT~xQdZ4n>@$uA7E7)Npop+mcsl?XMW 
z4pi_%v~FmW0czbokCDpa%Y@l8I3bAA(?l21PvFwiBPS}Q$;YQu#BR7n;GI4;LI-f4 z$VBPej~%%c{k<4Z$QR9?YzIaN)=e#xLc?9_Mb%g}HBU4m7tCDsU;30>3Uk0Nb+gj@ zw0?kRpeHpy(w2Fxf7bk4vsI|5y_$DxKB+mQ`GMvI%}e4B;Zh{jr+&zd0)W_ygJZ<8 z(4c(B>J04^56Sb^{%R2~DosbImoqd(dpJiA(sAAeUE={7rZ@RE=y&-jmFR2e5?$bX z=vlg??Z0YX<@*q&bc(hM#_S<1I16r}w>96>9M=3;^DE77tGfG6^9PWrpMIn%aDiS1 zFVipJGA)6>Yx|$*`{^HT4>5B;HF1&0=^z=k#(4{EV`DfvK0Gfnv}$0K3tFt(OrlXf zT2DI`%j4l8`C0hUdbisvWI2+N-$!1+^PsZ}ubf4=KLLYQY3B&aw3!ndP7O_j3fnn6pCh&5s QtwPjpuKR6Qc{XqV59bre!2kdN diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java index 19c1f57ed..0aa96abd3 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java @@ -17,14 +17,17 @@ */ package org.owasp.dependencycheck.analyzer; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; +import static org.junit.Assume.assumeFalse; + import java.io.File; import java.util.logging.Level; import java.util.logging.Logger; + import org.junit.After; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; import org.junit.Assume; -import static org.junit.Assume.assumeFalse; import org.junit.Before; import org.junit.Test; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; 
@@ -75,7 +78,21 @@ public class AssemblyAnalyzerTest {
 File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("GrokAssembly.exe").getPath());
 Dependency d = new Dependency(f);
 analyzer.analyze(d, null);
- assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.0.5176.23901", Confidence.HIGHEST)));
+ boolean foundVendor = false;
+ for (Evidence e : d.getVendorEvidence().getEvidence("grokassembly", "vendor")) {
+ if ("OWASP".equals(e.getValue())) {
+ foundVendor = true;
+ }
+ }
+ assertTrue(foundVendor);
+
+ boolean foundProduct = false;
+ for (Evidence e : d.getProductEvidence().getEvidence("grokassembly", "product")) {
+ if ("GrokAssembly".equals(e.getValue())) {
+ foundProduct = true;
+ }
+ }
+ assertTrue(foundProduct);
 }
 
 @Test
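Review bot: The two flag-and-loop blocks added after `analyzer.analyze(d, null)` are the same search written twice, and `assertTrue(foundVendor)` / `assertTrue(foundProduct)` carry no message, so a failure reports only a bare AssertionError with no hint of which evidence was missing. A small private helper plus an assertion message makes both the intent and the failure readable; the helper below assumes `getEvidence(String, String)` returns something iterable over `Evidence`, which the new for-each loops already rely on. Each check then collapses to one line, e.g. `assertTrue("vendor evidence OWASP missing", hasEvidence(d.getVendorEvidence().getEvidence("grokassembly", "vendor"), "OWASP"));`.

```java
        // … unchanged: analyze call …
        assertTrue("vendor evidence OWASP missing",
                hasEvidence(d.getVendorEvidence().getEvidence("grokassembly", "vendor"), "OWASP"));
        assertTrue("product evidence GrokAssembly missing",
                hasEvidence(d.getProductEvidence().getEvidence("grokassembly", "product"), "GrokAssembly"));
    }

    /** True if any evidence in the collection carries exactly the expected value. */
    private static boolean hasEvidence(Iterable<Evidence> evidence, String expected) {
        for (Evidence e : evidence) {
            if (expected.equals(e.getValue())) {
                return true;
            }
        }
        return false;
    }
```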
@@ -88,15 +105,29 @@ public class AssemblyAnalyzerTest {
 assertTrue(d.getProductEvidence().getEvidence().contains(new Evidence("grokassembly", "product", "log4net", Confidence.HIGH)));
 }
 
- @Test(expected = AnalysisException.class)
- public void testNonexistent() throws Exception {
+ @Test
+ public void testNonexistent() {
+ Level oldLevel = Logger.getLogger(AssemblyAnalyzer.class.getName()).getLevel();
+ Level oldDependency = Logger.getLogger(Dependency.class.getName()).getLevel();
+ // Tweak the log level so the warning doesn't show in the console
+ Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(Level.OFF);
+ Logger.getLogger(Dependency.class.getName()).setLevel(Level.OFF);
 File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
 File test = new File(f.getParent(), "nonexistent.dll");
 Dependency d = new Dependency(test);
- analyzer.analyze(d, null);
+
+ try {
+ analyzer.analyze(d, null);
+ fail("Expected an AnalysisException");
+ } catch (AnalysisException ae) {
+ assertEquals("File does not exist", ae.getMessage());
+ } finally {
+ Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(oldLevel);
+ Logger.getLogger(Dependency.class.getName()).setLevel(oldDependency);
+ }
 }
 
- @Test(expected = AnalysisException.class)
+ @Test
 public void testWithSettingMono() throws Exception {
 //This test doesn't work on Windows.
@@ -113,12 +144,20 @@ public class AssemblyAnalyzerTest {
 Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, "/yooser/bine/mono");
 }
 
+ Level oldLevel = Logger.getLogger(AssemblyAnalyzer.class.getName()).getLevel();
 try {
+ // Tweak the logging to swallow the warning when testing
+ Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(Level.OFF);
 // Have to make a NEW analyzer because during setUp, it would have gotten the correct one
 AssemblyAnalyzer aanalyzer = new AssemblyAnalyzer();
 aanalyzer.supportsExtension("dll");
 aanalyzer.initialize();
+ fail("Expected an AnalysisException");
+ } catch (AnalysisException ae) {
+ assertEquals("An error occured with the .NET AssemblyAnalyzer", ae.getMessage());
 } finally {
+ // Recover the logger
+ Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(oldLevel);
 // Now recover the way we came in. If we had to set a System property, delete it. Otherwise,
 // reset the old value
 if (oldValue == null) {
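Review bot: `assertEquals("An error occured with the .NET AssemblyAnalyzer", ae.getMessage())` couples the test to the exact production wording, including its misspelling, so correcting that message in AssemblyAnalyzer will fail this test for no behavioural reason; the `catch (AnalysisException ae)` already asserts the type, and if a message check is wanted a looser `assertTrue(ae.getMessage().contains("AssemblyAnalyzer"))` is more durable. The `fail("Expected an AnalysisException")` inside the try is correct only because AssertionError is not an AnalysisException and passes through the catch, which deserves a one-line comment such as `// fail() throws AssertionError, which the catch below does not intercept` so nobody "fixes" it. Setting the AssemblyAnalyzer logger to Level.OFF also hides any unexpected warning from the very code path under test; if that is acceptable, the comment should say a warning is expected on this path rather than that it is being swallowed. testWithSettingMono begins before the hunk and its finally block continues after it.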