Merge remote-tracking branch 'origin/master'

Former-commit-id: 5eb272a53b94c6346b7c43ee5f0acd45c2e2911c
Steve Springett
2014-11-16 12:53:37 -06:00
28 changed files with 368 additions and 96 deletions


@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.6-SNAPSHOT</version>
<version>1.2.6</version>
</parent>
<artifactId>dependency-check-ant</artifactId>


@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.6-SNAPSHOT</version>
<version>1.2.6</version>
</parent>
<artifactId>dependency-check-cli</artifactId>
@@ -286,12 +286,12 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>appassembler-maven-plugin</artifactId>
<version>1.7</version>
<version>1.8.1</version>
<configuration>
<programs>
<program>
<mainClass>org.owasp.dependencycheck.App</mainClass>
<name>dependency-check</name>
<id>dependency-check</id>
</program>
</programs>
<assembleDirectory>${project.build.directory}/release</assembleDirectory>


@@ -2,10 +2,8 @@
<assembly
xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
http://maven.apache.org/xsd/assembly-1.1.2.xsd
"
xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
http://maven.apache.org/xsd/assembly-1.1.2.xsd"
>
<id>release</id>
<formats>


@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.6-SNAPSHOT</version>
<version>1.2.6</version>
</parent>
<artifactId>dependency-check-core</artifactId>
@@ -419,6 +419,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<version>4.3.1</version>
<scope>test</scope>
</dependency>
<!--dependency>
<groupId>org.jmockit</groupId>
<artifactId>jmockit</artifactId>
<version>1.12</version>
<scope>test</scope>
</dependency-->
<dependency>
<groupId>com.google.code.findbugs</groupId>
<artifactId>annotations</artifactId>


@@ -120,9 +120,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
// Try evacuating the error stream
rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8"));
String line = null;
// CheckStyle:VisibilityModifier OFF
while (rdr.ready() && (line = rdr.readLine()) != null) {
LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.stderr", line);
}
// CheckStyle:VisibilityModifier ON
int rc = 0;
doc = builder.parse(proc.getInputStream());
@@ -233,9 +235,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
final Process p = pb.start();
// Try evacuating the error stream
rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8"));
// CheckStyle:VisibilityModifier OFF
while (rdr.ready() && rdr.readLine() != null) {
// We expect this to complain
}
// CheckStyle:VisibilityModifier ON
final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String error = xpath.evaluate("/assembly/error", doc);
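Review bot: The `// CheckStyle:VisibilityModifier OFF/ON` markers added around both stderr loops name a check that does not match what they wrap — an empty or near-empty `while` body is what a linter would flag (EmptyBlock or similar), not field visibility — so the suppression looks ineffective or is silencing the wrong rule; verify against the project's checkstyle configuration and name the right check, or give the loop a real body such as a `LOGGER.finest` call. More importantly, both loops are gated on `rdr.ready()`, which returns false as soon as the child has not yet produced output, so stderr is only partially drained; if GrokAssembly later writes more than the pipe buffer while the parent is blocked in `builder.parse(proc.getInputStream())`, the two processes can stall on each other. Draining stderr on a separate thread, or redirecting it to a file via `ProcessBuilder.redirectError` where the target JDK allows, is the usual fix; the enclosing methods start and end outside these hunks.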


@@ -1,14 +1,22 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.data.central.CentralSearch;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URL;
@@ -16,11 +24,23 @@ import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.central.CentralSearch;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
/**
* Created by colezlaw on 10/9/14.
* Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's
* SHA-1 digest.
*
* @author colezlaw
*/
public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The logger.
*/
@@ -29,7 +49,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The name of the analyzer.
*/
private static final String ANALYZER_NAME = "Central Analyzer";
private static final String ANALYZER_NAME = "Central Analyzer";
/**
* The phase in which this analyzer runs.
@@ -42,16 +62,21 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
/**
* The analyzer should be disabled if there are errors, so this is a flag
* to determine if such an error has occurred.
* The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has
* occurred.
*/
protected boolean errorFlag = false;
private boolean errorFlag = false;
/**
* The searcher itself.
*/
private CentralSearch searcher;
/**
* Field indicating if the analyzer is enabled.
*/
private final boolean enabled = checkEnabled();
/**
* Determine whether to enable this analyzer or not.
*
@@ -59,6 +84,15 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
*/
@Override
public boolean isEnabled() {
return enabled;
}
/**
* Determines if this analyzer is enabled.
*
* @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
*/
private boolean checkEnabled() {
boolean retval = false;
try {
@@ -68,7 +102,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.info("Enabling the Central analyzer");
retval = true;
} else {
LOGGER.info("Nexus analyzer is enabled, disabling Central");
LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
}
} else {
LOGGER.info("Central analyzer disabled");
@@ -76,14 +110,13 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
} catch (InvalidSettingException ise) {
LOGGER.warning("Invalid setting. Disabling the Central analyzer");
}
return retval;
}
/**
* Initializes the analyzer once before any analysis is performed.
*
* @throws Exception if there's an error during initalization
* @throws Exception if there's an error during initialization
*/
@Override
public void initializeFileTypeAnalyzer() throws Exception {
@@ -106,7 +139,8 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
return ANALYZER_NAME;
}
/** Returns the key used in the properties file to to reference the analyzer's enabled property.
/**
* Returns the key used in the properties file to to reference the analyzer's enabled property.
*
* @return the analyzer's enabled property setting key.
*/
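Review bot: `private final boolean enabled = checkEnabled();` evaluates the enablement once, in a field initializer, so the result is fixed at construction time; if analyzers are instantiated before the run's `Settings` have been loaded (for example through service discovery at startup), `isEnabled()` will report the default rather than the configured value, and later changes to the Nexus/Central settings are never seen. The same pattern is introduced in `NexusAnalyzer` in this commit. Unless construction order is guaranteed, computing the value lazily on the first `isEnabled()` call or in `initializeFileTypeAnalyzer()` would be safer, and it also keeps `checkEnabled()`'s `LOGGER.info` calls out of the constructor. Separately, the reformatted Javadoc of the enabled-setting-key accessor still reads `to to reference`; drop the duplicated word.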


@@ -24,7 +24,6 @@ import java.net.URL;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
@@ -34,8 +33,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
/**
* Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
*
@@ -51,6 +48,7 @@ import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
* @author colezlaw
*/
public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The default URL - this will be used by the CentralAnalyzer to determine whether to enable this.
*/
@@ -82,24 +80,28 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
private NexusSearch searcher;
/**
* Determine whether to enable this analyzer or not.
*
* @return whether the analyzer should be enabled
* Field indicating if the analyzer is enabled.
*/
@Override
public boolean isEnabled() {
private final boolean enabled = checkEnabled();
/**
* Determines if this analyzer is enabled
*
* @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
*/
private boolean checkEnabled() {
/* Enable this analyzer ONLY if the Nexus URL has been set to something
other than the default one (if it's the default one, we'll use the
central one) and it's enabled by the user.
other than the default one (if it's the default one, we'll use the
central one) and it's enabled by the user.
*/
boolean retval = false;
try {
if ((! DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL)))
&& Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
if ((!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL)))
&& Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
LOGGER.info("Enabling Nexus analyzer");
retval = true;
} else {
LOGGER.info("Nexus analyzer disabled");
LOGGER.info("Nexus analyzer disabled, using Central instead");
}
} catch (InvalidSettingException ise) {
LOGGER.warning("Invalid setting. Disabling Nexus analyzer");
@@ -108,6 +110,16 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
return retval;
}
/**
* Determine whether to enable this analyzer or not.
*
* @return whether the analyzer should be enabled
*/
@Override
public boolean isEnabled() {
return enabled;
}
/**
* Initializes the analyzer once before any analysis is performed.
*
@@ -184,7 +196,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
*/
@Override
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
if (! isEnabled()) {
if (!isEnabled()) {
return;
}
try {


@@ -1,17 +1,22 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.central;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.URLConnectionFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.HttpURLConnection;
@@ -19,6 +24,16 @@ import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.URLConnectionFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
/**
* Class of methods to search Maven Central via Central.
@@ -26,6 +41,7 @@ import java.util.logging.Logger;
* @author colezlaw
*/
public class CentralSearch {
/**
* The URL for the Central service
*/
@@ -41,17 +57,11 @@ public class CentralSearch {
*/
private static final Logger LOGGER = Logger.getLogger(CentralSearch.class.getName());
/**
* Determines whether we'll continue using the analyzer. If there's some sort
* of HTTP failure, we'll disable the analyzer.
*/
private boolean isEnabled = true;
/**
* Creates a NexusSearch for the given repository URL.
*
* @param rootURL the URL of the repository on which searches should execute.
* Only parameters are added to this (so it should end in /select)
* @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so
* it should end in /select)
*/
public CentralSearch(URL rootURL) {
this.rootURL = rootURL;
@@ -70,8 +80,8 @@ public class CentralSearch {
*
* @param sha1 the SHA-1 hash string for which to search
* @return the populated Maven GAV.
* @throws IOException if it's unable to connect to the specified repository or if
* the specified artifact is not found.
* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
* found.
*/
public List<MavenArtifact> searchSha1(String sha1) throws IOException {
if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
@@ -80,7 +90,7 @@ public class CentralSearch {
final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
LOGGER.info(String.format("Searching Central url %s", url.toString()));
LOGGER.fine(String.format("Searching Central url %s", url.toString()));
// Determine if we need to use a proxy. The rules:
// 1) If the proxy is set, AND the setting is set to true, use the proxy
@@ -106,8 +116,8 @@ public class CentralSearch {
if ("0".equals(numFound)) {
missing = true;
} else {
ArrayList<MavenArtifact> result = new ArrayList<MavenArtifact>();
NodeList docs = (NodeList)xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
final ArrayList<MavenArtifact> result = new ArrayList<MavenArtifact>();
final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
for (int i = 0; i < docs.getLength(); i++) {
final String g = xpath.evaluate("./str[@name='g']", docs.item(i));
LOGGER.finest(String.format("GroupId: %s", g));


@@ -0,0 +1,14 @@
/**
* <html>
* <head>
* <title>org.owasp.dependencycheck.data.central</title>
* </head>
* <body>
* <p>
* Contains classes related to searching Maven Central.</p>
* <p>
* These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.</p>
* </body>
* </html>
*/
package org.owasp.dependencycheck.data.central;


@@ -54,6 +54,7 @@ import org.owasp.dependencycheck.utils.Pair;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class CpeMemoryIndex {
/**
* The logger.
*/
@@ -160,7 +161,7 @@ public final class CpeMemoryIndex {
*/
@SuppressWarnings("unchecked")
private Analyzer createSearchingAnalyzer() {
final Map fieldAnalyzers = new HashMap();
final Map<String, Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
productSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
vendorSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
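Review bot: With `fieldAnalyzers` now declared as `Map<String, Analyzer>`, the `@SuppressWarnings("unchecked")` on `createSearchingAnalyzer` may no longer be justified; if the rest of the method (outside this hunk) has no other raw-type use, remove the annotation so that future unchecked warnings in this method are not hidden.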


@@ -306,14 +306,14 @@ public class CveDB {
* @throws DatabaseException thrown when there is an error retrieving the data from the DB
*/
public Set<Pair<String, String>> getVendorProductList() throws DatabaseException {
final HashSet data = new HashSet<Pair<String, String>>();
final Set<Pair<String, String>> data = new HashSet<Pair<String, String>>();
ResultSet rs = null;
PreparedStatement ps = null;
try {
ps = getConnection().prepareStatement(SELECT_VENDOR_PRODUCT_LIST);
rs = ps.executeQuery();
while (rs.next()) {
data.add(new Pair(rs.getString(1), rs.getString(2)));
data.add(new Pair<String, String>(rs.getString(1), rs.getString(2)));
}
} catch (SQLException ex) {
final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
@@ -731,7 +731,7 @@ public class CveDB {
* @param previous a flag indicating if previous versions of the product are vulnerable
* @return true if the identified version is affected, otherwise false
*/
private boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {
protected boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {
boolean affected = false;
final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
final DependencyVersion v = parseDependencyVersion(cpeId);
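Review bot: `isAffected` is widened from `private` to `protected`, which makes it part of the inherited API of the non-final `CveDB`, while the only visible caller is `CveDBIntegrationTest` in the same package. Package-private access gives the test what it needs without enlarging the surface subclasses can rely on: `boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {`. If it is to stay `protected`, the Javadoc should say it is exposed for testing rather than for extension. The method body continues outside the hunk.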


@@ -142,8 +142,8 @@ public class DatabaseProperties {
*
* @return a map of the database meta data
*/
public Map getMetaData() {
final TreeMap map = new TreeMap();
public Map<String, String> getMetaData() {
final TreeMap<String, String> map = new TreeMap<String, String>();
for (Entry<Object, Object> entry : properties.entrySet()) {
final String key = (String) entry.getKey();
if (!"version".equals(key)) {
@@ -156,10 +156,10 @@ public class DatabaseProperties {
map.put(key, formatted);
} catch (Throwable ex) { //deliberately being broad in this catch clause
LOGGER.log(Level.FINE, "Unable to parse timestamp from DB", ex);
map.put(key, entry.getValue());
map.put(key, (String) entry.getValue());
}
} else {
map.put(key, entry.getValue());
map.put(key, (String) entry.getValue());
}
}
}
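Review bot: The new `(String) entry.getValue()` casts hold only because a `Properties` object loaded from a file stores strings; a value inserted through `Properties.put(Object, Object)` would now throw `ClassCastException` here, and in the first branch the cast sits inside a `catch (Throwable)` that would quietly absorb it. Iterating `properties.stringPropertyNames()` and reading `properties.getProperty(key)` yields typed strings with no casts and removes the need for the `Entry<Object, Object>` loop at the top of the first hunk.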


@@ -18,6 +18,9 @@
package org.owasp.dependencycheck.data.update.task;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URL;
import java.util.concurrent.Callable;
@@ -25,6 +28,8 @@ import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.GZIPInputStream;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.update.NvdCveInfo;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
@@ -195,10 +200,18 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
LOGGER.log(Level.FINE, null, ex);
return null;
}
if (url1.toExternalForm().endsWith(".xml.gz")) {
extractGzip(first);
}
if (url2.toExternalForm().endsWith(".xml.gz")) {
extractGzip(second);
}
msg = String.format("Download Complete for NVD CVE - %s", nvdCveInfo.getId());
LOGGER.log(Level.INFO, msg);
if (this.processorService == null) {
return null;
}
final ProcessTask task = new ProcessTask(cveDB, this, settings);
return this.processorService.submit(task);
@@ -237,4 +250,48 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
}
}
}
/**
* Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file
* specified.
*
* @param file the archive file
* @throws FileNotFoundException thrown if the file does not exist
* @throws IOException thrown if there is an error extracting the file.
*/
private void extractGzip(File file) throws FileNotFoundException, IOException {
final String originalPath = file.getPath();
File gzip = new File(originalPath + ".gz");
if (gzip.isFile()) {
gzip.delete();
}
if (!file.renameTo(gzip)) {
throw new IOException("Unable to rename '" + file.getPath() + "'");
}
final File newfile = new File(originalPath);
final byte[] buffer = new byte[4096];
GZIPInputStream cin = null;
FileOutputStream out = null;
try {
cin = new GZIPInputStream(new FileInputStream(gzip));
out = new FileOutputStream(newfile);
int len;
while ((len = cin.read(buffer)) > 0) {
out.write(buffer, 0, len);
}
} finally {
if (cin != null) {
cin.close();
}
if (out != null) {
out.close();
}
if (gzip.isFile()) {
FileUtils.deleteQuietly(gzip);
}
}
}
}
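Review bot: In `extractGzip`'s `finally`, an exception from `cin.close()` skips both `out.close()` and the `.gz` cleanup, leaking the output handle; since commons-io is already on the classpath, `IOUtils.closeQuietly(cin); IOUtils.closeQuietly(out);` (with the matching import) or a nested try/finally closes both regardless. The return value of `gzip.delete()` is ignored, so a stale `.gz` that cannot be removed makes the following `renameTo` fail with a message that points at the wrong file — check it and report it as the rename failure already is. Two smaller points: `FileNotFoundException` in the `throws` clause is redundant with `IOException`, and the decompressed size is unbounded; because the feed URLs are user-configurable (`cve.url-*`), a cap on the number of bytes written, or at least logging the extracted size, is a cheap safeguard against an unexpectedly large or malformed archive filling the disk.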


@@ -40,11 +40,16 @@ data.driver_path=
cve.url.modified.validfordays=7
# the path to the modified nvd cve xml file.
cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cve.startyear=2002
cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
# file type analyzer settings:
analyzer.archive.enabled=true
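Review bot: The old `http://` feed URLs are kept as commented-out lines directly under the new `https://…xml.gz` entries, which leaves two candidate values per key for a reader and invites someone to uncomment the plaintext URL later; if the old feeds are no longer supported, delete the lines rather than keep them as dead configuration. The same applies to the two test-resource copies of this properties file changed in this commit, whose hunk headers also show `cpe.meta.url=http://static.nvd.nist.gov/…` still on plain HTTP while the CVE feeds moved to HTTPS — if the CPE dictionary is served over TLS as well, moving it keeps the integrity of every downloaded feed on the same footing.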


@@ -40,7 +40,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
@Test
public void testGetSupportedExtensions() {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
Set expResult = new HashSet<String>();
Set<String> expResult = new HashSet<String>();
expResult.add("zip");
expResult.add("war");
expResult.add("ear");


@@ -93,7 +93,7 @@ public class JarAnalyzerTest extends BaseTest {
@Test
public void testGetSupportedExtensions() {
JarAnalyzer instance = new JarAnalyzer();
Set expResult = new HashSet();
Set<String> expResult = new HashSet<String>();
expResult.add("jar");
expResult.add("war");
Set result = instance.getSupportedExtensions();


@@ -38,7 +38,7 @@ public class JavaScriptAnalyzerTest extends BaseTest {
@Test
public void testGetSupportedExtensions() {
JavaScriptAnalyzer instance = new JavaScriptAnalyzer();
Set expResult = new HashSet<String>();
Set<String> expResult = new HashSet<String>();
expResult.add("js");
Set result = instance.getSupportedExtensions();
assertEquals(expResult, result);


@@ -19,9 +19,11 @@ package org.owasp.dependencycheck.data.nvdcve;
import java.util.List;
import java.util.Set;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.DependencyVersion;
/**
*
@@ -72,4 +74,21 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
instance.close();
}
}
/**
* Test of isAffected method, of class CveDB.
*/
@Test
public void testIsAffected() throws Exception {
String vendor = "openssl";
String product = "openssl";
DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
String cpeId = "cpe:/a:openssl:openssl:1.0.1e";
String previous = "y";
CveDB instance = new CveDB();
assertFalse(instance.isAffected(vendor, product, identifiedVersion, cpeId, previous));
}
}
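Review bot: `testIsAffected` opens a `CveDB` and never closes it, unlike the preceding test in this file, which ends with `instance.close()`; wrap the assertion in `try { … } finally { instance.close(); }` so a failing assertion does not leave the database connection open for the rest of the suite. The Javadoc could also state what the case establishes — that version `1.0.1o` is not flagged by a CPE for `1.0.1e` with `previous` set to `y` — since that appears to be the ordering the commit's new `DependencyVersion` assertions (`1.0.1m`/`1.0.1n`/`1.0.1o`) are meant to pin down.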


@@ -0,0 +1,75 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update.task;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertNull;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.update.NvdCveInfo;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class DownloadTaskTest {
public DownloadTaskTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
Settings.initialize();
}
@After
public void tearDown() {
Settings.cleanup();
}
/**
* Test of call method, of class DownloadTask.
*/
@Test
public void testCall() throws Exception {
NvdCveInfo cve = new NvdCveInfo();
cve.setId("modified");
cve.setNeedsUpdate(true);
cve.setUrl(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
cve.setOldSchemaVersionUrl(Settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL));
ExecutorService processExecutor = null;
CveDB cveDB = null;
DownloadTask instance = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());;
Future<ProcessTask> result = instance.call();
assertNull(result);
}
}
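Review bot: `testCall` downloads the live NVD modified feeds from the configured `cve.url-*` URLs, so it is a network-dependent test placed in a class named `DownloadTaskTest` rather than following the `*IntegrationTest` naming this repository uses for such tests (see `DownloaderIntegrationTest`); it will fail offline and may leave extracted feed files behind. The single `assertNull(result)` only confirms the early return taken when `processExecutor` is null and does not check that the files were fetched or that `extractGzip` produced plain XML, which is the behaviour the commit adds. Also, `Settings.getInstance());;` carries a stray second semicolon.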


@@ -165,6 +165,14 @@ public class DependencyVersionTest {
version = new DependencyVersion("1.2.3.1");
assertEquals(-1, instance.compareTo(version));
instance = new DependencyVersion("1.0.1n");
version = new DependencyVersion("1.0.1m");
assertEquals(1, instance.compareTo(version));
version = new DependencyVersion("1.0.1n");
assertEquals(0, instance.compareTo(version));
version = new DependencyVersion("1.0.1o");
assertEquals(-1, instance.compareTo(version));
DependencyVersion[] dv = new DependencyVersion[7];
dv[0] = new DependencyVersion("2.1.3");
dv[1] = new DependencyVersion("2.1.3.r2");


@@ -47,11 +47,16 @@ cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-di
cve.url.modified.validfordays=7
# the path to the modified nvd cve xml file.
cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cve.startyear=2014
cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.enabled=true


@@ -3,7 +3,7 @@
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.6-SNAPSHOT</version>
<version>1.2.6</version>
</parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-jenkins</artifactId>


@@ -22,7 +22,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.6-SNAPSHOT</version>
<version>1.2.6</version>
</parent>
<artifactId>dependency-check-maven</artifactId>


@@ -21,7 +21,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.6-SNAPSHOT</version>
<version>1.2.6</version>
</parent>
<artifactId>dependency-check-utils</artifactId>


@@ -42,12 +42,12 @@ public class DownloaderIntegrationTest extends BaseTest {
URL url = new URL(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
File outputPath = new File("target/downloaded_cve.xml");
Downloader.fetchFile(url, outputPath);
assertTrue(outputPath.isFile());
}
@Test
public void testGetLastModified() throws Exception {
URL url = new URL("http://nvd.nist.gov/download/nvdcve-2012.xml");
URL url = new URL(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
long timestamp = Downloader.getLastModified(url);
assertTrue("timestamp equal to zero?", timestamp > 0);
}


@@ -45,11 +45,15 @@ cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-di
cve.url.modified.validfordays=7
# the path to the modified nvd cve xml file.
cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cve.startyear=2014
cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.enabled=true


@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.6-SNAPSHOT</version>
<version>1.2.6</version>
<packaging>pom</packaging>
<modules>


@@ -0,0 +1,20 @@
Related FOSS Projects
===========
* [The Victims Project](https://github.com/victims)
* [Retire.js](http://bekk.github.io/retire.js/)
Vulnerability Sources
===========
The following are sources of vulnerability information. Dependency-check only uses information in the National Vulnerability
Database (NVD). The other sources listed below contain vulnerability information that may not be included in the NVD.
* [National Vulnerability Database](https://nvd.nist.gov/)
* [OSVDB](http://osvdb.org/)
Related Commercial Products
===========
The below list is merely informational. It is not a complete list, nor do the authors of dependency-check endorse any
of the products listed below.
* [Sonatype CLM](http://www.sonatype.com/clm/overview)
* [Black Duck](https://www.blackducksoftware.com/products/black-duck-suite/code-center)
* [Palamida](http://www.palamida.com/products/enterpriseedition.html)