diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml index 19cd62adb..59af44b24 100644 --- a/dependency-check-ant/pom.xml +++ b/dependency-check-ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.2.6-SNAPSHOT + 1.2.6 dependency-check-ant diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index c89fbe155..96b2d11c6 100644 --- a/dependency-check-cli/pom.xml +++ b/dependency-check-cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.2.6-SNAPSHOT + 1.2.6 dependency-check-cli @@ -286,12 +286,12 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.codehaus.mojo appassembler-maven-plugin - 1.7 + 1.8.1 org.owasp.dependencycheck.App - dependency-check + dependency-check ${project.build.directory}/release diff --git a/dependency-check-cli/src/main/assembly/release.xml b/dependency-check-cli/src/main/assembly/release.xml index 7ebf60d62..a2dd05d87 100644 --- a/dependency-check-cli/src/main/assembly/release.xml +++ b/dependency-check-cli/src/main/assembly/release.xml @@ -2,10 +2,8 @@ release diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 8512ae327..b64f35368 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.2.6-SNAPSHOT + 1.2.6 dependency-check-core @@ -419,6 +419,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. 4.3.1 test + com.google.code.findbugs annotations diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java index ac18ec90a..e59d6c77c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java 
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java @@ -120,9 +120,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { // Try evacuating the error stream rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8")); String line = null; + // CheckStyle:VisibilityModifier OFF while (rdr.ready() && (line = rdr.readLine()) != null) { LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.stderr", line); } + // CheckStyle:VisibilityModifier ON int rc = 0; doc = builder.parse(proc.getInputStream()); @@ -233,9 +235,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { final Process p = pb.start(); // Try evacuating the error stream rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8")); + // CheckStyle:VisibilityModifier OFF while (rdr.ready() && rdr.readLine() != null) { // We expect this to complain } + // CheckStyle:VisibilityModifier ON final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream()); final XPath xpath = XPathFactory.newInstance().newXPath(); final String error = xpath.evaluate("/assembly/error", doc); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java index ade039960..b062359c4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java 
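Review bot: The new `// CheckStyle:VisibilityModifier OFF` / `ON` markers surround two loops that declare no fields, so VisibilityModifier is not the check that fires on these lines; if the aim is to silence the empty-body warning on the second loop, name that check (Checkstyle's `EmptyBlock`) or drop the markers, because a suppression naming the wrong check disables an unrelated field-visibility rule for the region while leaving the real warning in place. The same pair of markers appears in both hunks of this file. Separately, both drain loops stop as soon as `rdr.ready()` returns false, so stderr written by the child after that point is never read; this is pre-existing, but if GrokAssembly emits much on stderr before producing the XML the child could block on the pipe, which I cannot confirm from the hunk. The enclosing methods start and end outside the hunks.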
@@ -1,14 +1,22 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ package org.owasp.dependencycheck.analyzer; -import org.owasp.dependencycheck.Engine; -import org.owasp.dependencycheck.analyzer.exception.AnalysisException; -import org.owasp.dependencycheck.data.nexus.MavenArtifact; -import org.owasp.dependencycheck.data.central.CentralSearch; -import org.owasp.dependencycheck.dependency.Confidence; -import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.utils.InvalidSettingException; -import org.owasp.dependencycheck.utils.Settings; - import java.io.FileNotFoundException; import java.io.IOException; import java.net.URL; 
@@ -16,11 +24,23 @@ import java.util.List; import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.data.central.CentralSearch; +import org.owasp.dependencycheck.data.nexus.MavenArtifact; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.utils.InvalidSettingException; +import org.owasp.dependencycheck.utils.Settings; /** - * Created by colezlaw on 10/9/14. + * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's + * SHA-1 digest. + * + * @author colezlaw */ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { + /** * The logger. */ @@ -29,7 +49,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { /** * The name of the analyzer. */ - private static final String ANALYZER_NAME = "Central Analyzer"; + private static final String ANALYZER_NAME = "Central Analyzer"; /** * The phase in which this analyzer runs. @@ -42,16 +62,21 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { private static final Set SUPPORTED_EXTENSIONS = newHashSet("jar"); /** - * The analyzer should be disabled if there are errors, so this is a flag - * to determine if such an error has occurred. + * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has + * occurred. */ - protected boolean errorFlag = false; + private boolean errorFlag = false; /** * The searcher itself. */ private CentralSearch searcher; + /** + * Field indicating if the analyzer is enabled. + */ + private final boolean enabled = checkEnabled(); + /** * Determine whether to enable this analyzer or not. * 
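Review bot: `private final boolean enabled = checkEnabled();` reads the Settings (including the Nexus-enabled decision shown in the following hunk) once, during construction, whereas the replaced `isEnabled()` evaluated them on every call; any Settings change applied after the analyzer is instantiated is no longer observed, which may be fine but is a behaviour change not mentioned anywhere and worth confirming against how the Engine and the CLI/plugins order configuration. The field Javadoc should make the timing explicit: `/** Whether the analyzer is enabled; computed once from Settings when the analyzer is constructed. */`. `errorFlag` also narrows from `protected` to `private`, which is correct only if no subclass reads it, and no subclass is visible in this diff. The NexusAnalyzer hunk later in this commit introduces the same construction-time `enabled` field and the same note applies there.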
@@ -59,6 +84,15 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { */ @Override public boolean isEnabled() { + return enabled; + } + + /** + * Determines if this analyzer is enabled. + * + * @return true if the analyzer is enabled; otherwise false + */ + private boolean checkEnabled() { boolean retval = false; try { @@ -68,7 +102,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { LOGGER.info("Enabling the Central analyzer"); retval = true; } else { - LOGGER.info("Nexus analyzer is enabled, disabling Central"); + LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer"); } } else { LOGGER.info("Central analyzer disabled"); @@ -76,14 +110,13 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { } catch (InvalidSettingException ise) { LOGGER.warning("Invalid setting. Disabling the Central analyzer"); } - return retval; } /** * Initializes the analyzer once before any analysis is performed. * - * @throws Exception if there's an error during initalization + * @throws Exception if there's an error during initialization */ @Override public void initializeFileTypeAnalyzer() throws Exception { @@ -106,7 +139,8 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { return ANALYZER_NAME; } - /** Returns the key used in the properties file to to reference the analyzer's enabled property. + /** + * Returns the key used in the properties file to to reference the analyzer's enabled property. * * @return the analyzer's enabled property setting key. */ diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java index 22db369ad..0da7a5147 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java 
@@ -24,7 +24,6 @@ import java.net.URL; import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; - import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.data.nexus.MavenArtifact; @@ -34,8 +33,6 @@ import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.utils.InvalidSettingException; import org.owasp.dependencycheck.utils.Settings; -import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; - /** * Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency. * @@ -51,6 +48,7 @@ import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; * @author colezlaw */ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { + /** * The default URL - this will be used by the CentralAnalyzer to determine whether to enable this. */ 
@@ -82,24 +80,28 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { private NexusSearch searcher; /** - * Determine whether to enable this analyzer or not. - * - * @return whether the analyzer should be enabled + * Field indicating if the analyzer is enabled. */ - @Override - public boolean isEnabled() { + private final boolean enabled = checkEnabled(); + + /** + * Determines if this analyzer is enabled + * + * @return true if the analyzer is enabled; otherwise false + */ + private boolean checkEnabled() { /* Enable this analyzer ONLY if the Nexus URL has been set to something - other than the default one (if it's the default one, we'll use the - central one) and it's enabled by the user. + other than the default one (if it's the default one, we'll use the + central one) and it's enabled by the user. */ boolean retval = false; try { - if ((! DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) - && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) { + if ((!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) + && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) { LOGGER.info("Enabling Nexus analyzer"); retval = true; } else { - LOGGER.info("Nexus analyzer disabled"); + LOGGER.info("Nexus analyzer disabled, using Central instead"); } } catch (InvalidSettingException ise) { LOGGER.warning("Invalid setting. Disabling Nexus analyzer"); @@ -108,6 +110,16 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { return retval; } + /** + * Determine whether to enable this analyzer or not. + * + * @return whether the analyzer should be enabled + */ + @Override + public boolean isEnabled() { + return enabled; + } + /** * Initializes the analyzer once before any analysis is performed. * 
@@ -184,7 +196,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { */ @Override public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException { - if (! isEnabled()) { + if (!isEnabled()) { return; } try { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java index 8977d13e7..fb6d86a1d 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java 
@@ -1,17 +1,22 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ package org.owasp.dependencycheck.data.central; -import org.owasp.dependencycheck.data.nexus.MavenArtifact; -import org.owasp.dependencycheck.utils.InvalidSettingException; -import org.owasp.dependencycheck.utils.Settings; -import org.owasp.dependencycheck.utils.URLConnectionFactory; -import org.w3c.dom.Document; -import org.w3c.dom.NodeList; - -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import javax.xml.xpath.XPath; -import javax.xml.xpath.XPathConstants; -import javax.xml.xpath.XPathFactory; import java.io.FileNotFoundException; import java.io.IOException; import java.net.HttpURLConnection; @@ -19,6 +24,16 @@ import java.net.URL; import java.util.ArrayList; import java.util.List; import java.util.logging.Logger; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.xpath.XPath; +import javax.xml.xpath.XPathConstants; +import javax.xml.xpath.XPathFactory; +import org.owasp.dependencycheck.data.nexus.MavenArtifact; +import org.owasp.dependencycheck.utils.Settings; +import org.owasp.dependencycheck.utils.URLConnectionFactory; +import org.w3c.dom.Document; +import org.w3c.dom.NodeList; /** * Class of methods to search Maven Central via Central. 
@@ -26,6 +41,7 @@ import java.util.logging.Logger; * @author colezlaw */ public class CentralSearch { + /** * The URL for the Central service */ @@ -41,17 +57,11 @@ public class CentralSearch { */ private static final Logger LOGGER = Logger.getLogger(CentralSearch.class.getName()); - /** - * Determines whether we'll continue using the analyzer. If there's some sort - * of HTTP failure, we'll disable the analyzer. - */ - private boolean isEnabled = true; - /** * Creates a NexusSearch for the given repository URL. * - * @param rootURL the URL of the repository on which searches should execute. - * Only parameters are added to this (so it should end in /select) + * @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so + * it should end in /select) */ public CentralSearch(URL rootURL) { this.rootURL = rootURL; @@ -70,8 +80,8 @@ public class CentralSearch { * * @param sha1 the SHA-1 hash string for which to search * @return the populated Maven GAV. - * @throws IOException if it's unable to connect to the specified repository or if - * the specified artifact is not found. + * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not + * found. */ public List searchSha1(String sha1) throws IOException { if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) { @@ -80,7 +90,7 @@ public class CentralSearch { final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1)); - LOGGER.info(String.format("Searching Central url %s", url.toString())); + LOGGER.fine(String.format("Searching Central url %s", url.toString())); // Determine if we need to use a proxy. The rules: // 1) If the proxy is set, AND the setting is set to true, use the proxy 
@@ -106,8 +116,8 @@ public class CentralSearch { if ("0".equals(numFound)) { missing = true; } else { - ArrayList result = new ArrayList(); - NodeList docs = (NodeList)xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET); + final ArrayList result = new ArrayList(); + final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET); for (int i = 0; i < docs.getLength(); i++) { final String g = xpath.evaluate("./str[@name='g']", docs.item(i)); LOGGER.finest(String.format("GroupId: %s", g)); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java new file mode 100644 index 000000000..9b51647d6 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java @@ -0,0 +1,14 @@ +/** + * + * + * org.owasp.dependencycheck.data.central + * + * + *
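Review bot: The `doc` that `xpath.evaluate` walks here is the parsed HTTP response body of the Central query, and the `DocumentBuilderFactory` that produces it is created outside this hunk; please confirm that DTD and external-entity processing is disabled on that factory, since the parser is consuming network-supplied XML. If it is not, `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `newDocumentBuilder()` is the usual one-line hardening. The `final` additions themselves are fine. `searchSha1` starts and ends outside the hunk.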

+ * Contains classes related to searching Maven Central.

+ *

+ * These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.

+ * + * + */ +package org.owasp.dependencycheck.data.central; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java index fa35d5eb3..857abb6cc 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java @@ -54,6 +54,7 @@ import org.owasp.dependencycheck.utils.Pair; * @author Jeremy Long */ public final class CpeMemoryIndex { + /** * The logger. */ @@ -160,7 +161,7 @@ public final class CpeMemoryIndex { */ @SuppressWarnings("unchecked") private Analyzer createSearchingAnalyzer() { - final Map fieldAnalyzers = new HashMap(); + final Map fieldAnalyzers = new HashMap(); fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer()); productSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION); vendorSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java index da6b2ae58..461f1a030 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java 
@@ -306,14 +306,14 @@ public class CveDB { * @throws DatabaseException thrown when there is an error retrieving the data from the DB */ public Set> getVendorProductList() throws DatabaseException { - final HashSet data = new HashSet>(); + final Set> data = new HashSet>(); ResultSet rs = null; PreparedStatement ps = null; try { ps = getConnection().prepareStatement(SELECT_VENDOR_PRODUCT_LIST); rs = ps.executeQuery(); while (rs.next()) { - data.add(new Pair(rs.getString(1), rs.getString(2))); + data.add(new Pair(rs.getString(1), rs.getString(2))); } } catch (SQLException ex) { final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details."; @@ -731,7 +731,7 @@ public class CveDB { * @param previous a flag indicating if previous versions of the product are vulnerable * @return true if the identified version is affected, otherwise false */ - private boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) { + protected boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) { boolean affected = false; final boolean isStruts = "apache".equals(vendor) && "struts".equals(product); final DependencyVersion v = parseDependencyVersion(cpeId); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java index cadcb2ae6..a4261abfe 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java 
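Review bot: `isAffected` is widened from `private` to `protected` so that CveDBIntegrationTest, which lives in the same package, can call it; package-private visibility would give the test the same access without making the method part of the subclass contract for every extension of CveDB. Suggest `boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {` with a one-line comment that it is package-private for testing. The method body continues outside the hunk.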
@@ -142,8 +142,8 @@ public class DatabaseProperties { * * @return a map of the database meta data */ - public Map getMetaData() { - final TreeMap map = new TreeMap(); + public Map getMetaData() { + final TreeMap map = new TreeMap(); for (Entry entry : properties.entrySet()) { final String key = (String) entry.getKey(); if (!"version".equals(key)) { @@ -156,10 +156,10 @@ public class DatabaseProperties { map.put(key, formatted); } catch (Throwable ex) { //deliberately being broad in this catch clause LOGGER.log(Level.FINE, "Unable to parse timestamp from DB", ex); - map.put(key, entry.getValue()); + map.put(key, (String) entry.getValue()); } } else { - map.put(key, entry.getValue()); + map.put(key, (String) entry.getValue()); } } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java index 5c3fba161..75565f527 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java @@ -18,6 +18,9 @@ package org.owasp.dependencycheck.data.update.task; import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; import java.io.IOException; import java.net.URL; import java.util.concurrent.Callable; @@ -25,6 +28,8 @@ import java.util.concurrent.ExecutorService; import java.util.concurrent.Future; import java.util.logging.Level; import java.util.logging.Logger; +import java.util.zip.GZIPInputStream; +import org.apache.commons.io.FileUtils; import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.update.NvdCveInfo; import org.owasp.dependencycheck.data.update.exception.UpdateException; 
@@ -195,10 +200,18 @@ public class DownloadTask implements Callable> { LOGGER.log(Level.FINE, null, ex); return null; } + if (url1.toExternalForm().endsWith(".xml.gz")) { + extractGzip(first); + } + if (url2.toExternalForm().endsWith(".xml.gz")) { + extractGzip(second); + } msg = String.format("Download Complete for NVD CVE - %s", nvdCveInfo.getId()); LOGGER.log(Level.INFO, msg); - + if (this.processorService == null) { + return null; + } final ProcessTask task = new ProcessTask(cveDB, this, settings); return this.processorService.submit(task); @@ -237,4 +250,48 @@ public class DownloadTask implements Callable> { } } } + + /** + * Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file + * specified. + * + * @param file the archive file + * @throws FileNotFoundException thrown if the file does not exist + * @throws IOException thrown if there is an error extracting the file. + */ + private void extractGzip(File file) throws FileNotFoundException, IOException { + final String originalPath = file.getPath(); + File gzip = new File(originalPath + ".gz"); + if (gzip.isFile()) { + gzip.delete(); + } + if (!file.renameTo(gzip)) { + throw new IOException("Unable to rename '" + file.getPath() + "'"); + } + final File newfile = new File(originalPath); + + final byte[] buffer = new byte[4096]; + + GZIPInputStream cin = null; + FileOutputStream out = null; + try { + cin = new GZIPInputStream(new FileInputStream(gzip)); + out = new FileOutputStream(newfile); + + int len; + while ((len = cin.read(buffer)) > 0) { + out.write(buffer, 0, len); + } + } finally { + if (cin != null) { + cin.close(); + } + if (out != null) { + out.close(); + } + if (gzip.isFile()) { + FileUtils.deleteQuietly(gzip); + } + } + } } diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties index 9f764fd0a..ef9be913f 100644 
--- a/dependency-check-core/src/main/resources/dependencycheck.properties +++ b/dependency-check-core/src/main/resources/dependencycheck.properties @@ -40,11 +40,16 @@ data.driver_path= cve.url.modified.validfordays=7 # the path to the modified nvd cve xml file. -cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml -cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml +cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz +#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml +cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz +#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml cve.startyear=2002 -cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml -cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml +cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz +#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml +cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz +#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml + # file type analyzer settings: analyzer.archive.enabled=true diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java index 1ca50dfcf..c53277180 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java 
@@ -40,7 +40,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase { @Test public void testGetSupportedExtensions() { ArchiveAnalyzer instance = new ArchiveAnalyzer(); - Set expResult = new HashSet(); + Set expResult = new HashSet(); expResult.add("zip"); expResult.add("war"); expResult.add("ear"); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java index 1febeedd2..e57d8cf15 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java @@ -93,7 +93,7 @@ public class JarAnalyzerTest extends BaseTest { @Test public void testGetSupportedExtensions() { JarAnalyzer instance = new JarAnalyzer(); - Set expResult = new HashSet(); + Set expResult = new HashSet(); expResult.add("jar"); expResult.add("war"); Set result = instance.getSupportedExtensions(); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java index 74dfb7efa..cdb137e7d 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java @@ -38,7 +38,7 @@ public class JavaScriptAnalyzerTest extends BaseTest { @Test public void testGetSupportedExtensions() { JavaScriptAnalyzer instance = new JavaScriptAnalyzer(); - Set expResult = new HashSet(); + Set expResult = new HashSet(); expResult.add("js"); Set result = instance.getSupportedExtensions(); assertEquals(expResult, result); 
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java index 66f78f19c..8dca8b780 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java @@ -19,9 +19,11 @@ package org.owasp.dependencycheck.data.nvdcve; import java.util.List; import java.util.Set; +import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; import org.junit.Test; import org.owasp.dependencycheck.dependency.VulnerableSoftware; +import org.owasp.dependencycheck.utils.DependencyVersion; /** * @@ -72,4 +74,21 @@ public class CveDBIntegrationTest extends BaseDBTestCase { instance.close(); } } + + /** + * Test of isAffected method, of class CveDB. + */ + @Test + public void testIsAffected() throws Exception { + String vendor = "openssl"; + String product = "openssl"; + DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o"); + String cpeId = "cpe:/a:openssl:openssl:1.0.1e"; + String previous = "y"; + + CveDB instance = new CveDB(); + assertFalse(instance.isAffected(vendor, product, identifiedVersion, cpeId, previous)); + + } + } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/task/DownloadTaskTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/task/DownloadTaskTest.java new file mode 100644 index 000000000..5e6ffdeb0 --- /dev/null +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/task/DownloadTaskTest.java 
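Review bot: `testIsAffected` constructs a `CveDB` and never calls `instance.close()`, while the preceding test in this class, whose `instance.close();` is visible in the hunk context, does; if the constructor opens a connection (not visible here) the test leaks it across the suite. Suggest `CveDB instance = new CveDB(); try { assertFalse(instance.isAffected(vendor, product, identifiedVersion, cpeId, previous)); } finally { instance.close(); }`.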
@@ -0,0 +1,75 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.update.task; + +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Future; +import org.junit.After; +import org.junit.AfterClass; +import static org.junit.Assert.assertNull; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.owasp.dependencycheck.data.nvdcve.CveDB; +import org.owasp.dependencycheck.data.update.NvdCveInfo; +import org.owasp.dependencycheck.utils.Settings; + +/** + * + * @author Jeremy Long + */ +public class DownloadTaskTest { + + public DownloadTaskTest() { + } + + @BeforeClass + public static void setUpClass() { + } + + @AfterClass + public static void tearDownClass() { + } + + @Before + public void setUp() { + Settings.initialize(); + } + + @After + public void tearDown() { + Settings.cleanup(); + } + + /** + * Test of call method, of class DownloadTask. 
+ */ + @Test + public void testCall() throws Exception { + NvdCveInfo cve = new NvdCveInfo(); + cve.setId("modified"); + cve.setNeedsUpdate(true); + cve.setUrl(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL)); + cve.setOldSchemaVersionUrl(Settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL)); + ExecutorService processExecutor = null; + CveDB cveDB = null; + DownloadTask instance = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());; + Future result = instance.call(); + assertNull(result); + } +} diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java index 642bc99a4..c786cf0cc 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java @@ -165,6 +165,14 @@ public class DependencyVersionTest { version = new DependencyVersion("1.2.3.1"); assertEquals(-1, instance.compareTo(version)); + instance = new DependencyVersion("1.0.1n"); + version = new DependencyVersion("1.0.1m"); + assertEquals(1, instance.compareTo(version)); + version = new DependencyVersion("1.0.1n"); + assertEquals(0, instance.compareTo(version)); + version = new DependencyVersion("1.0.1o"); + assertEquals(-1, instance.compareTo(version)); + DependencyVersion[] dv = new DependencyVersion[7]; dv[0] = new DependencyVersion("2.1.3"); dv[1] = new DependencyVersion("2.1.3.r2"); diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties index ae48d04c2..2a364e089 100644 --- a/dependency-check-core/src/test/resources/dependencycheck.properties +++ b/dependency-check-core/src/test/resources/dependencycheck.properties 
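Review bot: `testCall` performs a live download from the configured NVD URL, yet the class is named `DownloadTaskTest` rather than following the `*IntegrationTest` naming this commit uses elsewhere for network-dependent tests (CveDBIntegrationTest, DownloaderIntegrationTest), so it will presumably run, and fail offline, in the plain unit-test phase; rename it `DownloadTaskIntegrationTest` or otherwise mark it. The assertion only checks that `call()` returns null when `processExecutor` is null, which exercises the new early return but not the new gzip path; asserting that the extracted file exists and begins with an XML declaration would cover `extractGzip` as well. There is also a stray `;;` at the end of the `new DownloadTask(...)` line.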
@@ -47,11 +47,16 @@ cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-di
 cve.url.modified.validfordays=7
 # the path to the modified nvd cve xml file.
-cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
-cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.startyear=2014
-cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
-cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
+cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
+#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
+cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
+#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
+#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
+cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
+#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
diff --git a/dependency-check-jenkins/pom.xml b/dependency-check-jenkins/pom.xml
index 7c87b0e1d..a967cd996 100644
--- a/dependency-check-jenkins/pom.xml
+++ b/dependency-check-jenkins/pom.xml
@@ -3,7 +3,7 @@ org.owasp dependency-check-parent
- 1.2.6-SNAPSHOT
+ 1.2.6
 org.owasp dependency-check-jenkins
diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml
index dfbdb8e37..147dca413 100644
--- a/dependency-check-maven/pom.xml
+++ b/dependency-check-maven/pom.xml
@@ -22,7 +22,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent
- 1.2.6-SNAPSHOT
+ 1.2.6
 dependency-check-maven
diff --git a/dependency-check-utils/pom.xml b/dependency-check-utils/pom.xml
index 9dad1ea6f..3dca43d54 100644
--- a/dependency-check-utils/pom.xml
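Review bot: The hunk header still shows `cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-di...` on plain http directly above the four CVE feed URLs that this hunk moves to https; the CPE dictionary is downloaded and parsed by the same update path and feeds the same matching, so it should move to https in the same change, and the dependency-check-utils copy of this file (hunk `@@ -45,11 +45,15 @@` further down) carries the same header line. The retired http locations are kept as commented-out entries such as `#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml`; a reader can take these as a sanctioned fallback, which is exactly the unauthenticated channel this change retires, so either delete them or label the group once, e.g. `# former plain-http feed locations, kept for reference only; do not re-enable`. A one-line comment on why the feeds changed (transport and compression) would also help, since the existing `# the path to the modified nvd cve xml file.` no longer describes `.xml.gz` values.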
+++ b/dependency-check-utils/pom.xml
@@ -21,7 +21,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent
- 1.2.6-SNAPSHOT
+ 1.2.6
 dependency-check-utils
diff --git a/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java b/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java
index 530a8faae..b84b49257 100644
--- a/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java
+++ b/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java
@@ -42,12 +42,12 @@ public class DownloaderIntegrationTest extends BaseTest {
 URL url = new URL(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
 File outputPath = new File("target/downloaded_cve.xml");
 Downloader.fetchFile(url, outputPath);
-
+
 assertTrue(outputPath.isFile());
 }
 @Test
 public void testGetLastModified() throws Exception {
- URL url = new URL("http://nvd.nist.gov/download/nvdcve-2012.xml");
+ URL url = new URL(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
 long timestamp = Downloader.getLastModified(url);
 assertTrue("timestamp equal to zero?", timestamp > 0);
 }
diff --git a/dependency-check-utils/src/test/resources/dependencycheck.properties b/dependency-check-utils/src/test/resources/dependencycheck.properties
index 8ed80a630..bdcbe1a41 100644
--- a/dependency-check-utils/src/test/resources/dependencycheck.properties
+++ b/dependency-check-utils/src/test/resources/dependencycheck.properties
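Review bot: testFetchFile still writes the download to `new File("target/downloaded_cve.xml")` and only checks `outputPath.isFile()`, but the test properties in this commit point `cve.url-2.0.modified` at `...nvdcve-2.0-Modified.xml.gz` (assuming `Settings.KEYS.CVE_MODIFIED_20_URL` resolves to that key — the mapping is not in this diff), so the file the test produces is gzip-compressed despite its `.xml` name, and an empty file or an HTML error page would pass the assertion just as well. Consider naming the output `downloaded_cve.xml.gz` and asserting on content, e.g. `assertTrue(outputPath.length() > 0)` plus a check that the file starts with the gzip magic bytes, so a change in what the server returns is caught here rather than in the XML parser. testFetchFile starts outside the hunk; testGetLastModified now resolves its URL from Settings the same way, which is fine as long as the assertion remains the `timestamp > 0` check against a feed that is re-published continuously.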
@@ -45,11 +45,15 @@ cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-di
 cve.url.modified.validfordays=7
 # the path to the modified nvd cve xml file.
-cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
-cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.startyear=2014
-cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
-cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
+cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
+#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
+cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
+#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
+#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
+cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
+#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
diff --git a/pom.xml b/pom.xml
index eb48cde22..62bfb302c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent
- 1.2.6-SNAPSHOT
+ 1.2.6
 pom
diff --git a/src/site/markdown/related.md b/src/site/markdown/related.md new file mode 100644
index 000000000..17ccc6fe6
--- /dev/null
+++ b/src/site/markdown/related.md
@@ -0,0 +1,20 @@
+Related FOSS Projects
+===========
+* [The Victims Project](https://github.com/victims)
+* [Retire.js](http://bekk.github.io/retire.js/)
+
+Vulnerability Sources
+===========
+The following are sources of vulnerability information. Dependency-check only uses information in the National Vulnerability
+Database (NVD). The other sources listed below contain vulnerability information that may not be included in the NVD.
+* [National Vulnerability Database](https://nvd.nist.gov/)
+* [OSVDB](http://osvdb.org/)
+
+Related Commercial Products
+===========
+The below list is merely informational. It is not a complete list, nor do the authors of dependency-check endorse any
+of the products listed below.
+* [Sonatype CLM](http://www.sonatype.com/clm/overview)
+* [Black Duck](https://www.blackducksoftware.com/products/black-duck-suite/code-center)
+* [Palamida](http://www.palamida.com/products/enterpriseedition.html)
+