From 06cd811ae4cae7268c8a09258a581f718ed4645c Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 11 Nov 2014 13:41:20 -0500 Subject: [PATCH 01/26] fixed xlint unchecked call warnings Former-commit-id: b74ee0e63568b7b222f0459ad66a7e281b2f2e2f --- .../owasp/dependencycheck/data/cpe/CpeMemoryIndex.java | 3 ++- .../java/org/owasp/dependencycheck/data/nvdcve/CveDB.java | 4 ++-- .../dependencycheck/data/nvdcve/DatabaseProperties.java | 8 ++++---- .../analyzer/ArchiveAnalyzerIntegrationTest.java | 2 +- .../owasp/dependencycheck/analyzer/JarAnalyzerTest.java | 2 +- .../dependencycheck/analyzer/JavaScriptAnalyzerTest.java | 2 +- 6 files changed, 11 insertions(+), 10 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java index fa35d5eb3..857abb6cc 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java @@ -54,6 +54,7 @@ import org.owasp.dependencycheck.utils.Pair; * @author Jeremy Long */ public final class CpeMemoryIndex { + /** * The logger. */ @@ -160,7 +161,7 @@ public final class CpeMemoryIndex { */ @SuppressWarnings("unchecked") private Analyzer createSearchingAnalyzer() { - final Map fieldAnalyzers = new HashMap(); + final Map fieldAnalyzers = new HashMap(); fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer()); productSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION); vendorSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java index da6b2ae58..24d6a09b4 100644 
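Review bot: With `fieldAnalyzers` now declared with type arguments, the `@SuppressWarnings("unchecked")` on `createSearchingAnalyzer()` two lines above the changed declaration is probably stale, and leaving it in place hides any future unchecked call in this method; if the rest of the method (outside this hunk) has no other raw-typed call, drop the annotation, otherwise narrow it to the single statement that still needs it. The rendering of this patch has stripped the generic type arguments, so I cannot confirm the exact declared types from here.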
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java @@ -306,14 +306,14 @@ public class CveDB { * @throws DatabaseException thrown when there is an error retrieving the data from the DB */ public Set> getVendorProductList() throws DatabaseException { - final HashSet data = new HashSet>(); + final Set> data = new HashSet>(); ResultSet rs = null; PreparedStatement ps = null; try { ps = getConnection().prepareStatement(SELECT_VENDOR_PRODUCT_LIST); rs = ps.executeQuery(); while (rs.next()) { - data.add(new Pair(rs.getString(1), rs.getString(2))); + data.add(new Pair(rs.getString(1), rs.getString(2))); } } catch (SQLException ex) { final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details."; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java index cadcb2ae6..a4261abfe 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java @@ -142,8 +142,8 @@ public class DatabaseProperties { * * @return a map of the database meta data */ - public Map getMetaData() { - final TreeMap map = new TreeMap(); + public Map getMetaData() { + final TreeMap map = new TreeMap(); for (Entry entry : properties.entrySet()) { final String key = (String) entry.getKey(); if (!"version".equals(key)) { 
@@ -156,10 +156,10 @@ public class DatabaseProperties { map.put(key, formatted); } catch (Throwable ex) { //deliberately being broad in this catch clause LOGGER.log(Level.FINE, "Unable to parse timestamp from DB", ex); - map.put(key, entry.getValue()); + map.put(key, (String) entry.getValue()); } } else { - map.put(key, entry.getValue()); + map.put(key, (String) entry.getValue()); } } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java index 1ca50dfcf..c53277180 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java @@ -40,7 +40,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase { @Test public void testGetSupportedExtensions() { ArchiveAnalyzer instance = new ArchiveAnalyzer(); - Set expResult = new HashSet(); + Set expResult = new HashSet(); expResult.add("zip"); expResult.add("war"); expResult.add("ear"); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java index 1febeedd2..e57d8cf15 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java @@ -93,7 +93,7 @@ public class JarAnalyzerTest extends BaseTest { @Test public void testGetSupportedExtensions() { JarAnalyzer instance = new JarAnalyzer(); - Set expResult = new HashSet(); + Set expResult = new HashSet(); expResult.add("jar"); expResult.add("war"); Set result = instance.getSupportedExtensions(); 
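Review bot: The added `(String) entry.getValue()` casts in both branches of this hunk (and the `(String) entry.getKey()` cast in the preceding hunk at -142) throw ClassCastException if `properties` ever holds a non-String entry, which `java.util.Properties.put(Object, Object)` permits; the `catch (Throwable)` only wraps the timestamp parse, so the cast in the else branch is unguarded. If `properties` is a `java.util.Properties` (I can only infer that from the casts), iterating `for (String key : properties.stringPropertyNames())` and reading `properties.getProperty(key)` removes all three casts and skips non-String entries by documented contract instead of failing on them. The enclosing `getMetaData()` loop starts in the previous hunk and its closing lines are in this one.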
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java index 74dfb7efa..cdb137e7d 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java @@ -38,7 +38,7 @@ public class JavaScriptAnalyzerTest extends BaseTest { @Test public void testGetSupportedExtensions() { JavaScriptAnalyzer instance = new JavaScriptAnalyzer(); - Set expResult = new HashSet(); + Set expResult = new HashSet(); expResult.add("js"); Set result = instance.getSupportedExtensions(); assertEquals(expResult, result); From 155464bc8788aefdb7c441e2abfebad9e6d35a4a Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 11 Nov 2014 14:40:48 -0500 Subject: [PATCH 02/26] reformated and changed isEnabled to a getter by adding checkEnabled that is called during initialization Former-commit-id: d5c1224709469fccacfad7e22cf5a44eecdcab36 --- .../analyzer/CentralAnalyzer.java | 33 +++++++++++-------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java index ade039960..4c66c133c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java 
@@ -1,14 +1,5 @@ package org.owasp.dependencycheck.analyzer; -import org.owasp.dependencycheck.Engine; -import org.owasp.dependencycheck.analyzer.exception.AnalysisException; -import org.owasp.dependencycheck.data.nexus.MavenArtifact; -import org.owasp.dependencycheck.data.central.CentralSearch; -import org.owasp.dependencycheck.dependency.Confidence; -import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.utils.InvalidSettingException; -import org.owasp.dependencycheck.utils.Settings; - import java.io.FileNotFoundException; import java.io.IOException; import java.net.URL; @@ -16,11 +7,20 @@ import java.util.List; import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.data.central.CentralSearch; +import org.owasp.dependencycheck.data.nexus.MavenArtifact; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.utils.InvalidSettingException; +import org.owasp.dependencycheck.utils.Settings; /** * Created by colezlaw on 10/9/14. */ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { + /** * The logger. */ @@ -29,7 +29,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { /** * The name of the analyzer. */ - private static final String ANALYZER_NAME = "Central Analyzer"; + private static final String ANALYZER_NAME = "Central Analyzer"; /** * The phase in which this analyzer runs. 
@@ -42,8 +42,8 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { private static final Set SUPPORTED_EXTENSIONS = newHashSet("jar"); /** - * The analyzer should be disabled if there are errors, so this is a flag - * to determine if such an error has occurred. + * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has + * occurred. */ protected boolean errorFlag = false; @@ -52,6 +52,8 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { */ private CentralSearch searcher; + private boolean enabled = checkEnabled(); + /** * Determine whether to enable this analyzer or not. * @@ -59,6 +61,10 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { */ @Override public boolean isEnabled() { + return enabled; + } + + private boolean checkEnabled() { boolean retval = false; try { @@ -106,7 +112,8 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { return ANALYZER_NAME; } - /** Returns the key used in the properties file to to reference the analyzer's enabled property. + /** + * Returns the key used in the properties file to to reference the analyzer's enabled property. * * @return the analyzer's enabled property setting key. */ From e662041d066c378d7384953f013732608955e2e1 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 11 Nov 2014 14:41:08 -0500 Subject: [PATCH 03/26] reformated and changed isEnabled to a getter by adding checkEnabled that is called during initialization Former-commit-id: 3bfb0dd2da37d718708d047e425fb8b125dddf34 --- .../analyzer/NexusAnalyzer.java | 34 +++++++++++-------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java index 22db369ad..d6324d11e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java 
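Review bot: `private boolean enabled = checkEnabled();` evaluates the Settings lookup in a field initializer, i.e. when the analyzer is constructed, not "during initialization" as the commit message says; `initializeFileTypeAnalyzer()` runs later (its Javadoc in PATCH 09 says "once before any analysis is performed"), so any setting loaded between construction and initialization is not observed and `isEnabled()` keeps returning the stale snapshot. If settings can be populated after the analyzer is constructed, assign `enabled = checkEnabled();` at the top of `initializeFileTypeAnalyzer()` instead (which also means the field cannot be `final`, as PATCH 09 makes it). The `errorFlag` field documented just above as disabling the analyzer on errors is not consulted by the new `isEnabled()`; confirm that the error path still stops analysis. Either way, `isEnabled()` deserves a Javadoc line such as `* The value is computed once when the analyzer is constructed; later Settings changes are not observed.`. `checkEnabled()`'s body continues outside this hunk, and the identical pattern is introduced for NexusAnalyzer in PATCH 03, where the same points apply.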
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java @@ -24,7 +24,6 @@ import java.net.URL; import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; - import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.data.nexus.MavenArtifact; @@ -34,8 +33,6 @@ import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.utils.InvalidSettingException; import org.owasp.dependencycheck.utils.Settings; -import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; - /** * Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency. * @@ -51,6 +48,7 @@ import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; * @author colezlaw */ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { + /** * The default URL - this will be used by the CentralAnalyzer to determine whether to enable this. */ 
@@ -81,21 +79,17 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { */ private NexusSearch searcher; - /** - * Determine whether to enable this analyzer or not. - * - * @return whether the analyzer should be enabled - */ - @Override - public boolean isEnabled() { + private boolean enabled = checkEnabled(); + + private boolean checkEnabled() { /* Enable this analyzer ONLY if the Nexus URL has been set to something - other than the default one (if it's the default one, we'll use the - central one) and it's enabled by the user. + other than the default one (if it's the default one, we'll use the + central one) and it's enabled by the user. */ boolean retval = false; try { - if ((! DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) - && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) { + if ((!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) + && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) { LOGGER.info("Enabling Nexus analyzer"); retval = true; } else { @@ -108,6 +102,16 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { return retval; } + /** + * Determine whether to enable this analyzer or not. + * + * @return whether the analyzer should be enabled + */ + @Override + public boolean isEnabled() { + return enabled; + } + /** * Initializes the analyzer once before any analysis is performed. * @@ -184,7 +188,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { */ @Override public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException { - if (! isEnabled()) { + if (!isEnabled()) { return; } try { From 0a9d8a9b225398d190eb562d0b9cd1ee5508cba5 Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Tue, 11 Nov 2014 14:41:40 -0500 Subject: [PATCH 04/26] reformated and changed logging level from info to fine Former-commit-id: 035ca7c4d83322734f16f0b51f695bf7e4caa7b0 --- .../data/central/CentralSearch.java | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java index 8977d13e7..d02adb8e3 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java @@ -1,7 +1,6 @@ package org.owasp.dependencycheck.data.central; import org.owasp.dependencycheck.data.nexus.MavenArtifact; -import org.owasp.dependencycheck.utils.InvalidSettingException; import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.URLConnectionFactory; import org.w3c.dom.Document; @@ -26,6 +25,7 @@ import java.util.logging.Logger; * @author colezlaw */ public class CentralSearch { + /** * The URL for the Central service */ 
@@ -42,16 +42,16 @@ public class CentralSearch { private static final Logger LOGGER = Logger.getLogger(CentralSearch.class.getName()); /** - * Determines whether we'll continue using the analyzer. If there's some sort - * of HTTP failure, we'll disable the analyzer. + * Determines whether we'll continue using the analyzer. If there's some sort of HTTP failure, we'll disable the + * analyzer. */ private boolean isEnabled = true; /** * Creates a NexusSearch for the given repository URL. * - * @param rootURL the URL of the repository on which searches should execute. - * Only parameters are added to this (so it should end in /select) + * @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so + * it should end in /select) */ public CentralSearch(URL rootURL) { this.rootURL = rootURL; @@ -70,8 +70,8 @@ public class CentralSearch { * * @param sha1 the SHA-1 hash string for which to search * @return the populated Maven GAV. - * @throws IOException if it's unable to connect to the specified repository or if - * the specified artifact is not found. + * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not + * found. */ public List searchSha1(String sha1) throws IOException { if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) { @@ -80,7 +80,7 @@ public class CentralSearch { final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1)); - LOGGER.info(String.format("Searching Central url %s", url.toString())); + LOGGER.fine(String.format("Searching Central url %s", url.toString())); // Determine if we need to use a proxy. The rules: // 1) If the proxy is set, AND the setting is set to true, use the proxy 
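Review bot: Lowering the URL log line to FINE is reasonable, but `url` is built by string concatenation with unencoded `"` characters around the digest, so it only stays a well-formed query because of the `^[0-9A-Fa-f]{40}$` check in the hunk above; that check is load-bearing and deserves a comment, e.g. `// the digest is interpolated into the query URL below; the strict hex check is what keeps it from altering the request`. `String.matches` recompiles the expression on every call; the usual form is `private static final Pattern SHA1_PATTERN = Pattern.compile("^[0-9A-Fa-f]{40}$");` with `SHA1_PATTERN.matcher(sha1).matches()`. The response is parsed as XML further down in `searchSha1` (the parser factory is outside this hunk); confirm that the `DocumentBuilderFactory` disables DTDs and external entities, since a tampered or proxied response would otherwise reach an XXE-capable parser.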
@@ -107,7 +107,7 @@ public class CentralSearch { missing = true; } else { ArrayList result = new ArrayList(); - NodeList docs = (NodeList)xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET); + NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET); for (int i = 0; i < docs.getLength(); i++) { final String g = xpath.evaluate("./str[@name='g']", docs.item(i)); LOGGER.finest(String.format("GroupId: %s", g)); From cdbbb1b94c6322cfdd31bfaf39d1ff6b2489853a Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 11 Nov 2014 14:42:34 -0500 Subject: [PATCH 05/26] made isAffected protected instead of private so that tests could be added Former-commit-id: e7fd58900b4c8ebbaf06d476870defa4fc921628 --- .../main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java index 24d6a09b4..461f1a030 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java @@ -731,7 +731,7 @@ public class CveDB { * @param previous a flag indicating if previous versions of the product are vulnerable * @return true if the identified version is affected, otherwise false */ - private boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) { + protected boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) { boolean affected = false; final boolean isStruts = "apache".equals(vendor) && "struts".equals(product); final DependencyVersion v = parseDependencyVersion(cpeId); From bad425c0d78f8a333544b44c2ec6e16cd8194719 Mon Sep 17 00:00:00 2001 
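Review bot: `isAffected` is widened to `protected`, which exposes it to any subclass in any package, while the test that needs it (PATCH 06) lives in the same package `org.owasp.dependencycheck.data.nvdcve`; package-private visibility, `boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {`, is enough for the test and keeps the method out of the class's inheritable API. If it is kept `protected`, add a Javadoc line stating the intent, e.g. `* Visible for unit testing only; not part of the public API.`, so callers do not come to rely on it. The method body continues outside this hunk.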
From: Jeremy Long Date: Tue, 11 Nov 2014 14:43:15 -0500 Subject: [PATCH 06/26] added test for isAffected Former-commit-id: 36a6d28ff03e41307574ee40381b0833c5c4ab01 --- .../data/nvdcve/CveDBIntegrationTest.java | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java index 66f78f19c..8dca8b780 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java @@ -19,9 +19,11 @@ package org.owasp.dependencycheck.data.nvdcve; import java.util.List; import java.util.Set; +import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; import org.junit.Test; import org.owasp.dependencycheck.dependency.VulnerableSoftware; +import org.owasp.dependencycheck.utils.DependencyVersion; /** * @@ -72,4 +74,21 @@ public class CveDBIntegrationTest extends BaseDBTestCase { instance.close(); } } + + /** + * Test of isAffected method, of class CveDB. + */ + @Test + public void testIsAffected() throws Exception { + String vendor = "openssl"; + String product = "openssl"; + DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o"); + String cpeId = "cpe:/a:openssl:openssl:1.0.1e"; + String previous = "y"; + + CveDB instance = new CveDB(); + assertFalse(instance.isAffected(vendor, product, identifiedVersion, cpeId, previous)); + + } + } From 89ab382a184974176b853a1fbb3121b35d662fbb Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 11 Nov 2014 14:43:47 -0500 Subject: [PATCH 07/26] added additional tests for compareto(version) Former-commit-id: 0a02681251a30e6b675461b7487198a1cc7eb850 --- .../dependencycheck/utils/DependencyVersionTest.java | 8 ++++++++ 1 file changed, 8 insertions(+) 
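Review bot: `testIsAffected` only asserts the negative case (1.0.1o is newer than the CPE version 1.0.1e with `previous = "y"`), so an implementation that always returns false would pass; add the positive case too, e.g. `assertTrue(instance.isAffected(vendor, product, new DependencyVersion("1.0.1d"), cpeId, previous));`, and a case with `previous = "n"`, given the Javadoc on `isAffected` (PATCH 05) that `previous` flags whether earlier versions are vulnerable. The preceding test in this file closes its `CveDB` with `instance.close()`, while this one constructs a `CveDB` and never closes it; if the constructor opens a database connection (not visible here), use the same try/finally shape as the test above.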
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java index 642bc99a4..c786cf0cc 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java @@ -165,6 +165,14 @@ public class DependencyVersionTest { version = new DependencyVersion("1.2.3.1"); assertEquals(-1, instance.compareTo(version)); + instance = new DependencyVersion("1.0.1n"); + version = new DependencyVersion("1.0.1m"); + assertEquals(1, instance.compareTo(version)); + version = new DependencyVersion("1.0.1n"); + assertEquals(0, instance.compareTo(version)); + version = new DependencyVersion("1.0.1o"); + assertEquals(-1, instance.compareTo(version)); + DependencyVersion[] dv = new DependencyVersion[7]; dv[0] = new DependencyVersion("2.1.3"); dv[1] = new DependencyVersion("2.1.3.r2"); From 5ca5bca3df6124214752ddc818394cf2cc759336 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 11 Nov 2014 15:13:01 -0500 Subject: [PATCH 08/26] updated javadoc Former-commit-id: 7b00991a0cf90ca34c8c54b8297014b01e676b04 --- .../owasp/dependencycheck/analyzer/CentralAnalyzer.java | 8 ++++++++ .../org/owasp/dependencycheck/analyzer/NexusAnalyzer.java | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java index 4c66c133c..019b59aeb 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java 
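Review bot: The new assertions pin `compareTo` to exactly 1, 0 and -1, but `Comparable.compareTo` only contracts the sign, so these tests break on any legitimate reimplementation that returns a segment difference; `assertEquals(1, Integer.signum(instance.compareTo(version)));` keeps the intent without over-specifying. If `DependencyVersion.compareTo` is documented to return exactly -1/0/1 (I cannot see it), the exact-value form is consistent with the rest of this file and can stay.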
@@ -52,6 +52,9 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { */ private CentralSearch searcher; + /** + * Field indicating if the analyzer is enabled. + */ private boolean enabled = checkEnabled(); /** @@ -64,6 +67,11 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { return enabled; } + /** + * Determines if this analyzer is enabled + * + * @return true if the analyzer is enabled; otherwise false + */ private boolean checkEnabled() { boolean retval = false; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java index d6324d11e..d97c499c0 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java @@ -79,8 +79,16 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { */ private NexusSearch searcher; + /** + * Field indicating if the analyzer is enabled. + */ private boolean enabled = checkEnabled(); + /** + * Determines if this analyzer is enabled + * + * @return true if the analyzer is enabled; otherwise false + */ private boolean checkEnabled() { /* Enable this analyzer ONLY if the Nexus URL has been set to something other than the default one (if it's the default one, we'll use the From 6b73430473e33f9593553eb8eeae3ab4aff7bf94 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 12 Nov 2014 15:43:36 -0500 Subject: [PATCH 09/26] added javadoc and changes suggested by checkstyle Former-commit-id: 5f216b873b2d1845747fa4a77159399e818aef5a --- .../analyzer/CentralAnalyzer.java | 31 +++++++++++++++---- 1 file changed, 25 insertions(+), 6 deletions(-) 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java index 019b59aeb..c89f35bd2 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java @@ -1,3 +1,20 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ package org.owasp.dependencycheck.analyzer; import java.io.FileNotFoundException; @@ -17,7 +34,10 @@ import org.owasp.dependencycheck.utils.InvalidSettingException; import org.owasp.dependencycheck.utils.Settings; /** - * Created by colezlaw on 10/9/14. + * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's + * SHA-1 digest. + * + * @author colezlaw */ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { @@ -45,7 +65,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has * occurred. */ - protected boolean errorFlag = false; + private boolean errorFlag = false; /** * The searcher itself. 
@@ -55,7 +75,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { /** * Field indicating if the analyzer is enabled. */ - private boolean enabled = checkEnabled(); + private final boolean enabled = checkEnabled(); /** * Determine whether to enable this analyzer or not. @@ -68,7 +88,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { } /** - * Determines if this analyzer is enabled + * Determines if this analyzer is enabled. * * @return true if the analyzer is enabled; otherwise false */ @@ -90,14 +110,13 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { } catch (InvalidSettingException ise) { LOGGER.warning("Invalid setting. Disabling the Central analyzer"); } - return retval; } /** * Initializes the analyzer once before any analysis is performed. * - * @throws Exception if there's an error during initalization + * @throws Exception if there's an error during initialization */ @Override public void initializeFileTypeAnalyzer() throws Exception { From 9bc9bc9169c3e4179f85d69926c8c08317308d86 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 12 Nov 2014 15:44:18 -0500 Subject: [PATCH 10/26] made enabled final Former-commit-id: ded2d5de559091d8383ec26941f166018c33bb7a --- .../java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java index d97c499c0..3219787d1 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java 
@@ -82,7 +82,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { /** * Field indicating if the analyzer is enabled. */ - private boolean enabled = checkEnabled(); + private final boolean enabled = checkEnabled(); /** * Determines if this analyzer is enabled From 89217f778ed81ba64333e5b3fda60b446dd051c3 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 12 Nov 2014 15:44:43 -0500 Subject: [PATCH 11/26] added package-info Former-commit-id: 78bd4ce6243fadc58524ec48bb0d964205e044cd --- .../dependencycheck/data/central/package-info.java | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java new file mode 100644 index 000000000..9b51647d6 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java @@ -0,0 +1,14 @@ +/** + * + * + * org.owasp.dependencycheck.data.central + * + * + *

+ * Contains classes related to searching Maven Central.

+ *

+ * These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.

+ * + * + */ +package org.owasp.dependencycheck.data.central; From 52d5baaf3f48e4799549495c4a487143fd05c63a Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 12 Nov 2014 16:04:23 -0500 Subject: [PATCH 12/26] reformated and added checkstyle corrections Former-commit-id: c68e06287fdd09768c9fade7e534ca421899c9c5 --- .../data/central/CentralSearch.java | 42 +++++++++++++------ 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java index d02adb8e3..97b4841b5 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java 
@@ -1,16 +1,22 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ package org.owasp.dependencycheck.data.central; -import org.owasp.dependencycheck.data.nexus.MavenArtifact; -import org.owasp.dependencycheck.utils.Settings; -import org.owasp.dependencycheck.utils.URLConnectionFactory; -import org.w3c.dom.Document; -import org.w3c.dom.NodeList; - -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import javax.xml.xpath.XPath; -import javax.xml.xpath.XPathConstants; -import javax.xml.xpath.XPathFactory; import java.io.FileNotFoundException; import java.io.IOException; import java.net.HttpURLConnection; @@ -18,6 +24,16 @@ import java.net.URL; import java.util.ArrayList; import java.util.List; import java.util.logging.Logger; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.xpath.XPath; +import javax.xml.xpath.XPathConstants; +import javax.xml.xpath.XPathFactory; +import org.owasp.dependencycheck.data.nexus.MavenArtifact; +import org.owasp.dependencycheck.utils.Settings; +import org.owasp.dependencycheck.utils.URLConnectionFactory; +import org.w3c.dom.Document; +import org.w3c.dom.NodeList; /** * Class of methods to search Maven Central via Central. 
@@ -106,8 +122,8 @@ public class CentralSearch { if ("0".equals(numFound)) { missing = true; } else { - ArrayList result = new ArrayList(); - NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET); + final ArrayList result = new ArrayList(); + final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET); for (int i = 0; i < docs.getLength(); i++) { final String g = xpath.evaluate("./str[@name='g']", docs.item(i)); LOGGER.finest(String.format("GroupId: %s", g)); From 243c36849cec6fe534d77c17405493b284a9b8b5 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 15 Nov 2014 08:20:15 -0500 Subject: [PATCH 13/26] noop Former-commit-id: e155fa37527c62925bdb7e52d539329e3f9ebabe --- dependency-check-core/pom.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 8512ae327..16f14d585 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -419,6 +419,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. 4.3.1 test + com.google.code.findbugs annotations From 662815b1eef6fbd4d08cefb97dee2d98b0a72e99 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 15 Nov 2014 08:21:03 -0500 Subject: [PATCH 14/26] added an extract phase if the downloaded file is a .gz Former-commit-id: 0385e9a7922bc18eccb3b3075cc866c462ae6f2b --- .../data/update/task/DownloadTask.java | 47 ++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java index 5c3fba161..2231dc613 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java 
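Review bot: `final ArrayList result = new ArrayList();` declares the local by its implementation type; `final List result = new ArrayList();` is the conventional form, and if the rendering dropped the type arguments the element type should be spelled out as well (presumably `MavenArtifact`, given the import in the preceding hunk — confirm). Declaring `docs` as `final NodeList` is fine, but the XPath evaluation runs over a document fetched from the network, so the safety of this loop depends on how the DocumentBuilderFactory that produced `doc` is configured, which is not visible here. The enclosing method starts and ends outside the hunk.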
@@ -18,6 +18,9 @@ package org.owasp.dependencycheck.data.update.task; import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; import java.io.IOException; import java.net.URL; import java.util.concurrent.Callable; @@ -25,6 +28,8 @@ import java.util.concurrent.ExecutorService; import java.util.concurrent.Future; import java.util.logging.Level; import java.util.logging.Logger; +import java.util.zip.GZIPInputStream; +import org.apache.tools.ant.util.FileUtils; import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.update.NvdCveInfo; import org.owasp.dependencycheck.data.update.exception.UpdateException; @@ -195,10 +200,18 @@ public class DownloadTask implements Callable> { LOGGER.log(Level.FINE, null, ex); return null; } + if (url1.toExternalForm().endsWith(".xml.gz")) { + extractGzip(first); + } + if (url2.toExternalForm().endsWith(".xml.gz")) { + extractGzip(second); + } msg = String.format("Download Complete for NVD CVE - %s", nvdCveInfo.getId()); LOGGER.log(Level.INFO, msg); - + if (this.processorService == null) { + return null; + } final ProcessTask task = new ProcessTask(cveDB, this, settings); return this.processorService.submit(task); 
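Review bot: The added `if (this.processorService == null) { return null; }` makes call() return null for two unrelated outcomes — a failed download (the earlier `return null` after the FINE log) and a successful download that was deliberately not processed — and nothing documents the second meaning; add to the method's Javadoc something like `@return the future of the ProcessTask, or null if the download failed or no processor service was supplied`. The gzip detection keys off the URL text (`url1.toExternalForm().endsWith(".xml.gz")`) rather than the downloaded content, which is fine for the configured NVD feeds but presumably leaves an archive unexpanded if a differently named URL is configured. extractGzip declares IOException and the surrounding handling is not in the hunk; confirm the caller turns it into the same UpdateException path as other failures rather than letting it escape call(). The enclosing call() starts and ends outside the hunk.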
@@ -237,4 +250,36 @@ public class DownloadTask implements Callable> {
 }
 }
 }
+
+ /**
+ * Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file
+ * specified.
+ *
+ * @param file the archive file
+ * @throws FileNotFoundException thrown if the file does not exist
+ * @throws IOException thrown if there is an error extracting the file.
+ */
+ private void extractGzip(File file) throws FileNotFoundException, IOException {
+ String originalPath = file.getPath();
+ File gzip = new File(originalPath + ".gz");
+ if (gzip.isFile()) {
+ gzip.delete();
+ }
+ file.renameTo(gzip);
+ file = new File(originalPath);
+
+ byte[] buffer = new byte[4096];
+
+ GZIPInputStream cin = new GZIPInputStream(new FileInputStream(gzip));
+
+ FileOutputStream out = new FileOutputStream(file);
+
+ int len;
+ while ((len = cin.read(buffer)) > 0) {
+ out.write(buffer, 0, len);
+ }
+ cin.close();
+ out.close();
+ FileUtils.delete(gzip);
+ }
 }
From aa126039e5ec88a2b26315872c4e785880933b03 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 15 Nov 2014 08:21:44 -0500 Subject: [PATCH 15/26] updated NVD CVE URLs to use gzipped files Former-commit-id: 25c0c2e5df3a6626fae5401209fac93b105b3392
---
 .../src/main/resources/dependencycheck.properties | 13 +++++++++---- .../src/test/resources/dependencycheck.properties | 13 +++++++++---- 2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index 9f764fd0a..ef9be913f 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
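Review bot: `gzip.delete()` ignores its return value, so when a stale `file.gz` cannot be removed the following `file.renameTo(gzip)` fails as well and the method then inflates the stale archive over the freshly downloaded file; check the result, e.g. `if (gzip.isFile() && !gzip.delete()) { throw new IOException("Unable to delete '" + gzip.getPath() + "'"); }`. The later hunk in this series that reworks the method (PATCH 21) checks renameTo but still leaves the delete unchecked. Reassigning the `file` parameter (`file = new File(originalPath);`) also makes the method harder to follow than a separate local would.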
@@ -40,11 +40,16 @@ data.driver_path= cve.url.modified.validfordays=7 # the path to the modified nvd cve xml file. -cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml -cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml +cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz +#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml +cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz +#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml cve.startyear=2002 -cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml -cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml +cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz +#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml +cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz +#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml + # file type analyzer settings: analyzer.archive.enabled=true diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties index ae48d04c2..2a364e089 100644 --- a/dependency-check-core/src/test/resources/dependencycheck.properties +++ b/dependency-check-core/src/test/resources/dependencycheck.properties 
@@ -47,11 +47,16 @@ cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-di cve.url.modified.validfordays=7 # the path to the modified nvd cve xml file. -cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml -cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml cve.startyear=2014 -cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml -cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml +cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz +#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml +cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz +#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml +cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz +#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml +cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz +#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml + # the URL for searching Nexus for SHA-1 hashes and whether it's enabled analyzer.nexus.enabled=true From 3f3ac86d380c367d8812467d0d04cb4c7bc62cc5 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 15 Nov 2014 08:22:43 -0500 Subject: [PATCH 16/26] minor change to test cases Former-commit-id: bbfc241e7576b508af819f7fe66892da0511e549 --- .../dependencycheck/utils/DownloaderIntegrationTest.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java b/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java index 530a8faae..b84b49257 100644 --- a/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java 
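Review bot: The CVE feed URLs move to https, but the `cpe.meta.url=http://static.nvd.nist.gov/...` line visible in the hunk header context still fetches the CPE dictionary over plain http; that feed is presumably consumed in the same way as the CVE feeds, so it would benefit from the same change (the same context line appears in the utils test-properties hunk below). Keeping the previous URLs as commented-out lines (`#cve.url-1.2.modified=http://…`) leaves dead configuration that a reader may re-enable; a one-line comment stating that the feeds are now gzipped and served over TLS would carry the same information more clearly. The main-resources hunk above has the same commented-out pairs.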
+++ b/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java @@ -42,12 +42,12 @@ public class DownloaderIntegrationTest extends BaseTest { URL url = new URL(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL)); File outputPath = new File("target/downloaded_cve.xml"); Downloader.fetchFile(url, outputPath); - + assertTrue(outputPath.isFile()); } @Test public void testGetLastModified() throws Exception { - URL url = new URL("http://nvd.nist.gov/download/nvdcve-2012.xml"); + URL url = new URL(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL)); long timestamp = Downloader.getLastModified(url); assertTrue("timestamp equal to zero?", timestamp > 0); } From 90457c89ff429a18b8a0ef613642321efcdf9881 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 15 Nov 2014 08:23:13 -0500 Subject: [PATCH 17/26] updated NVD CVE URLs to use gzipped files Former-commit-id: ca3c5ec40458f200a19cfcda36d518cf4de5a65a --- .../src/test/resources/dependencycheck.properties | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/dependency-check-utils/src/test/resources/dependencycheck.properties b/dependency-check-utils/src/test/resources/dependencycheck.properties index 8ed80a630..bdcbe1a41 100644 --- a/dependency-check-utils/src/test/resources/dependencycheck.properties +++ b/dependency-check-utils/src/test/resources/dependencycheck.properties 
@@ -45,11 +45,15 @@ cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-di cve.url.modified.validfordays=7 # the path to the modified nvd cve xml file. -cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml -cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml cve.startyear=2014 -cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml -cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml +cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz +#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml +cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz +#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml +cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz +#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml +cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz +#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml # the URL for searching Nexus for SHA-1 hashes and whether it's enabled analyzer.nexus.enabled=true From 82151c5b3f534f1ce678ac4f4f6c950cf3f7f187 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 15 Nov 2014 08:23:54 -0500 Subject: [PATCH 18/26] initial version of the test for DownloadTask Former-commit-id: 5c82a5dda739525be25eed5ee763effe839758d0 --- .../data/update/task/DownloadTaskTest.java | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/task/DownloadTaskTest.java diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/task/DownloadTaskTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/task/DownloadTaskTest.java new file mode 100644 index 000000000..5e6ffdeb0 --- /dev/null 
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/task/DownloadTaskTest.java 
@@ -0,0 +1,75 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.update.task; + +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Future; +import org.junit.After; +import org.junit.AfterClass; +import static org.junit.Assert.assertNull; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.owasp.dependencycheck.data.nvdcve.CveDB; +import org.owasp.dependencycheck.data.update.NvdCveInfo; +import org.owasp.dependencycheck.utils.Settings; + +/** + * + * @author Jeremy Long + */ +public class DownloadTaskTest { + + public DownloadTaskTest() { + } + + @BeforeClass + public static void setUpClass() { + } + + @AfterClass + public static void tearDownClass() { + } + + @Before + public void setUp() { + Settings.initialize(); + } + + @After + public void tearDown() { + Settings.cleanup(); + } + + /** + * Test of call method, of class DownloadTask. 
+ */ + @Test + public void testCall() throws Exception { + NvdCveInfo cve = new NvdCveInfo(); + cve.setId("modified"); + cve.setNeedsUpdate(true); + cve.setUrl(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL)); + cve.setOldSchemaVersionUrl(Settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL)); + ExecutorService processExecutor = null; + CveDB cveDB = null; + DownloadTask instance = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());; + Future result = instance.call(); + assertNull(result); + } +} From ad1ad3a9972611c99a03b4c32769221a3224e156 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 16 Nov 2014 06:20:07 -0500 Subject: [PATCH 19/26] turned off checkstyle for a few lines Former-commit-id: 62bf63649427363c0d86bd72acbb76a9772d1da3 --- .../org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java index ac18ec90a..e59d6c77c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java @@ -120,9 +120,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { // Try evacuating the error stream rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8")); String line = null; + // CheckStyle:VisibilityModifier OFF while (rdr.ready() && (line = rdr.readLine()) != null) { LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.stderr", line); } + // CheckStyle:VisibilityModifier ON int rc = 0; doc = builder.parse(proc.getInputStream()); 
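Review bot: `DownloadTask instance = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());;` has a stray second semicolon. The test passes a null processExecutor and a null cveDB and asserts only `assertNull(result)`, so what it pins is the early return for a missing processor service rather than the download-and-extract path, and since the URL comes from `Settings.KEYS.CVE_MODIFIED_20_URL` it presumably needs network access, which makes it an integration test (confirm against how the build separates the two). The Javadoc `Test of call method, of class DownloadTask.` could say what is actually asserted, e.g. `Verifies that call() returns null when no processor service is supplied.`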
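Review bot: The suppression tag `// CheckStyle:VisibilityModifier OFF` names a check about field visibility, while the construct it brackets is an assignment inside the while condition (`(line = rdr.readLine()) != null`), which the InnerAssignment check would flag; if the intent is to silence that check the tag should name it, otherwise the OFF/ON pair suppresses nothing and only obscures its purpose. The same pair appears in the second AssemblyAnalyzer hunk below. A short comment on why the stderr drain loop is written this way would help the next reader more than the suppression.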
@@ -233,9 +235,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { final Process p = pb.start(); // Try evacuating the error stream rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8")); + // CheckStyle:VisibilityModifier OFF while (rdr.ready() && rdr.readLine() != null) { // We expect this to complain } + // CheckStyle:VisibilityModifier ON final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream()); final XPath xpath = XPathFactory.newInstance().newXPath(); final String error = xpath.evaluate("/assembly/error", doc); From 127eafc9b36f6d7c6a8273c9ac38c6bcae1c75a6 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 16 Nov 2014 06:20:27 -0500 Subject: [PATCH 20/26] removed unused field Former-commit-id: f44e6398f946abe2faa8ab1b2e3813a6831b9c66 --- .../owasp/dependencycheck/data/central/CentralSearch.java | 6 ------ 1 file changed, 6 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java index 97b4841b5..fb6d86a1d 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java @@ -57,12 +57,6 @@ public class CentralSearch { */ private static final Logger LOGGER = Logger.getLogger(CentralSearch.class.getName()); - /** - * Determines whether we'll continue using the analyzer. If there's some sort of HTTP failure, we'll disable the - * analyzer. - */ - private boolean isEnabled = true; - /** * Creates a NexusSearch for the given repository URL. * From 299350f655f619176f4d8b70ef1d6fc68900a77f Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Sun, 16 Nov 2014 06:21:02 -0500 Subject: [PATCH 21/26] correctly closed streams when extracting a gzip archive Former-commit-id: 0a0c917cc3e4c4a004823fba9b7f8ab53f90d557 --- .../data/update/task/DownloadTask.java | 44 ++++++++++++------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java index 2231dc613..0cf992c6e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java 
@@ -260,26 +260,38 @@ public class DownloadTask implements Callable> {
 * @throws IOException thrown if there is an error extracting the file.
 */
 private void extractGzip(File file) throws FileNotFoundException, IOException {
- String originalPath = file.getPath();
+ final String originalPath = file.getPath();
 File gzip = new File(originalPath + ".gz");
 if (gzip.isFile()) {
 gzip.delete();
 }
- file.renameTo(gzip);
- file = new File(originalPath);
-
- byte[] buffer = new byte[4096];
-
- GZIPInputStream cin = new GZIPInputStream(new FileInputStream(gzip));
-
- FileOutputStream out = new FileOutputStream(file);
-
- int len;
- while ((len = cin.read(buffer)) > 0) {
- out.write(buffer, 0, len);
+ if (!file.renameTo(gzip)) {
+ throw new IOException("Unable to rename '" + file.getPath() + "'");
+ }
+ final File newfile = new File(originalPath);
+
+ final byte[] buffer = new byte[4096];
+
+ GZIPInputStream cin = null;
+ FileOutputStream out = null;
+ try {
+ cin = new GZIPInputStream(new FileInputStream(gzip));
+ out = new FileOutputStream(newfile);
+
+ int len;
+ while ((len = cin.read(buffer)) > 0) {
+ out.write(buffer, 0, len);
+ }
+ } finally {
+ if (cin != null) {
+ cin.close();
+ }
+ if (out != null) {
+ out.close();
+ }
+ if (gzip.isFile()) {
+ FileUtils.delete(gzip);
+ }
 }
- cin.close();
- out.close();
- FileUtils.delete(gzip);
 }
 }
From 92b11526be507c010aa42aec2b19106fb4ac0735 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 16 Nov 2014 08:24:17 -0500 Subject: [PATCH 22/26] updated log messages Former-commit-id: 4f58ed64efbee2a2d604bdc5bd51394e152bd408
---
 .../org/owasp/dependencycheck/analyzer/CentralAnalyzer.java | 2 +- .../java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
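Review bot: In the new finally block a failure in `cin.close()` skips both `out.close()` and the archive cleanup, so the output stream can still leak on the error path this commit set out to close; nest the closes so each runs regardless of the other. The cleanup also deletes the archive whenever `gzip.isFile()`, including when the copy loop threw, which leaves a truncated `newfile` in place while the only input that could be retried is gone; delete the archive only after a successful extract, or remove the partial output on failure. The inflate loop has no ceiling on the expanded size, so a corrupted or hostile archive at the configured URL would fill the data directory; an upper bound on bytes written, generous enough for the NVD feeds, would be cheap defence in depth. The method's Javadoc starts outside the hunk.
```java
        GZIPInputStream cin = null;
        FileOutputStream out = null;
        boolean extracted = false;
        try {
            cin = new GZIPInputStream(new FileInputStream(gzip));
            out = new FileOutputStream(newfile);
            // … unchanged: copy loop …
            extracted = true;
        } finally {
            try {
                if (cin != null) {
                    cin.close();
                }
            } finally {
                if (out != null) {
                    out.close();
                }
            }
            // only discard the archive once its contents are safely on disk
            if (extracted && gzip.isFile()) {
                FileUtils.delete(gzip);
            }
        }
```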
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java index c89f35bd2..b062359c4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java @@ -102,7 +102,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { LOGGER.info("Enabling the Central analyzer"); retval = true; } else { - LOGGER.info("Nexus analyzer is enabled, disabling Central"); + LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer"); } } else { LOGGER.info("Central analyzer disabled"); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java index 3219787d1..0da7a5147 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java @@ -101,7 +101,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { LOGGER.info("Enabling Nexus analyzer"); retval = true; } else { - LOGGER.info("Nexus analyzer disabled"); + LOGGER.info("Nexus analyzer disabled, using Central instead"); } } catch (InvalidSettingException ise) { LOGGER.warning("Invalid setting. Disabling Nexus analyzer"); From 297a5e516f48a15b3d4f097cac2cf5a3a23858dd Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 16 Nov 2014 08:24:55 -0500 Subject: [PATCH 23/26] switched to using commons.io.FileUtils to delete files Former-commit-id: e63309f20e7af759233db5486acc85f2c5c6806d --- .../owasp/dependencycheck/data/update/task/DownloadTask.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java index 0cf992c6e..75565f527 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java @@ -29,7 +29,7 @@ import java.util.concurrent.Future; import java.util.logging.Level; import java.util.logging.Logger; import java.util.zip.GZIPInputStream; -import org.apache.tools.ant.util.FileUtils; +import org.apache.commons.io.FileUtils; import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.update.NvdCveInfo; import org.owasp.dependencycheck.data.update.exception.UpdateException; @@ -290,7 +290,7 @@ public class DownloadTask implements Callable> { out.close(); } if (gzip.isFile()) { - FileUtils.delete(gzip); + FileUtils.deleteQuietly(gzip); } } } From 8b7ce067935a2043e83d37c63555c2d7db870ec1 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 16 Nov 2014 08:25:13 -0500 Subject: [PATCH 24/26] initial version Former-commit-id: efb4fec83ee9d788b3a5b21c683f52dd91113ec0 --- src/site/markdown/related.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 src/site/markdown/related.md diff --git a/src/site/markdown/related.md b/src/site/markdown/related.md new file mode 100644 index 000000000..17ccc6fe6 --- /dev/null +++ b/src/site/markdown/related.md 
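Review bot: `FileUtils.deleteQuietly(gzip)` discards its boolean result, so an archive that could not be removed is never reported and stays next to the extracted XML; swallowing is reasonable inside a finally block, but the outcome should at least be logged, e.g. `if (!FileUtils.deleteQuietly(gzip)) { LOGGER.log(Level.FINE, "Unable to delete " + gzip.getPath()); }` (LOGGER and Level are already used in this class, as the earlier DownloadTask hunks show). The enclosing extractGzip starts outside the hunk.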
@@ -0,0 +1,20 @@ +Related FOSS Projects +=========== +* [The Victims Project](https://github.com/victims) +* [Retire.js](http://bekk.github.io/retire.js/) + +Vulnerability Sources +=========== +The following are sources of vulnerability information. Dependency-check only uses information in the National Vulnerability +Database (NVD). The other sources listed below contain vulnerability information that may not be included in the NVD. +* [National Vulnerability Database](https://nvd.nist.gov/) +* [OSVDB](http://osvdb.org/) + +Related Commercial Products +=========== +The below list is merely informational. It is not a complete list, nor do the authors of dependency-check endorse any +of the products listed below. +* [Sonatype CLM](http://www.sonatype.com/clm/overview) +* [Black Duck](https://www.blackducksoftware.com/products/black-duck-suite/code-center) +* [Palamida](http://www.palamida.com/products/enterpriseedition.html) + From af5ba6854e385b3441fb8eb87df8f9f9427f2dbe Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 16 Nov 2014 09:43:26 -0500 Subject: [PATCH 25/26] minor format change Former-commit-id: 138be9fe55a362d21021b428b36ac65e621fd88a --- dependency-check-cli/src/main/assembly/release.xml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/dependency-check-cli/src/main/assembly/release.xml b/dependency-check-cli/src/main/assembly/release.xml index 7ebf60d62..a2dd05d87 100644 --- a/dependency-check-cli/src/main/assembly/release.xml +++ b/dependency-check-cli/src/main/assembly/release.xml @@ -2,10 +2,8 @@ release From f333ef76d9fee4a70d15d804685ffeaa51ef15f7 Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Sun, 16 Nov 2014 09:44:11 -0500 Subject: [PATCH 26/26] version 1.2.6 Former-commit-id: d32ff0d840fc1d1a3153da73158adc125a589efc --- dependency-check-ant/pom.xml | 2 +- dependency-check-cli/pom.xml | 6 +++--- dependency-check-core/pom.xml | 2 +- dependency-check-jenkins/pom.xml | 2 +- dependency-check-maven/pom.xml | 2 +- dependency-check-utils/pom.xml | 2 +- pom.xml | 2 +- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml index 19cd62adb..59af44b24 100644 --- a/dependency-check-ant/pom.xml +++ b/dependency-check-ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.2.6-SNAPSHOT + 1.2.6 dependency-check-ant diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index c89fbe155..96b2d11c6 100644 --- a/dependency-check-cli/pom.xml +++ b/dependency-check-cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.2.6-SNAPSHOT + 1.2.6 dependency-check-cli @@ -286,12 +286,12 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.codehaus.mojo appassembler-maven-plugin - 1.7 + 1.8.1 org.owasp.dependencycheck.App - dependency-check + dependency-check ${project.build.directory}/release diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 16f14d585..b64f35368 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.2.6-SNAPSHOT + 1.2.6 dependency-check-core diff --git a/dependency-check-jenkins/pom.xml b/dependency-check-jenkins/pom.xml index 7c87b0e1d..a967cd996 100644 --- a/dependency-check-jenkins/pom.xml +++ b/dependency-check-jenkins/pom.xml @@ -3,7 +3,7 @@ org.owasp dependency-check-parent - 1.2.6-SNAPSHOT + 1.2.6 org.owasp dependency-check-jenkins 
diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index dfbdb8e37..147dca413 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -22,7 +22,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.2.6-SNAPSHOT + 1.2.6 dependency-check-maven diff --git a/dependency-check-utils/pom.xml b/dependency-check-utils/pom.xml index 9dad1ea6f..3dca43d54 100644 --- a/dependency-check-utils/pom.xml +++ b/dependency-check-utils/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.2.6-SNAPSHOT + 1.2.6 dependency-check-utils diff --git a/pom.xml b/pom.xml index eb48cde22..62bfb302c 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 1.2.6-SNAPSHOT + 1.2.6 pom