github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-03 22:50:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

Modified CveDB and Settings so that they are no longer singletons; first step in thread safety updates

Browse Source
This commit is contained in:
Jeremy Long
2017-08-30 06:47:45 -04:00
parent c4b67a1db2
commit 74a2326e0e
113 changed files with 1809 additions and 1400 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
View File

@@ -948,7 +948,7 @@ public class Check extends Update {
dealWithReferences();
validateConfiguration();
populateSettings();
try (Engine engine = new Engine(Check.class.getClassLoader())) {
try (Engine engine = new Engine(Check.class.getClassLoader(), getSettings())) {
if (isUpdateOnly()) {
log("Deprecated 'UpdateOnly' property set; please use the UpdateTask instead", Project.MSG_WARN);
try {
@@ -999,7 +999,7 @@ public class Check extends Update {
}
log(msg, ex, Project.MSG_ERR);
} finally {
Settings.cleanup(true);
getSettings().cleanup(true);
}
}
@@ -1028,33 +1028,33 @@ public class Check extends Update {
@Override
protected void populateSettings() throws BuildException {
super.populateSettings();
Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
Settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles.toArray(new String[suppressionFiles.size()]));
Settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
Settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, nspAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
getSettings().setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
getSettings().setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles.toArray(new String[suppressionFiles.size()]));
getSettings().setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, nspAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
getSettings().setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
}
/**

49
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
View File

@@ -37,22 +37,35 @@ public class Purge extends Task {
* The properties file location.
*/
private static final String PROPERTIES_FILE = "task.properties";
/**
* Construct a new DependencyCheckTask.
* The configured settings.
*/
public Purge() {
super();
// Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
// core end up coming through this tasks logger
StaticLoggerBinder.getSingleton().setTask(this);
}
private Settings settings;
/**
* The location of the data directory that contains
*/
private String dataDirectory = null;
/**
* Indicates if dependency-check should fail the build if an exception
* occurs.
*/
private boolean failOnError = true;
/**
* Construct a new DependencyCheckTask.
*/
public Purge() {
super();
// Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
// core end up coming through this tasks logger
StaticLoggerBinder.getSingleton().setTask(this);
}
public Settings getSettings() {
return settings;
}
/**
* Get the value of dataDirectory.
*
@@ -71,12 +84,6 @@ public class Purge extends Task {
this.dataDirectory = dataDirectory;
}
/**
* Indicates if dependency-check should fail the build if an exception
* occurs.
*/
private boolean failOnError = true;
/**
* Get the value of failOnError.
*
@@ -106,7 +113,7 @@ public class Purge extends Task {
populateSettings();
File db;
try {
db = new File(Settings.getDataDirectory(), "dc.h2.db");
db = new File(settings.getDataDirectory(), "dc.h2.db");
if (db.exists()) {
if (db.delete()) {
log("Database file purged; local copy of the NVD has been removed", Project.MSG_INFO);
@@ -131,7 +138,7 @@ public class Purge extends Task {
}
log(msg, Project.MSG_ERR);
} finally {
Settings.cleanup(true);
settings.cleanup(true);
}
}
@@ -143,9 +150,9 @@ public class Purge extends Task {
* @throws BuildException thrown if the properties file cannot be read.
*/
protected void populateSettings() throws BuildException {
Settings.initialize();
settings = new Settings();
try (InputStream taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE)) {
Settings.mergeProperties(taskProperties);
settings.mergeProperties(taskProperties);
} catch (IOException ex) {
final String msg = "Unable to load the dependency-check ant task.properties file.";
if (this.failOnError) {
@@ -154,13 +161,13 @@ public class Purge extends Task {
log(msg, ex, Project.MSG_WARN);
}
if (dataDirectory != null) {
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
} else {
final File jarPath = new File(Purge.class.getProtectionDomain().getCodeSource().getLocation().getPath());
final File base = jarPath.getParentFile();
final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
final String sub = settings.getString(Settings.KEYS.DATA_DIRECTORY);
final File dataDir = new File(base, sub);
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
}
}
}

34
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
View File

@@ -385,7 +385,7 @@ public class Update extends Purge {
@Override
public void execute() throws BuildException {
populateSettings();
try (Engine engine = new Engine(Update.class.getClassLoader())) {
try (Engine engine = new Engine(Update.class.getClassLoader(), getSettings())) {
try {
engine.doUpdates();
} catch (UpdateException ex) {
@@ -401,7 +401,7 @@ public class Update extends Purge {
}
log(msg, Project.MSG_ERR);
} finally {
Settings.cleanup(true);
getSettings().cleanup(true);
}
}
@@ -415,23 +415,23 @@ public class Update extends Purge {
@Override
protected void populateSettings() throws BuildException {
super.populateSettings();
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
getSettings().setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
getSettings().setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
getSettings().setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
getSettings().setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
getSettings().setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
getSettings().setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
getSettings().setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
getSettings().setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
getSettings().setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
getSettings().setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
if (cveValidForHours != null) {
if (cveValidForHours >= 0) {
Settings.setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
getSettings().setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
} else {
throw new BuildException("Invalid setting: `cpeValidForHours` must be 0 or greater");
}

15
dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java
View File

@@ -21,13 +21,11 @@ import java.io.File;
import org.apache.tools.ant.BuildException;
import org.apache.tools.ant.BuildFileRule;
import org.junit.After;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.owasp.dependencycheck.BaseDBTestCase;
import org.owasp.dependencycheck.utils.Settings;
import static org.junit.Assert.assertTrue;
@@ -35,7 +33,7 @@ import static org.junit.Assert.assertTrue;
*
* @author Jeremy Long
*/
public class DependencyCheckTaskTest {
public class DependencyCheckTaskTest extends BaseDBTestCase {
@Rule
public BuildFileRule buildFileRule = new BuildFileRule();
@@ -44,20 +42,13 @@ public class DependencyCheckTaskTest {
public ExpectedException expectedException = ExpectedException.none();
@Before
@Override
public void setUp() throws Exception {
Settings.initialize();
BaseDBTestCase.ensureDBExists();
super.setUp();
final String buildFile = this.getClass().getClassLoader().getResource("build.xml").getPath();
buildFileRule.configureProject(buildFile);
}
@After
public void tearDown() {
//no cleanup...
//executeTarget("cleanup");
Settings.cleanup(true);
}
/**
* Test of addFileSet method, of class DependencyCheckTask.
*/

142
dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -53,6 +53,10 @@ public class App {
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(App.class);
/**
* The configured settings.
*/
private Settings settings = null;
/**
* The main method for the application.
@@ -61,17 +65,28 @@ public class App {
*/
public static void main(String[] args) {
int exitCode = 0;
try {
Settings.initialize();
final App app = new App();
exitCode = app.run(args);
LOGGER.debug("Exit code: {}", exitCode);
} finally {
Settings.cleanup(true);
}
final App app = new App();
exitCode = app.run(args);
LOGGER.debug("Exit code: {}", exitCode);
System.exit(exitCode);
}
/**
* Builds the App object.
*/
public App() {
settings = new Settings();
}
/**
* Builds the App object; this method is used for testing.
*
* @param settings the configured settings
*/
protected App(Settings settings) {
this.settings = settings;
}
/**
* Main CLI entry-point into the application.
*
@@ -80,7 +95,7 @@ public class App {
*/
public int run(String[] args) {
int exitCode = 0;
final CliParser cli = new CliParser();
final CliParser cli = new CliParser(settings);
try {
cli.parse(args);
@@ -109,10 +124,11 @@ public class App {
LOGGER.error(ex.getMessage());
LOGGER.debug("Error loading properties file", ex);
exitCode = -4;
return exitCode;
}
File db;
try {
db = new File(Settings.getDataDirectory(), Settings.getString(Settings.KEYS.DB_FILE_NAME, "dc.h2.db"));
db = new File(settings.getDataDirectory(), settings.getString(Settings.KEYS.DB_FILE_NAME, "dc.h2.db"));
if (db.exists()) {
if (db.delete()) {
LOGGER.info("Database file purged; local copy of the NVD has been removed");
@@ -127,6 +143,8 @@ public class App {
} catch (IOException ex) {
LOGGER.error("Unable to delete the database");
exitCode = -7;
} finally {
settings.cleanup();
}
}
} else if (cli.isGetVersion()) {
@@ -138,6 +156,7 @@ public class App {
LOGGER.error(ex.getMessage());
LOGGER.debug("Error loading properties file", ex);
exitCode = -4;
return exitCode;
}
try {
runUpdateOnly();
@@ -147,6 +166,8 @@ public class App {
} catch (DatabaseException ex) {
LOGGER.error(ex.getMessage());
exitCode = -9;
} finally {
settings.cleanup();
}
} else if (cli.isRunScan()) {
try {
@@ -155,6 +176,7 @@ public class App {
LOGGER.error(ex.getMessage());
LOGGER.debug("Error loading properties file", ex);
exitCode = -4;
return exitCode;
}
try {
final String[] scanFiles = cli.getScanFiles();
@@ -183,6 +205,8 @@ public class App {
for (Throwable e : ex.getExceptions()) {
LOGGER.error(e.getMessage());
}
} finally {
settings.cleanup();
}
} else {
cli.printHelp();
@@ -221,7 +245,7 @@ public class App {
final List<String> antStylePaths = getPaths(files);
final Set<File> paths = scanAntStylePaths(antStylePaths, symLinkDepth, excludes);
engine = new Engine();
engine = new Engine(settings);
engine.scan(paths);
ExceptionCollection exCol = null;
@@ -359,7 +383,7 @@ public class App {
* connection to the database could not be established
*/
private void runUpdateOnly() throws UpdateException, DatabaseException {
try (Engine engine = new Engine()) {
try (Engine engine = new Engine(settings)) {
engine.doUpdates();
}
}
@@ -401,7 +425,7 @@ public class App {
if (propertiesFile != null) {
try {
Settings.mergeProperties(propertiesFile);
settings.mergeProperties(propertiesFile);
} catch (FileNotFoundException ex) {
throw new InvalidSettingException("Unable to find properties file '" + propertiesFile.getPath() + "'", ex);
} catch (IOException ex) {
@@ -413,65 +437,65 @@ public class App {
// on the command line. This is true of other boolean values set below not using the setBooleanIfNotNull.
final boolean nexusUsesProxy = cli.isNexusUsesProxy();
if (dataDirectory != null) {
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
} else if (System.getProperty("basedir") != null) {
final File dataDir = new File(System.getProperty("basedir"), "data");
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
} else {
final File jarPath = new File(App.class.getProtectionDomain().getCodeSource().getLocation().getPath());
final File base = jarPath.getParentFile();
final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
final String sub = settings.getString(Settings.KEYS.DATA_DIRECTORY);
final File dataDir = new File(base, sub);
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
}
Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUser);
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPass);
Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
Settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUser);
settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPass);
settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
Settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles);
settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles);
//File Type Analyzer Settings
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, experimentalEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, experimentalEnabled);
Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !cli.isJarDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !cli.isArchiveDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !cli.isPythonDistributionDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !cli.isPythonPackageDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !cli.isAutoconfDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, !cli.isCmakeDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !cli.isNuspecDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !cli.isAssemblyDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, !cli.isBundleAuditDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, !cli.isComposerDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, !cli.isNspDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, !cli.isSwiftPackageAnalyzerDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, !cli.isCocoapodsAnalyzerDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, !cli.isRubyGemspecDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !cli.isCentralDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !cli.isNexusDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !cli.isJarDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !cli.isArchiveDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !cli.isPythonDistributionDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !cli.isPythonPackageDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !cli.isAutoconfDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, !cli.isCmakeDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !cli.isNuspecDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !cli.isAssemblyDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, !cli.isBundleAuditDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, !cli.isComposerDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, !cli.isNspDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, !cli.isSwiftPackageAnalyzerDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, !cli.isCocoapodsAnalyzerDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, !cli.isRubyGemspecDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !cli.isCentralDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !cli.isNexusDisabled());
Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, cli.getPathToBundleAudit());
Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, cli.getPathToBundleAudit());
settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
if (cveBase12 != null && !cveBase12.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveBase12);
Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveBase20);
Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveMod12);
Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveMod20);
settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveBase12);
settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveBase20);
settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveMod12);
settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveMod20);
}
}

22
dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
View File

@@ -53,6 +53,14 @@ public final class CliParser {
* Indicates whether the arguments are valid.
*/
private boolean isValid = true;
/**
* The configured settings.
*/
private final Settings settings;
public CliParser(Settings settings) {
this.settings = settings;
}
/**
* Parses the arguments passed in and captures the results for later use.
@@ -582,7 +590,7 @@ public final class CliParser {
private boolean hasDisableOption(String argument, String setting) {
if (line == null || !line.hasOption(argument)) {
try {
return !Settings.getBoolean(setting);
return !settings.getBoolean(setting);
} catch (InvalidSettingException ise) {
LOGGER.warn("Invalid property setting '{}' defaulting to false", setting);
return false;
@@ -801,7 +809,7 @@ public final class CliParser {
// still honor the property if it's set.
if (line == null || !line.hasOption(ARGUMENT.NEXUS_USES_PROXY)) {
try {
return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY);
return settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY);
} catch (InvalidSettingException ise) {
return true;
}
@@ -823,10 +831,10 @@ public final class CliParser {
final String helpMsg = String.format("%n%s"
+ " can be used to identify if there are any known CVE vulnerabilities in libraries utilized by an application. "
+ "%s will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov.%n%n",
Settings.getString("application.name", "DependencyCheck"),
Settings.getString("application.name", "DependencyCheck"));
settings.getString("application.name", "DependencyCheck"),
settings.getString("application.name", "DependencyCheck"));
formatter.printHelp(Settings.getString("application.name", "DependencyCheck"),
formatter.printHelp(settings.getString("application.name", "DependencyCheck"),
helpMsg,
options,
"",
@@ -1054,8 +1062,8 @@ public final class CliParser {
*/
public void printVersionInfo() {
final String version = String.format("%s version %s",
Settings.getString(Settings.KEYS.APPLICATION_NAME, "dependency-check"),
Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
settings.getString(Settings.KEYS.APPLICATION_NAME, "dependency-check"),
settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
System.out.println(version);
}

64
dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java
View File

@@ -30,8 +30,6 @@ import java.util.Map;
import org.apache.commons.cli.ParseException;
import org.apache.commons.cli.UnrecognizedOptionException;
import org.junit.After;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
@@ -42,7 +40,7 @@ import org.owasp.dependencycheck.utils.Settings.KEYS;
/**
* Tests for the {@link AppTest} class.
*/
public class AppTest {
public class AppTest extends BaseTest {
/**
* Test rule for asserting exceptions and their contents.
@@ -50,29 +48,13 @@ public class AppTest {
@Rule
public ExpectedException expectedException = ExpectedException.none();
/**
* Initialize the {@link Settings} singleton.
*/
@Before
public void setUp() {
Settings.initialize();
}
/**
* Clean the {@link Settings} singleton.
*/
@After
public void tearDown() {
Settings.cleanup();
}
/**
* Test of ensureCanonicalPath method, of class App.
*/
@Test
public void testEnsureCanonicalPath() {
String file = "../*.jar";
App instance = new App();
App instance = new App(getSettings());
String result = instance.ensureCanonicalPath(file);
assertFalse(result.contains(".."));
assertTrue(result.endsWith("*.jar"));
@@ -85,7 +67,7 @@ public class AppTest {
/**
* Assert that boolean properties can be set on the CLI and parsed into the
* {@link Settings} singleton.
* {@link Settings}.
*
* @throws Exception the unexpected {@link Exception}.
*/
@@ -165,13 +147,13 @@ public class AppTest {
String[] args = {"-P", prop.getAbsolutePath(), "--suppression", "another-file.xml"};
// WHEN parsing the CLI arguments
final CliParser cli = new CliParser();
final CliParser cli = new CliParser(getSettings());
cli.parse(args);
final App classUnderTest = new App();
final App classUnderTest = new App(getSettings());
classUnderTest.populateSettings(cli);
// THEN the suppression file is set in the settings singleton for use in the application core
assertThat("Expected the suppression file to be set in the Settings singleton", Settings.getString(KEYS.SUPPRESSION_FILE), is("another-file.xml"));
// THEN the suppression file is set in the settings for use in the application core
assertThat("Expected the suppression file to be set in the Settings", getSettings().getString(KEYS.SUPPRESSION_FILE), is("another-file.xml"));
}
/**
@@ -188,31 +170,25 @@ public class AppTest {
String[] args = {"-P", prop.getAbsolutePath(), "--suppression", "first-file.xml", "another-file.xml"};
// WHEN parsing the CLI arguments
final CliParser cli = new CliParser();
final CliParser cli = new CliParser(getSettings());
cli.parse(args);
final App classUnderTest = new App();
final App classUnderTest = new App(getSettings());
classUnderTest.populateSettings(cli);
// THEN the suppression file is set in the settings singleton for use in the application core
assertThat("Expected the suppression files to be set in the Settings singleton with a separator", Settings.getString(KEYS.SUPPRESSION_FILE), is("first-file.xml,another-file.xml"));
// THEN the suppression file is set in the settings for use in the application core
assertThat("Expected the suppression files to be set in the Settings with a separator", getSettings().getString(KEYS.SUPPRESSION_FILE), is("first-file.xml,another-file.xml"));
}
private boolean testBooleanProperties(String[] args, Map<String, Boolean> expected) throws URISyntaxException, FileNotFoundException, ParseException, InvalidSettingException {
Settings.initialize();
try {
final CliParser cli = new CliParser();
cli.parse(args);
App instance = new App();
instance.populateSettings(cli);
boolean results = true;
for (Map.Entry<String, Boolean> entry : expected.entrySet()) {
results &= Settings.getBoolean(entry.getKey()) == entry.getValue();
}
return results;
} finally {
Settings.cleanup();
this.reloadSettings();
final CliParser cli = new CliParser(getSettings());
cli.parse(args);
App instance = new App(getSettings());
instance.populateSettings(cli);
boolean results = true;
for (Map.Entry<String, Boolean> entry : expected.entrySet()) {
results &= getSettings().getBoolean(entry.getKey()) == entry.getValue();
}
return results;
}
}

62
dependency-check-cli/src/test/java/org/owasp/dependencycheck/BaseTest.java Normal file
View File

@@ -0,0 +1,62 @@
/*
* Copyright 2014 OWASP.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.owasp.dependencycheck;
import org.junit.After;
import org.junit.Before;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long
*/
public class BaseTest {
/**
* The configured settings.
*/
private Settings settings;
/**
* Initialize the {@link Settings}.
*/
@Before
public void setUp() {
settings = new Settings();
}
/**
* Clean the {@link Settings}.
*/
@After
public void tearDown() {
settings.cleanup(true);
}
/**
* Returns the settings for the test cases.
*
* @return
*/
protected Settings getSettings() {
return settings;
}
protected void reloadSettings() {
tearDown();
setUp();
}
}

36
dependency-check-cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java
View File

@@ -33,17 +33,7 @@ import org.owasp.dependencycheck.utils.Settings;
*
* @author Jeremy Long
*/
public class CliParserTest {
@BeforeClass
public static void setUpClass() throws Exception {
Settings.initialize();
}
@AfterClass
public static void tearDownClass() throws Exception {
Settings.cleanup(true);
}
public class CliParserTest extends BaseTest {
/**
* Test of parse method, of class CliParser.
@@ -59,7 +49,7 @@ public class CliParserTest {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
System.setOut(new PrintStream(baos));
CliParser instance = new CliParser();
CliParser instance = new CliParser(getSettings());
instance.parse(args);
Assert.assertFalse(instance.isGetVersion());
@@ -78,7 +68,7 @@ public class CliParserTest {
String[] args = {"-help"};
PrintStream out = System.out;
CliParser instance = new CliParser();
CliParser instance = new CliParser(getSettings());
instance.parse(args);
Assert.assertFalse(instance.isGetVersion());
@@ -96,7 +86,7 @@ public class CliParserTest {
String[] args = {"-version"};
CliParser instance = new CliParser();
CliParser instance = new CliParser(getSettings());
instance.parse(args);
Assert.assertTrue(instance.isGetVersion());
Assert.assertFalse(instance.isGetHelp());
@@ -114,7 +104,7 @@ public class CliParserTest {
String[] args = {"--failOnCVSS"};
CliParser instance = new CliParser();
CliParser instance = new CliParser(getSettings());
try {
instance.parse(args);
} catch (ParseException ex) {
@@ -135,7 +125,7 @@ public class CliParserTest {
String[] args = {"--failOnCVSS","bad"};
CliParser instance = new CliParser();
CliParser instance = new CliParser(getSettings());
instance.parse(args);
Assert.assertEquals("Default should be 11", 11, instance.getFailOnCVSS());
Assert.assertFalse(instance.isGetVersion());
@@ -153,7 +143,7 @@ public class CliParserTest {
String[] args = {"--failOnCVSS","6"};
CliParser instance = new CliParser();
CliParser instance = new CliParser(getSettings());
instance.parse(args);
Assert.assertEquals(6, instance.getFailOnCVSS());
Assert.assertFalse(instance.isGetVersion());
@@ -178,7 +168,7 @@ public class CliParserTest {
System.setOut(new PrintStream(baos_out));
System.setErr(new PrintStream(baos_err));
CliParser instance = new CliParser();
CliParser instance = new CliParser(getSettings());
try {
instance.parse(args);
@@ -200,7 +190,7 @@ public class CliParserTest {
String[] args = {"-scan"};
CliParser instance = new CliParser();
CliParser instance = new CliParser(getSettings());
try {
instance.parse(args);
@@ -223,7 +213,7 @@ public class CliParserTest {
String[] args = {"-scan", "jar.that.does.not.exist", "-app", "test"};
CliParser instance = new CliParser();
CliParser instance = new CliParser(getSettings());
try {
instance.parse(args);
} catch (FileNotFoundException ex) {
@@ -245,7 +235,7 @@ public class CliParserTest {
File path = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
String[] args = {"-scan", path.getCanonicalPath(), "-out", "./", "-app", "test"};
CliParser instance = new CliParser();
CliParser instance = new CliParser(getSettings());
instance.parse(args);
Assert.assertEquals(path.getCanonicalPath(), instance.getScanFiles()[0]);
@@ -267,7 +257,7 @@ public class CliParserTest {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
System.setOut(new PrintStream(baos));
CliParser instance = new CliParser();
CliParser instance = new CliParser(getSettings());
instance.printVersionInfo();
try {
baos.flush();
@@ -296,7 +286,7 @@ public class CliParserTest {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
System.setOut(new PrintStream(baos));
CliParser instance = new CliParser();
CliParser instance = new CliParser(getSettings());
String[] args = {"-h"};
instance.parse(args);
instance.printHelp();

2
dependency-check-cli/src/test/resources/sample.properties
View File

@@ -1,5 +1,5 @@
autoupdate=false
somethingmadeup=test
analyzer.experimental.enabled=false
analyzer.jar.enabled=true
analyzer.archive.enabled=true

33
dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java
View File

@@ -89,26 +89,20 @@ public class AnalysisTask implements Callable<Void> {
*/
@Override
public Void call() {
try {
Settings.setInstance(settings);
if (shouldAnalyze()) {
LOGGER.debug("Begin Analysis of '{}' ({})", dependency.getActualFilePath(), analyzer.getName());
try {
analyzer.analyze(dependency, engine);
} catch (AnalysisException ex) {
LOGGER.warn("An error occurred while analyzing '{}' ({}).", dependency.getActualFilePath(), analyzer.getName());
LOGGER.debug("", ex);
exceptions.add(ex);
} catch (Throwable ex) {
LOGGER.warn("An unexpected error occurred during analysis of '{}' ({}): {}",
dependency.getActualFilePath(), analyzer.getName(), ex.getMessage());
LOGGER.debug("", ex);
exceptions.add(ex);
}
if (shouldAnalyze()) {
LOGGER.debug("Begin Analysis of '{}' ({})", dependency.getActualFilePath(), analyzer.getName());
try {
analyzer.analyze(dependency, engine);
} catch (AnalysisException ex) {
LOGGER.warn("An error occurred while analyzing '{}' ({}).", dependency.getActualFilePath(), analyzer.getName());
LOGGER.debug("", ex);
exceptions.add(ex);
} catch (Throwable ex) {
LOGGER.warn("An unexpected error occurred during analysis of '{}' ({}): {}",
dependency.getActualFilePath(), analyzer.getName(), ex.getMessage());
LOGGER.debug("", ex);
exceptions.add(ex);
}
} finally {
Settings.cleanup(false);
}
return null;
}
@@ -123,7 +117,6 @@ public class AnalysisTask implements Callable<Void> {
final FileTypeAnalyzer fileTypeAnalyzer = (FileTypeAnalyzer) analyzer;
return fileTypeAnalyzer.accept(dependency.getActualFile());
}
return true;
}
}

81
dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
View File

@@ -179,30 +179,38 @@ public class Engine implements FileFilter, AutoCloseable {
* The Logger for use throughout the class.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(Engine.class);
/**
* The configured settings.
*/
private final Settings settings;
/**
* Creates a new {@link Mode#STANDALONE} Engine.
*
* @param settings reference to the configured settings
*/
public Engine() {
this(Mode.STANDALONE);
public Engine(Settings settings) {
this(Mode.STANDALONE, settings);
}
/**
* Creates a new Engine.
*
* @param mode the mode of operation
* @param settings reference to the configured settings
*/
public Engine(Mode mode) {
this(Thread.currentThread().getContextClassLoader(), mode);
public Engine(Mode mode, Settings settings) {
this(Thread.currentThread().getContextClassLoader(), mode, settings);
}
/**
* Creates a new {@link Mode#STANDALONE} Engine.
*
* @param serviceClassLoader a reference the class loader being used
* @param settings reference to the configured settings
*/
public Engine(ClassLoader serviceClassLoader) {
this(serviceClassLoader, Mode.STANDALONE);
public Engine(ClassLoader serviceClassLoader, Settings settings) {
this(serviceClassLoader, Mode.STANDALONE, settings);
}
/**
@@ -210,8 +218,10 @@ public class Engine implements FileFilter, AutoCloseable {
*
* @param serviceClassLoader a reference the class loader being used
* @param mode the mode of the engine
* @param settings reference to the configured settings
*/
public Engine(ClassLoader serviceClassLoader, Mode mode) {
public Engine(ClassLoader serviceClassLoader, Mode mode, Settings settings) {
this.settings = settings;
this.serviceClassLoader = serviceClassLoader;
this.mode = mode;
initializeEngine();
@@ -225,9 +235,6 @@ public class Engine implements FileFilter, AutoCloseable {
* database
*/
protected final void initializeEngine() {
if (mode.isDatabseRequired()) {
ConnectionFactory.initialize();
}
loadAnalyzers();
}
@@ -240,7 +247,6 @@ public class Engine implements FileFilter, AutoCloseable {
database.close();
database = null;
}
ConnectionFactory.cleanup();
}
}
@@ -260,10 +266,16 @@ public class Engine implements FileFilter, AutoCloseable {
for (AnalysisPhase phase : mode.getPhases()) {
analyzers.put(phase, new ArrayList<Analyzer>());
}
final AnalyzerService service = new AnalyzerService(serviceClassLoader);
boolean loadExperimental = false;
try {
loadExperimental = settings.getBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
} catch (InvalidSettingException ex) {
LOGGER.trace("Experimenal setting not configured; defaulting to false");
}
final AnalyzerService service = new AnalyzerService(serviceClassLoader, loadExperimental);
final List<Analyzer> iterator = service.getAnalyzers(mode.getPhases());
for (Analyzer a : iterator) {
a.initializeSettings(this.settings);
analyzers.get(a.getAnalysisPhase()).add(a);
if (a instanceof FileTypeAnalyzer) {
this.fileTypeAnalyzers.add((FileTypeAnalyzer) a);
@@ -662,14 +674,13 @@ public class Engine implements FileFilter, AutoCloseable {
}
boolean autoUpdate = true;
try {
autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
autoUpdate = settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
} catch (InvalidSettingException ex) {
LOGGER.debug("Invalid setting for auto-update; using true.");
exceptions.add(ex);
}
if (autoUpdate) {
try {
database = CveDB.getInstance();
doUpdates();
} catch (UpdateException ex) {
exceptions.add(ex);
@@ -681,10 +692,10 @@ public class Engine implements FileFilter, AutoCloseable {
}
} else {
try {
if (ConnectionFactory.isH2Connection() && !ConnectionFactory.h2DataFileExists()) {
if (ConnectionFactory.isH2Connection(settings) && !ConnectionFactory.h2DataFileExists(settings)) {
throw new ExceptionCollection(new NoDataException("Autoupdate is disabled and the database does not exist"), true);
} else {
database = CveDB.getInstance();
openDatabase();
}
} catch (IOException ex) {
throw new ExceptionCollection(new DatabaseException("Autoupdate is disabled and unable to connect to the database"), true);
@@ -739,7 +750,7 @@ public class Engine implements FileFilter, AutoCloseable {
final List<AnalysisTask> result = new ArrayList<>();
synchronized (dependencies) {
for (final Dependency dependency : dependencies) {
final AnalysisTask task = new AnalysisTask(analyzer, dependency, this, exceptions, Settings.getInstance());
final AnalysisTask task = new AnalysisTask(analyzer, dependency, this, exceptions, settings);
result.add(task);
}
}
@@ -773,7 +784,7 @@ public class Engine implements FileFilter, AutoCloseable {
protected void initializeAnalyzer(Analyzer analyzer) throws InitializationException {
try {
LOGGER.debug("Initializing {}", analyzer.getName());
analyzer.initialize();
analyzer.initialize(this);
} catch (InitializationException ex) {
LOGGER.error("Exception occurred initializing {}.", analyzer.getName());
LOGGER.debug("", ex);
@@ -817,13 +828,14 @@ public class Engine implements FileFilter, AutoCloseable {
*/
public void doUpdates() throws UpdateException {
if (mode.isDatabseRequired()) {
openDatabase();
LOGGER.info("Checking for updates");
final long updateStart = System.currentTimeMillis();
final UpdateService service = new UpdateService(serviceClassLoader);
final Iterator<CachedWebDataSource> iterator = service.getDataSources();
while (iterator.hasNext()) {
final CachedWebDataSource source = iterator.next();
source.update();
source.update(this);
}
LOGGER.info("Check for updates complete ({} ms)", System.currentTimeMillis() - updateStart);
} else {
@@ -831,6 +843,24 @@ public class Engine implements FileFilter, AutoCloseable {
}
}
/**
* Opens the database connection.
*/
public void openDatabase() {
if (mode.isDatabseRequired() && database == null) {
database = new CveDB(settings);
}
}
/**
* Returns a reference to the database.
*
* @return a reference to the database
*/
public CveDB getDatabase() {
return this.database;
}
/**
* Returns a full list of all of the analyzers. This is useful for reporting
* which analyzers where used.
@@ -876,6 +906,15 @@ public class Engine implements FileFilter, AutoCloseable {
return this.fileTypeAnalyzers;
}
/**
* Returns
*
* @return
*/
public Settings getSettings() {
return settings;
}
/**
* Adds a file type analyzer. This has been added solely to assist in unit
* testing the Engine.
@@ -932,7 +971,7 @@ public class Engine implements FileFilter, AutoCloseable {
throw new UnsupportedOperationException("Cannot generate report in evidence collection mode.");
}
final DatabaseProperties prop = database.getDatabaseProperties();
final ReportGenerator r = new ReportGenerator(applicationName, groupId, artifactId, version, dependencies, getAnalyzers(), prop);
final ReportGenerator r = new ReportGenerator(applicationName, groupId, artifactId, version, dependencies, getAnalyzers(), prop, settings);
try {
r.write(outputDir.getAbsolutePath(), format);
} catch (ReportException ex) {

62
dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
View File

@@ -207,6 +207,10 @@ public class DependencyCheckScanAgent {
* The path to Mono for .NET assembly analysis on non-windows systems.
*/
private String pathToMono;
/**
* The configured settings.
*/
private Settings settings;
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="getters/setters">
@@ -823,7 +827,7 @@ public class DependencyCheckScanAgent {
populateSettings();
final Engine engine;
try {
engine = new Engine();
engine = new Engine(settings);
} catch (DatabaseException ex) {
throw new ExceptionCollection(ex, true);
}
@@ -855,40 +859,40 @@ public class DependencyCheckScanAgent {
* proxy server, port, and connection timeout.
*/
private void populateSettings() {
Settings.initialize();
settings = new Settings();
if (dataDirectory != null) {
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
} else {
final File jarPath = new File(DependencyCheckScanAgent.class.getProtectionDomain().getCodeSource().getLocation().getPath());
final File base = jarPath.getParentFile();
final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
final String sub = settings.getString(Settings.KEYS.DATA_DIRECTORY);
final File dataDir = new File(base, sub);
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
}
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
}
/**
@@ -918,7 +922,7 @@ public class DependencyCheckScanAgent {
}
throw new ScanAgentException("One or more exceptions occurred during analysis; please see the debug log for more details.", ex);
} finally {
Settings.cleanup(true);
settings.cleanup(true);
if (engine != null) {
engine.cleanup();
}

41
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java
View File

@@ -42,6 +42,10 @@ public abstract class AbstractAnalyzer implements Analyzer {
* A flag indicating whether or not the analyzer is enabled.
*/
private volatile boolean enabled = true;
/**
* The configured settings.
*/
private Settings settings;
/**
* Get the value of enabled.
@@ -62,6 +66,25 @@ public abstract class AbstractAnalyzer implements Analyzer {
this.enabled = enabled;
}
/**
* Returns the configured settings.
*
* @return the configured settings
*/
protected Settings getSettings() {
return settings;
}
/**
* Initializes the analyzer with the configured settings.
*
* @param settings the configured settings to use
*/
@Override
public void initializeSettings(Settings settings) {
this.settings = settings;
}
/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
@@ -85,9 +108,11 @@ public abstract class AbstractAnalyzer implements Analyzer {
* Initializes a given Analyzer. This will be skipped if the analyzer is
* disabled.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException thrown if there is an exception
*/
protected void initializeAnalyzer() throws InitializationException {
protected void initializeAnalyzer(Engine engine) throws InitializationException {
// Intentionally empty, analyzer will override this if they must initialize anything.
}
/**
@@ -117,22 +142,24 @@ public abstract class AbstractAnalyzer implements Analyzer {
}
/**
* The initialize method does nothing for this Analyzer.
* Initialize the abstract analyzer.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException thrown if there is an exception
*/
@Override
public final void initialize() throws InitializationException {
public final void initialize(Engine engine) throws InitializationException {
final String key = getAnalyzerEnabledSettingKey();
try {
this.setEnabled(Settings.getBoolean(key, true));
this.setEnabled(settings.getBoolean(key, true));
} catch (InvalidSettingException ex) {
LOGGER.warn("Invalid setting for property '{}'", key);
LOGGER.debug("", ex);
String msg = String.format("Invalid setting for property '{}'", key);
LOGGER.warn(msg);
LOGGER.debug(msg, ex);
}
if (isEnabled()) {
initializeAnalyzer();
initializeAnalyzer(engine);
} else {
LOGGER.debug("{} has been disabled", getName());
}

9
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
View File

@@ -25,6 +25,7 @@ import java.io.FileFilter;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.exception.InitializationException;
/**
@@ -70,13 +71,14 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
/**
* Initializes the analyzer.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException thrown if there is an exception during
* initialization
*/
@Override
protected final void initializeAnalyzer() throws InitializationException {
protected final void initializeAnalyzer(Engine engine) throws InitializationException {
if (filesMatched) {
initializeFileTypeAnalyzer();
initializeFileTypeAnalyzer(engine);
} else {
this.setEnabled(false);
}
@@ -101,10 +103,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
/**
* Initializes the file type analyzer.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException thrown if there is an exception during
* initialization
*/
protected abstract void initializeFileTypeAnalyzer() throws InitializationException;
protected abstract void initializeFileTypeAnalyzer(Engine engine) throws InitializationException;
//</editor-fold>
/**

18
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
View File

@@ -79,10 +79,11 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
/**
* The initialize method loads the suppression XML file.
*
* @param engine a reference the dependency-check engine
* @throws InitializationException thrown if there is an exception
*/
@Override
public void initializeAnalyzer() throws InitializationException {
public void initializeAnalyzer(Engine engine) throws InitializationException {
try {
loadSuppressionData();
} catch (SuppressionParseException ex) {
@@ -101,8 +102,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
}
/**
* Loads all the suppression rules files configured in the {@link Settings}
* singleton.
* Loads all the suppression rules files configured in the {@link Settings}.
*
* @throws SuppressionParseException thrown if the XML cannot be parsed.
*/
@@ -114,7 +114,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
} catch (SAXException ex) {
throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
}
final String[] suppressionFilePaths = Settings.getArray(Settings.KEYS.SUPPRESSION_FILE);
final String[] suppressionFilePaths = getSettings().getArray(Settings.KEYS.SUPPRESSION_FILE);
if (suppressionFilePaths == null || suppressionFilePaths.length == 0) {
return;
}
@@ -144,12 +144,14 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
if (uriRx.matcher(suppressionFilePath).matches()) {
deleteTempFile = true;
file = FileUtils.getTempFile("suppression", "xml");
file = getSettings().getTempFile("suppression", "xml");
final URL url = new URL(suppressionFilePath);
Downloader downloader = new Downloader(getSettings());
try {
Downloader.fetchFile(url, file, false);
downloader.fetchFile(url, file, false);
} catch (DownloadFailedException ex) {
Downloader.fetchFile(url, file, true);
LOGGER.trace("Failed download - first attempt", ex);
downloader.fetchFile(url, file, true);
}
} else {
file = new File(suppressionFilePath);
@@ -158,7 +160,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
try (InputStream suppressionsFromClasspath = FileUtils.getResourceAsStream(suppressionFilePath)) {
if (suppressionsFromClasspath != null) {
deleteTempFile = true;
file = FileUtils.getTempFile("suppression", "xml");
file = getSettings().getTempFile("suppression", "xml");
try {
org.apache.commons.io.FileUtils.copyInputStreamToFile(suppressionsFromClasspath, file);
} catch (IOException ex) {

33
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java
View File

@@ -21,11 +21,22 @@ import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.utils.Settings;
/**
* <p>
* An interface that defines an Analyzer that is used to identify Dependencies.
* An analyzer will collect information about the dependency in the form of
* Evidence.
* Evidence.<p>
* <p>
* When the {@link org.owasp.dependencycheck.Engine} executes it will load the
* analyzers and call the methods in the following order:
* <ol>
* <li>{@link #initializeSettings(org.owasp.dependencycheck.utils.Settings)}</li>
* <li>{@link #initialize(org.owasp.dependencycheck.Engine)}</li>
* <li>{@link #analyze(org.owasp.dependencycheck.dependency.Dependency, org.owasp.dependencycheck.Engine)}</li>
* <li>{@link #close()}</li>
* </ol>
*
* @author Jeremy Long
*/
@@ -59,14 +70,22 @@ public interface Analyzer {
*/
AnalysisPhase getAnalysisPhase();
/**
* Initializes the analyzer with the configured settings.
*
* @param settings the configured settings
*/
public void initializeSettings(Settings settings);
/**
* The initialize method is called (once) prior to the analyze method being
* called on all of the dependencies.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException is thrown if an exception occurs
* initializing the analyzer.
*/
void initialize() throws InitializationException;
void initialize(Engine engine) throws InitializationException;
/**
* The close method is called after all of the dependencies have been
@@ -77,16 +96,20 @@ public interface Analyzer {
void close() throws Exception;
/**
* Returns whether multiple instances of the same type of analyzer can run in parallel.
* Note that running analyzers of different types in parallel is not supported at all.
* Returns whether multiple instances of the same type of analyzer can run
* in parallel. Note that running analyzers of different types in parallel
* is not supported at all.
*
* @return {@code true} if the analyzer supports parallel processing, {@code false} else
* @return {@code true} if the analyzer supports parallel processing,
* {@code false} else
*/
boolean supportsParallelProcessing();
/**
* Get the value of enabled.
*
* @return the value of enabled
*/
boolean isEnabled();
}

18
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
View File

@@ -18,8 +18,6 @@
package org.owasp.dependencycheck.analyzer;
import java.util.ArrayList;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.LoggerFactory;
import static java.util.Arrays.asList;
@@ -44,14 +42,20 @@ public class AnalyzerService {
* The service loader for analyzers.
*/
private final ServiceLoader<Analyzer> service;
/**
* The configured settings.
*/
private final boolean loadExperimental;
/**
* Creates a new instance of AnalyzerService.
*
* @param classLoader the ClassLoader to use when dynamically loading
* Analyzer and Update services
* @param loadExperimental whether or not to load the experimental analyzers
*/
public AnalyzerService(ClassLoader classLoader) {
public AnalyzerService(ClassLoader classLoader, boolean loadExperimental) {
this.loadExperimental = loadExperimental;
service = ServiceLoader.load(Analyzer.class, classLoader);
}
@@ -85,18 +89,12 @@ public class AnalyzerService {
private List<Analyzer> getAnalyzers(List<AnalysisPhase> phases) {
final List<Analyzer> analyzers = new ArrayList<>();
final Iterator<Analyzer> iterator = service.iterator();
boolean experimentalEnabled = false;
try {
experimentalEnabled = Settings.getBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
} catch (InvalidSettingException ex) {
LOGGER.error("invalid experimental setting", ex);
}
while (iterator.hasNext()) {
final Analyzer a = iterator.next();
if (!phases.contains(a.getAnalysisPhase())) {
continue;
}
if (!experimentalEnabled && a.getClass().isAnnotationPresent(Experimental.class)) {
if (!loadExperimental && a.getClass().isAnnotationPresent(Experimental.class)) {
continue;
}
LOGGER.debug("Loaded Analyzer {}", a.getName());

70
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
View File

@@ -80,21 +80,16 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* The max scan depth that the analyzer will recursively extract nested
* archives.
*/
private static final int MAX_SCAN_DEPTH = Settings.getInt("archive.scan.depth", 3);
private int maxScanDepth;
/**
* Tracks the current scan/extraction depth for nested archives.
*/
private int scanDepth = 0;
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
* The file filter used to filter supported files.
*/
private static final String ANALYZER_NAME = "Archive Analyzer";
/**
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INITIAL;
private FileFilter fileFilter = null;
/**
* The set of things we can handle with Zip methods
*/
@@ -106,35 +101,40 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2");
static {
final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
if (additionalZipExt != null) {
final String[] ext = additionalZipExt.split("\\s*,\\s*");
Collections.addAll(KNOWN_ZIP_EXT, ext);
}
EXTENSIONS.addAll(KNOWN_ZIP_EXT);
}
/**
* Detects files with extensions to remove from the engine's collection of
* dependencies.
*/
private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance()
.addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build();
/**
* The file filter used to filter supported files.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
/**
* Detects files with .zip extension.
*/
private static final FileFilter ZIP_FILTER = FileFilterBuilder.newInstance().addExtensions("zip").build();
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/
private static final String ANALYZER_NAME = "Archive Analyzer";
/**
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INITIAL;
/**
* Initializes the analyzer with the configured settings.
*
* @param settings the configured settings to use
*/
@Override
public void initializeSettings(Settings settings) {
super.initializeSettings(settings);
initializeSettings();
}
@Override
protected FileFilter getFileFilter() {
return FILTER;
return fileFilter;
}
/**
@@ -172,13 +172,14 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The initialize method does nothing for this Analyzer.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException is thrown if there is an exception
* deleting or creating temporary files
*/
@Override
public void initializeFileTypeAnalyzer() throws InitializationException {
public void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
try {
final File baseDir = Settings.getTempDirectory();
final File baseDir = getSettings().getTempDirectory();
tempFileLocation = File.createTempFile("check", "tmp", baseDir);
if (!tempFileLocation.delete()) {
setEnabled(false);
@@ -265,7 +266,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
//TODO - can we get more evidence from the parent? EAR contains module name, etc.
//analyze the dependency (i.e. extract files) if it is a supported type.
if (this.accept(d.getActualFile()) && scanDepth < MAX_SCAN_DEPTH) {
if (this.accept(d.getActualFile()) && scanDepth < maxScanDepth) {
scanDepth += 1;
analyze(d, engine);
scanDepth -= 1;
@@ -603,4 +604,19 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
}
return isJar;
}
/**
* Initializes settings used by the scanning functions of the archive
* analyzer.
*/
private void initializeSettings() {
maxScanDepth = getSettings().getInt("archive.scan.depth", 3);
final String additionalZipExt = getSettings().getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
if (additionalZipExt != null) {
final String[] ext = additionalZipExt.split("\\s*,\\s*");
Collections.addAll(KNOWN_ZIP_EXT, ext);
}
EXTENSIONS.addAll(KNOWN_ZIP_EXT);
fileFilter = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
}
}

9
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
View File

@@ -91,8 +91,8 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
// Use file.separator as a wild guess as to whether this is Windows
final List<String> args = new ArrayList<>();
if (!SystemUtils.IS_OS_WINDOWS) {
if (Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) {
args.add(Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH));
if (getSettings().getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) {
args.add(getSettings().getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH));
} else if (isInPath("mono")) {
args.add("mono");
} else {
@@ -207,14 +207,15 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
* Initialize the analyzer. In this case, extract GrokAssembly.exe to a
* temporary location.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException thrown if anything goes wrong
*/
@Override
public void initializeFileTypeAnalyzer() throws InitializationException {
public void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
final File tempFile;
final File cfgFile;
try {
tempFile = File.createTempFile("GKA", ".exe", Settings.getTempDirectory());
tempFile = File.createTempFile("GKA", ".exe", getSettings().getTempDirectory());
cfgFile = new File(tempFile.getPath() + ".config");
} catch (IOException ex) {
setEnabled(false);

3
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
View File

@@ -268,11 +268,12 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Initializes the file type analyzer.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException thrown if there is an exception during
* initialization
*/
@Override
protected void initializeFileTypeAnalyzer() throws InitializationException {
protected void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
// No initialization needed.
}
}

3
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
View File

@@ -125,11 +125,12 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Initializes the analyzer.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException thrown if an exception occurs getting an
* instance of SHA1
*/
@Override
protected void initializeFileTypeAnalyzer() throws InitializationException {
protected void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
try {
getSha1MessageDigest();
} catch (IllegalStateException ex) {

13
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View File

@@ -138,14 +138,14 @@ public class CPEAnalyzer extends AbstractAnalyzer {
/**
* Creates the CPE Lucene Index.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException is thrown if there is an issue opening
* the index.
*/
@Override
public void initializeAnalyzer() throws InitializationException {
public void initializeAnalyzer(Engine engine) throws InitializationException {
try {
this.open();
this.open(engine.getDatabase());
} catch (IOException ex) {
LOGGER.debug("Exception initializing the Lucene Index", ex);
throw new InitializationException("An exception occurred initializing the Lucene Index", ex);
@@ -158,15 +158,16 @@ public class CPEAnalyzer extends AbstractAnalyzer {
/**
* Opens the data source.
*
* @param cve a reference to the NVD CVE database
* @throws IOException when the Lucene directory to be queried does not
* exist or is corrupt.
* @throws DatabaseException when the database throws an exception. This
* usually occurs when the database is in use by another process.
*/
public void open() throws IOException, DatabaseException {
public void open(CveDB cve) throws IOException, DatabaseException {
if (!isOpen()) {
cve = CveDB.getInstance();
cpe = CpeMemoryIndex.getInstance();
this.cve = cve;
this.cpe = CpeMemoryIndex.getInstance();
try {
final long creationStart = System.currentTimeMillis();
cpe.open(cve);

33
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
View File

@@ -84,7 +84,18 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Field indicating if the analyzer is enabled.
*/
private final boolean enabled = checkEnabled();
private boolean enabled = true;
/**
* Initializes the analyzer with the configured settings.
*
* @param settings the configured settings to use
*/
@Override
public void initializeSettings(Settings settings) {
super.initializeSettings(settings);
enabled = checkEnabled();
}
/**
* Determine whether to enable this analyzer or not.
@@ -106,9 +117,9 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
boolean retVal = false;
try {
if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
|| NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
if (getSettings().getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
if (!getSettings().getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
|| NexusAnalyzer.DEFAULT_URL.equals(getSettings().getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
LOGGER.debug("Enabling the Central analyzer");
retVal = true;
} else {
@@ -126,20 +137,19 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Initializes the analyzer once before any analysis is performed.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException if there's an error during initialization
*/
@Override
public void initializeFileTypeAnalyzer() throws InitializationException {
public void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
LOGGER.debug("Initializing Central analyzer");
LOGGER.debug("Central analyzer enabled: {}", isEnabled());
if (isEnabled()) {
final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
LOGGER.debug("Central Analyzer URL: {}", searchUrl);
try {
searcher = new CentralSearch(new URL(searchUrl));
searcher = new CentralSearch(getSettings());
} catch (MalformedURLException ex) {
setEnabled(false);
throw new InitializationException("The configured URL to Maven Central is malformed: " + searchUrl, ex);
throw new InitializationException("The configured URL to Maven Central is malformed", ex);
}
}
}
@@ -214,7 +224,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
if (!pomAnalyzed && ma.getPomUrl() != null) {
File pomFile = null;
try {
final File baseDir = Settings.getTempDirectory();
final File baseDir = getSettings().getTempDirectory();
pomFile = File.createTempFile("pom", ".xml", baseDir);
if (!pomFile.delete()) {
LOGGER.warn("Unable to fetch pom.xml for {} from Central; "
@@ -222,7 +232,8 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.debug("Unable to delete temp file");
}
LOGGER.debug("Downloading {}", ma.getPomUrl());
Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
Downloader downloader = new Downloader(getSettings());
downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
PomUtils.analyzePOM(dependency, pomFile);
} catch (DownloadFailedException ex) {

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
View File

@@ -83,7 +83,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
}
@Override
protected void initializeFileTypeAnalyzer() {
protected void initializeFileTypeAnalyzer(Engine engine) {
// NO-OP
}

3
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
View File

@@ -79,11 +79,12 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Initializes the analyzer.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException thrown if an exception occurs getting an
* instance of SHA1
*/
@Override
protected void initializeFileTypeAnalyzer() throws InitializationException {
protected void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
try {
getSha1MessageDigest();
} catch (IllegalStateException ex) {

14
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
View File

@@ -110,10 +110,11 @@ public class HintAnalyzer extends AbstractAnalyzer {
/**
* The initialize method does nothing for this Analyzer.
*
* @param engine a reference the dependency-check engine
* @throws InitializationException thrown if there is an exception
*/
@Override
public void initializeAnalyzer() throws InitializationException {
public void initializeAnalyzer(Engine engine) throws InitializationException {
try {
loadHintRules();
} catch (HintParseException ex) {
@@ -224,7 +225,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
LOGGER.error("Unable to parse the base hint data file");
LOGGER.debug("Unable to parse the base hint data file", ex);
}
final String filePath = Settings.getString(Settings.KEYS.HINTS_FILE);
final String filePath = getSettings().getString(Settings.KEYS.HINTS_FILE);
if (filePath == null) {
return;
}
@@ -233,12 +234,13 @@ public class HintAnalyzer extends AbstractAnalyzer {
final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
if (uriRx.matcher(filePath).matches()) {
deleteTempFile = true;
file = FileUtils.getTempFile("hint", "xml");
file = getSettings().getTempFile("hint", "xml");
final URL url = new URL(filePath);
Downloader downloader = new Downloader(getSettings());
try {
Downloader.fetchFile(url, file, false);
downloader.fetchFile(url, file, false);
} catch (DownloadFailedException ex) {
Downloader.fetchFile(url, file, true);
downloader.fetchFile(url, file, true);
}
} else {
file = new File(filePath);
@@ -246,7 +248,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
try (InputStream fromClasspath = FileUtils.getResourceAsStream(filePath)) {
if (fromClasspath != null) {
deleteTempFile = true;
file = FileUtils.getTempFile("hint", "xml");
file = getSettings().getTempFile("hint", "xml");
try {
org.apache.commons.io.FileUtils.copyInputStreamToFile(fromClasspath, file);
} catch (IOException ex) {

46
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -264,13 +264,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Checks if the given dependency appears to be a macOS metadata file, returning true if its filename starts with a
* ._ prefix and if there is another dependency with the same filename minus the ._ prefix, otherwise it returns
* false.
* Checks if the given dependency appears to be a macOS metadata file,
* returning true if its filename starts with a ._ prefix and if there is
* another dependency with the same filename minus the ._ prefix, otherwise
* it returns false.
*
* @param dependency the dependency to check if it's a macOS metadata file
* @param engine the engine that is scanning the dependencies
* @return whether or not the given dependency appears to be a macOS metadata file
* @param engine the engine that is scanning the dependencies
* @return whether or not the given dependency appears to be a macOS
* metadata file
*/
private boolean isMacOSMetaDataFile(final Dependency dependency, final Engine engine) {
final String fileName = Paths.get(dependency.getActualFilePath()).getFileName().toString();
@@ -278,17 +280,19 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Iterates through the given list of dependencies and returns true when it finds a dependency with a filename
* matching the given filename, otherwise returns false.
* Iterates through the given list of dependencies and returns true when it
* finds a dependency with a filename matching the given filename, otherwise
* returns false.
*
* @param dependencies the dependencies to search within
* @param fileName the filename to search for
* @return whether or not the given dependencies contain a dependency with the given filename
* @param fileName the filename to search for
* @return whether or not the given dependencies contain a dependency with
* the given filename
*/
private boolean hasDependencyWithFilename(final List<Dependency> dependencies, final String fileName) {
for (final Dependency dependency : dependencies) {
if (Paths.get(dependency.getActualFilePath()).getFileName().toString().toLowerCase()
.equals(fileName.toLowerCase())) {
.equals(fileName.toLowerCase())) {
return true;
}
}
@@ -296,23 +300,24 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Attempts to read the first bytes of the given dependency (using its actual file path) and returns true if they
* match the expected first bytes of a zip file, which may be empty or spanned. If they don't match, or if the file
* could not be read, then it returns false.
* Attempts to read the first bytes of the given dependency (using its
* actual file path) and returns true if they match the expected first bytes
* of a zip file, which may be empty or spanned. If they don't match, or if
* the file could not be read, then it returns false.
*
* @param dependency the dependency to check if it's a zip file
* @return whether or not the given dependency appears to be a zip file from its first bytes
* @return whether or not the given dependency appears to be a zip file from
* its first bytes
*/
private boolean isZipFile(final Dependency dependency) {
final byte[] buffer = new byte[4];
try (final FileInputStream fileInputStream = new FileInputStream(dependency.getActualFilePath())) {
fileInputStream.read(buffer);
if (Arrays.equals(buffer, ZIP_FIRST_BYTES) || Arrays.equals(buffer, ZIP_EMPTY_FIRST_BYTES) ||
Arrays.equals(buffer, ZIP_SPANNED_FIRST_BYTES)) {
if (Arrays.equals(buffer, ZIP_FIRST_BYTES) || Arrays.equals(buffer, ZIP_EMPTY_FIRST_BYTES)
|| Arrays.equals(buffer, ZIP_SPANNED_FIRST_BYTES)) {
return true;
}
}
catch (Exception e) {
} catch (Exception e) {
LOGGER.warn("Unable to check if '{}' is a zip file", dependency.getActualFilePath());
LOGGER.trace("", e);
}
@@ -911,13 +916,14 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Initializes the JarAnalyzer.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException is thrown if there is an exception
* creating a temporary directory
*/
@Override
public void initializeFileTypeAnalyzer() throws InitializationException {
public void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
try {
final File baseDir = Settings.getTempDirectory();
final File baseDir = getSettings().getTempDirectory();
tempFileLocation = File.createTempFile("check", "tmp", baseDir);
if (!tempFileLocation.delete()) {
final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());

40
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
View File

@@ -95,7 +95,18 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Field indicating if the analyzer is enabled.
*/
private final boolean enabled = checkEnabled();
private boolean enabled = true;
/**
* Initializes the analyzer with the configured settings.
*
* @param settings the configured settings to use
*/
@Override
public void initializeSettings(Settings settings) {
super.initializeSettings(settings);
enabled = checkEnabled();
}
/**
* Determines if this analyzer is enabled
@@ -110,8 +121,8 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
*/
boolean retval = false;
try {
if (!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))
&& Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
if (!DEFAULT_URL.equals(getSettings().getString(Settings.KEYS.ANALYZER_NEXUS_URL))
&& getSettings().getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
LOGGER.info("Enabling Nexus analyzer");
retval = true;
} else {
@@ -137,25 +148,25 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Initializes the analyzer once before any analysis is performed.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException if there's an error during initialization
*/
@Override
public void initializeFileTypeAnalyzer() throws InitializationException {
public void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
LOGGER.debug("Initializing Nexus Analyzer");
LOGGER.debug("Nexus Analyzer enabled: {}", isEnabled());
if (isEnabled()) {
final boolean useProxy = useProxy();
final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
LOGGER.debug("Nexus Analyzer URL: {}", searchUrl);
LOGGER.debug("Using proxy: {}", useProxy);
try {
searcher = new NexusSearch(new URL(searchUrl), useProxy);
searcher = new NexusSearch(getSettings(), useProxy);
if (!searcher.preflightRequest()) {
setEnabled(false);
throw new InitializationException("There was an issue getting Nexus status. Disabling analyzer.");
}
} catch (MalformedURLException mue) {
setEnabled(false);
throw new InitializationException("Malformed URL to Nexus: " + searchUrl, mue);
throw new InitializationException("Malformed URL to Nexus", mue);
}
}
}
@@ -232,7 +243,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
if (!pomAnalyzed && ma.getPomUrl() != null) {
File pomFile = null;
try {
final File baseDir = Settings.getTempDirectory();
final File baseDir = getSettings().getTempDirectory();
pomFile = File.createTempFile("pom", ".xml", baseDir);
if (!pomFile.delete()) {
LOGGER.warn("Unable to fetch pom.xml for {} from Nexus repository; "
@@ -240,7 +251,8 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.debug("Unable to delete temp file");
}
LOGGER.debug("Downloading {}", ma.getPomUrl());
Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
Downloader downloader = new Downloader(getSettings());
downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
PomUtils.analyzePOM(dependency, pomFile);
} catch (DownloadFailedException ex) {
LOGGER.warn("Unable to download pom.xml for {} from Nexus repository; "
@@ -266,14 +278,14 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Determine if a proxy should be used.
* Determine if a proxy should be used for the Nexus Analyzer.
*
* @return {@code true} if a proxy should be used
*/
public static boolean useProxy() {
public boolean useProxy() {
try {
return Settings.getString(Settings.KEYS.PROXY_SERVER) != null
&& Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY);
return getSettings().getString(Settings.KEYS.PROXY_SERVER) != null
&& getSettings().getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY);
} catch (InvalidSettingException ise) {
LOGGER.warn("Failed to parse proxy settings.", ise);
return false;

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
View File

@@ -85,7 +85,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
}
@Override
protected void initializeFileTypeAnalyzer() throws InitializationException {
protected void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
// NO-OP
}
@@ -123,7 +123,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
@Override
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
final File file = dependency.getActualFile();
if (!file.isFile() || file.length()==0) {
if (!file.isFile() || file.length() == 0) {
return;
}
try (JsonReader jsonReader = Json.createReader(FileUtils.openInputStream(file))) {

14
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
View File

@@ -100,17 +100,17 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Initializes the analyzer once before any analysis is performed.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException if there's an error during initialization
*/
@Override
public void initializeFileTypeAnalyzer() throws InitializationException {
public void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
LOGGER.debug("Initializing {}", getName());
final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NSP_URL, DEFAULT_URL);
try {
searcher = new NspSearch(new URL(searchUrl));
searcher = new NspSearch(getSettings());
} catch (MalformedURLException ex) {
setEnabled(false);
throw new InitializationException("The configured URL to Node Security Platform is malformed: " + searchUrl, ex);
throw new InitializationException("The configured URL to Node Security Platform is malformed", ex);
}
}
@@ -148,7 +148,7 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
@Override
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
final File file = dependency.getActualFile();
if (!file.isFile() || file.length()==0) {
if (!file.isFile() || file.length() == 0) {
return;
}
try (JsonReader jsonReader = Json.createReader(FileUtils.openInputStream(file))) {
@@ -276,8 +276,8 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Processes a part of package.json (as defined by JsonArray) and update
* the specified dependency with relevant info.
* Processes a part of package.json (as defined by JsonArray) and update the
* specified dependency with relevant info.
*
* @param dependency the Dependency to update
* @param jsonArray the jsonArray to parse

3
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
View File

@@ -69,10 +69,11 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Initializes the analyzer once before any analysis is performed.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException if there's an error during initialization
*/
@Override
public void initializeFileTypeAnalyzer() throws InitializationException {
public void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
//nothing to initialize
}

32
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
View File

@@ -50,19 +50,6 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
*/
private CveDB cveDB;
/**
* Opens the data source.
*
* @throws SQLException thrown when there is a SQL Exception
* @throws IOException thrown when there is an IO Exception
* @throws DatabaseException thrown when there is a database exceptions
* @throws ClassNotFoundException thrown if the h2 database driver cannot be
* loaded
*/
public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
cveDB = CveDB.getInstance();
}
/**
* Closes the data source.
*/
@@ -150,25 +137,12 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
/**
* Opens the database used to gather NVD CVE data.
*
* @param engine a reference the dependency-check engine
* @throws InitializationException is thrown if there is an issue opening
* the index.
*/
@Override
public void initializeAnalyzer() throws InitializationException {
try {
this.open();
} catch (SQLException ex) {
LOGGER.debug("SQL Exception initializing NvdCveAnalyzer", ex);
throw new InitializationException(ex);
} catch (IOException ex) {
LOGGER.debug("IO Exception initializing NvdCveAnalyzer", ex);
throw new InitializationException(ex);
} catch (DatabaseException ex) {
LOGGER.debug("Database Exception initializing NvdCveAnalyzer", ex);
throw new InitializationException(ex);
} catch (ClassNotFoundException ex) {
LOGGER.debug("Exception initializing NvdCveAnalyzer", ex);
throw new InitializationException(ex);
}
public void initializeAnalyzer(Engine engine) throws InitializationException {
this.cveDB = engine.getDatabase();
}
}

3
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
View File

@@ -146,10 +146,11 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
/**
* No-op initializer implementation.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException never thrown
*/
@Override
protected void initializeFileTypeAnalyzer() throws InitializationException {
protected void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
// Nothing to do here.
}

5
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
View File

@@ -241,13 +241,14 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Makes sure a usable temporary directory is available.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException an AnalyzeException is thrown when the
* temp directory cannot be created
*/
@Override
protected void initializeFileTypeAnalyzer() throws InitializationException {
protected void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
try {
final File baseDir = Settings.getTempDirectory();
final File baseDir = getSettings().getTempDirectory();
tempFileLocation = File.createTempFile("check", "tmp", baseDir);
if (!tempFileLocation.delete()) {
setEnabled(false);

3
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
View File

@@ -143,10 +143,11 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
/**
* No-op initializer implementation.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException never thrown
*/
@Override
protected void initializeFileTypeAnalyzer() throws InitializationException {
protected void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
// Nothing to do here.
}

49
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
View File

@@ -90,7 +90,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The DAL.
*/
private CveDB cvedb;
private CveDB cvedb = null;
/**
* @return a filter that accepts files named Gemfile.lock
@@ -113,7 +113,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
throw new AnalysisException(String.format("%s should have been a directory.", folder.getAbsolutePath()));
}
final List<String> args = new ArrayList<>();
final String bundleAuditPath = Settings.getString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH);
final String bundleAuditPath = getSettings().getString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH);
File bundleAudit = null;
if (bundleAuditPath != null) {
bundleAudit = new File(bundleAuditPath);
@@ -140,22 +140,18 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
* Initialize the analyzer. In this case, extract GrokAssembly.exe to a
* temporary location.
*
* @param engine a reference to the dependency-check engine
* @throws InitializationException if anything goes wrong
*/
@Override
public void initializeFileTypeAnalyzer() throws InitializationException {
try {
cvedb = CveDB.getInstance();
} catch (DatabaseException ex) {
LOGGER.warn("Exception opening the database");
LOGGER.debug("error", ex);
setEnabled(false);
throw new InitializationException("Error connecting to the database", ex);
}
public void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
// Now, need to see if bundle-audit actually runs from this location.
if (engine != null) {
this.cvedb = engine.getDatabase();
}
Process process = null;
try {
process = launchBundleAudit(Settings.getTempDirectory());
process = launchBundleAudit(getSettings().getTempDirectory());
} catch (AnalysisException ae) {
setEnabled(false);
@@ -208,17 +204,6 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
}
}
/**
* Closes the data source.
*/
@Override
public void closeAnalyzer() {
if (cvedb != null) {
cvedb.close();
cvedb = null;
}
}
/**
* Returns the name of the analyzer.
*
@@ -413,13 +398,21 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
final String criticality = nextLine.substring(CRITICALITY.length()).trim();
float score = -1.0f;
Vulnerability v = null;
try {
v = cvedb.getVulnerability(vulnerability.getName());
} catch (DatabaseException ex) {
LOGGER.debug("Unable to look up vulnerability {}", vulnerability.getName());
if (cvedb != null) {
try {
v = cvedb.getVulnerability(vulnerability.getName());
} catch (DatabaseException ex) {
LOGGER.debug("Unable to look up vulnerability {}", vulnerability.getName());
}
}
if (v != null) {
score = v.getCvssScore();
vulnerability.setCvssAccessComplexity(v.getCvssAccessComplexity());
vulnerability.setCvssAccessVector(v.getCvssAccessVector());
vulnerability.setCvssAuthentication(v.getCvssAuthentication());
vulnerability.setCvssAvailabilityImpact(v.getCvssAvailabilityImpact());
vulnerability.setCvssConfidentialityImpact(v.getCvssConfidentialityImpact());
vulnerability.setCvssIntegrityImpact(v.getCvssIntegrityImpact());
} else if ("High".equalsIgnoreCase(criticality)) {
score = 8.5f;
} else if ("Medium".equalsIgnoreCase(criticality)) {
@@ -477,7 +470,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
* @throws IOException thrown if a temporary gem file could not be written
*/
private Dependency createDependencyForGem(Engine engine, String parentName, String fileName, String filePath, String gem) throws IOException {
final File gemFile = new File(Settings.getTempDirectory(), gem + "_Gemfile.lock");
final File gemFile = new File(getSettings().getTempDirectory(), gem + "_Gemfile.lock");
if (!gemFile.createNewFile()) {
throw new IOException("Unable to create temporary gem file");
}

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
View File

@@ -89,7 +89,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
}
@Override
protected void initializeFileTypeAnalyzer() throws InitializationException {
protected void initializeFileTypeAnalyzer(Engine engine) throws InitializationException {
// NO-OP
}

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
View File

@@ -80,7 +80,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
}
@Override
protected void initializeFileTypeAnalyzer() {
protected void initializeFileTypeAnalyzer(Engine engine) {
// NO-OP
}

23
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
View File

@@ -20,6 +20,7 @@ package org.owasp.dependencycheck.data.central;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
@@ -60,16 +61,25 @@ public class CentralSearch {
* Used for logging.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(CentralSearch.class);
/**
* The configured settings.
*/
private final Settings settings;
/**
* Creates a NexusSearch for the given repository URL.
*
* @param rootURL the URL of the repository on which searches should
* execute. Only parameters are added to this (so it should end in /select)
* @param settings the configured settings
* @throws java.net.MalformedURLException thrown if the configured URL is
* invalid
*/
public CentralSearch(URL rootURL) {
this.rootURL = rootURL;
if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)) {
public CentralSearch(Settings settings) throws MalformedURLException {
this.settings = settings;
final String searchUrl = settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
LOGGER.debug("Central Search URL: {}", searchUrl);
this.rootURL = new URL(searchUrl);
if (null != settings.getString(Settings.KEYS.PROXY_SERVER)) {
useProxy = true;
LOGGER.debug("Using proxy");
} else {
@@ -101,7 +111,8 @@ public class CentralSearch {
// 1) If the proxy is set, AND the setting is set to true, use the proxy
// 2) Otherwise, don't use the proxy (either the proxy isn't configured,
// or proxy is specifically set to false)
final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
final URLConnectionFactory factory = new URLConnectionFactory(settings);
final HttpURLConnection conn = factory.createHttpURLConnection(url, useProxy);
conn.setDoOutput(true);

27
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
View File

@@ -20,12 +20,14 @@ package org.owasp.dependencycheck.data.nexus;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.URLConnectionFactory;
import org.owasp.dependencycheck.utils.XmlUtils;
@@ -50,6 +52,10 @@ public class NexusSearch {
* Whether to use the Proxy when making requests.
*/
private final boolean useProxy;
/**
* The configured settings.
*/
private final Settings settings;
/**
* Used for logging.
*/
@@ -58,15 +64,18 @@ public class NexusSearch {
/**
* Creates a NexusSearch for the given repository URL.
*
* @param rootURL the root URL of the repository on which searches should
* execute. full URL's are calculated relative to this URL, so it should end
* with a /
* @param settings the configured settings
* @param useProxy flag indicating if the proxy settings should be used
* @throws java.net.MalformedURLException thrown if the configured URL is invalid
*/
public NexusSearch(URL rootURL, boolean useProxy) {
this.rootURL = rootURL;
public NexusSearch(Settings settings, boolean useProxy) throws MalformedURLException {
this.settings = settings;
this.useProxy = useProxy;
LOGGER.debug("Using proxy: {}", useProxy);
final String searchUrl = settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
LOGGER.debug("Nexus Search URL: {}", searchUrl);
this.rootURL = new URL(searchUrl);
}
/**
@@ -94,7 +103,8 @@ public class NexusSearch {
// 2) Otherwise, don't use the proxy (either the proxy isn't configured,
// or proxy is specifically set to false
HttpURLConnection conn;
conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
URLConnectionFactory factory = new URLConnectionFactory(settings);
conn = factory.createHttpURLConnection(url, useProxy);
conn.setDoOutput(true);
// JSON would be more elegant, but there's not currently a dependency
@@ -159,7 +169,8 @@ public class NexusSearch {
HttpURLConnection conn;
try {
final URL url = new URL(rootURL, "status");
conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
URLConnectionFactory factory = new URLConnectionFactory(settings);
conn = factory.createHttpURLConnection(url, useProxy);
conn.addRequestProperty("Accept", "application/xml");
conn.connect();
if (conn.getResponseCode() != 200) {

24
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java
View File

@@ -23,6 +23,7 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
@@ -36,6 +37,7 @@ import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonReader;
import static org.owasp.dependencycheck.analyzer.NspAnalyzer.DEFAULT_URL;
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
/**
@@ -54,7 +56,10 @@ public class NspSearch {
* Whether to use the Proxy when making requests.
*/
private final boolean useProxy;
/**
* The configured settings.
*/
private final Settings settings;
/**
* Used for logging.
*/
@@ -63,11 +68,16 @@ public class NspSearch {
/**
* Creates a NspSearch for the given repository URL.
*
* @param nspCheckUrl the URL to the public NSP check API
* @param settings the configured settings
* @throws java.net.MalformedURLException thrown if the configured URL is
* invalid
*/
public NspSearch(URL nspCheckUrl) {
this.nspCheckUrl = nspCheckUrl;
if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)) {
public NspSearch(Settings settings) throws MalformedURLException {
final String searchUrl = settings.getString(Settings.KEYS.ANALYZER_NSP_URL, DEFAULT_URL);
LOGGER.debug("NSP Search URL: {}", searchUrl);
this.nspCheckUrl = new URL(searchUrl);
this.settings = settings;
if (null != settings.getString(Settings.KEYS.PROXY_SERVER)) {
useProxy = true;
LOGGER.debug("Using proxy");
} else {
@@ -90,8 +100,8 @@ public class NspSearch {
try {
final List<Advisory> result = new ArrayList<>();
final byte[] packageDatabytes = packageJson.toString().getBytes(StandardCharsets.UTF_8);
final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(nspCheckUrl, useProxy);
final URLConnectionFactory factory = new URLConnectionFactory(settings);
final HttpURLConnection conn = factory.createHttpURLConnection(nspCheckUrl, useProxy);
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setRequestMethod("POST");

97
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
View File

@@ -50,10 +50,6 @@ public final class ConnectionFactory {
* The Logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(ConnectionFactory.class);
/**
* The version of the current DB Schema.
*/
public static final String DB_SCHEMA_VERSION = Settings.getString(Settings.KEYS.DB_VERSION);
/**
* Resource location for SQL file used to create the database schema.
*/
@@ -69,29 +65,36 @@ public final class ConnectionFactory {
/**
* The database driver used to connect to the database.
*/
private static Driver driver = null;
private Driver driver = null;
/**
* The database connection string.
*/
private static String connectionString = null;
private String connectionString = null;
/**
* The username to connect to the database.
*/
private static String userName = null;
private String userName = null;
/**
* The password for the database.
*/
private static String password = null;
private String password = null;
/**
* Counter to ensure that calls to ensureSchemaVersion does not end up in an
* endless loop.
*/
private static int callDepth = 0;
private int callDepth = 0;
/**
* The configured settings.
*/
private final Settings settings;
/**
* Private constructor for this factory class; no instance is ever needed.
*
* @param settings the configured settings
*/
private ConnectionFactory() {
public ConnectionFactory(Settings settings) {
this.settings = settings;
}
/**
@@ -101,7 +104,7 @@ public final class ConnectionFactory {
* @throws DatabaseException thrown if we are unable to connect to the
* database
*/
public static void initialize() throws DatabaseException {
public void initialize() throws DatabaseException {
//this only needs to be called once.
if (connectionString != null) {
return;
@@ -109,10 +112,10 @@ public final class ConnectionFactory {
Connection conn = null;
try {
//load the driver if necessary
final String driverName = Settings.getString(Settings.KEYS.DB_DRIVER_NAME, "");
if (!driverName.isEmpty()) { //likely need to load the correct driver
final String driverName = settings.getString(Settings.KEYS.DB_DRIVER_NAME, "");
if (!driverName.isEmpty()) {
LOGGER.debug("Loading driver: {}", driverName);
final String driverPath = Settings.getString(Settings.KEYS.DB_DRIVER_PATH, "");
final String driverPath = settings.getString(Settings.KEYS.DB_DRIVER_PATH, "");
try {
if (!driverPath.isEmpty()) {
LOGGER.debug("Loading driver from: {}", driverPath);
@@ -125,11 +128,11 @@ public final class ConnectionFactory {
throw new DatabaseException("Unable to load database driver", ex);
}
}
userName = Settings.getString(Settings.KEYS.DB_USER, "dcuser");
userName = settings.getString(Settings.KEYS.DB_USER, "dcuser");
//yes, yes - hard-coded password - only if there isn't one in the properties file.
password = Settings.getString(Settings.KEYS.DB_PASSWORD, "DC-Pass1337!");
password = settings.getString(Settings.KEYS.DB_PASSWORD, "DC-Pass1337!");
try {
connectionString = Settings.getConnectionString(
connectionString = settings.getConnectionString(
Settings.KEYS.DB_CONNECTION_STRING,
Settings.KEYS.DB_FILE_NAME);
} catch (IOException ex) {
@@ -158,7 +161,7 @@ public final class ConnectionFactory {
connectionString = connectionString.replace("AUTO_SERVER=TRUE;", "");
try {
conn = DriverManager.getConnection(connectionString, userName, password);
Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
LOGGER.debug("Unable to start the database in server mode; reverting to single user mode");
} catch (SQLException sqlex) {
LOGGER.debug("Unable to connect to the database", ex);
@@ -201,16 +204,9 @@ public final class ConnectionFactory {
* finalize method being called as during shutdown the class loader used to
* load the driver may be unloaded prior to the driver being de-registered.
*/
public static void cleanup() {
public void cleanup() {
if (driver != null) {
try {
DriverManager.deregisterDriver(driver);
} catch (SQLException ex) {
LOGGER.debug("An error occurred unloading the database driver", ex);
} catch (Throwable unexpected) {
LOGGER.debug(
"An unexpected throwable occurred unloading the database driver", unexpected);
}
DriverLoader.cleanup(driver);
driver = null;
}
connectionString = null;
@@ -226,7 +222,7 @@ public final class ConnectionFactory {
* @throws DatabaseException thrown if there is an exception loading the
* database connection
*/
public static Connection getConnection() throws DatabaseException {
public Connection getConnection() throws DatabaseException {
initialize();
Connection conn = null;
try {
@@ -246,9 +242,21 @@ public final class ConnectionFactory {
* @throws IOException thrown if the data directory does not exist and
* cannot be created
*/
public static boolean h2DataFileExists() throws IOException {
final File dir = Settings.getDataDirectory();
final String fileName = Settings.getString(Settings.KEYS.DB_FILE_NAME);
public boolean h2DataFileExists() throws IOException {
return h2DataFileExists(settings);
}
/**
* Determines if the H2 database file exists. If it does not exist then the
* data structure will need to be created.
*
* @param configuration the configured settings
* @return true if the H2 database file does not exist; otherwise false
* @throws IOException thrown if the data directory does not exist and
* cannot be created
*/
public static boolean h2DataFileExists(Settings configuration) throws IOException {
final File dir = configuration.getDataDirectory();
final String fileName = configuration.getString(Settings.KEYS.DB_FILE_NAME);
final File file = new File(dir, fileName);
return file.exists();
}
@@ -258,10 +266,20 @@ public final class ConnectionFactory {
*
* @return true if the connection string is for an H2 database
*/
public static boolean isH2Connection() {
public boolean isH2Connection() {
return isH2Connection(settings);
}
/**
* Determines if the connection string is for an H2 database.
*
* @param configuration the configured settings
* @return true if the connection string is for an H2 database
*/
public static boolean isH2Connection(Settings configuration) {
String connStr;
try {
connStr = Settings.getConnectionString(
connStr = configuration.getConnectionString(
Settings.KEYS.DB_CONNECTION_STRING,
Settings.KEYS.DB_FILE_NAME);
} catch (IOException ex) {
@@ -278,7 +296,7 @@ public final class ConnectionFactory {
* @param conn the database connection
* @throws DatabaseException thrown if there is a Database Exception
*/
private static void createTables(Connection conn) throws DatabaseException {
private void createTables(Connection conn) throws DatabaseException {
LOGGER.debug("Creating database structure");
InputStream is = null;
try {
@@ -315,7 +333,7 @@ public final class ConnectionFactory {
* @throws DatabaseException thrown if there is an exception upgrading the
* database schema
*/
private static void updateSchema(Connection conn, DependencyVersion appExpectedVersion, DependencyVersion currentDbVersion)
private void updateSchema(Connection conn, DependencyVersion appExpectedVersion, DependencyVersion currentDbVersion)
throws DatabaseException {
final String databaseProductName;
@@ -363,7 +381,7 @@ public final class ConnectionFactory {
final int c1 = Integer.parseInt(currentDbVersion.getVersionParts().get(1));
if (e0 == c0 && e1 < c1) {
LOGGER.warn("A new version of dependency-check is available; consider upgrading");
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
} else if (e0 == c0 && e1 == c1) {
//do nothing - not sure how we got here, but just in case...
} else {
@@ -382,7 +400,7 @@ public final class ConnectionFactory {
* @throws DatabaseException thrown if the schema version is not compatible
* with this version of dependency-check
*/
private static void ensureSchemaVersion(Connection conn) throws DatabaseException {
private void ensureSchemaVersion(Connection conn) throws DatabaseException {
ResultSet rs = null;
PreparedStatement ps = null;
try {
@@ -390,7 +408,8 @@ public final class ConnectionFactory {
ps = conn.prepareStatement("SELECT value FROM properties WHERE id = 'version'");
rs = ps.executeQuery();
if (rs.next()) {
final DependencyVersion appDbVersion = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
final String dbSchemaVersion = settings.getString(Settings.KEYS.DB_VERSION);
final DependencyVersion appDbVersion = DependencyVersionUtil.parseVersion(dbSchemaVersion);
if (appDbVersion == null) {
throw new DatabaseException("Invalid application database schema");
}
@@ -399,7 +418,7 @@ public final class ConnectionFactory {
throw new DatabaseException("Invalid database schema");
}
if (appDbVersion.compareTo(db) > 0) {
LOGGER.debug("Current Schema: {}", DB_SCHEMA_VERSION);
LOGGER.debug("Current Schema: {}", dbSchemaVersion);
LOGGER.debug("DB Schema: {}", rs.getString(1));
updateSchema(conn, appDbVersion, db);
if (++callDepth < 10) {

109
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
View File

@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.data.nvdcve;
import java.io.File;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.sql.Connection;
@@ -64,19 +65,14 @@ import static org.owasp.dependencycheck.data.nvdcve.CveDB.PreparedStatementCveDb
@ThreadSafe
public final class CveDB implements AutoCloseable {
/**
* Singleton instance of the CveDB.
*/
private static CveDB instance = null;
/**
* Track the number of current users of the CveDB; so that if someone is
* using database another user cannot close the connection on them.
*/
private int usageCount = 0;
/**
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(CveDB.class);
/**
* The database connection factory.
*/
private final ConnectionFactory connectionFactory;
/**
* Database connection
*/
@@ -100,6 +96,10 @@ public final class CveDB implements AutoCloseable {
*/
@SuppressWarnings("unchecked")
private final Map<String, List<Vulnerability>> vulnerabilitiesForCpeCache = Collections.synchronizedMap(new ReferenceMap(HARD, SOFT));
/**
* The configured settings
*/
private final Settings settings;
/**
* The enum value names must match the keys of the statements in the
@@ -196,31 +196,19 @@ public final class CveDB implements AutoCloseable {
UPDATE_VULNERABILITY
}
/**
* Gets the CveDB singleton object.
*
* @return the CveDB singleton
* @throws DatabaseException thrown if there is a database error
*/
public static synchronized CveDB getInstance() throws DatabaseException {
if (instance == null) {
instance = new CveDB();
}
if (!instance.isOpen()) {
instance.open();
}
instance.usageCount += 1;
return instance;
}
/**
* Creates a new CveDB object and opens the database connection. Note, the
* connection must be closed by the caller by calling the close method.
*
* @param settings the configured settings
* @throws DatabaseException thrown if there is an exception opening the
* database.
*/
private CveDB() throws DatabaseException {
public CveDB(Settings settings) throws DatabaseException {
this.settings = settings;
connectionFactory = new ConnectionFactory(settings);
connectionFactory.initialize();
open();
}
/**
@@ -229,7 +217,7 @@ public final class CveDB implements AutoCloseable {
* @param conn the database connection
* @return the product name of the database if successful, {@code null} else
*/
private static String determineDatabaseProductName(Connection conn) {
private String determineDatabaseProductName(Connection conn) {
try {
final String databaseProductName = conn.getMetaData().getDatabaseProductName().toLowerCase();
LOGGER.debug("Database product: {}", databaseProductName);
@@ -240,16 +228,6 @@ public final class CveDB implements AutoCloseable {
}
}
/**
* Method added for testing, returns the current usage count of the CveDB
* singleton.
*
* @return the current usage of the CveDB singleton
*/
protected synchronized int getUsageCount() {
return usageCount;
}
/**
* Opens the database connection. If the database does not exist, it will
* create a new one.
@@ -259,14 +237,14 @@ public final class CveDB implements AutoCloseable {
*/
private synchronized void open() throws DatabaseException {
try {
if (!instance.isOpen()) {
instance.connection = ConnectionFactory.getConnection();
final String databaseProductName = determineDatabaseProductName(instance.connection);
instance.statementBundle = databaseProductName != null
if (!isOpen()) {
connection = connectionFactory.getConnection();
final String databaseProductName = determineDatabaseProductName(this.connection);
statementBundle = databaseProductName != null
? ResourceBundle.getBundle("data/dbStatements", new Locale(databaseProductName))
: ResourceBundle.getBundle("data/dbStatements");
instance.prepareStatements();
instance.databaseProperties = new DatabaseProperties(instance);
prepareStatements();
databaseProperties = new DatabaseProperties(this);
}
} catch (DatabaseException e) {
releaseResources();
@@ -280,23 +258,20 @@ public final class CveDB implements AutoCloseable {
*/
@Override
public synchronized void close() {
if (instance != null) {
instance.usageCount -= 1;
if (instance.usageCount <= 0 && instance.isOpen()) {
instance.usageCount = 0;
clearCache();
instance.closeStatements();
try {
instance.connection.close();
} catch (SQLException ex) {
LOGGER.error("There was an error attempting to close the CveDB, see the log for more details.");
LOGGER.debug("", ex);
} catch (Throwable ex) {
LOGGER.error("There was an exception attempting to close the CveDB, see the log for more details.");
LOGGER.debug("", ex);
}
releaseResources();
if (isOpen()) {
clearCache();
closeStatements();
try {
connection.close();
} catch (SQLException ex) {
LOGGER.error("There was an error attempting to close the CveDB, see the log for more details.");
LOGGER.debug("", ex);
} catch (Throwable ex) {
LOGGER.error("There was an exception attempting to close the CveDB, see the log for more details.");
LOGGER.debug("", ex);
}
releaseResources();
connectionFactory.cleanup();
}
}
@@ -304,10 +279,10 @@ public final class CveDB implements AutoCloseable {
* Releases the resources used by CveDB.
*/
private synchronized void releaseResources() {
instance.statementBundle = null;
instance.preparedStatements.clear();
instance.databaseProperties = null;
instance.connection = null;
statementBundle = null;
preparedStatements.clear();
databaseProperties = null;
connection = null;
}
/**
@@ -836,15 +811,15 @@ public final class CveDB implements AutoCloseable {
} catch (Exception ex) {
String dd;
try {
dd = Settings.getDataDirectory().getAbsolutePath();
dd = settings.getDataDirectory().getAbsolutePath();
} catch (IOException ex1) {
dd = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
dd = settings.getString(Settings.KEYS.DATA_DIRECTORY);
}
LOGGER.error("Unable to access the local database.\n\nEnsure that '{}' is a writable directory. "
+ "If the problem persist try deleting the files in '{}' and running {} again. If the problem continues, please "
+ "create a log file (see documentation at http://jeremylong.github.io/DependencyCheck/) and open a ticket at "
+ "https://github.com/jeremylong/DependencyCheck/issues and include the log file.\n\n",
dd, dd, Settings.getString(Settings.KEYS.APPLICATION_NAME));
dd, dd, settings.getString(Settings.KEYS.APPLICATION_NAME));
LOGGER.debug("", ex);
} finally {
DBUtils.closeResultSet(rs);

41
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
View File

@@ -44,6 +44,21 @@ public final class DriverLoader {
*/
private static final Logger LOGGER = LoggerFactory.getLogger(DriverLoader.class);
/**
* De-registers the driver.
*
* @param driver the driver to de-register
*/
public static void cleanup(Driver driver) {
try {
DriverManager.deregisterDriver(driver);
} catch (SQLException ex) {
LOGGER.debug("An error occurred unloading the database driver", ex);
} catch (Throwable unexpected) {
LOGGER.debug("An unexpected throwable occurred unloading the database driver", unexpected);
}
}
/**
* Private constructor for a utility class.
*/
@@ -51,25 +66,30 @@ public final class DriverLoader {
}
/**
* Loads the specified class using the system class loader and registers the driver with the driver manager.
* Loads the specified class using the system class loader and registers the
* driver with the driver manager.
*
* @param className the fully qualified name of the desired class
* @return the loaded Driver
* @throws DriverLoadException thrown if the driver cannot be loaded
*/
public static Driver load(String className) throws DriverLoadException {
final ClassLoader loader = DriverLoader.class.getClassLoader(); //ClassLoader.getSystemClassLoader();
final ClassLoader loader = DriverLoader.class.getClassLoader();
return load(className, loader);
}
/**
* Loads the specified class by registering the supplied paths to the class loader and then registers the driver with the
* driver manager. The pathToDriver argument is added to the class loader so that an external driver can be loaded. Note, the
* pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added as needed. If a path in the
* pathToDriver argument is a directory all files in the directory are added to the class path.
* Loads the specified class by registering the supplied paths to the class
* loader and then registers the driver with the driver manager. The
* pathToDriver argument is added to the class loader so that an external
* driver can be loaded. Note, the pathToDriver can contain a semi-colon
* separated list of paths so any dependencies can be added as needed. If a
* path in the pathToDriver argument is a directory all files in the
* directory are added to the class path.
*
* @param className the fully qualified name of the desired class
* @param pathToDriver the path to the JAR file containing the driver; note, this can be a semi-colon separated list of paths
* @param pathToDriver the path to the JAR file containing the driver; note,
* this can be a semi-colon separated list of paths
* @return the loaded Driver
* @throws DriverLoadException thrown if the driver cannot be loaded
*/
@@ -113,7 +133,8 @@ public final class DriverLoader {
}
/**
* Loads the specified class using the supplied class loader and registers the driver with the driver manager.
* Loads the specified class using the supplied class loader and registers
* the driver with the driver manager.
*
* @param className the fully qualified name of the desired class
* @param loader the class loader to use when loading the driver
@@ -125,6 +146,10 @@ public final class DriverLoader {
final Class c = Class.forName(className, true, loader);
//final Class c = loader.loadClass(className);
final Driver driver = (Driver) c.newInstance();
//TODO add usage count so we don't de-register a driver that is in use.
final Driver shim = new DriverShim(driver);
//using the DriverShim to get around the fact that the DriverManager won't register a driver not in the base class path
DriverManager.registerDriver(shim);

16
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CachedWebDataSource.java
View File

@@ -17,21 +17,25 @@
*/
package org.owasp.dependencycheck.data.update;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
/**
* Defines a data source who's data is retrieved from the Internet. This data can be downloaded and the local cache
* updated.
* Defines a data source who's data is retrieved from the Internet. This data
* can be downloaded and the local cache updated.
*
* @author Jeremy Long
*/
public interface CachedWebDataSource {
/**
* Determines if an update to the current data store is needed, if it is the new data is downloaded from the
* Internet and imported into the current cached data store.
* Determines if an update to the current data store is needed, if it is the
* new data is downloaded from the Internet and imported into the current
* cached data store.
*
* @throws UpdateException is thrown if there is an exception downloading the data or updating the data store.
* @param engine a reference to the dependency-check engine
* @throws UpdateException is thrown if there is an exception downloading
* the data or updating the data store.
*/
void update() throws UpdateException;
void update(Engine engine) throws UpdateException;
}

41
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
View File

@@ -22,6 +22,7 @@ import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import org.apache.commons.io.IOUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -62,6 +63,25 @@ public class EngineVersionCheck implements CachedWebDataSource {
* against.
*/
private String updateToVersion;
/**
* The configured settings.
*/
private Settings settings;
/**
* Constructs a new engine version check utility for testing.
*
* @param settings the configured settings
*/
protected EngineVersionCheck(Settings settings) {
this.settings = settings;
}
/**
* Constructs a new engine version check utility.
*/
public EngineVersionCheck() {
}
/**
* Getter for updateToVersion - only used for testing. Represents the
@@ -92,12 +112,14 @@ public class EngineVersionCheck implements CachedWebDataSource {
* be updated
*/
@Override
public void update() throws UpdateException {
try (CveDB db = CveDB.getInstance()) {
final boolean autoupdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE, true);
final boolean enabled = Settings.getBoolean(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, true);
final String original = Settings.getString(Settings.KEYS.CVE_ORIGINAL_MODIFIED_20_URL);
final String current = Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL);
public void update(Engine engine) throws UpdateException {
this.settings = engine.getSettings();
try {
CveDB db = engine.getDatabase();
final boolean autoupdate = settings.getBoolean(Settings.KEYS.AUTO_UPDATE, true);
final boolean enabled = settings.getBoolean(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, true);
final String original = settings.getString(Settings.KEYS.CVE_ORIGINAL_MODIFIED_20_URL);
final String current = settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL);
/*
* Only update if auto-update is enabled, the engine check is
* enabled, and the NVD CVE URLs have not been modified (i.e. the
@@ -111,7 +133,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
final long now = System.currentTimeMillis();
updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
final String currentVersion = settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
LOGGER.debug("Last checked: {}", lastChecked);
LOGGER.debug("Now: {}", now);
LOGGER.debug("Current version: {}", currentVersion);
@@ -184,9 +206,10 @@ public class EngineVersionCheck implements CachedWebDataSource {
protected String getCurrentReleaseVersion() {
HttpURLConnection conn = null;
try {
final String str = Settings.getString(Settings.KEYS.ENGINE_VERSION_CHECK_URL, "http://jeremylong.github.io/DependencyCheck/current.txt");
final String str = settings.getString(Settings.KEYS.ENGINE_VERSION_CHECK_URL, "http://jeremylong.github.io/DependencyCheck/current.txt");
final URL url = new URL(str);
conn = URLConnectionFactory.createHttpURLConnection(url);
URLConnectionFactory factory = new URLConnectionFactory(settings);
conn = factory.createHttpURLConnection(url);
conn.connect();
if (conn.getResponseCode() != 200) {
return null;

72
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
View File

@@ -36,6 +36,7 @@ import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -85,7 +86,10 @@ public class NvdCveUpdater implements CachedWebDataSource {
* very CPU-intense, e.g. downloading files.
*/
private ExecutorService downloadExecutorService = null;
/**
* The configured settings.
*/
private Settings settings;
/**
* Reference to the DAO.
*/
@@ -101,19 +105,21 @@ public class NvdCveUpdater implements CachedWebDataSource {
* prevent more then one thread/JVM from updating the database at the same
* time. This method may sleep upto 5 minutes.
*
* @param engine a reference to the dependency-check engine
* @throws UpdateException is thrown if there is an error updating the
* database
*/
@Override
public synchronized void update() throws UpdateException {
public synchronized void update(Engine engine) throws UpdateException {
this.settings = engine.getSettings();
this.cveDb = engine.getDatabase();
if (isUpdateConfiguredFalse()) {
return;
}
H2DBLock dbupdate = new H2DBLock();
H2DBLock dbupdate = new H2DBLock(settings, ConnectionFactory.isH2Connection(settings));
try {
dbupdate.lock();
initializeExecutorServices();
cveDb = CveDB.getInstance();
dbProperties = cveDb.getDatabaseProperties();
if (checkUpdate()) {
@@ -127,7 +133,7 @@ public class NvdCveUpdater implements CachedWebDataSource {
throw new UpdateException("NVD CVE properties files contain an invalid URL, unable to update the data to use the most current data.", ex);
} catch (DownloadFailedException ex) {
LOGGER.warn("Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.");
if (Settings.getString(Settings.KEYS.PROXY_SERVER) == null) {
if (settings.getString(Settings.KEYS.PROXY_SERVER) == null) {
LOGGER.info("If you are behind a proxy you may need to configure dependency-check to use the proxy.");
}
throw new UpdateException("Unable to download the NVD CVE data.", ex);
@@ -136,9 +142,6 @@ public class NvdCveUpdater implements CachedWebDataSource {
} catch (H2DBLockException ex) {
throw new UpdateException("Unable to obtain an exclusive lock on the H2 database to perform updates", ex);
} finally {
if (cveDb != null) {
cveDb.close();
}
dbupdate.release();
shutdownExecutorServices();
}
@@ -152,7 +155,7 @@ public class NvdCveUpdater implements CachedWebDataSource {
*/
private boolean isUpdateConfiguredFalse() {
try {
if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
if (!settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
return true;
}
} catch (InvalidSettingException ex) {
@@ -160,7 +163,7 @@ public class NvdCveUpdater implements CachedWebDataSource {
}
boolean autoUpdate = true;
try {
autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
autoUpdate = settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
} catch (InvalidSettingException ex) {
LOGGER.debug("Invalid setting for auto-update; using true.");
}
@@ -204,7 +207,7 @@ public class NvdCveUpdater implements CachedWebDataSource {
private boolean checkUpdate() throws UpdateException {
boolean proceed = true;
// If the valid setting has not been specified, then we proceed to check...
final int validForHours = Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
final int validForHours = settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
if (dataExists() && 0 < validForHours) {
// ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
final long msValid = validForHours * 60L * 60L * 1000L;
@@ -213,8 +216,7 @@ public class NvdCveUpdater implements CachedWebDataSource {
proceed = (now - lastChecked) > msValid;
if (!proceed) {
LOGGER.info("Skipping NVD check since last check was within {} hours.", validForHours);
LOGGER.debug("Last NVD was at {}, and now {} is within {} ms.",
lastChecked, now, msValid);
LOGGER.debug("Last NVD was at {}, and now {} is within {} ms.", lastChecked, now, msValid);
}
}
return proceed;
@@ -226,11 +228,7 @@ public class NvdCveUpdater implements CachedWebDataSource {
* @return true if the database contains data
*/
private boolean dataExists() {
try (CveDB cve = CveDB.getInstance()) {
return cve.dataExists();
} catch (DatabaseException ex) {
return false;
}
return cveDb.dataExists();
}
/**
@@ -259,7 +257,7 @@ public class NvdCveUpdater implements CachedWebDataSource {
final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<>(maxUpdates);
for (NvdCveInfo cve : updateable) {
if (cve.getNeedsUpdate()) {
final DownloadTask call = new DownloadTask(cve, processingExecutorService, cveDb, Settings.getInstance());
final DownloadTask call = new DownloadTask(cve, processingExecutorService, cveDb, settings);
downloadFutures.add(downloadExecutorService.submit(call));
}
}
@@ -343,7 +341,7 @@ public class NvdCveUpdater implements CachedWebDataSource {
}
if (dbProperties != null && !dbProperties.isEmpty()) {
try {
final int startYear = Settings.getInt(Settings.KEYS.CVE_START_YEAR, 2002);
final int startYear = settings.getInt(Settings.KEYS.CVE_START_YEAR, 2002);
final int endYear = Calendar.getInstance().get(Calendar.YEAR);
boolean needsFullUpdate = false;
for (int y = startYear; y <= endYear; y++) {
@@ -355,7 +353,7 @@ public class NvdCveUpdater implements CachedWebDataSource {
final long lastUpdated = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_UPDATED, "0"));
final long now = System.currentTimeMillis();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7);
final int days = settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7);
if (!needsFullUpdate && lastUpdated == updates.getTimeStamp(MODIFIED)) {
updates.clear(); //we don't need to update anything.
} else if (!needsFullUpdate && DateUtil.withinDateRange(lastUpdated, now, days)) {
@@ -408,25 +406,24 @@ public class NvdCveUpdater implements CachedWebDataSource {
private UpdateableNvdCve retrieveCurrentTimestampsFromWeb()
throws MalformedURLException, DownloadFailedException, InvalidDataException, InvalidSettingException {
final int start = Settings.getInt(Settings.KEYS.CVE_START_YEAR);
final int start = settings.getInt(Settings.KEYS.CVE_START_YEAR);
final int end = Calendar.getInstance().get(Calendar.YEAR);
final Map<String, Long> lastModifiedDates = retrieveLastModifiedDates(start, end);
final UpdateableNvdCve updates = new UpdateableNvdCve();
final String baseUrl20 = Settings.getString(Settings.KEYS.CVE_SCHEMA_2_0);
final String baseUrl12 = Settings.getString(Settings.KEYS.CVE_SCHEMA_1_2);
final String baseUrl20 = settings.getString(Settings.KEYS.CVE_SCHEMA_2_0);
final String baseUrl12 = settings.getString(Settings.KEYS.CVE_SCHEMA_1_2);
for (int i = start; i <= end; i++) {
final String url = String.format(baseUrl20, i);
updates.add(Integer.toString(i), url, String.format(baseUrl12, i),
lastModifiedDates.get(url), true);
}
final String url = Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL);
updates.add(MODIFIED, url, Settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL),
final String url = settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL);
updates.add(MODIFIED, url, settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL),
lastModifiedDates.get(url), false);
return updates;
}
@@ -446,16 +443,16 @@ public class NvdCveUpdater implements CachedWebDataSource {
throws MalformedURLException, DownloadFailedException {
final Set<String> urls = new HashSet<>();
final String baseUrl20 = Settings.getString(Settings.KEYS.CVE_SCHEMA_2_0);
final String baseUrl20 = settings.getString(Settings.KEYS.CVE_SCHEMA_2_0);
for (int i = startYear; i <= endYear; i++) {
final String url = String.format(baseUrl20, i);
urls.add(url);
}
urls.add(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
urls.add(settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
final Map<String, Future<Long>> timestampFutures = new HashMap<>();
for (String url : urls) {
final TimestampRetriever timestampRetriever = new TimestampRetriever(url, Settings.getInstance());
final TimestampRetriever timestampRetriever = new TimestampRetriever(url, settings);
final Future<Long> future = downloadExecutorService.submit(timestampRetriever);
timestampFutures.put(url, future);
}
@@ -478,6 +475,15 @@ public class NvdCveUpdater implements CachedWebDataSource {
return lastModifiedDates;
}
/**
* Sets the settings object; this is used during testing.
*
* @param settings the configured settings
*/
protected void setSettings(Settings settings) {
this.settings = settings;
}
/**
* Retrieves the last modified timestamp from a NVD CVE meta data file.
*/
@@ -507,10 +513,10 @@ public class NvdCveUpdater implements CachedWebDataSource {
public Long call() throws Exception {
LOGGER.debug("Checking for updates from: {}", url);
try {
Settings.setInstance(settings);
return Downloader.getLastModified(new URL(url));
Downloader downloader = new Downloader(settings);
return downloader.getLastModified(new URL(url));
} finally {
Settings.cleanup(false);
settings.cleanup(false);
}
}
}

8
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java
View File

@@ -43,7 +43,7 @@ public class CPEHandler extends DefaultHandler {
/**
* The Starts with expression to filter CVE entries by CPE.
*/
private static final String CPE_STARTS_WITH = Settings.getString(Settings.KEYS.CVE_CPE_STARTS_WITH_FILTER, "cpe:/a:");
private final String cpeStartsWith;
/**
* The text content of the node being processed. This can be used during the
* end element event.
@@ -62,6 +62,10 @@ public class CPEHandler extends DefaultHandler {
*/
private final List<Cpe> data = new ArrayList<>();
public CPEHandler(Settings settings) {
cpeStartsWith = settings.getString(Settings.KEYS.CVE_CPE_STARTS_WITH_FILTER, "cpe:/a:");
}
/**
* Returns the list of CPE values.
*
@@ -89,7 +93,7 @@ public class CPEHandler extends DefaultHandler {
final String temp = attributes.getValue("deprecated");
final String value = attributes.getValue("name");
final boolean delete = "true".equalsIgnoreCase(temp);
if (!delete && value.startsWith(CPE_STARTS_WITH) && value.length() > 7) {
if (!delete && value.startsWith(cpeStartsWith) && value.length() > 7) {
try {
final Cpe cpe = new Cpe(value);
data.add(cpe);

14
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
View File

@@ -91,8 +91,8 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
final File file2;
try {
file1 = File.createTempFile("cve" + nvdCveInfo.getId() + '_', ".xml", Settings.getTempDirectory());
file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + '_', ".xml", Settings.getTempDirectory());
file1 = File.createTempFile("cve" + nvdCveInfo.getId() + '_', ".xml", settings.getTempDirectory());
file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + '_', ".xml", settings.getTempDirectory());
} catch (IOException ex) {
throw new UpdateException("Unable to create temporary files", ex);
}
@@ -158,17 +158,17 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
@Override
public Future<ProcessTask> call() throws Exception {
try {
Settings.setInstance(settings);
final URL url1 = new URL(nvdCveInfo.getUrl());
final URL url2 = new URL(nvdCveInfo.getOldSchemaVersionUrl());
LOGGER.info("Download Started for NVD CVE - {}", nvdCveInfo.getId());
final long startDownload = System.currentTimeMillis();
try {
Downloader.fetchFile(url1, first);
Downloader.fetchFile(url2, second);
Downloader downloader = new Downloader(settings);
downloader.fetchFile(url1, first);
downloader.fetchFile(url2, second);
} catch (DownloadFailedException ex) {
LOGGER.warn("Download Failed for NVD CVE - {}\nSome CVEs may not be reported.", nvdCveInfo.getId());
if (Settings.getString(Settings.KEYS.PROXY_SERVER) == null) {
if (settings.getString(Settings.KEYS.PROXY_SERVER) == null) {
LOGGER.info("If you are behind a proxy you may need to configure dependency-check to use the proxy.");
}
LOGGER.debug("", ex);
@@ -193,7 +193,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
LOGGER.warn("An exception occurred downloading NVD CVE - {}\nSome CVEs may not be reported.", nvdCveInfo.getId());
LOGGER.debug("Download Task Failed", ex);
} finally {
Settings.cleanup(false);
settings.cleanup(false);
}
return null;
}

3
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
View File

@@ -114,12 +114,11 @@ public class ProcessTask implements Callable<ProcessTask> {
@Override
public ProcessTask call() throws Exception {
try {
Settings.setInstance(settings);
processFiles();
} catch (UpdateException ex) {
this.exception = ex;
} finally {
Settings.cleanup(false);
settings.cleanup(false);
}
return this;
}

33
dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
View File

@@ -104,6 +104,10 @@ public class ReportGenerator {
* The Velocity Engine Context.
*/
private final Context context;
/**
* The configured settings.
*/
private final Settings settings;
/**
* Constructs a new ReportGenerator.
@@ -113,8 +117,11 @@ public class ReportGenerator {
* @param analyzers the list of analyzers used
* @param properties the database properties (containing timestamps of the
* NVD CVE data)
* @param settings a reference to the database settings
*/
public ReportGenerator(String applicationName, List<Dependency> dependencies, List<Analyzer> analyzers, DatabaseProperties properties) {
public ReportGenerator(String applicationName, List<Dependency> dependencies, List<Analyzer> analyzers,
DatabaseProperties properties, Settings settings) {
this.settings = settings;
velocityEngine = createVelocityEngine();
velocityEngine.init();
context = createContext(applicationName, dependencies, analyzers, properties);
@@ -131,11 +138,11 @@ public class ReportGenerator {
* @param analyzers the list of analyzers used
* @param properties the database properties (containing timestamps of the
* NVD CVE data)
* @param settings a reference to the database settings
*/
public ReportGenerator(String applicationName, String groupID, String artifactID, String version,
List<Dependency> dependencies, List<Analyzer> analyzers, DatabaseProperties properties) {
this(applicationName, dependencies, analyzers, properties);
List<Dependency> dependencies, List<Analyzer> analyzers, DatabaseProperties properties, Settings settings) {
this(applicationName, dependencies, analyzers, properties, settings);
if (version != null) {
context.put("applicationVersion", version);
}
@@ -187,7 +194,7 @@ public class ReportGenerator {
ctxt.put("scanDate", scanDate);
ctxt.put("scanDateXML", scanDateXML);
ctxt.put("enc", new EscapeTool());
ctxt.put("version", Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
ctxt.put("version", settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
return ctxt;
}
@@ -246,22 +253,6 @@ public class ReportGenerator {
}
}
// /**
// * Writes the dependency-check report(s).
// *
// * @param outputStream the OutputStream to send the generated report to
// * @param format the format the report should be written in
// * @throws ReportException thrown if the report format is ALL
// * @throws IOException is thrown when the template file does not exist
// * @throws Exception is thrown if there is an error writing out the reports
// */
// public void write(OutputStream outputStream, Format format) throws ReportException, IOException, Exception {
// if (format == Format.ALL) {
// throw new ReportException("Unable to write ALL reports to a single output stream, please check the API");
// }
// final String templateName = format.toString().toLowerCase() + "Report";
// processTemplate(templateName, outputStream);
// }
/**
* Determines the report file name based on the give output location and
* format. If the output location contains a full file name that has the

18
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/H2DBLock.java
View File

@@ -23,6 +23,7 @@ import java.io.RandomAccessFile;
import java.nio.channels.FileLock;
import java.util.Date;
import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.exception.H2DBLockException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -49,6 +50,19 @@ public class H2DBLock {
* The lock file.
*/
private File lockFile = null;
/**
* The configured settings.
*/
private final Settings settings;
/**
* Whether the database connection is using H2.
*/
private final boolean isH2Connection;
public H2DBLock(Settings settings, boolean isH2Connection) {
this.settings = settings;
this.isH2Connection = isH2Connection;
}
/**
* Determine if the lock is currently held.
@@ -65,9 +79,9 @@ public class H2DBLock {
* @throws H2DBLockException thrown if a lock could not be obtained
*/
public void lock() throws H2DBLockException {
if (ConnectionFactory.isH2Connection()) {
if (isH2Connection) {
try {
final File dir = Settings.getDataDirectory();
final File dir = settings.getDataDirectory();
lockFile = new File(dir, "dc.update.lock");
if (lockFile.isFile() && getFileAge(lockFile) > 5 && !lockFile.delete()) {
LOGGER.warn("An old db update lock file was found but the system was unable to delete "

8
dependency-check-core/src/test/java/org/owasp/dependencycheck/AnalysisTaskTest.java
View File

@@ -44,7 +44,7 @@ public class AnalysisTaskTest extends BaseTest {
result = true;
}};
AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, null, null, Settings.getInstance());
AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, null, null, getSettings());
boolean shouldAnalyze = analysisTask.shouldAnalyze();
assertTrue(shouldAnalyze);
@@ -61,7 +61,7 @@ public class AnalysisTaskTest extends BaseTest {
result = false;
}};
AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, null, null, Settings.getInstance());
AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, null, null, getSettings());
boolean shouldAnalyze = analysisTask.shouldAnalyze();
assertFalse(shouldAnalyze);
@@ -69,7 +69,7 @@ public class AnalysisTaskTest extends BaseTest {
@Test
public void taskAnalyzes() throws Exception {
final AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, engine, null, Settings.getInstance());
final AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, engine, null, getSettings());
new Expectations(analysisTask) {{
analysisTask.shouldAnalyze();
result = true;
@@ -85,7 +85,7 @@ public class AnalysisTaskTest extends BaseTest {
@Test
public void taskDoesNothingIfItShouldNotAnalyze() throws Exception {
final AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, engine, null, Settings.getInstance());
final AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, engine, null, getSettings());
new Expectations(analysisTask) {{
analysisTask.shouldAnalyze();
result = false;

10
dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java
View File

@@ -43,17 +43,19 @@ public abstract class BaseDBTestCase extends BaseTest {
private final static Logger LOGGER = LoggerFactory.getLogger(BaseDBTestCase.class);
@Before
public void setUpDb() throws Exception {
@Override
public void setUp() throws Exception {
super.setUp();
ensureDBExists();
}
public static void ensureDBExists() throws Exception {
public void ensureDBExists() throws Exception {
File f = new File("./target/data/dc.h2.db");
if (f.exists() && f.isFile() && f.length() < 71680) {
f.delete();
}
File dataPath = Settings.getDataDirectory();
String fileName = Settings.getString(Settings.KEYS.DB_FILE_NAME);
File dataPath = getSettings().getDataDirectory();
String fileName = getSettings().getString(Settings.KEYS.DB_FILE_NAME);
LOGGER.trace("DB file name {}", fileName);
File dataFile = new File(dataPath, fileName);
LOGGER.trace("Ensuring {} exists", dataFile.toString());

49
dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseTest.java
View File

@@ -18,9 +18,11 @@ package org.owasp.dependencycheck;
import java.io.File;
import java.io.InputStream;
import java.net.URISyntaxException;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assume;
import org.junit.Before;
import org.junit.BeforeClass;
import org.owasp.dependencycheck.utils.Settings;
@@ -30,9 +32,25 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public class BaseTest {
@BeforeClass
public static void setUpClass() throws Exception {
Settings.initialize();
/**
* The configured settings.
*/
private Settings settings;
/**
* Initialize the {@link Settings}.
*/
@Before
public void setUp() throws Exception {
settings = new Settings();
}
/**
* Clean the {@link Settings}.
*/
@After
public void tearDown() throws Exception {
settings.cleanup(true);
}
@AfterClass
@@ -45,13 +63,12 @@ public class BaseTest {
System.err.println("------------------------------------------------");
System.err.println("------------------------------------------------");
}
Settings.cleanup(true);
}
/**
* Returns the given resource as an InputStream using the object's class loader. The org.junit.Assume API is used so that test
* cases are skipped if the resource is not available.
* Returns the given resource as an InputStream using the object's class
* loader. The org.junit.Assume API is used so that test cases are skipped
* if the resource is not available.
*
* @param o the object used to obtain a reference to the class loader
* @param resource the name of the resource to load
@@ -63,20 +80,30 @@ public class BaseTest {
}
/**
* Returns the given resource as a File using the object's class loader. The org.junit.Assume API is used so that test cases
* are skipped if the resource is not available.
* Returns the given resource as a File using the object's class loader. The
* org.junit.Assume API is used so that test cases are skipped if the
* resource is not available.
*
* @param o the object used to obtain a reference to the class loader
* @param resource the name of the resource to load
* @return the resource as an File
*/
public static File getResourceAsFile(Object o, String resource) {
try{
try {
File f = new File(o.getClass().getClassLoader().getResource(resource).toURI().getPath());
Assume.assumeTrue(String.format("%n%n[SEVERE] Unable to load resource for test case: %s%n%n", resource), f.exists());
return f;
}catch (URISyntaxException e){
} catch (URISyntaxException e) {
throw new UnsupportedOperationException(e);
}
}
/**
* Returns the settings for the test cases.
*
* @return
*/
protected Settings getSettings() {
return settings;
}
}

8
dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java
View File

@@ -48,10 +48,10 @@ public class EngineIT extends BaseDBTestCase {
@Test
public void testEngine() throws IOException, InvalidSettingException, DatabaseException, ReportException, ExceptionCollection {
String testClasses = "target/test-classes";
boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Engine instance = new Engine();
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
boolean autoUpdate = getSettings().getBoolean(Settings.KEYS.AUTO_UPDATE);
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Engine instance = new Engine(getSettings());
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
instance.scan(testClasses);
assertTrue(instance.getDependencies().size() > 0);
try {

46
dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineModeIT.java
View File

@@ -38,26 +38,35 @@ public class EngineModeIT extends BaseTest {
private String originalDataDir = null;
@Before
@Override
public void setUp() throws Exception {
super.setUp();
// Have to use System properties as the Settings object pulls from the
// system properties before configured properties
originalDataDir = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
originalDataDir = getSettings().getString(Settings.KEYS.DATA_DIRECTORY);
System.setProperty(Settings.KEYS.DATA_DIRECTORY, tempDir.newFolder().getAbsolutePath());
}
@After
public void tearDown() throws IOException {
//delete temp files
FileUtils.delete(Settings.getDataDirectory());
//Reset system property to original value just to be safe for other tests.
System.setProperty(Settings.KEYS.DATA_DIRECTORY, originalDataDir);
@Override
public void tearDown() throws Exception {
try {
//delete temp files
FileUtils.delete(getSettings().getDataDirectory());
//Reset system property to original value just to be safe for other tests.
System.setProperty(Settings.KEYS.DATA_DIRECTORY, originalDataDir);
} catch (IOException ex) {
throw new RuntimeException(ex);
} finally {
super.tearDown();
}
}
@Test
public void testEvidenceCollectionAndEvidenceProcessingModes() throws Exception {
List<Dependency> dependencies;
try (Engine engine = new Engine(Engine.Mode.EVIDENCE_COLLECTION)) {
try (Engine engine = new Engine(Engine.Mode.EVIDENCE_COLLECTION, getSettings())) {
engine.openDatabase(); //does nothing in the current mode
assertDatabase(false);
for (AnalysisPhase phase : Engine.Mode.EVIDENCE_COLLECTION.getPhases()) {
assertThat(engine.getAnalyzers(phase), is(notNullValue()));
@@ -76,7 +85,8 @@ public class EngineModeIT extends BaseTest {
assertTrue(dependency.getVulnerabilities().isEmpty());
}
try (Engine engine = new Engine(Engine.Mode.EVIDENCE_PROCESSING)) {
try (Engine engine = new Engine(Engine.Mode.EVIDENCE_PROCESSING, getSettings())) {
engine.openDatabase();
assertDatabase(true);
for (AnalysisPhase phase : Engine.Mode.EVIDENCE_PROCESSING.getPhases()) {
assertThat(engine.getAnalyzers(phase), is(notNullValue()));
@@ -93,7 +103,8 @@ public class EngineModeIT extends BaseTest {
@Test
public void testStandaloneMode() throws Exception {
try (Engine engine = new Engine(Engine.Mode.STANDALONE)) {
try (Engine engine = new Engine(Engine.Mode.STANDALONE, getSettings())) {
engine.openDatabase();
assertDatabase(true);
for (AnalysisPhase phase : Engine.Mode.STANDALONE.getPhases()) {
assertThat(engine.getAnalyzers(phase), is(notNullValue()));
@@ -111,16 +122,15 @@ public class EngineModeIT extends BaseTest {
}
private void assertDatabase(boolean exists) throws Exception {
Assume.assumeThat(Settings.getString(Settings.KEYS.DB_DRIVER_NAME), is("org.h2.Driver"));
Path directory = Settings.getDataDirectory().toPath();
Assume.assumeThat(getSettings().getString(Settings.KEYS.DB_DRIVER_NAME), is("org.h2.Driver"));
Path directory = getSettings().getDataDirectory().toPath();
assertThat(Files.exists(directory), is(true));
assertThat(Files.isDirectory(directory), is(true));
Path database = directory.resolve(Settings.getString(Settings.KEYS.DB_FILE_NAME));
System.err.println(database.toString());
for (String f : directory.toFile().list()) {
System.err.println(f);
}
Path database = directory.resolve(getSettings().getString(Settings.KEYS.DB_FILE_NAME));
//System.err.println(database.toString());
//for (String f : directory.toFile().list()) {
// System.err.println(f);
//}
assertThat(Files.exists(database), is(exists));
}
}

7
dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineTest.java
View File

@@ -54,7 +54,7 @@ public class EngineTest extends BaseDBTestCase {
*/
@Test
public void testScanFile() throws DatabaseException {
Engine instance = new Engine();
Engine instance = new Engine(getSettings());
instance.addFileTypeAnalyzer(new JarAnalyzer());
File file = BaseTest.getResourceAsFile(this, "dwr.jar");
Dependency dwr = instance.scanFile(file);
@@ -72,7 +72,7 @@ public class EngineTest extends BaseDBTestCase {
@Test(expected = ExceptionCollection.class)
public void exceptionDuringAnalysisTaskExecutionIsFatal() throws DatabaseException, ExceptionCollection {
final ExecutorService executorService = Executors.newFixedThreadPool(3);
final Engine instance = new Engine();
final Engine instance = new Engine(getSettings());
final List<Throwable> exceptions = new ArrayList<>();
new Expectations() {
@@ -89,14 +89,11 @@ public class EngineTest extends BaseDBTestCase {
{
instance.getExecutorService(analyzer);
result = executorService;
instance.getAnalysisTasks(analyzer, exceptions);
result = failingAnalysisTask;
}
};
instance.executeAnalysisTasks(analyzer, exceptions);
assertTrue(executorService.isShutdown());
}
}

63
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
View File

@@ -39,14 +39,18 @@ import org.owasp.dependencycheck.utils.Settings.KEYS;
*/
public class AbstractSuppressionAnalyzerTest extends BaseTest {
/** A second suppression file to test with. */
/**
* A second suppression file to test with.
*/
private static final String OTHER_SUPPRESSIONS_FILE = "other-suppressions.xml";
/** Suppression file to test with. */
/**
* Suppression file to test with.
*/
private static final String SUPPRESSIONS_FILE = "suppressions.xml";
private AbstractSuppressionAnalyzer instance;
@Before
public void createObjectUnderTest() throws Exception {
instance = new AbstractSuppressionAnalyzerImpl();
@@ -75,7 +79,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
/**
* Test of getRules method, of class AbstractSuppressionAnalyzer for
* suppression file on the classpath.
* suppression file on the class path.
*/
@Test
public void testGetRulesFromSuppressionFileInClasspath() throws Exception {
@@ -84,7 +88,8 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
}
/**
* Assert that rules are loaded from multiple files if multiple files are denfined in the {@link Settings} singleton.
* Assert that rules are loaded from multiple files if multiple files are
* defined in the {@link Settings}.
*/
@Test
public void testGetRulesFromMultipleSuppressionFiles() throws Exception {
@@ -97,71 +102,75 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
final int rulesInSecondFile = getNumberOfRulesLoadedFromPath(OTHER_SUPPRESSIONS_FILE) - rulesInCoreFile;
// WHEN initializing with both suppression files
final String[] suppressionFiles = { SUPPRESSIONS_FILE, OTHER_SUPPRESSIONS_FILE };
Settings.setArrayIfNotEmpty(KEYS.SUPPRESSION_FILE, suppressionFiles);
instance.initialize();
final String[] suppressionFiles = {SUPPRESSIONS_FILE, OTHER_SUPPRESSIONS_FILE};
getSettings().setArrayIfNotEmpty(KEYS.SUPPRESSION_FILE, suppressionFiles);
instance.initializeSettings(getSettings());
instance.initialize(null);
// THEN rules from both files were loaded
final int expectedSize = rulesInFirstFile + rulesInSecondFile + rulesInCoreFile;
assertThat("Expected suppressions from both files", instance.getRuleCount(), is(expectedSize));
}
@Test(expected = InitializationException.class)
public void testFailureToLocateSuppressionFileAnywhere() throws Exception {
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, "doesnotexist.xml");
instance.initialize();
getSettings().setString(Settings.KEYS.SUPPRESSION_FILE, "doesnotexist.xml");
instance.initializeSettings(getSettings());
instance.initialize(null);
}
/**
* Return the number of rules that are loaded from the core suppression file.
* Return the number of rules that are loaded from the core suppression
* file.
*
* @return the number of rules defined in the core suppresion file.
* @return the number of rules defined in the core suppression file.
* @throws Exception if loading the rules fails.
*/
private int getNumberOfRulesLoadedInCoreFile() throws Exception {
Settings.removeProperty(KEYS.SUPPRESSION_FILE);
getSettings().removeProperty(KEYS.SUPPRESSION_FILE);
final AbstractSuppressionAnalyzerImpl coreFileAnalyzer = new AbstractSuppressionAnalyzerImpl();
coreFileAnalyzer.initialize();
coreFileAnalyzer.initializeSettings(getSettings());
coreFileAnalyzer.initialize(null);
return coreFileAnalyzer.getRuleCount();
}
/**
* Load a file into the {@link AbstractSuppressionAnalyzer} and return the number of rules loaded.
* Load a file into the {@link AbstractSuppressionAnalyzer} and return the
* number of rules loaded.
*
* @param path the path to load.
* @return the number of rules that were loaded (including the core rules).
* @throws Exception if loading the rules fails.
*/
private int getNumberOfRulesLoadedFromPath(final String path) throws Exception {
Settings.setString(KEYS.SUPPRESSION_FILE, path);
getSettings().setString(KEYS.SUPPRESSION_FILE, path);
final AbstractSuppressionAnalyzerImpl fileAnalyzer = new AbstractSuppressionAnalyzerImpl();
fileAnalyzer.initialize();
fileAnalyzer.initializeSettings(getSettings());
fileAnalyzer.initialize(null);
return fileAnalyzer.getRuleCount();
}
public class AbstractSuppressionAnalyzerImpl extends AbstractSuppressionAnalyzer {
@Override
public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
}
@Override
public String getName() {
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
}
@Override
public AnalysisPhase getAnalysisPhase() {
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
}
@Override
protected String getAnalyzerEnabledSettingKey() {
return "unknown";
}
}
}

12
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java
View File

@@ -40,13 +40,14 @@ public class AnalyzerServiceTest extends BaseDBTestCase {
*/
@Test
public void testGetAnalyzers() {
AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader());
AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), false);
List<Analyzer> result = instance.getAnalyzers();
boolean found = false;
for (Analyzer a : result) {
if ("Jar Analyzer".equals(a.getName())) {
found = true;
break;
}
}
assertTrue("JarAnalyzer loaded", found);
@@ -57,7 +58,7 @@ public class AnalyzerServiceTest extends BaseDBTestCase {
*/
@Test
public void testGetAnalyzers_SpecificPhases() throws Exception {
AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader());
AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), false);
List<Analyzer> result = instance.getAnalyzers(INITIAL, FINAL);
for (Analyzer a : result) {
@@ -72,8 +73,7 @@ public class AnalyzerServiceTest extends BaseDBTestCase {
*/
@Test
public void testGetExperimentalAnalyzers() {
Settings.setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader());
AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), false);
List<Analyzer> result = instance.getAnalyzers();
String experimental = "CMake Analyzer";
boolean found = false;
@@ -83,8 +83,8 @@ public class AnalyzerServiceTest extends BaseDBTestCase {
}
}
assertFalse("Experimental analyzer loaded when set to false", found);
Settings.setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, true);
instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), true);
result = instance.getAnalyzers();
found = false;
for (Analyzer a : result) {

96
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIT.java
View File

@@ -41,6 +41,7 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
@Test
public void testSupportsExtensions() {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
Set<String> expResult = new HashSet<>();
expResult.add("zip");
expResult.add("war");
@@ -65,6 +66,7 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
@Test
public void testGetName() {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
String expResult = "Archive Analyzer";
String result = instance.getName();
assertEquals(expResult, result);
@@ -77,6 +79,7 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
public void testSupportsExtension() {
String extension = "test.7z"; //not supported
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
assertFalse(extension, instance.accept(new File(extension)));
}
@@ -86,6 +89,7 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
@Test
public void testGetAnalysisPhase() {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
AnalysisPhase expResult = AnalysisPhase.INITIAL;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
@@ -97,10 +101,11 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
@Test
public void testInitialize() {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
try {
instance.setEnabled(true);
instance.setFilesMatched(true);
instance.initialize();
instance.initialize(null);
} catch (InitializationException ex) {
fail(ex.getMessage());
} finally {
@@ -120,16 +125,18 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
@Test
public void testAnalyze() throws Exception {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
//trick the analyzer into thinking it is active.
instance.accept(new File("test.ear"));
try {
instance.initialize();
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine(getSettings());
instance.initialize(engine);
File file = BaseTest.getResourceAsFile(this, "daytrader-ear-2.1.7.ear");
Dependency dependency = new Dependency(file);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
int initial_size = engine.getDependencies().size();
instance.analyze(dependency, engine);
@@ -150,16 +157,17 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
@Test
public void testAnalyzeExecutableJar() throws Exception {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
//trick the analyzer into thinking it is active.
instance.accept(new File("test.ear"));
try {
instance.initialize();
instance.initialize(null);
File file = BaseTest.getResourceAsFile(this, "bootable-0.1.0.jar");
Dependency dependency = new Dependency(file);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine(getSettings());
int initial_size = engine.getDependencies().size();
instance.analyze(dependency, engine);
@@ -180,19 +188,20 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
@Test
public void testAnalyzeTar() throws Exception {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
//trick the analyzer into thinking it is active so that it will initialize
instance.accept(new File("test.tar"));
try {
instance.initialize();
instance.initialize(null);
//File file = new File(this.getClass().getClassLoader().getResource("file.tar").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("stagedhttp-modified.tar").getPath());
File file = BaseTest.getResourceAsFile(this, "stagedhttp-modified.tar");
Dependency dependency = new Dependency(file);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine(getSettings());
int initial_size = engine.getDependencies().size();
instance.analyze(dependency, engine);
@@ -212,17 +221,18 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
@Test
public void testAnalyzeTarGz() throws Exception {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
instance.accept(new File("zip")); //ensure analyzer is "enabled"
try {
instance.initialize();
instance.initialize(null);
//File file = new File(this.getClass().getClassLoader().getResource("file.tar.gz").getPath());
File file = BaseTest.getResourceAsFile(this, "file.tar.gz");
//Dependency dependency = new Dependency(file);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine(getSettings());
int initial_size = engine.getDependencies().size();
//instance.analyze(dependency, engine);
@@ -243,14 +253,15 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
@Test
public void testAnalyzeTarBz2() throws Exception {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
instance.accept(new File("zip")); //ensure analyzer is "enabled"
try {
instance.initialize();
instance.initialize(null);
File file = BaseTest.getResourceAsFile(this, "file.tar.bz2");
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine(getSettings());
int initial_size = engine.getDependencies().size();
engine.scan(file);
engine.analyzeDependencies();
@@ -268,16 +279,17 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
@Test
public void testAnalyzeTgz() throws Exception {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
instance.accept(new File("zip")); //ensure analyzer is "enabled"
try {
instance.initialize();
instance.initialize(null);
//File file = new File(this.getClass().getClassLoader().getResource("file.tgz").getPath());
File file = BaseTest.getResourceAsFile(this, "file.tgz");
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine(getSettings());
int initial_size = engine.getDependencies().size();
engine.scan(file);
@@ -297,14 +309,15 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
@Test
public void testAnalyzeTbz2() throws Exception {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
instance.accept(new File("zip")); //ensure analyzer is "enabled"
try {
instance.initialize();
instance.initialize(null);
File file = BaseTest.getResourceAsFile(this, "file.tbz2");
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine(getSettings());
int initial_size = engine.getDependencies().size();
engine.scan(file);
engine.analyzeDependencies();
@@ -322,16 +335,17 @@ public class ArchiveAnalyzerIT extends BaseDBTestCase {
@Test
public void testAnalyze_badZip() throws Exception {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
try {
instance.initialize();
instance.initialize(null);
//File file = new File(this.getClass().getClassLoader().getResource("test.zip").getPath());
File file = BaseTest.getResourceAsFile(this, "test.zip");
Dependency dependency = new Dependency(file);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine(getSettings());
int initial_size = engine.getDependencies().size();
// boolean failed = false;
// try {

17
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java
View File

@@ -36,8 +36,10 @@ import org.owasp.dependencycheck.utils.Settings;
public class ArchiveAnalyzerTest extends BaseTest {
@Before
public void setUp() {
Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, "z2, z3");
@Override
public void setUp() throws Exception {
super.setUp();
getSettings().setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, "z2, z3");
}
/**
@@ -47,6 +49,7 @@ public class ArchiveAnalyzerTest extends BaseTest {
public void testZippableExtensions() throws Exception {
assumeFalse(isPreviouslyLoaded("org.owasp.dependencycheck.analyzer.ArchiveAnalyzer"));
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.initializeSettings(getSettings());
assertTrue(instance.getFileFilter().accept(new File("c:/test.zip")));
assertTrue(instance.getFileFilter().accept(new File("c:/test.z2")));
assertTrue(instance.getFileFilter().accept(new File("c:/test.z3")));
@@ -59,15 +62,7 @@ public class ArchiveAnalyzerTest extends BaseTest {
m.setAccessible(true);
Object t = m.invoke(Thread.currentThread().getContextClassLoader(), className);
return t != null;
} catch (NoSuchMethodException ex) {
Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
} catch (SecurityException ex) {
Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
} catch (IllegalAccessException ex) {
Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
} catch (IllegalArgumentException ex) {
Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
} catch (InvocationTargetException ex) {
} catch (NoSuchMethodException | SecurityException | IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
}
return false;

32
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
View File

@@ -65,11 +65,14 @@ public class AssemblyAnalyzerTest extends BaseTest {
* @throws Exception if anything goes sideways
*/
@Before
@Override
public void setUp() throws Exception {
super.setUp();
try {
analyzer = new AssemblyAnalyzer();
analyzer.initializeSettings(getSettings());
analyzer.accept(new File("test.dll")); // trick into "thinking it is active"
analyzer.initialize();
analyzer.initialize(null);
assertGrokAssembly();
} catch (Exception e) {
if (e.getMessage().contains("Could not execute .NET AssemblyAnalyzer")) {
@@ -86,8 +89,8 @@ public class AssemblyAnalyzerTest extends BaseTest {
// directory and they must match the resources they were created from.
File grokAssemblyExeFile = null;
File grokAssemblyConfigFile = null;
File tempDirectory = Settings.getTempDirectory();
File tempDirectory = getSettings().getTempDirectory();
for (File file : tempDirectory.listFiles()) {
String filename = file.getName();
if (filename.startsWith("GKA") && filename.endsWith(".exe")) {
@@ -99,10 +102,8 @@ public class AssemblyAnalyzerTest extends BaseTest {
grokAssemblyConfigFile = new File(grokAssemblyExeFile.getPath() + ".config");
assertTrue("The GrokAssembly config was not created.", grokAssemblyConfigFile.isFile());
assertFileContent("The GrokAssembly executable has incorrect content.", "GrokAssembly.exe",
grokAssemblyExeFile);
assertFileContent("The GrokAssembly config has incorrect content.", "GrokAssembly.exe.config",
grokAssemblyConfigFile);
assertFileContent("The GrokAssembly executable has incorrect content.", "GrokAssembly.exe", grokAssemblyExeFile);
assertFileContent("The GrokAssembly config has incorrect content.", "GrokAssembly.exe.config", grokAssemblyConfigFile);
}
private void assertFileContent(String message, String expectedResourceName, File actualFile) throws IOException {
@@ -183,7 +184,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
//This test doesn't work on Windows.
assumeFalse(System.getProperty("os.name").startsWith("Windows"));
String oldValue = Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH);
String oldValue = getSettings().getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH);
// if oldValue is null, that means that neither the system property nor the setting has
// been set. If that's the case, then we have to make it such that when we recover,
// null still comes back. But you can't put a null value in a HashMap, so we have to set
@@ -191,7 +192,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
if (oldValue == null) {
System.setProperty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, "/yooser/bine/mono");
} else {
Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, "/yooser/bine/mono");
getSettings().setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, "/yooser/bine/mono");
}
String oldProp = System.getProperty(LOG_KEY, "info");
@@ -201,7 +202,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
// Have to make a NEW analyzer because during setUp, it would have gotten the correct one
AssemblyAnalyzer aanalyzer = new AssemblyAnalyzer();
aanalyzer.accept(new File("test.dll")); // trick into "thinking it is active"
aanalyzer.initialize();
aanalyzer.initialize(null);
fail("Expected an InitializationException");
} catch (InitializationException ae) {
assertEquals("An error occurred with the .NET AssemblyAnalyzer", ae.getMessage());
@@ -213,13 +214,20 @@ public class AssemblyAnalyzerTest extends BaseTest {
if (oldValue == null) {
System.getProperties().remove(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH);
} else {
Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, oldValue);
getSettings().setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, oldValue);
}
}
}
@After
@Override
public void tearDown() throws Exception {
analyzer.closeAnalyzer();
try {
analyzer.closeAnalyzer();
} catch (Exception ex) {
throw new RuntimeException(ex);
} finally {
super.tearDown();
}
}
}

21
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java
View File

@@ -30,11 +30,13 @@ import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
/**
* Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were obtained from outside open source software projects.
* Links to those projects are given below.
* Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were
* obtained from outside open source software projects. Links to those projects
* are given below.
*
* @author Dale Visser
* @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions Project</a>
* @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions
* Project</a>
* @see <a href="https://gnu.org/software/binutils/">GNU Binutils</a>
* @see <a href="https://gnu.org/software/ghostscript/">GNU Ghostscript</a>
*/
@@ -66,10 +68,13 @@ public class AutoconfAnalyzerTest extends BaseTest {
* @throws Exception thrown if there is a problem
*/
@Before
@Override
public void setUp() throws Exception {
super.setUp();
analyzer = new AutoconfAnalyzer();
analyzer.initializeSettings(getSettings());
analyzer.setFilesMatched(true);
analyzer.initialize();
analyzer.initialize(null);
}
/**
@@ -78,13 +83,16 @@ public class AutoconfAnalyzerTest extends BaseTest {
* @throws Exception thrown if there is a problem
*/
@After
@Override
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
super.tearDown();
}
/**
* Test whether expected evidence is gathered from Ghostscript's configure.ac.
* Test whether expected evidence is gathered from Ghostscript's
* configure.
*
* @throws AnalysisException is thrown when an exception occurs.
*/
@@ -130,7 +138,8 @@ public class AutoconfAnalyzerTest extends BaseTest {
}
/**
* Test whether expected evidence is gathered from GNU Ghostscript's configure.
* Test whether expected evidence is gathered from GNU Ghostscript's
* configure.
*
* @throws AnalysisException is thrown when an exception occurs.
*/

34
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
View File

@@ -61,21 +61,29 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
* @throws Exception if there is a problem
*/
@Before
@Override
public void setUp() throws Exception {
super.setUp();
analyzer = new CMakeAnalyzer();
analyzer.initializeSettings(getSettings());
analyzer.setFilesMatched(true);
analyzer.initialize();
analyzer.initialize(null);
}
/**
* Cleanup any resources used.
*
* @throws Exception if there is a problem
*/
@After
@Override
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
try {
analyzer.close();
} catch (Exception ex) {
throw new RuntimeException(ex);
} finally {
super.tearDown();
}
}
/**
@@ -124,14 +132,15 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
final String product = "zlib";
assertProductEvidence(result, product);
}
private void assertProductEvidence(Dependency result, String product) {
assertTrue("Expected product evidence to contain \"" + product + "\".",
result.getProductEvidence().toString().contains(product));
}
/**
* Test whether expected version evidence is gathered from OpenCV's third party cmake files.
* Test whether expected version evidence is gathered from OpenCV's third
* party cmake files.
*
* @throws AnalysisException is thrown when an exception occurs.
*/
@@ -139,7 +148,7 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
public void testAnalyzeCMakeListsOpenCV3rdParty() throws AnalysisException, DatabaseException {
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
this, "cmake/opencv/3rdparty/ffmpeg/ffmpeg_version.cmake"));
final Engine engine = new Engine();
final Engine engine = new Engine(getSettings());
analyzer.analyze(result, engine);
assertProductEvidence(result, "libavcodec");
assertVersionEvidence(result, "55.18.102");
@@ -151,12 +160,12 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
assertProductEvidence(last, "libavresample");
assertVersionEvidence(last, "1.0.1");
}
private void assertVersionEvidence(Dependency result, String version) {
assertTrue("Expected version evidence to contain \"" + version + "\".",
result.getVersionEvidence().toString().contains(version));
}
@Test(expected = InitializationException.class)
public void analyzerIsDisabledInCaseOfMissingMessageDigest() throws InitializationException {
new MockUp<MessageDigest>() {
@@ -165,12 +174,13 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
throw new NoSuchAlgorithmException();
}
};
analyzer = new CMakeAnalyzer();
analyzer.setFilesMatched(true);
assertTrue(analyzer.isEnabled());
analyzer.initialize();
analyzer.initializeSettings(getSettings());
analyzer.initialize(null);
assertFalse(analyzer.isEnabled());
}
}

47
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
View File

@@ -24,8 +24,6 @@ import java.util.List;
import java.util.Set;
import org.apache.lucene.index.CorruptIndexException;
import org.apache.lucene.queryparser.classic.ParseException;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.BaseDBTestCase;
@@ -58,9 +56,9 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
String vendor = "apache software foundation";
String product = "struts 2 core";
CPEAnalyzer instance = new CPEAnalyzer();
CPEAnalyzer instance = new CPEAnalyzer();
instance.initializeSettings(getSettings());
String queryText = instance.buildSearch(vendor, product, null, null);
String expResult = " product:( struts 2 core ) AND vendor:( apache software foundation ) ";
assertTrue(expResult.equals(queryText));
@@ -86,21 +84,26 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
@Test
public void testDetermineCPE_full() throws Exception {
//update needs to be performed so that xtream can be tested
Engine e = new Engine();
Engine e = new Engine(getSettings());
e.doUpdates();
CPEAnalyzer cpeAnalyzer = new CPEAnalyzer();
try {
cpeAnalyzer.initialize();
cpeAnalyzer.initializeSettings(getSettings());
cpeAnalyzer.initialize(e);
FileNameAnalyzer fnAnalyzer = new FileNameAnalyzer();
fnAnalyzer.initialize();
fnAnalyzer.initializeSettings(getSettings());
fnAnalyzer.initialize(e);
JarAnalyzer jarAnalyzer = new JarAnalyzer();
jarAnalyzer.initializeSettings(getSettings());
jarAnalyzer.accept(new File("test.jar"));//trick analyzer into "thinking it is active"
jarAnalyzer.initialize();
jarAnalyzer.initialize(e);
HintAnalyzer hAnalyzer = new HintAnalyzer();
hAnalyzer.initialize();
hAnalyzer.initializeSettings(getSettings());
hAnalyzer.initialize(e);
FalsePositiveAnalyzer fp = new FalsePositiveAnalyzer();
fp.initialize();
fp.initializeSettings(getSettings());
fp.initialize(e);
callDetermineCPE_full("hazelcast-2.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
@@ -159,10 +162,12 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
fnAnalyzer.analyze(struts, null);
HintAnalyzer hintAnalyzer = new HintAnalyzer();
hintAnalyzer.initialize();
hintAnalyzer.initializeSettings(getSettings());
hintAnalyzer.initialize(null);
JarAnalyzer jarAnalyzer = new JarAnalyzer();
jarAnalyzer.initializeSettings(getSettings());
jarAnalyzer.accept(new File("test.jar"));//trick analyzer into "thinking it is active"
jarAnalyzer.initialize();
jarAnalyzer.initialize(null);
jarAnalyzer.analyze(struts, null);
hintAnalyzer.analyze(struts, null);
@@ -185,7 +190,10 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
hintAnalyzer.analyze(spring3, null);
CPEAnalyzer instance = new CPEAnalyzer();
instance.open();
Engine engine = new Engine(getSettings());
engine.openDatabase();
instance.initializeSettings(getSettings());
instance.initialize(engine);
instance.determineCPE(commonValidator);
instance.determineCPE(struts);
instance.determineCPE(spring);
@@ -204,6 +212,7 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 1);
jarAnalyzer.close();
engine.cleanup();
}
/**
@@ -219,7 +228,10 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
openssl.getVersionEvidence().addEvidence("test", "version", "1.0.1c", Confidence.HIGHEST);
CPEAnalyzer instance = new CPEAnalyzer();
instance.open();
Engine engine = new Engine(getSettings());
engine.openDatabase();
instance.initializeSettings(getSettings());
instance.initialize(engine);
instance.determineIdentifiers(openssl, "openssl", "openssl", Confidence.HIGHEST);
instance.close();
@@ -227,7 +239,7 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
assertTrue(openssl.getIdentifiers().contains(expIdentifier));
engine.cleanup();
}
/**
@@ -243,7 +255,10 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
String expProduct = "struts";
CPEAnalyzer instance = new CPEAnalyzer();
instance.open();
Engine engine = new Engine(getSettings());
engine.openDatabase();
instance.initializeSettings(getSettings());
instance.initialize(engine);
Set<String> productWeightings = Collections.singleton("struts2");
Set<String> vendorWeightings = Collections.singleton("apache");

22
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
View File

@@ -55,10 +55,13 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase {
* @throws Exception thrown if there is a problem
*/
@Before
@Override
public void setUp() throws Exception {
super.setUp();
analyzer = new ComposerLockAnalyzer();
analyzer.initializeSettings(getSettings());
analyzer.setFilesMatched(true);
analyzer.initialize();
analyzer.initialize(null);
}
/**
@@ -67,9 +70,10 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase {
* @throws Exception thrown if there is a problem
*/
@After
@Override
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
super.tearDown();
}
/**
@@ -95,27 +99,27 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase {
*/
@Test
public void testAnalyzePackageJson() throws Exception {
final Engine engine = new Engine();
final Engine engine = new Engine(getSettings());
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
"composer.lock"));
analyzer.analyze(result, engine);
}
@Test(expected = InitializationException.class)
public void analyzerIsDisabledInCaseOfMissingMessageDigest() throws InitializationException {
new MockUp<MessageDigest>() {
@Mock
MessageDigest getInstance(String ignore) throws NoSuchAlgorithmException {
throw new NoSuchAlgorithmException();
throw new NoSuchAlgorithmException("SHA1 is missing");
}
};
analyzer = new ComposerLockAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initializeSettings(getSettings());
assertTrue(analyzer.isEnabled());
analyzer.initialize();
analyzer.initialize(null);
assertFalse(analyzer.isEnabled());
}
}

3
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java
View File

@@ -81,7 +81,8 @@ public class FileNameAnalyzerTest extends BaseTest {
public void testInitialize() {
FileNameAnalyzer instance = new FileNameAnalyzer();
try {
instance.initialize();
instance.initializeSettings(getSettings());
instance.initialize(null);
} catch (InitializationException ex) {
fail(ex.getMessage());
}

33
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
View File

@@ -69,11 +69,11 @@ public class HintAnalyzerTest extends BaseDBTestCase {
//File spring = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
File spring = BaseTest.getResourceAsFile(this, "spring-core-3.0.0.RELEASE.jar");
//Dependency spring = new Dependency(files);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine(getSettings());
engine.scan(guice);
engine.scan(spring);
engine.analyzeDependencies();
@@ -91,14 +91,14 @@ public class HintAnalyzerTest extends BaseDBTestCase {
final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
Set<Evidence> evidence = gdep.getEvidence().getEvidence();
assertFalse(evidence.contains(springTest1));
assertFalse(evidence.contains(springTest2));
assertFalse(evidence.contains(springTest3));
assertFalse(evidence.contains(springTest4));
assertFalse(evidence.contains(springTest5));
evidence = sdep.getEvidence().getEvidence();
assertTrue(evidence.contains(springTest1));
assertTrue(evidence.contains(springTest2));
@@ -106,15 +106,17 @@ public class HintAnalyzerTest extends BaseDBTestCase {
//assertTrue(evidence.contains(springTest4));
//assertTrue(evidence.contains(springTest5));
}
/**
* Test of analyze method, of class HintAnalyzer.
*/
@Test
public void testAnalyze_1() throws Exception {
File path = BaseTest.getResourceAsFile(this, "hints_12.xml");
Settings.setString(Settings.KEYS.HINTS_FILE, path.getPath());
getSettings().setString(Settings.KEYS.HINTS_FILE, path.getPath());
HintAnalyzer instance = new HintAnalyzer();
instance.initialize();
instance.initializeSettings(getSettings());
instance.initialize(null);
Dependency d = new Dependency();
d.getVersionEvidence().addEvidence("version source", "given version name", "1.2.3", Confidence.HIGH);
d.getVersionEvidence().addEvidence("hint analyzer", "remove version name", "value", Confidence.HIGH);
@@ -124,14 +126,13 @@ public class HintAnalyzerTest extends BaseDBTestCase {
d.getVendorEvidence().addEvidence("hint analyzer", "other vendor name", "vendor", Confidence.HIGH);
d.getProductEvidence().addEvidence("hint analyzer", "other product name", "product", Confidence.HIGH);
assertEquals("vendor evidence mismatch",2, d.getVendorEvidence().size());
assertEquals("product evidence mismatch",2, d.getProductEvidence().size());
assertEquals("version evidence mismatch",3, d.getVersionEvidence().size());
assertEquals("vendor evidence mismatch", 2, d.getVendorEvidence().size());
assertEquals("product evidence mismatch", 2, d.getProductEvidence().size());
assertEquals("version evidence mismatch", 3, d.getVersionEvidence().size());
instance.analyze(d, null);
assertEquals("vendor evidence mismatch",1, d.getVendorEvidence().size());
assertEquals("product evidence mismatch",1, d.getProductEvidence().size());
assertEquals("version evidence mismatch",2, d.getVersionEvidence().size());
assertEquals("vendor evidence mismatch", 1, d.getVendorEvidence().size());
assertEquals("product evidence mismatch", 1, d.getProductEvidence().size());
assertEquals("version evidence mismatch", 2, d.getVersionEvidence().size());
}
}

14
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
View File

@@ -50,7 +50,8 @@ public class JarAnalyzerTest extends BaseTest {
File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
Dependency result = new Dependency(file);
JarAnalyzer instance = new JarAnalyzer();
instance.initializeFileTypeAnalyzer();
instance.initializeSettings(getSettings());
instance.initializeFileTypeAnalyzer(null);
instance.analyze(result, null);
assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache"));
assertTrue(result.getVendorEvidence().getWeighting().contains("apache"));
@@ -115,7 +116,8 @@ public class JarAnalyzerTest extends BaseTest {
@Test
public void testAcceptSupportedExtensions() throws Exception {
JarAnalyzer instance = new JarAnalyzer();
instance.initialize();
instance.initializeSettings(getSettings());
instance.initialize(null);
instance.setEnabled(true);
String[] files = {"test.jar", "test.war"};
for (String name : files) {
@@ -181,12 +183,12 @@ public class JarAnalyzerTest extends BaseTest {
JarAnalyzer instance = new JarAnalyzer();
Dependency macOSMetaDataFile = new Dependency();
macOSMetaDataFile
.setActualFilePath(FileUtils.getFile("src", "test", "resources", "._avro-ipc-1.5.0.jar").getAbsolutePath());
.setActualFilePath(FileUtils.getFile("src", "test", "resources", "._avro-ipc-1.5.0.jar").getAbsolutePath());
macOSMetaDataFile.setFileName("._avro-ipc-1.5.0.jar");
Dependency actualJarFile = new Dependency();
actualJarFile.setActualFilePath(BaseTest.getResourceAsFile(this, "avro-ipc-1.5.0.jar").getAbsolutePath());
actualJarFile.setFileName("avro-ipc-1.5.0.jar");
Engine engine = new Engine();
Engine engine = new Engine(getSettings());
engine.setDependencies(Arrays.asList(macOSMetaDataFile, actualJarFile));
instance.analyzeDependency(macOSMetaDataFile, engine);
}
@@ -196,9 +198,9 @@ public class JarAnalyzerTest extends BaseTest {
JarAnalyzer instance = new JarAnalyzer();
Dependency textFileWithJarExtension = new Dependency();
textFileWithJarExtension
.setActualFilePath(BaseTest.getResourceAsFile(this, "textFileWithJarExtension.jar").getAbsolutePath());
.setActualFilePath(BaseTest.getResourceAsFile(this, "textFileWithJarExtension.jar").getAbsolutePath());
textFileWithJarExtension.setFileName("textFileWithJarExtension.jar");
Engine engine = new Engine();
Engine engine = new Engine(getSettings());
engine.setDependencies(Collections.singletonList(textFileWithJarExtension));
instance.analyzeDependency(textFileWithJarExtension, engine);
}

8
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java
View File

@@ -48,10 +48,13 @@ public class NodePackageAnalyzerTest extends BaseTest {
* @throws Exception thrown if there is a problem
*/
@Before
@Override
public void setUp() throws Exception {
super.setUp();
analyzer = new NodePackageAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();
analyzer.initializeSettings(getSettings());
analyzer.initialize(null);
}
/**
@@ -60,9 +63,10 @@ public class NodePackageAnalyzerTest extends BaseTest {
* @throws Exception thrown if there is a problem
*/
@After
@Override
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
super.tearDown();
}
/**

8
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java
View File

@@ -16,16 +16,20 @@ public class NspAnalyzerTest extends BaseTest {
private NspAnalyzer analyzer;
@Before
@Override
public void setUp() throws Exception {
super.setUp();
analyzer = new NspAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();
analyzer.initializeSettings(getSettings());
analyzer.initialize(null);
}
@After
@Override
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
super.tearDown();
}
@Test

7
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java
View File

@@ -31,9 +31,12 @@ public class NuspecAnalyzerTest extends BaseTest {
private NuspecAnalyzer instance;
@Before
@Override
public void setUp() throws Exception {
super.setUp();
instance = new NuspecAnalyzer();
instance.initialize();
instance.initializeSettings(getSettings());
instance.initialize(null);
instance.setEnabled(true);
}
@@ -53,5 +56,3 @@ public class NuspecAnalyzerTest extends BaseTest {
assertEquals(AnalysisPhase.INFORMATION_COLLECTION, instance.getAnalysisPhase());
}
}
// vim: cc=120:sw=4:ts=4:sts=4

11
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java
View File

@@ -47,10 +47,13 @@ public class OpenSSLAnalyzerTest extends BaseTest {
* @throws Exception if there is a problem
*/
@Before
@Override
public void setUp() throws Exception {
super.setUp();
analyzer = new OpenSSLAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();
analyzer.initializeSettings(getSettings());
analyzer.initialize(null);
}
/**
@@ -59,9 +62,10 @@ public class OpenSSLAnalyzerTest extends BaseTest {
* @throws Exception if there is a problem
*/
@After
@Override
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
super.tearDown();
}
/**
@@ -69,8 +73,7 @@ public class OpenSSLAnalyzerTest extends BaseTest {
*/
@Test
public void testGetName() {
assertEquals("Analyzer name wrong.", "OpenSSL Source Analyzer",
analyzer.getName());
assertEquals("Analyzer name wrong.", "OpenSSL Source Analyzer", analyzer.getName());
}
/**

8
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java
View File

@@ -49,10 +49,13 @@ public class PythonDistributionAnalyzerTest extends BaseTest {
* @throws Exception thrown if there is a problem
*/
@Before
@Override
public void setUp() throws Exception {
super.setUp();
analyzer = new PythonDistributionAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();
analyzer.initializeSettings(getSettings());
analyzer.initialize(null);
}
/**
@@ -61,9 +64,10 @@ public class PythonDistributionAnalyzerTest extends BaseTest {
* @throws Exception thrown if there is a problem
*/
@After
@Override
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
super.tearDown();
}
/**

8
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
View File

@@ -48,10 +48,13 @@ public class PythonPackageAnalyzerTest extends BaseTest {
* @throws Exception if there is a problem
*/
@Before
@Override
public void setUp() throws Exception {
super.setUp();
analyzer = new PythonPackageAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();
analyzer.initializeSettings(getSettings());
analyzer.initialize(null);
}
/**
@@ -60,9 +63,10 @@ public class PythonPackageAnalyzerTest extends BaseTest {
* @throws Exception if there is a problem
*/
@After
@Override
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
super.tearDown();
}
/**

42
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
View File

@@ -54,7 +54,7 @@ import org.owasp.dependencycheck.exception.InitializationException;
* @author Dale Visser
*/
public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzerTest.class);
/**
@@ -68,11 +68,14 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
* @throws Exception thrown if there is a problem
*/
@Before
@Override
public void setUp() throws Exception {
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
super.setUp();
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
analyzer = new RubyBundleAuditAnalyzer();
analyzer.initializeSettings(getSettings());
analyzer.setFilesMatched(true);
}
@@ -82,11 +85,13 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
* @throws Exception thrown if there is a problem
*/
@After
@Override
public void tearDown() throws Exception {
if (analyzer != null) {
analyzer.close();
analyzer = null;
}
super.tearDown();
}
/**
@@ -113,14 +118,14 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
@Test
public void testAnalysis() throws AnalysisException, DatabaseException {
try {
analyzer.initialize();
analyzer.initialize(null);
final String resource = "ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock";
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, resource));
final Engine engine = new Engine();
final Engine engine = new Engine(getSettings());
analyzer.analyze(result, engine);
int size = engine.getDependencies().size();
assertTrue(size >= 1);
Dependency dependency = engine.getDependencies().get(0);
assertTrue(dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet"));
assertTrue(dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"));
@@ -138,17 +143,17 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
@Test
public void testAddCriticalityToVulnerability() throws AnalysisException, DatabaseException {
try {
analyzer.initialize();
analyzer.initialize(null);
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
"ruby/vulnerable/gems/sinatra/Gemfile.lock"));
final Engine engine = new Engine();
final Engine engine = new Engine(getSettings());
analyzer.analyze(result, engine);
Dependency dependency = engine.getDependencies().get(0);
Vulnerability vulnerability = dependency.getVulnerabilities().first();
assertEquals(vulnerability.getCvssScore(), 5.0f, 0.0);
} catch (InitializationException | DatabaseException | AnalysisException e) {
LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".");
Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", e);
@@ -163,10 +168,11 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
@Test
public void testMissingBundleAudit() throws AnalysisException, DatabaseException {
//set a non-exist bundle-audit
Settings.setString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, "phantom-bundle-audit");
getSettings().setString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, "phantom-bundle-audit");
analyzer.initializeSettings(getSettings());
try {
//initialize should fail.
analyzer.initialize();
analyzer.initialize(null);
} catch (Exception e) {
//expected, so ignore.
assertNotNull(e);
@@ -184,7 +190,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
*/
@Test
public void testDependenciesPath() throws AnalysisException, DatabaseException {
final Engine engine = new Engine();
final Engine engine = new Engine(getSettings());
engine.scan(BaseTest.getResourceAsFile(this,
"ruby/vulnerable/gems/rails-4.1.15/"));
try {
@@ -202,14 +208,14 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
while (dIterator.hasNext()) {
Dependency dept = dIterator.next();
LOGGER.info("dept path: {}", dept.getActualFilePath());
Set<Identifier> identifiers = dept.getIdentifiers();
Iterator<Identifier> idIterator = identifiers.iterator();
while (idIterator.hasNext()) {
Identifier id = idIterator.next();
LOGGER.info(" Identifier: {}, type={}, url={}, conf={}", id.getValue(), id.getType(), id.getUrl(), id.getConfidence());
}
Set<Evidence> prodEv = dept.getProductEvidence().getEvidence();
Iterator<Evidence> it = prodEv.iterator();
while (it.hasNext()) {
@@ -222,7 +228,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
Evidence e = vIt.next();
LOGGER.info(" version: name={}, value={}, source={}, confidence={}", e.getName(), e.getValue(), e.getSource(), e.getConfidence());
}
Set<Evidence> vendorEv = dept.getVendorEvidence().getEvidence();
Iterator<Evidence> vendorIt = vendorEv.iterator();
while (vendorIt.hasNext()) {

8
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java
View File

@@ -48,10 +48,13 @@ public class RubyBundlerAnalyzerTest extends BaseTest {
* @throws Exception thrown if there is a problem
*/
@Before
@Override
public void setUp() throws Exception {
super.setUp();
analyzer = new RubyBundlerAnalyzer();
analyzer.initializeSettings(getSettings());
analyzer.setFilesMatched(true);
analyzer.initialize();
analyzer.initialize(null);
}
/**
@@ -60,9 +63,10 @@ public class RubyBundlerAnalyzerTest extends BaseTest {
* @throws Exception thrown if there is a problem
*/
@After
@Override
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
super.tearDown();
}
/**

8
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
View File

@@ -48,10 +48,13 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
* @throws Exception thrown if there is a problem
*/
@Before
@Override
public void setUp() throws Exception {
super.setUp();
analyzer = new RubyGemspecAnalyzer();
analyzer.initializeSettings(getSettings());
analyzer.setFilesMatched(true);
analyzer.initialize();
analyzer.initialize(null);
}
/**
@@ -60,9 +63,10 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
* @throws Exception thrown if there is a problem
*/
@After
@Override
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
super.tearDown();
}
/**

11
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
View File

@@ -32,14 +32,18 @@ public class SwiftAnalyzersTest extends BaseTest {
* @throws Exception thrown if there is a problem
*/
@Before
@Override
public void setUp() throws Exception {
super.setUp();
podsAnalyzer = new CocoaPodsAnalyzer();
podsAnalyzer.initializeSettings(getSettings());
podsAnalyzer.setFilesMatched(true);
podsAnalyzer.initialize();
podsAnalyzer.initialize(null);
spmAnalyzer = new SwiftPackageManagerAnalyzer();
spmAnalyzer.initializeSettings(getSettings());
spmAnalyzer.setFilesMatched(true);
spmAnalyzer.initialize();
spmAnalyzer.initialize(null);
}
/**
@@ -48,12 +52,15 @@ public class SwiftAnalyzersTest extends BaseTest {
* @throws Exception thrown if there is a problem
*/
@After
@Override
public void tearDown() throws Exception {
podsAnalyzer.close();
podsAnalyzer = null;
spmAnalyzer.close();
spmAnalyzer = null;
super.tearDown();
}
/**

7
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java
View File

@@ -48,6 +48,7 @@ public class VersionFilterAnalyzerTest extends BaseTest {
@Test
public void testGetAnalysisPhase() {
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
instance.initializeSettings(getSettings());
AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
@@ -60,6 +61,7 @@ public class VersionFilterAnalyzerTest extends BaseTest {
@Test
public void testGetAnalyzerEnabledSettingKey() {
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
instance.initializeSettings(getSettings());
String expResult = Settings.KEYS.ANALYZER_VERSION_FILTER_ENABLED;
String result = instance.getAnalyzerEnabledSettingKey();
assertEquals(expResult, result);
@@ -78,6 +80,7 @@ public class VersionFilterAnalyzerTest extends BaseTest {
versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
instance.initializeSettings(getSettings());
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
@@ -119,6 +122,7 @@ public class VersionFilterAnalyzerTest extends BaseTest {
versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
instance.initializeSettings(getSettings());
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
@@ -156,6 +160,7 @@ public class VersionFilterAnalyzerTest extends BaseTest {
versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
instance.initializeSettings(getSettings());
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
@@ -183,6 +188,7 @@ public class VersionFilterAnalyzerTest extends BaseTest {
versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
instance.initializeSettings(getSettings());
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
@@ -206,5 +212,4 @@ public class VersionFilterAnalyzerTest extends BaseTest {
instance.analyzeDependency(dependency, null);
assertEquals(4, versions.size());
}
}

18
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java
View File

@@ -42,17 +42,20 @@ public class VulnerabilitySuppressionAnalyzerIT extends BaseDBTestCase {
@Test
public void testGetName() {
VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
instance.initializeSettings(getSettings());
String expResult = "Vulnerability Suppression Analyzer";
String result = instance.getName();
assertEquals(expResult, result);
}
/**
* Test of getAnalysisPhase method, of class VulnerabilitySuppressionAnalyzer.
* Test of getAnalysisPhase method, of class
* VulnerabilitySuppressionAnalyzer.
*/
@Test
public void testGetAnalysisPhase() {
VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
instance.initializeSettings(getSettings());
AnalysisPhase expResult = AnalysisPhase.POST_FINDING_ANALYSIS;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
@@ -68,10 +71,10 @@ public class VulnerabilitySuppressionAnalyzerIT extends BaseDBTestCase {
File file = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.jar");
//File suppression = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.suppression.xml").getPath());
File suppression = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.suppression.xml");
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine(getSettings());
engine.scan(file);
engine.analyzeDependencies();
Dependency dependency = getDependency(engine, file);
@@ -79,9 +82,10 @@ public class VulnerabilitySuppressionAnalyzerIT extends BaseDBTestCase {
int cpeSize = dependency.getIdentifiers().size();
assertTrue(cveSize > 0);
assertTrue(cpeSize > 0);
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppression.getAbsolutePath());
getSettings().setString(Settings.KEYS.SUPPRESSION_FILE, suppression.getAbsolutePath());
VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
instance.initialize();
instance.initializeSettings(getSettings());
instance.initialize(engine);
instance.analyze(dependency, engine);
cveSize = cveSize > 1 ? cveSize - 2 : 0;
cpeSize = cpeSize > 0 ? cpeSize - 1 : 0;

6
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
View File

@@ -22,10 +22,10 @@ public class CentralSearchTest extends BaseTest {
private CentralSearch searcher;
@Before
@Override
public void setUp() throws Exception {
String centralUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
LOGGER.debug(centralUrl);
searcher = new CentralSearch(new URL(centralUrl));
super.setUp();
searcher = new CentralSearch(getSettings());
}
@Test(expected = IllegalArgumentException.class)

4
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/composer/ComposerLockParserTest.java
View File

@@ -35,7 +35,9 @@ public class ComposerLockParserTest extends BaseTest {
private InputStream inputStream;
@Before
public void setUp() {
@Override
public void setUp() throws Exception {
super.setUp();
inputStream = this.getClass().getClassLoader().getResourceAsStream("composer.lock");
}

10
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusSearchTest.java
View File

@@ -18,7 +18,6 @@
package org.owasp.dependencycheck.data.nexus;
import java.io.FileNotFoundException;
import java.net.URL;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import org.junit.Assume;
@@ -26,7 +25,6 @@ import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.analyzer.NexusAnalyzer;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -37,10 +35,12 @@ public class NexusSearchTest extends BaseTest {
private NexusSearch searcher;
@Before
@Override
public void setUp() throws Exception {
String nexusUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
super.setUp();
String nexusUrl = getSettings().getString(Settings.KEYS.ANALYZER_NEXUS_URL);
LOGGER.debug(nexusUrl);
searcher = new NexusSearch(new URL(nexusUrl), NexusAnalyzer.useProxy());
searcher = new NexusSearch(getSettings(), false);
Assume.assumeTrue(searcher.preflightRequest());
}
@@ -78,5 +78,3 @@ public class NexusSearchTest extends BaseTest {
searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
}
}
// vim: cc=120:sw=4:ts=4:sts=4

8
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java
View File

@@ -22,7 +22,6 @@ import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.json.Json;
@@ -30,7 +29,6 @@ import javax.json.JsonObject;
import javax.json.JsonObjectBuilder;
import javax.json.JsonReader;
import java.io.InputStream;
import java.net.URL;
import java.util.List;
import static org.junit.Assume.assumeFalse;
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
@@ -41,10 +39,10 @@ public class NspSearchTest extends BaseTest {
private NspSearch searcher;
@Before
@Override
public void setUp() throws Exception {
String url = Settings.getString(Settings.KEYS.ANALYZER_NSP_URL);
LOGGER.debug(url);
searcher = new NspSearch(new URL(url));
super.setUp();
searcher = new NspSearch(getSettings());
}
@Test

1
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/SanitizePackageTest.java
View File

@@ -61,5 +61,4 @@ public class SanitizePackageTest {
Assert.assertFalse(sanitized.containsKey("license"));
Assert.assertFalse(sanitized.containsKey("main"));
}
}

7
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactoryTest.java
View File

@@ -35,10 +35,11 @@ public class ConnectionFactoryTest extends BaseDBTestCase {
*/
@Test
public void testInitialize() throws DatabaseException, SQLException {
ConnectionFactory.initialize();
try (Connection result = ConnectionFactory.getConnection()) {
ConnectionFactory factory = new ConnectionFactory(getSettings());
factory.initialize();
try (Connection result = factory.getConnection()) {
assertNotNull(result);
}
ConnectionFactory.cleanup();
factory.cleanup();
}
}

50
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIT.java
View File

@@ -27,51 +27,47 @@ import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import org.junit.After;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import org.junit.Before;
/**
*
* @author Jeremy Long
*/
public class CveDBIT extends BaseDBTestCase {
CveDB instance = null;
@Before
@Override
public void setUp() throws Exception {
super.setUp();
instance = new CveDB(getSettings());
}
@After
@Override
public void tearDown() throws Exception {
instance.close();
super.tearDown();
}
/**
* Pretty useless tests of open, commit, and close methods, of class CveDB.
*/
@Test
public void testOpen() {
CveDB instance = null;
try {
instance = CveDB.getInstance();
instance.commit();
} catch (DatabaseException | SQLException ex) {
fail(ex.getMessage());
} finally {
int start = instance.getUsageCount();
instance.close();
int end = instance.getUsageCount();
assertTrue( end < start);
}
}
@@ -80,12 +76,10 @@ public class CveDBIT extends BaseDBTestCase {
*/
@Test
public void testGetCPEs() throws Exception {
CveDB instance = CveDB.getInstance();
String vendor = "apache";
String product = "struts";
Set<VulnerableSoftware> result = instance.getCPEs(vendor, product);
assertTrue(result.size() > 5);
instance.close();
}
/**
@@ -93,10 +87,8 @@ public class CveDBIT extends BaseDBTestCase {
*/
@Test
public void testgetVulnerability() throws Exception {
CveDB instance = CveDB.getInstance();
Vulnerability result = instance.getVulnerability("CVE-2014-0094");
assertEquals("The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to \"manipulate\" the ClassLoader via the class parameter, which is passed to the getClass method.", result.getDescription());
instance.close();
}
/**
@@ -105,7 +97,6 @@ public class CveDBIT extends BaseDBTestCase {
@Test
public void testGetVulnerabilities() throws Exception {
String cpeStr = "cpe:/a:apache:struts:2.1.2";
CveDB instance = CveDB.getInstance();
List<Vulnerability> results;
results = instance.getVulnerabilities(cpeStr);
@@ -133,7 +124,6 @@ public class CveDBIT extends BaseDBTestCase {
}
}
assertTrue("Expected " + expected + ", but was not identified", found);
instance.close();
}
/**
@@ -141,7 +131,6 @@ public class CveDBIT extends BaseDBTestCase {
*/
@Test
public void testGetMatchingSoftware() throws Exception {
CveDB instance = CveDB.getInstance();
Map<String, Boolean> versions = new HashMap<>();
DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE);
@@ -189,6 +178,5 @@ public class CveDBIT extends BaseDBTestCase {
identifiedVersion = new DependencyVersion("1.6.3");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
assertNotNull(results);
instance.close();
}
}

35
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java
View File

@@ -17,8 +17,10 @@
*/
package org.owasp.dependencycheck.data.nvdcve;
import java.sql.SQLException;
import java.util.List;
import java.util.Set;
import org.junit.After;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
@@ -26,6 +28,7 @@ import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import org.junit.Before;
/**
*
@@ -33,22 +36,32 @@ import static org.junit.Assert.fail;
*/
public class CveDBMySqlIT extends BaseTest {
CveDB instance = null;
@Before
@Override
public void setUp() throws Exception {
super.setUp();
instance = new CveDB(getSettings());
}
@After
@Override
public void tearDown() throws Exception {
instance.close();
super.tearDown();
}
/**
* Pretty useless tests of open, commit, and close methods, of class CveDB.
*/
@Test
public void testOpen() {
CveDB instance = null;
try {
instance = CveDB.getInstance();
} catch (DatabaseException ex) {
instance.commit();
} catch (SQLException | DatabaseException ex) {
System.out.println("Unable to connect to the My SQL database; verify that the db server is running and that the schema has been generated");
fail(ex.getMessage());
} finally {
int start = instance.getUsageCount();
instance.close();
int end = instance.getUsageCount();
assertTrue( end < start);
}
}
@@ -57,7 +70,6 @@ public class CveDBMySqlIT extends BaseTest {
*/
@Test
public void testGetCPEs() throws Exception {
CveDB instance = CveDB.getInstance();
try {
String vendor = "apache";
String product = "struts";
@@ -66,8 +78,6 @@ public class CveDBMySqlIT extends BaseTest {
} catch (Exception ex) {
System.out.println("Unable to access the My SQL database; verify that the db server is running and that the schema has been generated");
throw ex;
} finally {
instance.close();
}
}
@@ -77,15 +87,12 @@ public class CveDBMySqlIT extends BaseTest {
@Test
public void testGetVulnerabilities() throws Exception {
String cpeStr = "cpe:/a:apache:struts:2.1.2";
CveDB instance = CveDB.getInstance();
try {
List<Vulnerability> result = instance.getVulnerabilities(cpeStr);
assertTrue(result.size() > 5);
} catch (Exception ex) {
System.out.println("Unable to access the My SQL database; verify that the db server is running and that the schema has been generated");
throw ex;
} finally {
instance.close();
}
}
}

46
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIT.java
View File

@@ -19,14 +19,13 @@ package org.owasp.dependencycheck.data.nvdcve;
import org.owasp.dependencycheck.BaseDBTestCase;
import java.util.Properties;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import org.junit.After;
import org.junit.Test;
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
/**
*
@@ -34,17 +33,31 @@ import static org.junit.Assert.assertTrue;
*/
public class DatabasePropertiesIT extends BaseDBTestCase {
CveDB cveDb = null;
@Before
@Override
public void setUp() throws Exception {
super.setUp();
cveDb = new CveDB(getSettings());
}
@After
@Override
public void tearDown() throws Exception {
cveDb.close();
super.tearDown();
}
/**
* Test of isEmpty method, of class DatabaseProperties.
*/
@Test
public void testIsEmpty() throws Exception {
CveDB cveDB = CveDB.getInstance();
DatabaseProperties instance = cveDB.getDatabaseProperties();
assertNotNull(instance);
DatabaseProperties prop = cveDb.getDatabaseProperties();
assertNotNull(prop);
//no exception means the call worked... whether or not it is empty depends on if the db is new
//assertEquals(expResult, result);
cveDB.close();
}
/**
@@ -57,13 +70,11 @@ public class DatabasePropertiesIT extends BaseDBTestCase {
long expected = 1337;
updatedValue.setId(key);
updatedValue.setTimestamp(expected);
CveDB cveDB = CveDB.getInstance();
DatabaseProperties instance = cveDB.getDatabaseProperties();
DatabaseProperties instance = cveDb.getDatabaseProperties();
instance.save(updatedValue);
instance = cveDB.reloadProperties();
instance = cveDb.reloadProperties();
long results = Long.parseLong(instance.getProperty("NVD CVE " + key));
assertEquals(expected, results);
cveDB.close();
}
/**
@@ -73,12 +84,10 @@ public class DatabasePropertiesIT extends BaseDBTestCase {
public void testGetProperty_String_String() throws Exception {
String key = "doesn't exist";
String defaultValue = "default";
CveDB cveDB = CveDB.getInstance();
DatabaseProperties instance = cveDB.getDatabaseProperties();
DatabaseProperties instance = cveDb.getDatabaseProperties();
String expResult = "default";
String result = instance.getProperty(key, defaultValue);
assertEquals(expResult, result);
cveDB.close();
}
/**
@@ -87,13 +96,11 @@ public class DatabasePropertiesIT extends BaseDBTestCase {
@Test
public void testGetProperty_String() throws DatabaseException {
String key = "version";
CveDB cveDB = CveDB.getInstance();
DatabaseProperties instance = cveDB.getDatabaseProperties();
DatabaseProperties instance = cveDb.getDatabaseProperties();
String result = instance.getProperty(key);
double version = Double.parseDouble(result);
assertTrue(version >= 2.8);
assertTrue(version <= 10);
cveDB.close();
}
/**
@@ -101,10 +108,9 @@ public class DatabasePropertiesIT extends BaseDBTestCase {
*/
@Test
public void testGetProperties() throws DatabaseException {
CveDB cveDB = CveDB.getInstance();
DatabaseProperties instance = cveDB.getDatabaseProperties();
DatabaseProperties instance = cveDb.getDatabaseProperties();
Properties result = instance.getProperties();
assertTrue(result.size() > 0);
cveDB.close();
cveDb.close();
}
}

26
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java
View File

@@ -66,31 +66,31 @@ public class EngineVersionCheckTest extends BaseTest {
public void testShouldUpdate() throws Exception {
DatabaseProperties properties = new MockUp<DatabaseProperties>() {
final private Properties properties = new Properties();
@Mock
public void save(String key, String value) throws UpdateException {
properties.setProperty(key, value);
}
@Mock
public String getProperty(String key) {
return properties.getProperty(key);
}
}.getMockInstance();
String updateToVersion = "1.2.6";
String currentVersion = "1.2.6";
long lastChecked = dateToMilliseconds("2014-12-01");
long now = dateToMilliseconds("2014-12-01");
EngineVersionCheck instance = new EngineVersionCheck();
EngineVersionCheck instance = new EngineVersionCheck(getSettings());
boolean expResult = false;
instance.setUpdateToVersion(updateToVersion);
boolean result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
assertEquals(expResult, result);
updateToVersion = "1.2.5";
currentVersion = "1.2.5";
lastChecked = dateToMilliseconds("2014-10-01");
@@ -109,7 +109,7 @@ public class EngineVersionCheckTest extends BaseTest {
instance.setUpdateToVersion(updateToVersion);
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
assertEquals(expResult, result);
updateToVersion = "1.2.6";
currentVersion = "1.2.5";
lastChecked = dateToMilliseconds("2014-12-01");
@@ -118,7 +118,7 @@ public class EngineVersionCheckTest extends BaseTest {
instance.setUpdateToVersion(updateToVersion);
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
assertEquals(expResult, result);
updateToVersion = "1.2.5";
currentVersion = "1.2.6";
lastChecked = dateToMilliseconds("2014-12-01");
@@ -127,7 +127,7 @@ public class EngineVersionCheckTest extends BaseTest {
instance.setUpdateToVersion(updateToVersion);
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
assertEquals(expResult, result);
updateToVersion = "";
currentVersion = "1.2.5";
lastChecked = dateToMilliseconds("2014-12-01");
@@ -136,7 +136,7 @@ public class EngineVersionCheckTest extends BaseTest {
instance.setUpdateToVersion(updateToVersion);
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
assertEquals(expResult, result);
updateToVersion = "";
currentVersion = "1.2.5";
lastChecked = dateToMilliseconds("2014-12-01");
@@ -152,7 +152,7 @@ public class EngineVersionCheckTest extends BaseTest {
*/
@Test
public void testGetCurrentReleaseVersion() {
EngineVersionCheck instance = new EngineVersionCheck();
EngineVersionCheck instance = new EngineVersionCheck(getSettings());
DependencyVersion minExpResult = new DependencyVersion("1.2.6");
String release = instance.getCurrentReleaseVersion();
DependencyVersion result = new DependencyVersion(release);

26
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCveUpdaterIT.java
View File

@@ -17,14 +17,13 @@
*/
package org.owasp.dependencycheck.data.update;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.fail;
import org.junit.Test;
import org.owasp.dependencycheck.BaseDBTestCase;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.fail;
import org.owasp.dependencycheck.Engine;
/**
*
@@ -32,31 +31,14 @@ import static org.junit.Assert.fail;
*/
public class NvdCveUpdaterIT extends BaseDBTestCase {
public NvdCveUpdater getUpdater() {
NvdCveUpdater instance = new NvdCveUpdater();
instance.initializeExecutorServices();
return instance;
}
/**
* Test of update method.
*/
@Test
public void testUpdate() {
try {
NvdCveUpdater instance = getUpdater();
instance.update();
} catch (UpdateException ex) {
fail(ex.getMessage());
}
}
/**
* Test of updatesNeeded method.
*/
@Test
public void testUpdatesNeeded() throws Exception {
NvdCveUpdater instance = getUpdater();
NvdCveUpdater instance = new NvdCveUpdater();
instance.setSettings(getSettings());
instance.initializeExecutorServices();
UpdateableNvdCve result = instance.getUpdatesNeeded();
assertNotNull(result);
}

7
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java
View File

@@ -44,11 +44,11 @@ public class DownloadTaskTest extends BaseTest {
NvdCveInfo cve = new NvdCveInfo();
cve.setId("modified");
cve.setNeedsUpdate(true);
cve.setUrl(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
cve.setOldSchemaVersionUrl(Settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL));
cve.setUrl(getSettings().getString(Settings.KEYS.CVE_MODIFIED_20_URL));
cve.setOldSchemaVersionUrl(getSettings().getString(Settings.KEYS.CVE_MODIFIED_12_URL));
ExecutorService processExecutor = null;
CveDB cveDB = null;
DownloadTask instance = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());
DownloadTask instance = new DownloadTask(cve, processExecutor, cveDB, getSettings());
Future<ProcessTask> result = instance.call();
assertNull(result);
}
@@ -62,6 +62,5 @@ public class DownloadTaskTest extends BaseTest {
assertTrue(DownloadTask.isXml(f));
f = getResourceAsFile(this, "file.tar.gz");
assertFalse(DownloadTask.isXml(f));
}
}

6
dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java
View File

@@ -58,7 +58,7 @@ public class ReportGeneratorIT extends BaseDBTestCase {
File writeTo = new File("target/test-reports/Report.xml");
File suppressionFile = BaseTest.getResourceAsFile(this, "incorrectSuppressions.xml");
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile.getAbsolutePath());
getSettings().setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile.getAbsolutePath());
//File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
@@ -67,8 +67,8 @@ public class ReportGeneratorIT extends BaseDBTestCase {
//File jetty = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
File jetty = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar");
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Engine engine = new Engine();
getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Engine engine = new Engine(getSettings());
engine.scan(struts);
engine.scan(axis);

2
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
View File

@@ -151,7 +151,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
throw new MojoExecutionException("One or more exceptions occurred during dependency-check analysis", exCol);
}
engine.cleanup();
Settings.cleanup();
getSettings().cleanup();
}
/**

107
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
View File

@@ -84,6 +84,10 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
* A flag indicating whether or not the Maven site is being generated.
*/
private boolean generatingSite = false;
/**
* The configured settings.
*/
private Settings settings = null;
//</editor-fold>
// <editor-fold defaultstate="collapsed" desc="Maven bound parameters and components">
/**
@@ -931,7 +935,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
*/
protected Engine initializeEngine() throws DatabaseException {
populateSettings();
return new Engine();
return new Engine(settings);
}
/**
@@ -940,11 +944,11 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
* proxy url, port, and connection timeout.
*/
protected void populateSettings() {
Settings.initialize();
settings = new Settings();
InputStream mojoProperties = null;
try {
mojoProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
Settings.mergeProperties(mojoProperties);
settings.mergeProperties(mojoProperties);
} catch (IOException ex) {
getLog().warn("Unable to load the dependency-check ant task.properties file.");
if (getLog().isDebugEnabled()) {
@@ -961,9 +965,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
}
}
Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
if (externalReport != null) {
getLog().warn("The 'externalReport' option was set; this configuration option has been removed. "
@@ -975,50 +979,50 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
final Proxy proxy = getMavenProxy();
if (proxy != null) {
Settings.setString(Settings.KEYS.PROXY_SERVER, proxy.getHost());
Settings.setString(Settings.KEYS.PROXY_PORT, Integer.toString(proxy.getPort()));
settings.setString(Settings.KEYS.PROXY_SERVER, proxy.getHost());
settings.setString(Settings.KEYS.PROXY_PORT, Integer.toString(proxy.getPort()));
final String userName = proxy.getUsername();
final String password = proxy.getPassword();
Settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName);
Settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password);
Settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, proxy.getNonProxyHosts());
settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName);
settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password);
settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, proxy.getNonProxyHosts());
}
final String[] suppressions = determineSuppressions();
Settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressions);
settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressions);
Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
Settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
//File Type Analyzer Settings
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, nspAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
Settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, nspAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
//Database configuration
Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
if (databaseUser == null && databasePassword == null && serverId != null) {
final Server server = settingsXml.getServer(serverId);
@@ -1060,15 +1064,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
}
Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
Settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
artifactScopeExcluded = new ArtifactScopeExcluded(skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope);
artifactTypeExcluded = new ArtifactTypeExcluded(skipArtifactType);
@@ -1161,6 +1165,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
return artifactScopeExcluded;
}
/**
* Returns the configured settings.
*
* @return the configured settings
*/
protected Settings getSettings() {
return settings;
}
//<editor-fold defaultstate="collapsed" desc="Methods to fail build or show summary">
/**
* Checks to see if a vulnerability has been identified with a CVSS score

2
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java
View File

@@ -131,7 +131,7 @@ public class CheckMojo extends BaseDependencyCheckMojo {
}
engine.cleanup();
}
Settings.cleanup();
getSettings().cleanup();
}
/**

4
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java
View File

@@ -73,7 +73,7 @@ public class PurgeMojo extends BaseDependencyCheckMojo {
populateSettings();
File db;
try {
db = new File(Settings.getDataDirectory(), Settings.getString(Settings.KEYS.DB_FILE_NAME, "dc.h2.db"));
db = new File(getSettings().getDataDirectory(), getSettings().getString(Settings.KEYS.DB_FILE_NAME, "dc.h2.db"));
if (db.exists()) {
if (db.delete()) {
getLog().info("Database file purged; local copy of the NVD has been removed");
@@ -98,7 +98,7 @@ public class PurgeMojo extends BaseDependencyCheckMojo {
}
getLog().error(msg);
}
Settings.cleanup();
getSettings().cleanup();
}
}

Some files were not shown because too many files have changed in this diff Show More