From 4a02c87c27c3df1dc14ff2362e0aa4bc37b37eeb Mon Sep 17 00:00:00 2001 From: Will Stranathan Date: Fri, 24 Jan 2014 07:09:45 -0500 Subject: [PATCH 1/5] Added nupkg to the list of supported ZIP-like extensions Former-commit-id: a70f09ba9cadec56034a178d76692276f7946255 --- .../dependencycheck/analyzer/ArchiveAnalyzer.java | 11 +++++++++-- .../dependencycheck/analyzer/ArchiveAnalyzerTest.java | 5 +++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java index c9d14b33d..f6b0a10d4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java @@ -81,10 +81,17 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer { * The phase that this analyzer is intended to run in. */ private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INITIAL; + /** + * The set of things we can handle with Zip methods + */ + private static final Set ZIPPABLES = newHashSet("zip", "ear", "war", "nupkg"); /** * The set of file extensions supported by this analyzer. */ - private static final Set EXTENSIONS = newHashSet("zip", "ear", "war", "tar", "gz", "tgz"); + private static final Set EXTENSIONS = newHashSet("tar", "gz", "tgz"); + static { + EXTENSIONS.addAll(ZIPPABLES); + } /** * Returns a list of file EXTENSIONS supported by this analyzer. 
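Review bot: The Javadoc on `ZIPPABLES` (`The set of things we can handle with Zip methods`) does not say why `nupkg` belongs in it; the commit subject is the only place recording that a .nupkg is a ZIP container, and that fact should sit next to the constant, e.g. `/** Extensions decoded with ZipArchiveInputStream; nupkg is included because NuGet packages are ZIP containers. */`. The new `static` block that mutates `EXTENSIONS` after it is built is harder to follow than a single construction; listing all six extensions in `EXTENSIONS` and keeping `ZIPPABLES` as the documented subset, or building `EXTENSIONS` from `ZIPPABLES` in one expression, keeps the two constants from drifting apart. Whether `getSupportedExtensions()` hands this mutable set straight to callers is outside the hunk.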
@@ -251,7 +258,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer { } final String archiveExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(archive.getName()).toLowerCase(); try { - if ("zip".equals(archiveExt) || "war".equals(archiveExt) || "ear".equals(archiveExt)) { + if (ZIPPABLES.contains(archiveExt)) { extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine); } else if ("tar".equals(archiveExt)) { extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java index 3d8ea28ce..08d519d2b 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java @@ -69,6 +69,7 @@ public class ArchiveAnalyzerTest extends BaseIndexTestCase { expResult.add("zip"); expResult.add("war"); expResult.add("ear"); + expResult.add("nupkg"); expResult.add("tar"); expResult.add("gz"); expResult.add("tgz"); @@ -110,6 +111,10 @@ public class ArchiveAnalyzerTest extends BaseIndexTestCase { extension = "zip"; //supported result = instance.supportsExtension(extension); assertEquals(expResult, result); + + extension = "nupkg"; //supported + result = instance.supportsExtension(extension); + assertEquals(expResult, result); } /** From 8b6e9b7f76acc3a7bb167006c747c9352a81c312 Mon Sep 17 00:00:00 2001 
From: Will Stranathan Date: Fri, 24 Jan 2014 07:10:53 -0500 Subject: [PATCH 2/5] Initial checkin of an analyzer which gets info from .nuspec files Former-commit-id: 7d14609e887829f67a23dd51412761b1691bc135 --- .../analyzer/NuspecAnalyzer.java | 158 +++++++++++++++ .../data/nuget/NuspecHandler.java | 187 ++++++++++++++++++ .../data/nuget/package-info.java | 15 ++ .../analyzer/NuspecAnalyzerTest.java | 55 ++++++ 4 files changed, 415 insertions(+) create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecHandler.java create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/package-info.java create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java new file mode 100644 index 000000000..9c17b8239 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java 
@@ -0,0 +1,158 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import java.io.File; +import java.util.Set; +import java.util.logging.Level; +import java.util.logging.Logger; +import javax.xml.parsers.SAXParser; +import javax.xml.parsers.SAXParserFactory; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.data.nuget.NuspecHandler; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; + +/** + * Analyzer which will parse a Nuspec file to gather module information. + * + * @author colezlaw + */ +public class NuspecAnalyzer extends AbstractAnalyzer { + + /** + * The logger + */ + private static final Logger LOGGER = Logger.getLogger(NuspecAnalyzer.class.getName()); + + /** + * The name of the analyzer + */ + private static final String ANALYZER_NAME = "Nuspec Analyzer"; + + /** + * The phase in which the analyzer runs + */ + private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION; + + /** + * The types of files on which this will work. + */ + private static final Set SUPPORTED_EXTENSIONS = newHashSet("nuspec"); + + /** + * The SAXParser we'll use to parse nuspec files. + */ + private SAXParser parser; + + /** + * Initializes the analyzer once before any analysis is performed. 
+ * + * @throws Exception if there's an error during initialization + */ + @Override + public void initialize() throws Exception { + SAXParserFactory factory = SAXParserFactory.newInstance(); + factory.setNamespaceAware(true); + parser = factory.newSAXParser(); + } + + /** + * Returns the analyzer's name. + * + * @return the name of the analyzer + */ + @Override + public String getName() { + return ANALYZER_NAME; + } + + /** + * Returns the analysis phase under which the analyzer runs. + * + * @return the phase under which this analyzer runs + */ + @Override + public AnalysisPhase getAnalysisPhase() { + return ANALYSIS_PHASE; + } + + /** + * Returns the extensions for which this Analyzer runs. + * + * @return the extensions for which this Analyzer runs + */ + @Override + public Set getSupportedExtensions() { + return SUPPORTED_EXTENSIONS; + } + + /** + * Determines whether the incoming extension is supported. + * + * @param extension the extension to check for support + * @return whether the extension is supported + */ + @Override + public boolean supportsExtension(String extension) { + return SUPPORTED_EXTENSIONS.contains(extension); + } + + /** + * Performs the analysis. 
+ * + * @param dependency the dependency to analyze + * @param engine the engine + * @throws AnalysisException when there's an exception during analysis + */ + @Override + public void analyze(Dependency dependency, Engine engine) throws AnalysisException { + LOGGER.log(Level.INFO, "Checking Nuspec file {0}", dependency.toString()); + try { + NuspecHandler nh = new NuspecHandler(); + parser.parse(new File(dependency.getActualFilePath()), nh); + if (nh.getVersion() != null && !"".equals(nh.getVersion())) { + dependency.getVersionEvidence().addEvidence("nuspec", "version", nh.getVersion(), + Confidence.HIGHEST); + } + if (nh.getId() != null && !"".equals(nh.getId())) { + dependency.getProductEvidence().addEvidence("nuspec", "id", nh.getId(), + Confidence.HIGHEST); + } + if (nh.getOwners() != null && !"".equals(nh.getOwners())) { + dependency.getVendorEvidence().addEvidence("nuspec", "owners", nh.getOwners(), + Confidence.HIGHEST); + } + if (nh.getAuthors() != null && !"".equals(nh.getAuthors())) { + dependency.getVendorEvidence().addEvidence("nuspec", "authors", nh.getAuthors(), + Confidence.MEDIUM); + } + if (nh.getTitle() != null && !"".equals(nh.getTitle())) { + dependency.getProductEvidence().addEvidence("nuspec", "title", nh.getTitle(), + Confidence.MEDIUM); + } + if (nh.getLicenseUrl() != null && !"".equals(nh.getLicenseUrl())) { + dependency.setLicense(nh.getLicenseUrl()); + } + } catch (Exception e) { + throw new AnalysisException(e); + } + } +} + +// vim: cc=120:sw=4:ts=4:sts=4 diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecHandler.java new file mode 100644 index 000000000..e0572becd --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecHandler.java 
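Review bot: `initialize()` configures the `SAXParserFactory` with only `setNamespaceAware(true)`, so the parser that `analyze()` feeds with `dependency.getActualFilePath()` will honour DOCTYPEs and external entities declared in a scanned .nuspec; the files under analysis are third-party input, so this is an XML external entity exposure. Before `newSAXParser()` add `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` — the checked exceptions they throw are already covered by `throws Exception`. The single `SAXParser` field is reused for every `analyze()` call; I cannot tell from this hunk whether the engine runs analyzers concurrently, so either create the parser per call or document that the analyzer is single-threaded. A later patch in this series replaces the SAX parser with an XPath-based one whose factory is not shown here; presumably the same hardening is needed there.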
@@ -0,0 +1,187 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nuget; + +import java.util.logging.Level; +import java.util.logging.Logger; +import org.xml.sax.Attributes; +import org.xml.sax.SAXException; +import org.xml.sax.helpers.DefaultHandler; + +/** + * A DefaultHandler for parsing a Nuspec + * file. + */ +public class NuspecHandler extends DefaultHandler { + private String id; + private String version; + private String title; + private String authors; + private String owners; + private String licenseUrl; + + private boolean inId; + private boolean inVersion; + private boolean inTitle; + private boolean inAuthors; + private boolean inOwners; + private boolean inLicenseUrl; + + private static final String NS_NUSPEC = + "http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd"; + + private static final Logger LOGGER = Logger.getLogger(NuspecHandler.class.getName()); + + /** + * Creates a NugetHandler + */ + public NuspecHandler() { + inId = inVersion = inTitle = inAuthors = inOwners = inLicenseUrl = false; + } + + /** + * Gets the id. + * @return the id + */ + public String getId() { + return id; + } + + /** + * Gets the version. + */ + public String getVersion() { + return version; + } + + /** + * Gets the title. 
+ */ + public String getTitle() { + return title; + } + + /** + * Gets the authors. + */ + public String getAuthors() { + return authors; + } + + /** + * Gets the owners. + */ + public String getOwners() { + return owners; + } + + /** + * Gets the licenseUrl; + */ + public String getLicenseUrl() { + return licenseUrl; + } + + /** + * Receive notification of the start of an element. + * @param uri The Namespace URL, or the empty string if the element has no + * Namespace URI or if Namespace processing is not being + * performed. + * @param localName The loca name (without prefix), or the empty string if + * Namespace processing is not being performed. + * @param qName The qualified name (with prefix), or the empty string if + * qualified names are not available. + * @param attributes The attributes attached to the element. If there are + * no attributes, it shall be an empty Attributes object. + * @throws SAXException Any SAX exception, possibly wrapping another + * exception. + */ + public void startElement(String uri, String localName, String qName, + Attributes attributes) throws SAXException { + if (NS_NUSPEC.equals(uri) && "id".equals(localName)) { + id = ""; + inId = true; + } else if (NS_NUSPEC.equals(uri) && "version".equals(localName)) { + version = ""; + inVersion = true; + } else if (NS_NUSPEC.equals(uri) && "title".equals(localName)) { + title = ""; + inTitle = true; + } else if (NS_NUSPEC.equals(uri) && "authors".equals(localName)) { + authors = ""; + inAuthors = true; + } else if (NS_NUSPEC.equals(uri) && "owners".equals(localName)) { + owners = ""; + inOwners = true; + } else if (NS_NUSPEC.equals(uri) && "licenseUrl".equals(localName)) { + licenseUrl = ""; + inLicenseUrl = true; + } + } + + /** + * Receive notification of the end of an element. + * By default, do nothing. Application writers may override this method in + * a subclass to take specific actions at the end of each element (such as + * finalising a tree node or writing output to a file). 
+ * @param uri The Namespace URI, or the empty string if the element has no + * Namespace URI or if Namespace processing is not being + * performed. + * @param localName The local name (without prefix), or the empty string if + * Namespace processing is not being performed. + * @param qName The qualified name (with prefix), or the empty string if + * qualified names are not available. + * @throws SAXException Any SAX exception, possibly wrapping another + * exception. + */ + public void endElement(String uri, String localName, String qName) + throws SAXException { + inId = inVersion = inTitle = inAuthors = inOwners = inLicenseUrl = false; + } + + /** + * Receive notification of character data inside an element. + * By default, do nothing. Application writers may override this method to + * take specific actions for each chunk of character data (such as adding + * the data to a node or buffer, or printing it to a file). + * @param ch The characters. + * @param start The start position in the character array. + * @param length The number of characters to use from the character array. + * @throws SAXException Any SAX exception, possibly wrapping another + * exception. + */ + public void characters(char[] ch, int start, int length) + throws SAXException { + String toAppend = new String(ch, start, length); + if (inId) { + id += toAppend; + } else if (inVersion) { + version += toAppend; + } else if (inTitle) { + title += toAppend; + } else if (inAuthors) { + authors += toAppend; + } else if (inOwners) { + owners += toAppend; + } else if (inLicenseUrl) { + licenseUrl += toAppend; + } + } +} + +// vim: cc=120:sw=4:ts=4:sts=4 diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/package-info.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/package-info.java new file mode 100644 index 000000000..95d7c721f --- /dev/null 
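Review bot: `endElement` clears all six `in*` flags on every closing tag regardless of which element closed, so any child element inside a tracked element would stop text collection early and the text after the child is dropped, even though `characters()` is written to concatenate chunks until the matching end tag. Reset only the matching flag, `if (NS_NUSPEC.equals(uri) && "id".equals(localName)) { inId = false; }` and likewise for the others, or replace the six booleans with a single "current element" field. `NS_NUSPEC` accepts only the 2010/07 namespace; if .nuspec documents with other namespace URIs exist they are silently ignored by `startElement`, which is worth confirming and recording in the constant's Javadoc. `LOGGER` and the `Level` import are unused in this file.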
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/package-info.java @@ -0,0 +1,15 @@ +/** + * + * + * org.owasp.dependencycheck.data.nuget + * + * + *

+ * Contains classes related to parsing Nuget related files

+ *

+ * These are used to abstract away Nuget-related handling from Dependency Check + * so they can be used elsewhere.

+ * + * + */ +package org.owasp.dependencycheck.data.nuget; diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java new file mode 100644 index 000000000..9e4551063 --- /dev/null +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java 
@@ -0,0 +1,55 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2013 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.junit.Before; +import org.junit.Test; +import static org.junit.Assert.*; + +public class NuspecAnalyzerTest { + private NuspecAnalyzer instance; + + @Before + public void setUp() { + instance = new NuspecAnalyzer(); + } + + @Test + public void testGetAnalyzerName() { + assertEquals("Nuspec Analyzer", instance.getName()); + } + + @Test + public void testGetSupportedExtensions() { + assertTrue(instance.getSupportedExtensions().contains("nuspec")); + assertFalse(instance.getSupportedExtensions().contains("nupkg")); + } + + @Test + public void testSupportsExtension() { + assertTrue(instance.supportsExtension("nuspec")); + assertFalse(instance.supportsExtension("nupkg")); + } + + @Test + public void testGetAnalysisPhaze() { + assertEquals(AnalysisPhase.INFORMATION_COLLECTION, instance.getAnalysisPhase()); + } +} + +// vim: cc=120:sw=4:ts=4:sts=4 From b9f5799c1b6f06752c3789ee86d3471b8fb19764 Mon Sep 17 00:00:00 2001 From: Will Stranathan Date: Fri, 24 Jan 2014 07:11:18 -0500 Subject: [PATCH 3/5] Added the NuspecAnalyzer to the list of analyzers Former-commit-id: 7472ceb2fefef23c0b6aad112f4e4e7e04ce93e5 --- .../services/org.owasp.dependencycheck.analyzer.Analyzer | 1 + 1 file changed, 1 insertion(+) 
diff --git a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer index 0ed6a16cb..e06c7230d 100644 --- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer +++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer @@ -9,3 +9,4 @@ org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer org.owasp.dependencycheck.analyzer.NvdCveAnalyzer org.owasp.dependencycheck.analyzer.VulnerabilitySuppressionAnalyzer org.owasp.dependencycheck.analyzer.NexusAnalyzer +org.owasp.dependencycheck.analyzer.NuspecAnalyzer From 17e3e51607209c2571c34eefa9e0d5c2bb1a2ee0 Mon Sep 17 00:00:00 2001 From: Will Stranathan Date: Sat, 25 Jan 2014 11:27:28 -0500 Subject: [PATCH 4/5] Updated javadocs Former-commit-id: 9c054f0396b8b1431cc87759b0e43e13d1b14086 --- .../analyzer/NuspecAnalyzer.java | 4 +- .../data/nuget/NuspecHandler.java | 73 ++++++++++++++++--- 2 files changed, 65 insertions(+), 12 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java index 9c17b8239..434a72622 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java @@ -67,7 +67,7 @@ public class NuspecAnalyzer extends AbstractAnalyzer { */ @Override public void initialize() throws Exception { - SAXParserFactory factory = SAXParserFactory.newInstance(); + final SAXParserFactory factory = SAXParserFactory.newInstance(); factory.setNamespaceAware(true); parser = factory.newSAXParser(); } 
@@ -124,7 +124,7 @@ public class NuspecAnalyzer extends AbstractAnalyzer { public void analyze(Dependency dependency, Engine engine) throws AnalysisException { LOGGER.log(Level.INFO, "Checking Nuspec file {0}", dependency.toString()); try { - NuspecHandler nh = new NuspecHandler(); + final NuspecHandler nh = new NuspecHandler(); parser.parse(new File(dependency.getActualFilePath()), nh); if (nh.getVersion() != null && !"".equals(nh.getVersion())) { dependency.getVersionEvidence().addEvidence("nuspec", "version", nh.getVersion(), diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecHandler.java index e0572becd..68dc0afd1 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecHandler.java @@ -17,8 +17,8 @@ */ package org.owasp.dependencycheck.data.nuget; -import java.util.logging.Level; import java.util.logging.Logger; + import org.xml.sax.Attributes; import org.xml.sax.SAXException; import org.xml.sax.helpers.DefaultHandler; 
@@ -26,34 +26,77 @@ import org.xml.sax.helpers.DefaultHandler; /** * A DefaultHandler for parsing a Nuspec * file. + * @author colezlaw */ public class NuspecHandler extends DefaultHandler { + /** + * Holds the id + */ private String id; + /** + * Holds the version + */ private String version; + /** + * Holds the title + */ private String title; + /** + * Holds the authors + */ private String authors; + /** + * Holds the owners + */ private String owners; + /** + * Holds the licenseUrl + */ private String licenseUrl; + /** + * Indicates whether we're currently processing the id. + */ private boolean inId; + /** + * Indicates whether we're currently processing the version. + */ private boolean inVersion; + /** + * Indicates whether we're currently processing the title. + */ private boolean inTitle; + /** + * Indicates whether we're currently processing the authors. + */ private boolean inAuthors; + /** + * Indicates whether we're currently processing the owners. + */ private boolean inOwners; + /** + * Indicates whether we're currently processing the licenseUrl. + */ private boolean inLicenseUrl; + /** + * The Namespace for Nuspec documents. + */ private static final String NS_NUSPEC = "http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd"; - private static final Logger LOGGER = Logger.getLogger(NuspecHandler.class.getName()); - /** - * Creates a NugetHandler + * Creates a NugetHandler. */ public NuspecHandler() { - inId = inVersion = inTitle = inAuthors = inOwners = inLicenseUrl = false; + inId = false; + inVersion = false; + inTitle = false; + inAuthors = false; + inOwners = false; + inLicenseUrl = false; } - + /** * Gets the id. * @return the id @@ -64,6 +107,7 @@ public class NuspecHandler extends DefaultHandler { /** * Gets the version. + * @return the version */ public String getVersion() { return version; 
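Review bot: This hunk removes the only use of `java.util.logging.Logger` (the `LOGGER` field) while the preceding hunk keeps `import java.util.logging.Logger;`, leaving an unused import for Checkstyle to flag; drop that import line as well. The new Javadoc on `NS_NUSPEC` (`The Namespace for Nuspec documents.`) should also state the behavioural consequence visible in `startElement`, e.g. `/** Namespace URI of the nuspec schema; elements in any other namespace are ignored by startElement. */`, since that restriction is what a maintainer editing this handler needs to know.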
@@ -71,6 +115,7 @@ public class NuspecHandler extends DefaultHandler { /** * Gets the title. + * @return the title */ public String getTitle() { return title; @@ -78,6 +123,7 @@ public class NuspecHandler extends DefaultHandler { /** * Gets the authors. + * @return the authors */ public String getAuthors() { return authors; @@ -85,18 +131,20 @@ public class NuspecHandler extends DefaultHandler { /** * Gets the owners. + * @return the owners */ public String getOwners() { return owners; } /** - * Gets the licenseUrl; + * Gets the licenseUrl. + * @return the licenseUrl */ public String getLicenseUrl() { return licenseUrl; } - + /** * Receive notification of the start of an element. * @param uri The Namespace URL, or the empty string if the element has no @@ -151,7 +199,12 @@ public class NuspecHandler extends DefaultHandler { */ public void endElement(String uri, String localName, String qName) throws SAXException { - inId = inVersion = inTitle = inAuthors = inOwners = inLicenseUrl = false; + inId = false; + inVersion = false; + inTitle = false; + inAuthors = false; + inOwners = false; + inLicenseUrl = false; } /** @@ -167,7 +220,7 @@ public class NuspecHandler extends DefaultHandler { */ public void characters(char[] ch, int start, int length) throws SAXException { - String toAppend = new String(ch, start, length); + final String toAppend = new String(ch, start, length); if (inId) { id += toAppend; } else if (inVersion) { From 78f7152f6c2ce8aebfbe85c49de7088335fd47a9 Mon Sep 17 00:00:00 2001 
From: Will Stranathan Date: Sun, 26 Jan 2014 22:11:11 -0500 Subject: [PATCH 5/5] Converted to XPath instead of SAX Former-commit-id: e6062e1b9497a7134b6923f7f85e1fe3f18cefcc --- .../analyzer/NuspecAnalyzer.java | 57 ++--- .../data/nuget/NugetPackage.java | 186 ++++++++++++++ .../data/nuget/NuspecHandler.java | 240 ------------------ .../data/nuget/NuspecParseException.java | 68 +++++ .../data/nuget/NuspecParser.java | 37 +++ .../data/nuget/XPathNuspecParser.java | 82 ++++++ .../data/nuget/XPathNuspecParserTest.java | 73 ++++++ .../src/test/resources/log4net.2.0.3.nuspec | 20 ++ 8 files changed, 489 insertions(+), 274 deletions(-) create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetPackage.java delete mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecHandler.java create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParser.java create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParserTest.java create mode 100644 dependency-check-core/src/test/resources/log4net.2.0.3.nuspec diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java index 434a72622..36306e915 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java 
@@ -17,14 +17,15 @@ */ package org.owasp.dependencycheck.analyzer; -import java.io.File; +import java.io.FileInputStream; import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; -import javax.xml.parsers.SAXParser; -import javax.xml.parsers.SAXParserFactory; + import org.owasp.dependencycheck.Engine; -import org.owasp.dependencycheck.data.nuget.NuspecHandler; +import org.owasp.dependencycheck.data.nuget.NugetPackage; +import org.owasp.dependencycheck.data.nuget.NuspecParser; +import org.owasp.dependencycheck.data.nuget.XPathNuspecParser; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; @@ -55,11 +56,6 @@ public class NuspecAnalyzer extends AbstractAnalyzer { */ private static final Set SUPPORTED_EXTENSIONS = newHashSet("nuspec"); - /** - * The SAXParser we'll use to parse nuspec files. - */ - private SAXParser parser; - /** * Initializes the analyzer once before any analysis is performed. * @@ -67,9 +63,6 @@ public class NuspecAnalyzer extends AbstractAnalyzer { */ @Override public void initialize() throws Exception { - final SAXParserFactory factory = SAXParserFactory.newInstance(); - factory.setNamespaceAware(true); - parser = factory.newSAXParser(); } /** 
@@ -124,30 +117,26 @@ public class NuspecAnalyzer extends AbstractAnalyzer { public void analyze(Dependency dependency, Engine engine) throws AnalysisException { LOGGER.log(Level.INFO, "Checking Nuspec file {0}", dependency.toString()); try { - final NuspecHandler nh = new NuspecHandler(); - parser.parse(new File(dependency.getActualFilePath()), nh); - if (nh.getVersion() != null && !"".equals(nh.getVersion())) { - dependency.getVersionEvidence().addEvidence("nuspec", "version", nh.getVersion(), - Confidence.HIGHEST); + final NuspecParser parser = new XPathNuspecParser(); + NugetPackage np = null; + FileInputStream fis = null; + try { + fis = new FileInputStream(dependency.getActualFilePath()); + np = parser.parse(fis); + } finally { + if (fis != null) { + try { fis.close(); } catch (Exception e) { } + } } - if (nh.getId() != null && !"".equals(nh.getId())) { - dependency.getProductEvidence().addEvidence("nuspec", "id", nh.getId(), - Confidence.HIGHEST); + + if (np.getOwners() != null) { + dependency.getVendorEvidence().addEvidence("nuspec", "owners", np.getOwners(), Confidence.HIGHEST); } - if (nh.getOwners() != null && !"".equals(nh.getOwners())) { - dependency.getVendorEvidence().addEvidence("nuspec", "owners", nh.getOwners(), - Confidence.HIGHEST); - } - if (nh.getAuthors() != null && !"".equals(nh.getAuthors())) { - dependency.getVendorEvidence().addEvidence("nuspec", "authors", nh.getAuthors(), - Confidence.MEDIUM); - } - if (nh.getTitle() != null && !"".equals(nh.getTitle())) { - dependency.getProductEvidence().addEvidence("nuspec", "title", nh.getTitle(), - Confidence.MEDIUM); - } - if (nh.getLicenseUrl() != null && !"".equals(nh.getLicenseUrl())) { - dependency.setLicense(nh.getLicenseUrl()); + dependency.getVendorEvidence().addEvidence("nuspec", "authors", np.getAuthors(), Confidence.HIGH); + dependency.getVersionEvidence().addEvidence("nuspec", "version", np.getVersion(), Confidence.HIGHEST); + dependency.getProductEvidence().addEvidence("nuspec", "id", 
np.getId(), Confidence.HIGHEST); + if (np.getTitle() != null) { + dependency.getProductEvidence().addEvidence("nuspec", "title", np.getTitle(), Confidence.MEDIUM); } } catch (Exception e) { throw new AnalysisException(e); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetPackage.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetPackage.java new file mode 100644 index 000000000..ae03901e1 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetPackage.java 
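Review bot: The rewritten `analyze()` adds `np.getAuthors()`, `np.getVersion()` and `np.getId()` as evidence unconditionally, whereas the removed code null- and empty-checked every field; unless `XPathNuspecParser` (not in this hunk) guarantees non-null values for those three, a .nuspec missing one of them now passes `null` to `addEvidence`. Either keep the guards, `if (np.getId() != null) { ... }`, or document on `NuspecParser` that id, version and authors are mandatory and the parser fails otherwise. The `dependency.setLicense(...)` call is dropped although `NugetPackage` still carries `licenseUrl`, so the license no longer reaches the dependency; restore it as `if (np.getLicenseUrl() != null) { dependency.setLicense(np.getLicenseUrl()); }` if that was not intended. `try { fis.close(); } catch (Exception e) { }` swallows close failures silently and should at least log at FINE, and the authors confidence moves from MEDIUM to HIGH without a comment explaining why.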
@@ -0,0 +1,186 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nuget; + +/** + * Represents the contents of a Nuspec manifest. + * + * @author colezlaw + */ +public class NugetPackage { + /** + * The id. + */ + private String id; + + /** + * The version. + */ + private String version; + + /** + * The title. + */ + private String title; + + /** + * The authors. + */ + private String authors; + + /** + * The owners. + */ + private String owners; + + /** + * The licenseUrl. + */ + private String licenseUrl; + + /** + * Creates an empty NugetPackage. + */ + public NugetPackage() { + } + + /** + * Sets the id. + * @param id the id + */ + public void setId(String id) { + this.id = id; + } + + /** + * Gets the id. + * @return the id + */ + public String getId() { + return id; + } + + /** + * Sets the version. + * @param version the version + */ + public void setVersion(String version) { + this.version = version; + } + + /** + * Gets the version. + * @return the version + */ + public String getVersion() { + return version; + } + + /** + * Sets the title. + * @param title the title + */ + public void setTitle(String title) { + this.title = title; + } + + /** + * Gets the title. + * @return the title + */ + public String getTitle() { + return title; + } + + /** + * Sets the authors. 
+ * @param authors the authors + */ + public void setAuthors(String authors) { + this.authors = authors; + } + + /** + * Gets the authors. + * @return the authors + */ + public String getAuthors() { + return authors; + } + + /** + * Sets the owners. + * @param owners the owners + */ + public void setOwners(String owners) { + this.owners = owners; + } + + /** + * Gets the owners. + * @return the owners + */ + public String getOwners() { + return owners; + } + + /** + * Sets the licenseUrl. + * @param licenseUrl the licenseUrl + */ + public void setLicenseUrl(String licenseUrl) { + this.licenseUrl = licenseUrl; + } + + /** + * Gets the licenseUrl. + * @return the licenseUrl + */ + public String getLicenseUrl() { + return licenseUrl; + } + + @Override + public boolean equals(Object other) { + if (this == other) { + return true; + } + if (other == null || other.getClass() != this.getClass()) { + return false; + } + final NugetPackage o = (NugetPackage) other; + return o.getId().equals(id) + && o.getVersion().equals(version) + && o.getTitle().equals(title) + && o.getAuthors().equals(authors) + && o.getOwners().equals(owners) + && o.getLicenseUrl().equals(licenseUrl); + } + + @Override + public int hashCode() { + int hash = 7; + hash = 31 * hash + (null == id ? 0 : id.hashCode()); + hash = 31 * hash + (null == version ? 0 : version.hashCode()); + hash = 31 * hash + (null == title ? 0 : title.hashCode()); + hash = 31 * hash + (null == authors ? 0 : authors.hashCode()); + hash = 31 * hash + (null == owners ? 0 : owners.hashCode()); + hash = 31 * hash + (null == licenseUrl ? 0 : licenseUrl.hashCode()); + return hash; + } +} diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecHandler.java deleted file mode 100644 index 68dc0afd1..000000000 
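Review bot: `equals` dereferences every getter on the other object (`o.getTitle().equals(title)`, `o.getOwners().equals(owners)`, `o.getLicenseUrl().equals(licenseUrl)`), yet `XPathNuspecParser.getOrNull` deliberately leaves `title`, `owners` and `licenseUrl` null when the element is absent, so comparing against such a package throws NullPointerException instead of returning false. `hashCode` in the same hunk already null-guards those fields, so the two methods are inconsistent with each other. Use a null-safe comparison — `java.util.Objects.equals` if the project is on Java 7+, otherwise a small private helper as below — and note in the Javadoc of `getTitle`, `getOwners` and `getLicenseUrl` that they may return null.

```java
    @Override
    public boolean equals(Object other) {
        // … unchanged: identity and class checks …
        final NugetPackage o = (NugetPackage) other;
        return eq(id, o.id)
                && eq(version, o.version)
                && eq(title, o.title)
                && eq(authors, o.authors)
                && eq(owners, o.owners)
                && eq(licenseUrl, o.licenseUrl);
    }

    /** Null-safe string equality: two nulls compare equal, null never equals a value. */
    private static boolean eq(String a, String b) {
        return a == null ? b == null : a.equals(b);
    }
```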
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecHandler.java
+++ /dev/null
@@ -1,240 +0,0 @@ -/* - * This file is part of dependency-check-core. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2014 Jeremy Long. All Rights Reserved. - */ -package org.owasp.dependencycheck.data.nuget; - -import java.util.logging.Logger; - -import org.xml.sax.Attributes; -import org.xml.sax.SAXException; -import org.xml.sax.helpers.DefaultHandler; - -/** - * A DefaultHandler for parsing a Nuspec - * file. - * @author colezlaw - */ -public class NuspecHandler extends DefaultHandler { - /** - * Holds the id - */ - private String id; - /** - * Holds the version - */ - private String version; - /** - * Holds the title - */ - private String title; - /** - * Holds the authors - */ - private String authors; - /** - * Holds the owners - */ - private String owners; - /** - * Holds the licenseUrl - */ - private String licenseUrl; - - /** - * Indicates whether we're currently processing the id. - */ - private boolean inId; - /** - * Indicates whether we're currently processing the version. - */ - private boolean inVersion; - /** - * Indicates whether we're currently processing the title. - */ - private boolean inTitle; - /** - * Indicates whether we're currently processing the authors. - */ - private boolean inAuthors; - /** - * Indicates whether we're currently processing the owners. - */ - private boolean inOwners; - /** - * Indicates whether we're currently processing the licenseUrl. 
- */ - private boolean inLicenseUrl; - - /** - * The Namespace for Nuspec documents. - */ - private static final String NS_NUSPEC = - "http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd"; - - /** - * Creates a NugetHandler. - */ - public NuspecHandler() { - inId = false; - inVersion = false; - inTitle = false; - inAuthors = false; - inOwners = false; - inLicenseUrl = false; - } - - /** - * Gets the id. - * @return the id - */ - public String getId() { - return id; - } - - /** - * Gets the version. - * @return the version - */ - public String getVersion() { - return version; - } - - /** - * Gets the title. - * @return the title - */ - public String getTitle() { - return title; - } - - /** - * Gets the authors. - * @return the authors - */ - public String getAuthors() { - return authors; - } - - /** - * Gets the owners. - * @return the owners - */ - public String getOwners() { - return owners; - } - - /** - * Gets the licenseUrl. - * @return the licenseUrl - */ - public String getLicenseUrl() { - return licenseUrl; - } - - /** - * Receive notification of the start of an element. - * @param uri The Namespace URL, or the empty string if the element has no - * Namespace URI or if Namespace processing is not being - * performed. - * @param localName The loca name (without prefix), or the empty string if - * Namespace processing is not being performed. - * @param qName The qualified name (with prefix), or the empty string if - * qualified names are not available. - * @param attributes The attributes attached to the element. If there are - * no attributes, it shall be an empty Attributes object. - * @throws SAXException Any SAX exception, possibly wrapping another - * exception. 
- */ - public void startElement(String uri, String localName, String qName, - Attributes attributes) throws SAXException { - if (NS_NUSPEC.equals(uri) && "id".equals(localName)) { - id = ""; - inId = true; - } else if (NS_NUSPEC.equals(uri) && "version".equals(localName)) { - version = ""; - inVersion = true; - } else if (NS_NUSPEC.equals(uri) && "title".equals(localName)) { - title = ""; - inTitle = true; - } else if (NS_NUSPEC.equals(uri) && "authors".equals(localName)) { - authors = ""; - inAuthors = true; - } else if (NS_NUSPEC.equals(uri) && "owners".equals(localName)) { - owners = ""; - inOwners = true; - } else if (NS_NUSPEC.equals(uri) && "licenseUrl".equals(localName)) { - licenseUrl = ""; - inLicenseUrl = true; - } - } - - /** - * Receive notification of the end of an element. - * By default, do nothing. Application writers may override this method in - * a subclass to take specific actions at the end of each element (such as - * finalising a tree node or writing output to a file). - * @param uri The Namespace URI, or the empty string if the element has no - * Namespace URI or if Namespace processing is not being - * performed. - * @param localName The local name (without prefix), or the empty string if - * Namespace processing is not being performed. - * @param qName The qualified name (with prefix), or the empty string if - * qualified names are not available. - * @throws SAXException Any SAX exception, possibly wrapping another - * exception. - */ - public void endElement(String uri, String localName, String qName) - throws SAXException { - inId = false; - inVersion = false; - inTitle = false; - inAuthors = false; - inOwners = false; - inLicenseUrl = false; - } - - /** - * Receive notification of character data inside an element. - * By default, do nothing. Application writers may override this method to - * take specific actions for each chunk of character data (such as adding - * the data to a node or buffer, or printing it to a file). 
- * @param ch The characters. - * @param start The start position in the character array. - * @param length The number of characters to use from the character array. - * @throws SAXException Any SAX exception, possibly wrapping another - * exception. - */ - public void characters(char[] ch, int start, int length) - throws SAXException { - final String toAppend = new String(ch, start, length); - if (inId) { - id += toAppend; - } else if (inVersion) { - version += toAppend; - } else if (inTitle) { - title += toAppend; - } else if (inAuthors) { - authors += toAppend; - } else if (inOwners) { - owners += toAppend; - } else if (inLicenseUrl) { - licenseUrl += toAppend; - } - } -} - -// vim: cc=120:sw=4:ts=4:sts=4 diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java new file mode 100644 index 000000000..027bf4d00 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java 
@@ -0,0 +1,68 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nuget; + +/** + * Exception during the parsing of a Nuspec file. + * + * @author colezlaw + */ +public class NuspecParseException extends Exception { + /** + * The serialVersionUID + */ + private static final long serialVersionUID = 1; + + /** + * Constructs a new exception with null as its detail message. + * + * The cause is not initialized, and may subsequently be initialized by a call + * to {@link java.lang.Throwable#initCause(java.lang.Throwable)}. + */ + public NuspecParseException() { + super(); + } + + /** + * Constructs a new exception with the specified detail message. The cause is + * not initialized, and may subsequently be initialized by a call to + * {@link java.lang.Throwable#initCause(java.lang.Throwable). + * + * @param message the detail message. The detail message is saved for later retrieval + * by the {@link java.lang.Throwable#getMessage()} method. + */ + public NuspecParseException(String message) { + super(message); + } + + /** + * Constructs a new exception with the specified detail message and cause. + * + * Note that the detail message associated with cause is not + * automatically incorporated in this exception's detail message. 
+ * + * @param message the detail message (whcih is saved for later retrieval by the + * {@link java.lang.Throwable#getMessage()} method. + * @param cause the cause (which is saved for later retrieval by the + * {@link java.lang.Throwable#getCause()} method). (A null value is permitted, + * and indicates that the cause is nonexistent or unknown). + */ + public NuspecParseException(String message, Throwable cause) { + super(message, cause); + } +} diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParser.java new file mode 100644 index 000000000..e752946d6 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParser.java 
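Review bot: The Javadoc on the single-argument constructor has an unterminated inline tag — `{@link java.lang.Throwable#initCause(java.lang.Throwable).` never closes its brace — which the javadoc tool reports as an error and renders as garbled text; close it as `{@link java.lang.Throwable#initCause(java.lang.Throwable)}.` The `@param message` on the two-argument constructor has a typo and an unbalanced parenthesis; it should read `the detail message (which is saved for later retrieval by the {@link java.lang.Throwable#getMessage()} method).`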
@@ -0,0 +1,37 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nuget;
+
+import java.io.InputStream;
+
+/**
+ * Interface defining methods for parsing a Nuspec file.
+ *
+ * @author willstranathan
+ *
+ */
+public interface NuspecParser {
+ /**
+ * Parse an input stream and return the resulting {@link NugetPackage}.
+ *
+ * @param stream the input stream to parse
+ * @return the populated bean
+ * @throws NuspecParseException when an exception occurs
+ */
+ NugetPackage parse(InputStream stream) throws NuspecParseException;
+}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
new file mode 100644
index 000000000..cadf36aa7
--- /dev/null
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
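Review bot: The `parse` contract leaves stream ownership unstated: in this patch `NuspecAnalyzer` closes the stream itself in a `finally` and `XPathNuspecParser.parse` never closes it, so an implementer or caller has to read both to know who is responsible. Add to the method Javadoc: `The caller retains ownership of {@code stream} and must close it; implementations do not close it.` It would also help to say which fields of the returned package are guaranteed non-null — the visible XPath implementation rejects documents lacking id, version, authors and description and leaves owners, title and licenseUrl null when absent — so callers need not read the implementation to know what to null-check.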
@@ -0,0 +1,82 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nuget; + +import java.io.InputStream; + +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.xpath.XPath; +import javax.xml.xpath.XPathConstants; +import javax.xml.xpath.XPathFactory; + +import org.w3c.dom.Document; +import org.w3c.dom.Node; + +/** + * Parse a Nuspec file using XPath. + * + * @author willstranathan + */ +public class XPathNuspecParser implements NuspecParser { + /** + * Gets the string value of a node or null if it's not present + * + * @param n the node to test + * @return the string content of the node, or null if the node itself is null + */ + private String getOrNull(Node n) { + if (n != null) { + return n.getTextContent(); + } else { + return null; + } + } + + /** + * Parse an input stream and return the resulting {@link NugetPackage}. 
+ * + * @param stream the input stream to parse + * @return the populated bean + * @throws NuspecParseException when an exception occurs + */ + @Override + public NugetPackage parse(InputStream stream) throws NuspecParseException { + try { + final Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(stream); + final XPath xpath = XPathFactory.newInstance().newXPath(); + final NugetPackage nuspec = new NugetPackage(); + + if (xpath.evaluate("/package/metadata/id", d, XPathConstants.NODE) == null + || xpath.evaluate("/package/metadata/version", d, XPathConstants.NODE) == null + || xpath.evaluate("/package/metadata/authors", d, XPathConstants.NODE) == null + || xpath.evaluate("/package/metadata/description", d, XPathConstants.NODE) == null) { + throw new NuspecParseException("Invalid Nuspec format"); + } + + nuspec.setId(xpath.evaluate("/package/metadata/id", d)); + nuspec.setVersion(xpath.evaluate("/package/metadata/version", d)); + nuspec.setAuthors(xpath.evaluate("/package/metadata/authors", d)); + nuspec.setOwners(getOrNull((Node) xpath.evaluate("/package/metadata/owners", d, XPathConstants.NODE))); + nuspec.setLicenseUrl(getOrNull((Node) xpath.evaluate("/package/metadata/licenseUrl", d, XPathConstants.NODE))); + nuspec.setTitle(getOrNull((Node) xpath.evaluate("/package/metadata/title", d, XPathConstants.NODE))); + return nuspec; + } catch (Exception e) { + throw new NuspecParseException("Unable to parse nuspec", e); + } + } +} diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParserTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParserTest.java new file mode 100644 index 000000000..dface467e --- /dev/null +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParserTest.java 
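Review bot: `DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(stream)` runs with the JAXP defaults, which on the standard JDK parser honour DOCTYPE declarations and resolve external entities — and the .nuspec being parsed comes out of a third-party .nupkg that dependency-check is scanning, i.e. untrusted input. A crafted manifest can therefore pull local files or internal URLs into the document via XXE, or stall the scan with recursive entity expansion. Harden the factory before building the parser, as below; keeping the `setFeature` calls inside the existing `try` means an unsupported feature surfaces as `NuspecParseException` rather than silently leaving the parser permissive. A smaller point: each required path is evaluated twice (once for the presence check, once for the value); evaluating once to a `Node` and reading `getTextContent()` would halve the XPath work, though that is cosmetic.

```java
    public NugetPackage parse(InputStream stream) throws NuspecParseException {
        try {
            final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            // Untrusted package content: refuse DOCTYPEs and external entities to block XXE
            // and entity-expansion denial of service.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
            final Document d = dbf.newDocumentBuilder().parse(stream);
            // … unchanged: XPath presence checks and NugetPackage population …
```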
@@ -0,0 +1,73 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nuget; + +import java.io.InputStream; + +import org.junit.Test; +import static org.junit.Assert.*; + + +/** + * + * @author willstranathan + * + */ +public class XPathNuspecParserTest { + /** + * Test all the valid components. + * + * @throws Exception if anything goes sideways. + */ + @Test + public void testGoodDocument() throws Exception { + NuspecParser parser = new XPathNuspecParser(); + InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("log4net.2.0.3.nuspec"); + NugetPackage np = parser.parse(is); + assertEquals("log4net", np.getId()); + assertEquals("2.0.3", np.getVersion()); + assertEquals("log4net [1.2.13]", np.getTitle()); + assertEquals("Apache Software Foundation", np.getAuthors()); + assertEquals("Apache Software Foundation", np.getOwners()); + assertEquals("http://logging.apache.org/log4net/license.html", np.getLicenseUrl()); + } + + /** + * Expect a NuspecParseException when what we pass isn't even XML. + * + * @throws Exception we expect this. 
+ */ + @Test(expected=NuspecParseException.class) + public void testMissingDocument() throws Exception { + NuspecParser parser = new XPathNuspecParser(); + InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("dependencycheck.properties"); + NugetPackage np = parser.parse(is); + } + + /** + * Expect a NuspecParseException when it's valid XML, but not a Nuspec. + * + * @throws Exception we expect this. + */ + @Test(expected=NuspecParseException.class) + public void testNotNuspec() throws Exception { + NuspecParser parser = new XPathNuspecParser(); + InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("suppressions.xml"); + NugetPackage np = parser.parse(is); + } +} diff --git a/dependency-check-core/src/test/resources/log4net.2.0.3.nuspec b/dependency-check-core/src/test/resources/log4net.2.0.3.nuspec new file mode 100644 index 000000000..99ad59ab7 --- /dev/null +++ b/dependency-check-core/src/test/resources/log4net.2.0.3.nuspec 
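Review bot: The two negative tests would pass for the wrong reason if their resource were missing: `getResourceAsStream` returns null, `DocumentBuilder.parse((InputStream) null)` throws `IllegalArgumentException`, and the parser's catch-all rewraps that as the expected `NuspecParseException`. Add `assertNotNull("missing test resource", is);` before each `parser.parse(is)` call, including the positive test, so a classpath problem fails with a clear message. The streams are also never closed; wrapping each parse in `try { … } finally { is.close(); }` keeps the tests from leaking file handles. A fixture without the optional `owners`, `title` and `licenseUrl` elements would exercise `getOrNull`'s null path, which `testGoodDocument` does not cover.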
@@ -0,0 +1,20 @@ + + + + log4net + 2.0.3 + log4net [1.2.13] + Apache Software Foundation + Apache Software Foundation + http://logging.apache.org/log4net/license.html + http://logging.apache.org/log4net/ + false + log4net is a tool to help the programmer output log statements to a variety of output targets. In case of problems with an application, it is helpful to enable logging so that the problem can be located. With log4net it is possible to enable logging at runtime without modifying the application binary. The log4net package is designed so that log statements can remain in shipped code without incurring a high performance cost. It follows that the speed of logging (or rather not logging) is crucial. + +At the same time, log output can be so voluminous that it quickly becomes overwhelming. One of the distinctive features of log4net is the notion of hierarchical loggers. Using these loggers it is possible to selectively control which log statements are output at arbitrary granularity. + +log4net is designed with two distinct goals in mind: speed and flexibility + The Apache log4net library is a tool to help the programmer output log statements to a variety of output targets. + logging log tracing logfiles + + \ No newline at end of file