rugygems: Added gemspec test resources, test cases, and minimal code to run tests and have evidence gathering test fail.

2026-01-15 08:13:43 +01:00 · 2015-08-09 14:34:24 -04:00
parent c856d01b52
commit 7eb2c89f39
6 changed files with 382 additions and 0 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
@@ -0,0 +1,117 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.apache.commons.io.FileUtils;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.io.FileFilter;
+import java.io.IOException;
+
+/**
+ * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine
+ * the associated CPE.
+ *
+ * @author Dale Visser <dvisser@ida.org>
+ */
+public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(RubyGemspecAnalyzer.class);
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Ruby Gemspec Analyzer";
+
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    private static final FileFilter FILTER =
+            FileFilterBuilder.newInstance().addExtensions("gemspec").addFilenames("Rakefile").build();
+
+    /**
+     * Returns the FileFilter
+     *
+     * @return the FileFilter
+     */
+    @Override
+    protected FileFilter getFileFilter() {
+        return FILTER;
+    }
+
+    @Override
+    protected void initializeFileTypeAnalyzer() throws Exception {
+        // NO-OP
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED;
+    }
+
+    @Override
+    protected void analyzeFileType(Dependency dependency, Engine engine)
+            throws AnalysisException {
+        final File file = dependency.getActualFile();
+        String contents;
+        try {
+            contents = FileUtils.readFileToString(file).trim();
+        } catch (IOException e) {
+            throw new AnalysisException(
+                    "Problem occurred while reading dependency file.", e);
+        }
+        // TODO analyze contents
+    }
+}
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
@@ -0,0 +1,103 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+
+import java.io.File;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.*;
+
+/**
+ * Unit tests for {@link RubyGemspecAnalyzer}.
+ *
+ * @author Dale Visser <dvisser@ida.org>
+ */
+public class RubyGemspecAnalyzerTest extends BaseTest {
+
+    /**
+     * The analyzer to test.
+     */
+    RubyGemspecAnalyzer analyzer;
+
+    /**
+     * Correctly setup the analyzer for testing.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @Before
+    public void setUp() throws Exception {
+        analyzer = new RubyGemspecAnalyzer();
+        analyzer.setFilesMatched(true);
+        analyzer.initialize();
+    }
+
+    /**
+     * Cleanup the analyzer's temp files, etc.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @After
+    public void tearDown() throws Exception {
+        analyzer.close();
+        analyzer = null;
+    }
+
+    /**
+     * Test of getName method, of class PythonDistributionAnalyzer.
+     */
+    @Test
+    public void testGetName() {
+        assertThat(analyzer.getName(), is("Ruby Gemspec Analyzer"));
+    }
+
+    /**
+     * Test of supportsExtension method, of class PythonDistributionAnalyzer.
+     */
+    @Test
+    public void testSupportsFiles() {
+        assertThat(analyzer.accept(new File("test.gemspec")), is(true));
+        assertThat(analyzer.accept(new File("Rakefile")), is(true));
+    }
+
+    /**
+     * Test of inspect method, of class PythonDistributionAnalyzer.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalyzePackageJson() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
+                "ruby/gems/specifications/rest-client-1.7.2.gemspec"));
+        analyzer.analyze(result, null);
+        final String vendorString = result.getVendorEvidence().toString();
+        assertThat(vendorString, containsString("REST Client Team"));
+        assertThat(vendorString, containsString("rest-client_project"));
+        assertThat(vendorString, containsString("rest.client@librelist.com"));
+        assertThat(vendorString, containsString("https://github.com/rest-client/rest-client"));
+        assertThat(result.getProductEvidence().toString(), containsString("rest-client"));
+        assertThat(result.getVersionEvidence().toString(), containsString("1.7.2"));
+    }
+}
--- a/dependency-check-core/src/test/resources/ruby/gems/specifications/mime-types-2.6.1.gemspec
+++ b/dependency-check-core/src/test/resources/ruby/gems/specifications/mime-types-2.6.1.gemspec
@@ -0,0 +1,72 @@
+# -*- encoding: utf-8 -*-
+# stub: mime-types 2.6.1 ruby lib
+
+Gem::Specification.new do |s|
+  s.name = "mime-types"
+  s.version = "2.6.1"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib"]
+  s.authors = ["Austin Ziegler"]
+  s.date = "2015-05-25"
+  s.description = "The mime-types library provides a library and registry for information about\nMIME content type definitions. It can be used to determine defined filename\nextensions for MIME types, or to use filename extensions to look up the likely\nMIME type definitions.\n\nMIME content types are used in MIME-compliant communications, as in e-mail or\nHTTP traffic, to indicate the type of content which is transmitted. The\nmime-types library provides the ability for detailed information about MIME\nentities (provided as an enumerable collection of MIME::Type objects) to be\ndetermined and used. There are many types defined by RFCs and vendors, so the\nlist is long but by definition incomplete; don't hesitate to add additional\ntype definitions. MIME type definitions found in mime-types are from RFCs, W3C\nrecommendations, the {IANA Media Types\nregistry}[https://www.iana.org/assignments/media-types/media-types.xhtml], and\nuser contributions. It conforms to RFCs 2045 and 2231.\n\nThis is release 2.6 with two new experimental features. The first new feature\nis a new default registry storage format that greatly reduces the initial\nmemory use of the mime-types library. This feature is enabled by requiring\n+mime/types/columnar+ instead of +mime/types+ with a small performance cost and\nno change in *total* memory use if certain methods are called (see {Columnar\nStore}[#columnar-store] for more details). The second new feature is a logger\ninterface that conforms to the expectations of an ActiveSupport::Logger so that\nwarnings can be written to an application's log rather than the default\nlocation for +warn+. This interface may be used for other logging purposes in\nthe future.\n\nmime-types 2.6 is the last planned version of mime-types 2.x, so deprecation\nwarnings are no longer cached but provided every time the method is called.\nmime-types 2.6 supports Ruby 1.9.2 or later."
+  s.email = ["halostatue@gmail.com"]
+  s.extra_rdoc_files = ["Contributing.rdoc", "History-Types.rdoc", "History.rdoc", "Licence.rdoc", "Manifest.txt", "README.rdoc", "docs/COPYING.txt", "docs/artistic.txt"]
+  s.files = ["Contributing.rdoc", "History-Types.rdoc", "History.rdoc", "Licence.rdoc", "Manifest.txt", "README.rdoc", "docs/COPYING.txt", "docs/artistic.txt"]
+  s.homepage = "https://github.com/mime-types/ruby-mime-types/"
+  s.licenses = ["MIT", "Artistic 2.0", "GPL-2"]
+  s.rdoc_options = ["--main", "README.rdoc"]
+  s.required_ruby_version = Gem::Requirement.new(">= 1.9.2")
+  s.rubygems_version = "2.2.2"
+  s.summary = "The mime-types library provides a library and registry for information about MIME content type definitions"
+
+  s.installed_by_version = "2.2.2" if s.respond_to? :installed_by_version
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 4
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<minitest>, ["~> 5.6"])
+      s.add_development_dependency(%q<rdoc>, ["~> 4.0"])
+      s.add_development_dependency(%q<hoe-doofus>, ["~> 1.0"])
+      s.add_development_dependency(%q<hoe-gemspec2>, ["~> 1.1"])
+      s.add_development_dependency(%q<hoe-git>, ["~> 1.6"])
+      s.add_development_dependency(%q<hoe-rubygems>, ["~> 1.0"])
+      s.add_development_dependency(%q<hoe-travis>, ["~> 1.2"])
+      s.add_development_dependency(%q<minitest-autotest>, ["~> 1.0"])
+      s.add_development_dependency(%q<minitest-focus>, ["~> 1.0"])
+      s.add_development_dependency(%q<rake>, ["~> 10.0"])
+      s.add_development_dependency(%q<simplecov>, ["~> 0.7"])
+      s.add_development_dependency(%q<coveralls>, ["~> 0.8"])
+      s.add_development_dependency(%q<hoe>, ["~> 3.13"])
+    else
+      s.add_dependency(%q<minitest>, ["~> 5.6"])
+      s.add_dependency(%q<rdoc>, ["~> 4.0"])
+      s.add_dependency(%q<hoe-doofus>, ["~> 1.0"])
+      s.add_dependency(%q<hoe-gemspec2>, ["~> 1.1"])
+      s.add_dependency(%q<hoe-git>, ["~> 1.6"])
+      s.add_dependency(%q<hoe-rubygems>, ["~> 1.0"])
+      s.add_dependency(%q<hoe-travis>, ["~> 1.2"])
+      s.add_dependency(%q<minitest-autotest>, ["~> 1.0"])
+      s.add_dependency(%q<minitest-focus>, ["~> 1.0"])
+      s.add_dependency(%q<rake>, ["~> 10.0"])
+      s.add_dependency(%q<simplecov>, ["~> 0.7"])
+      s.add_dependency(%q<coveralls>, ["~> 0.8"])
+      s.add_dependency(%q<hoe>, ["~> 3.13"])
+    end
+  else
+    s.add_dependency(%q<minitest>, ["~> 5.6"])
+    s.add_dependency(%q<rdoc>, ["~> 4.0"])
+    s.add_dependency(%q<hoe-doofus>, ["~> 1.0"])
+    s.add_dependency(%q<hoe-gemspec2>, ["~> 1.1"])
+    s.add_dependency(%q<hoe-git>, ["~> 1.6"])
+    s.add_dependency(%q<hoe-rubygems>, ["~> 1.0"])
+    s.add_dependency(%q<hoe-travis>, ["~> 1.2"])
+    s.add_dependency(%q<minitest-autotest>, ["~> 1.0"])
+    s.add_dependency(%q<minitest-focus>, ["~> 1.0"])
+    s.add_dependency(%q<rake>, ["~> 10.0"])
+    s.add_dependency(%q<simplecov>, ["~> 0.7"])
+    s.add_dependency(%q<coveralls>, ["~> 0.8"])
+    s.add_dependency(%q<hoe>, ["~> 3.13"])
+  end
+end
--- a/dependency-check-core/src/test/resources/ruby/gems/specifications/netrc-0.10.3.gemspec
+++ b/dependency-check-core/src/test/resources/ruby/gems/specifications/netrc-0.10.3.gemspec
@@ -0,0 +1,32 @@
+# -*- encoding: utf-8 -*-
+# stub: netrc 0.10.3 ruby lib
+
+Gem::Specification.new do |s|
+  s.name = "netrc"
+  s.version = "0.10.3"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib"]
+  s.authors = ["Keith Rarick", "geemus (Wesley Beary)"]
+  s.date = "2015-02-24"
+  s.description = "This library can read and update netrc files, preserving formatting including comments and whitespace."
+  s.email = "geemus@gmail.com"
+  s.homepage = "https://github.com/geemus/netrc"
+  s.licenses = ["MIT"]
+  s.rubygems_version = "2.2.2"
+  s.summary = "Library to read and write netrc files."
+
+  s.installed_by_version = "2.2.2" if s.respond_to? :installed_by_version
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 4
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<turn>, [">= 0"])
+    else
+      s.add_dependency(%q<turn>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<turn>, [">= 0"])
+  end
+end
--- a/dependency-check-core/src/test/resources/ruby/gems/specifications/rest-client-1.7.2.gemspec
+++ b/dependency-check-core/src/test/resources/ruby/gems/specifications/rest-client-1.7.2.gemspec
@@ -0,0 +1,54 @@
+# -*- encoding: utf-8 -*-
+# stub: rest-client 1.7.2 ruby lib
+
+Gem::Specification.new do |s|
+  s.name = "rest-client"
+  s.version = "1.7.2"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib"]
+  s.authors = ["REST Client Team"]
+  s.date = "2014-07-14"
+  s.description = "A simple HTTP and REST client for Ruby, inspired by the Sinatra microframework style of specifying actions: get, put, post, delete."
+  s.email = "rest.client@librelist.com"
+  s.executables = ["restclient"]
+  s.extra_rdoc_files = ["README.rdoc", "history.md"]
+  s.files = ["README.rdoc", "bin/restclient", "history.md"]
+  s.homepage = "https://github.com/rest-client/rest-client"
+  s.licenses = ["MIT"]
+  s.required_ruby_version = Gem::Requirement.new(">= 1.9.2")
+  s.rubygems_version = "2.2.2"
+  s.summary = "Simple HTTP and REST client for Ruby, inspired by microframework syntax for specifying actions."
+
+  s.installed_by_version = "2.2.2" if s.respond_to? :installed_by_version
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<webmock>, ["~> 1.4"])
+      s.add_development_dependency(%q<rspec>, ["~> 2.4"])
+      s.add_development_dependency(%q<pry>, [">= 0"])
+      s.add_development_dependency(%q<pry-doc>, [">= 0"])
+      s.add_development_dependency(%q<rdoc>, ["< 5.0", ">= 2.4.2"])
+      s.add_runtime_dependency(%q<mime-types>, ["< 3.0", ">= 1.16"])
+      s.add_runtime_dependency(%q<netrc>, ["~> 0.7"])
+    else
+      s.add_dependency(%q<webmock>, ["~> 1.4"])
+      s.add_dependency(%q<rspec>, ["~> 2.4"])
+      s.add_dependency(%q<pry>, [">= 0"])
+      s.add_dependency(%q<pry-doc>, [">= 0"])
+      s.add_dependency(%q<rdoc>, ["< 5.0", ">= 2.4.2"])
+      s.add_dependency(%q<mime-types>, ["< 3.0", ">= 1.16"])
+      s.add_dependency(%q<netrc>, ["~> 0.7"])
+    end
+  else
+    s.add_dependency(%q<webmock>, ["~> 1.4"])
+    s.add_dependency(%q<rspec>, ["~> 2.4"])
+    s.add_dependency(%q<pry>, [">= 0"])
+    s.add_dependency(%q<pry-doc>, [">= 0"])
+    s.add_dependency(%q<rdoc>, ["< 5.0", ">= 2.4.2"])
+    s.add_dependency(%q<mime-types>, ["< 3.0", ">= 1.16"])
+    s.add_dependency(%q<netrc>, ["~> 0.7"])
+  end
+end
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -194,6 +194,10 @@ public final class Settings {
         * The properties key for whether the Python Package analyzer is enabled.
         */
        public static final String ANALYZER_PYTHON_PACKAGE_ENABLED = "analyzer.python.package.enabled";
+        /**
+         * The properties key for whether the Ruby Gemspec Analyzer is enabled.
+         */
+        public static final String ANALYZER_RUBY_GEMSPEC_ENABLED = "analyzer.ruby.gemspec.enabled";
        /**
         * The properties key for whether the Autoconf analyzer is enabled.
         */