From 8127dc2620008bc6c39b620dd0a7ac71ece257f4 Mon Sep 17 00:00:00 2001
From: Dale Visser
Date: Tue, 7 Jul 2015 15:51:33 -0400
Subject: [PATCH] OpenSSL: Initial skeleton of OpenSSLAnalyzer and unit test suite.

Fixed package imports in PythonPackageAnalyzerTest.java

Former-commit-id: b27fa07cde451c0a19e5ce3f2d46701f02dda47e
---
 .../analyzer/OpenSSLAnalyzer.java | 150 ++++++++++++++++++
 .../analyzer/OpenSSLAnalyzerTest.java | 96 +++++++++++
 .../analyzer/PythonPackageAnalyzerTest.java | 13 +-
 3 files changed, 252 insertions(+), 7 deletions(-)
 create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
 create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
new file mode 100644
index 000000000..d05b57e80
--- /dev/null
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
@@ -0,0 +1,150 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.filefilter.NameFileFilter;
+import org.apache.commons.io.filefilter.SuffixFileFilter;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.UrlStringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.io.FileFilter;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Used to analyze OpenSSL source code present in the file system.
+ *
+ * @author Dale Visser
+ */
+public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
+
+ /**
+ * Used when compiling file scanning regex patterns.
+ */
+ private static final int REGEX_OPTIONS = Pattern.DOTALL
+ | Pattern.CASE_INSENSITIVE;
+
+ /**
+ * The logger.
+ */
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(OpenSSLAnalyzer.class);
+
+ /**
+ * Filename extensions for files to be analyzed.
+ */
+ private static final Set EXTENSIONS = Collections
+ .unmodifiableSet(Collections.singleton("h"));
+
+ /**
+ * Filter that detects files named "__init__.py".
+ */
+ private static final FileFilter OPENSSLV_FILTER = new NameFileFilter("opensslv.h");
+
+ /**
+ * Returns the name of the Python Package Analyzer.
+ *
+ * @return the name of the analyzer
+ */
+ @Override
+ public String getName() {
+ return "OpenSSL Source Analyzer";
+ }
+
+ /**
+ * Tell that we are used for information collection.
+ *
+ * @return INFORMATION_COLLECTION
+ */
+ @Override
+ public AnalysisPhase getAnalysisPhase() {
+ return AnalysisPhase.INFORMATION_COLLECTION;
+ }
+
+ /**
+ * Returns the set of supported file extensions.
+ *
+ * @return the set of supported file extensions
+ */
+ @Override
+ protected Set getSupportedExtensions() {
+ return EXTENSIONS;
+ }
+
+ /**
+ * No-op initializer implementation.
+ *
+ * @throws Exception never thrown
+ */
+ @Override
+ protected void initializeFileTypeAnalyzer() throws Exception {
+ // Nothing to do here.
+ }
+
+ /**
+ * Analyzes python packages and adds evidence to the dependency.
+ *
+ * @param dependency the dependency being analyzed
+ * @param engine the engine being used to perform the scan
+ * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
+ */
+ @Override
+ protected void analyzeFileType(Dependency dependency, Engine engine)
+ throws AnalysisException {
+ final File file = dependency.getActualFile();
+ final File parent = file.getParentFile();
+ final String parentName = parent.getName();
+ boolean found = false;
+// if (INIT_PY_FILTER.accept(file)) {
+// for (final File sourcefile : parent.listFiles(PY_FILTER)) {
+// found |= analyzeFileContents(dependency, sourcefile);
+// }
+// }
+ if (found) {
+ dependency.setDisplayFileName(parentName + "/__init__.py");
+ dependency.getProductEvidence().addEvidence(file.getName(),
+ "PackageName", parentName, Confidence.MEDIUM);
+ } else {
+ // copy, alter and set in case some other thread is iterating over
+ final List deps = new ArrayList(
+ engine.getDependencies());
+ deps.remove(dependency);
+ engine.setDependencies(deps);
+ }
+ }
+
+ @Override
+ protected String getAnalyzerEnabledSettingKey() {
+ return "fixme";
+ }
+}
\ No newline at end of file
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java
new file mode 100644
index 000000000..839bbee8a
--- /dev/null
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java
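Review bot: `analyzeFileType` removes every `.h` dependency from the engine in its `else` branch while `found` is hard-coded to `false` and the detection loop is commented out, so in this skeleton state the analyzer silently drops all header files from the scan results, including ones it never inspected. Until the `opensslv.h` detection is wired up (`OPENSSLV_FILTER` is declared but never used), the removal should be gated on this analyzer actually having claimed the file, and since `file.getParentFile()` can return `null` for a path with no parent, add `if (parent == null) { return; }` before `parent.getName()`. `getAnalyzerEnabledSettingKey()` returning the literal `"fixme"` means the enabled/disabled check reads a setting that does not exist; it should return a real `Settings.KEYS` constant for this analyzer (`Settings` is imported but unused) before the analyzer is registered. The Javadoc and the `"/__init__.py"` display name are copy-pasted from the Python package analyzer and should describe OpenSSL, e.g. `* Filter that detects files named "opensslv.h".` and `* Returns the name of the OpenSSL Source Analyzer.`.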
@@ -0,0 +1,96 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.apache.commons.lang.StringUtils;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+
+import java.util.Arrays;
+import java.util.HashSet;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Unit tests for OpenSSLAnalyzerAnalyzer.
+ *
+ * @author Dale Visser
+ */
+public class OpenSSLAnalyzerTest extends BaseTest {
+
+ /**
+ * The package analyzer to test.
+ */
+ OpenSSLAnalyzer analyzer;
+
+ /**
+ * Setup the PtyhonPackageAnalyzer.
+ *
+ * @throws Exception if there is a problem
+ */
+ @Before
+ public void setUp() throws Exception {
+ analyzer = new OpenSSLAnalyzer();
+ analyzer.setFilesMatched(true);
+ analyzer.initialize();
+ }
+
+ /**
+ * Cleanup any resources used.
+ *
+ * @throws Exception if there is a problem
+ */
+ @After
+ public void tearDown() throws Exception {
+ analyzer.close();
+ analyzer = null;
+ }
+
+ /**
+ * Test of getName method, of class OpenSSLAnalyzer.
+ */
+ @Test
+ public void testGetName() {
+ assertEquals("Analyzer name wrong.", "OpenSSL Source Analyzer",
+ analyzer.getName());
+ }
+
+ /**
+ * Test of getSupportedExtensions method, of class OpenSSLAnalyzer.
+ */
+ @Test
+ public void testGetSupportedExtensions() {
+ final String[] expected = {"h"};
+ assertEquals("Supported extensions should just have the following: "
+ + StringUtils.join(expected, ", "),
+ new HashSet(Arrays.asList(expected)),
+ analyzer.getSupportedExtensions());
+ }
+
+ /**
+ * Test of supportsExtension method, of class PythonPackageAnalyzer.
+ */
+ @Test
+ public void testSupportsExtension() {
+ assertTrue("Should support \"h\" extension.",
+ analyzer.supportsExtension("h"));
+ }
+}
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
index 0b13dd153..d77a8380c 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
@@ -17,15 +17,8 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
-import java.util.Arrays;
-import java.util.HashSet;
-
 import org.apache.commons.lang.StringUtils;
 import org.junit.After;
-import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
@@ -33,6 +26,12 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 
+import java.util.Arrays;
+import java.util.HashSet;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
 /**
  * Unit tests for PythonPackageAnalyzer.
  *
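Review bot: The suite never exercises `analyzeFileType`, so the behaviour that matters most in the main class — a `.h` dependency being removed from the engine whenever nothing is found — goes untested; a test that builds an `Engine`, adds a dependency for a fixture header under a test-resources path (placeholder until one is added) and asserts whether the dependency survives `analyzeFileType` would pin it down. The Javadoc is copy-pasted from the Python analyzer's tests: the class comment says `OpenSSLAnalyzerAnalyzer`, `setUp` says `Setup the PtyhonPackageAnalyzer.`, and `testSupportsExtension` refers to `class PythonPackageAnalyzer`; change each to name `OpenSSLAnalyzer`. `new HashSet(Arrays.asList(expected))` in `testGetSupportedExtensions` is a raw type; `new HashSet<String>(Arrays.asList(expected))` avoids the unchecked warning.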