add RubyBundlerAnalyzerTest

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java

@@ -43,7 +43,12 @@ import org.owasp.dependencycheck.dependency.Dependency;
  * @author Bianca Jiang (biancajiang@gmail.com)
  */
 public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
-	
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Ruby Bundler Analyzer";
+    
 	//Folder name that contains .gemspec files created by "bundle install"
 	private static final String SPECIFICATIONS = "specifications";
 	

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java

@@ -0,0 +1,105 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Bianca Jiang. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+
+import java.io.File;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.*;
+
+/**
+ * Unit tests for {@link RubyBundlerAnalyzer}.
+ *
+ * @author Bianca Jiang
+ */
+public class RubyBundlerAnalyzerTest extends BaseTest {
+
+    /**
+     * The analyzer to test.
+     */
+    RubyBundlerAnalyzer analyzer;
+
+    /**
+     * Correctly setup the analyzer for testing.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @Before
+    public void setUp() throws Exception {
+        analyzer = new RubyBundlerAnalyzer();
+        analyzer.setFilesMatched(true);
+        analyzer.initialize();
+    }
+
+    /**
+     * Cleanup the analyzer's temp files, etc.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @After
+    public void tearDown() throws Exception {
+        analyzer.close();
+        analyzer = null;
+    }
+
+    /**
+     * Test Analyzer name.
+     */
+    @Test
+    public void testGetName() {
+        assertThat(analyzer.getName(), is("Ruby Bundler Analyzer"));
+    }
+
+    /**
+     * Test Ruby Gemspec file support.
+     */
+    @Test
+    public void testSupportsFiles() {
+        assertThat(analyzer.accept(new File("test.gemspec")), is(true));
+    }
+
+    /**
+     * Test Ruby Bundler created gemspec analysis.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalyzeGemspec() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
+                "ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/specifications/dalli-2.7.5.gemspec"));
+        analyzer.analyze(result, null);
+        
+        final String vendorString = result.getVendorEvidence().toString();
+        assertThat(vendorString, containsString("Peter M. Goldstein"));
+        assertThat(vendorString, containsString("Mike Perham"));
+        assertThat(vendorString, containsString("peter.m.goldstein@gmail.com"));
+        assertThat(vendorString, containsString("https://github.com/petergoldstein/dalli"));
+        assertThat(vendorString, containsString("MIT"));
+        assertThat(result.getProductEvidence().toString(), containsString("dalli"));
+        assertThat(result.getProductEvidence().toString(), containsString("High performance memcached client for Ruby"));
+        assertThat(result.getVersionEvidence().toString(), containsString("2.7.5"));
+    }
+}

dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/gems/pg-0.18.4/Rakefile

@@ -0,0 +1,218 @@
+#!/usr/bin/env rake
+
+require 'rbconfig'
+require 'pathname'
+require 'tmpdir'
+
+begin
+	require 'rake/extensiontask'
+rescue LoadError
+	abort "This Rakefile requires rake-compiler (gem install rake-compiler)"
+end
+
+begin
+	require 'hoe'
+rescue LoadError
+	abort "This Rakefile requires hoe (gem install hoe)"
+end
+
+require 'rake/clean'
+
+# Build directory constants
+BASEDIR = Pathname( __FILE__ ).dirname
+SPECDIR = BASEDIR + 'spec'
+LIBDIR  = BASEDIR + 'lib'
+EXTDIR  = BASEDIR + 'ext'
+PKGDIR  = BASEDIR + 'pkg'
+TMPDIR  = BASEDIR + 'tmp'
+
+DLEXT   = RbConfig::CONFIG['DLEXT']
+EXT     = LIBDIR + "pg_ext.#{DLEXT}"
+
+GEMSPEC = 'pg.gemspec'
+
+TEST_DIRECTORY = BASEDIR + "tmp_test_specs"
+
+CLOBBER.include( TEST_DIRECTORY.to_s )
+CLEAN.include( PKGDIR.to_s, TMPDIR.to_s )
+
+# Set up Hoe plugins
+Hoe.plugin :mercurial
+Hoe.plugin :signing
+Hoe.plugin :deveiate
+Hoe.plugin :bundler
+
+Hoe.plugins.delete :rubyforge
+Hoe.plugins.delete :compiler
+
+load 'Rakefile.cross'
+
+
+# Hoe specification
+$hoespec = Hoe.spec 'pg' do
+	self.readme_file = 'README.rdoc'
+	self.history_file = 'History.rdoc'
+	self.extra_rdoc_files = Rake::FileList[ '*.rdoc' ]
+	self.extra_rdoc_files.include( 'POSTGRES', 'LICENSE' )
+	self.extra_rdoc_files.include( 'ext/*.c' )
+	self.license :BSD
+
+	self.developer 'Michael Granger', 'ged@FaerieMUD.org'
+	self.developer 'Lars Kanis', 'lars@greiz-reinsdorf.de'
+
+	self.dependency 'rake-compiler', '~> 0.9', :developer
+	self.dependency 'rake-compiler-dock', '~> 0.3', :developer
+	self.dependency 'hoe', '~> 3.12', :developer
+	self.dependency 'hoe-deveiate', '~> 0.6', :developer
+	self.dependency 'hoe-bundler', '~> 1.0', :developer
+	self.dependency 'rspec', '~> 3.0', :developer
+
+	self.spec_extras[:licenses] = ['BSD', 'Ruby', 'GPL']
+	self.spec_extras[:extensions] = [ 'ext/extconf.rb' ]
+
+	self.require_ruby_version( '>= 1.9.3' )
+
+	self.hg_sign_tags = true if self.respond_to?( :hg_sign_tags= )
+	self.check_history_on_release = true if self.respond_to?( :check_history_on_release= )
+
+	self.rdoc_locations << "deveiate:/usr/local/www/public/code/#{remote_rdoc_dir}"
+end
+
+ENV['VERSION'] ||= $hoespec.spec.version.to_s
+
+# Tests should pass before checking in
+task 'hg:precheckin' => [ :check_history, :check_manifest, :spec ]
+
+# Support for 'rvm specs'
+task :specs => :spec
+
+# Compile before testing
+task :spec => :compile
+
+# gem-testers support
+task :test do
+	# rake-compiler always wants to copy the compiled extension into lib/, but
+	# we don't want testers to have to re-compile, especially since that
+	# often fails because they can't (and shouldn't have to) write to tmp/ in
+	# the installed gem dir. So we clear the task rake-compiler set up
+	# to break the dependency between :spec and :compile when running under
+	# rubygems-test, and then run :spec.
+	Rake::Task[ EXT.to_s ].clear
+	Rake::Task[ :spec ].execute
+end
+
+desc "Turn on warnings and debugging in the build."
+task :maint do
+	ENV['MAINTAINER_MODE'] = 'yes'
+end
+
+ENV['RUBY_CC_VERSION'] ||= '1.8.7:1.9.2:2.0.0'
+
+# Rake-compiler task
+Rake::ExtensionTask.new do |ext|
+	ext.name           = 'pg_ext'
+	ext.gem_spec       = $hoespec.spec
+	ext.ext_dir        = 'ext'
+	ext.lib_dir        = 'lib'
+	ext.source_pattern = "*.{c,h}"
+	ext.cross_compile  = true
+	ext.cross_platform = CrossLibraries.map &:for_platform
+
+	ext.cross_config_options += CrossLibraries.map do |lib|
+		{
+			lib.for_platform => [
+				"--enable-windows-cross",
+				"--with-pg-include=#{lib.static_postgresql_incdir}",
+				"--with-pg-lib=#{lib.static_postgresql_libdir}",
+				# libpq-fe.h resides in src/interfaces/libpq/ before make install
+				"--with-opt-include=#{lib.static_postgresql_libdir}",
+			]
+		}
+	end
+
+	# Add libpq.dll to windows binary gemspec
+	ext.cross_compiling do |spec|
+		# mingw32-platform strings differ (RUBY_PLATFORM=i386-mingw32 vs. x86-mingw32 for rubygems)
+		spec.files << "lib/#{spec.platform.to_s.gsub(/^x86-/, "i386-")}/libpq.dll"
+	end
+end
+
+
+# Use the fivefish formatter for docs generated from development checkout
+if File.directory?( '.hg' )
+	require 'rdoc/task'
+
+	Rake::Task[ 'docs' ].clear
+	RDoc::Task.new( 'docs' ) do |rdoc|
+		rdoc.main = "README.rdoc"
+		rdoc.rdoc_files.include( "*.rdoc", "ChangeLog", "lib/**/*.rb", 'ext/**/*.{c,h}' )
+		rdoc.generator = :fivefish
+		rdoc.title = "PG: The Ruby PostgreSQL Driver"
+		rdoc.rdoc_dir = 'doc'
+	end
+end
+
+
+# Make the ChangeLog update if the repo has changed since it was last built
+file '.hg/branch' do
+	warn "WARNING: You need the Mercurial repo to update the ChangeLog"
+end
+file 'ChangeLog' do |task|
+	if File.exist?('.hg/branch')
+		$stderr.puts "Updating the changelog..."
+		begin
+			include Hoe::MercurialHelpers
+			content = make_changelog()
+		rescue NameError
+			abort "Packaging tasks require the hoe-mercurial plugin (gem install hoe-mercurial)"
+		end
+		File.open( task.name, 'w', 0644 ) do |fh|
+			fh.print( content )
+		end
+	else
+		touch 'ChangeLog'
+	end
+end
+
+# Rebuild the ChangeLog immediately before release
+task :prerelease => 'ChangeLog'
+
+
+desc "Stop any Postmaster instances that remain after testing."
+task :cleanup_testing_dbs do
+    require 'spec/lib/helpers'
+    PgTestingHelpers.stop_existing_postmasters()
+    Rake::Task[:clean].invoke
+end
+
+desc "Update list of server error codes"
+task :update_error_codes do
+	URL_ERRORCODES_TXT = "http://git.postgresql.org/gitweb/?p=postgresql.git;a=blob_plain;f=src/backend/utils/errcodes.txt;hb=HEAD"
+
+	ERRORCODES_TXT = "ext/errorcodes.txt"
+	sh "wget #{URL_ERRORCODES_TXT.inspect} -O #{ERRORCODES_TXT.inspect} || curl #{URL_ERRORCODES_TXT.inspect} -o #{ERRORCODES_TXT.inspect}"
+end
+
+file 'ext/errorcodes.def' => ['ext/errorcodes.rb', 'ext/errorcodes.txt'] do
+	ruby 'ext/errorcodes.rb', 'ext/errorcodes.txt', 'ext/errorcodes.def'
+end
+
+file 'ext/pg_errors.c' => ['ext/errorcodes.def'] do
+	# trigger compilation of changed errorcodes.def
+	touch 'ext/pg_errors.c'
+end
+
+task :gemspec => GEMSPEC
+file GEMSPEC => __FILE__
+task GEMSPEC do |task|
+	spec = $hoespec.spec
+	spec.files.delete( '.gemtest' )
+	spec.version = "#{spec.version}.pre#{Time.now.strftime("%Y%m%d%H%M%S")}"
+	File.open( task.name, 'w' ) do |fh|
+		fh.write( spec.to_ruby )
+	end
+end
+
+CLOBBER.include( GEMSPEC.to_s )
+task :default => :gemspec
+

dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/specifications/dalli-2.7.5.gemspec

@@ -0,0 +1,54 @@
+# -*- encoding: utf-8 -*-
+# stub: dalli 2.7.5 ruby lib
+
+Gem::Specification.new do |s|
+  s.name = "dalli"
+  s.version = "2.7.5"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib"]
+  s.authors = ["Peter M. Goldstein", "Mike Perham"]
+  s.date = "2015-12-16"
+  s.description = "High performance memcached client for Ruby"
+  s.email = ["peter.m.goldstein@gmail.com", "mperham@gmail.com"]
+  s.homepage = "https://github.com/petergoldstein/dalli"
+  s.licenses = ["MIT"]
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.rubygems_version = "2.5.0"
+  s.summary = "High performance memcached client for Ruby"
+
+  s.installed_by_version = "2.5.0" if s.respond_to? :installed_by_version
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 4
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<minitest>, [">= 4.2.0"])
+      s.add_development_dependency(%q<mocha>, [">= 0"])
+      s.add_development_dependency(%q<rails>, ["~> 4"])
+      s.add_development_dependency(%q<rake>, [">= 0"])
+      s.add_development_dependency(%q<appraisal>, [">= 0"])
+      s.add_development_dependency(%q<connection_pool>, [">= 0"])
+      s.add_development_dependency(%q<rdoc>, [">= 0"])
+      s.add_development_dependency(%q<simplecov>, [">= 0"])
+    else
+      s.add_dependency(%q<minitest>, [">= 4.2.0"])
+      s.add_dependency(%q<mocha>, [">= 0"])
+      s.add_dependency(%q<rails>, ["~> 4"])
+      s.add_dependency(%q<rake>, [">= 0"])
+      s.add_dependency(%q<appraisal>, [">= 0"])
+      s.add_dependency(%q<connection_pool>, [">= 0"])
+      s.add_dependency(%q<rdoc>, [">= 0"])
+      s.add_dependency(%q<simplecov>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<minitest>, [">= 4.2.0"])
+    s.add_dependency(%q<mocha>, [">= 0"])
+    s.add_dependency(%q<rails>, ["~> 4"])
+    s.add_dependency(%q<rake>, [">= 0"])
+    s.add_dependency(%q<appraisal>, [">= 0"])
+    s.add_dependency(%q<connection_pool>, [">= 0"])
+    s.add_dependency(%q<rdoc>, [">= 0"])
+    s.add_dependency(%q<simplecov>, [">= 0"])
+  end
+end