From bf258146dace26ace852e049cf2d5f4f4ba3c4bb Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 18 Dec 2016 12:14:35 -0500
Subject: [PATCH] added test case for issue #629 and #517
---
.../629-jackson-datafromat/invoker.properties | 19 ++++++++
.../src/it/629-jackson-datafromat/pom.xml | 47 +++++++++++++++++++
.../629-jackson-datafromat/postbuild.groovy | 42 +++++++++++++++++
.../it/629-jackson-datafromat/prebuild.groovy | 28 +++++++++++
4 files changed, 136 insertions(+)
create mode 100644 dependency-check-maven/src/it/629-jackson-datafromat/invoker.properties
create mode 100644 dependency-check-maven/src/it/629-jackson-datafromat/pom.xml
create mode 100644 dependency-check-maven/src/it/629-jackson-datafromat/postbuild.groovy
create mode 100644 dependency-check-maven/src/it/629-jackson-datafromat/prebuild.groovy
diff --git a/dependency-check-maven/src/it/629-jackson-datafromat/invoker.properties b/dependency-check-maven/src/it/629-jackson-datafromat/invoker.properties
new file mode 100644
index 000000000..3fc1810a0
--- /dev/null
+++ b/dependency-check-maven/src/it/629-jackson-datafromat/invoker.properties
@@ -0,0 +1,19 @@
+#
+# This file is part of dependency-check-maven.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+#
+
+invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -e -Dformat=ALL
diff --git a/dependency-check-maven/src/it/629-jackson-datafromat/pom.xml b/dependency-check-maven/src/it/629-jackson-datafromat/pom.xml new file mode 100644 index 000000000..f1e6cd154 --- /dev/null +++ b/dependency-check-maven/src/it/629-jackson-datafromat/pom.xml @@ -0,0 +1,47 @@ + + + + 4.0.0 + org.owasp.test + test-dataformat-jackson + 1.0.0-SNAPSHOT + jar + + + com.fasterxml.jackson.core + jackson-databind + 2.4.5 + + + com.fasterxml.jackson.core + jackson-annotations + 2.4.5 + + + com.fasterxml.jackson.dataformat + jackson-dataformat-cbor + 2.4.5 + + + com.fasterxml.jackson.dataformat + jackson-dataformat-xml + 2.4.5 + + + \ No newline at end of file diff --git a/dependency-check-maven/src/it/629-jackson-datafromat/postbuild.groovy b/dependency-check-maven/src/it/629-jackson-datafromat/postbuild.groovy new file mode 100644 index 000000000..17401a332 --- /dev/null +++ b/dependency-check-maven/src/it/629-jackson-datafromat/postbuild.groovy 
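Review bot: The fixture pins jackson-databind, jackson-annotations, jackson-dataformat-cbor and jackson-dataformat-xml at 2.4.5 without saying why; these read as deliberately old, vulnerable versions chosen so the scan has something to identify (the postbuild script names CVE-2016-3720), and a routine dependency bump in this module would silently turn the IT into a no-op that still passes. A comment such as `<!-- versions are intentionally old/vulnerable: this IT checks that jackson-dataformat artifacts are identified (#629, #517); do not bump -->` above the dependency list would protect that intent. The element tags of this hunk are not visible here, so the exact placement is inferred from the artifact/version text.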
@@ -0,0 +1,42 @@
+/*
+ * This file is part of dependency-check-maven.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang.StringUtils;
+import java.nio.charset.Charset;
+
+// Save NVD-CVE for next IT (if not already done)
+File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
+File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
+if (datasDwl.exists() && !datasSave.exists()){
+ System.out.println("Save NVD-CVE into backup");
+ FileUtils.copyFile(datasDwl, datasSave);
+}
+
+
+
+
+// Check to see if jackson-dataformat-xml-2.4.5.jar was identified.
+//TODO change this to xpath and check for CVE-2016-3720
+String log = FileUtils.readFileToString(new File(basedir, "target/dependency-check-report.xml"), Charset.defaultCharset().name());
+int count = StringUtils.countMatches(log, "jackson-dataformat-xml-2.4.5.jar");
+if (count == 0){
+ System.out.println(String.format("The update should be unique, it is %s", count));
+ return false;
+ //throw new Exception(String.format("The update should be unique, it is %s", count));
+}
diff --git a/dependency-check-maven/src/it/629-jackson-datafromat/prebuild.groovy b/dependency-check-maven/src/it/629-jackson-datafromat/prebuild.groovy
new file mode 100644
index 000000000..c1e9eda11
--- /dev/null
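Review bot: The assertion built on `int count = StringUtils.countMatches(log, "jackson-dataformat-xml-2.4.5.jar");` only proves the jar name occurs somewhere in the XML report, so this IT still passes when the scanner lists the dependency but attaches no vulnerability to it, which is exactly the false-negative a regression test for a scanner must catch; the TODO already names the expected finding, so until the xpath version exists the guard should be at least `if (count == 0 || !log.contains("CVE-2016-3720")) {`. The failure text `"The update should be unique, it is %s"` reads as copied from another IT and does not describe this check; something like `"jackson-dataformat-xml-2.4.5.jar not identified or CVE-2016-3720 not reported in dependency-check-report.xml"` would make the invoker log actionable. Reading the report with `Charset.defaultCharset()` makes the string match depend on the build host's locale; the report is presumably UTF-8 and should be read with an explicit `"UTF-8"`. The commented-out `throw` below `return false;` is dead code and can be dropped.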
+++ b/dependency-check-maven/src/it/629-jackson-datafromat/prebuild.groovy
@@ -0,0 +1,28 @@
+/*
+ * This file is part of dependency-check-maven.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+
+import org.apache.commons.io.FileUtils;
+
+// Load NVD-CVE if not exist and had been saved in a previous IT
+File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
+File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
+
+if (!datasDwl.exists() && datasSave.exists()){
+ System.out.println("Load NVD-CVE from backup");
+ FileUtils.copyFile(datasSave, datasDwl);
+}
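Review bot: The restore is sensitive to the JVM working directory: `target/local-repo/...` and `target/nvd-cve-backup` at `File datasDwl = ...` / `File datasSave = ...` resolve against wherever the invoker process runs, while the report read in the sibling postbuild script is anchored on `basedir`, and nothing states which directory this script assumes. If that directory is not the plugin module root the condition is simply false, the script prints nothing, and the IT silently falls back to a full NVD download (slow and network-dependent) instead of failing visibly. A comment such as `// paths are relative to the invoker's working directory (the dependency-check-maven module), not the IT basedir` would make the assumption explicit, and an `else` branch logging that no backup was found would make a silent miss show up in the invoker log.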