Merge pull request #473 from biancajiang/master

Handle bundle-audit not available case and fix RubyBundleAuditAnalyzer test cases

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -83,6 +83,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
         final ProcessBuilder builder = new ProcessBuilder(args);
         builder.directory(folder);
         try {
+        	LOGGER.info("Launching: " + args + " from " + folder);
             return builder.start();
         } catch (IOException ioe) {
             throw new AnalysisException("bundle-audit failure", ioe);
@@ -97,7 +98,16 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
     @Override
     public void initializeFileTypeAnalyzer() throws Exception {
         // Now, need to see if bundle-audit actually runs from this location.
-        Process process = launchBundleAudit(Settings.getTempDirectory());
+    	Process process = null;
+    	try {
+	        process = launchBundleAudit(Settings.getTempDirectory());
+    	}
+    	catch(AnalysisException ae) {
+    		LOGGER.warn("Exception from bundle-audit process: {}. Disabling {}", ae.getCause(), ANALYZER_NAME);
+            setEnabled(false);
+            throw ae;
+    	}
+    	
         int exitValue = process.waitFor();
         if (0 == exitValue) {
             LOGGER.warn("Unexpected exit code from bundle-audit process. Disabling {}: {}", ANALYZER_NAME, exitValue);
@@ -125,6 +135,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
                 }
             }
         }
+    	
         if (isEnabled()) {
             LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" "
                     + "occasionally to keep its database up to date.");
@@ -194,6 +205,11 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
         }
         BufferedReader rdr = null;
         try {
+        	BufferedReader errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
+        	while(errReader.ready()) {
+        		String error = errReader.readLine();
+        		LOGGER.warn(error);
+        	}
             rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
             processBundlerAuditOutput(dependency, engine, rdr);
         } catch (IOException ioe) {

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java

@@ -17,6 +17,12 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+
 import org.junit.After;
 import org.junit.Assume;
 import org.junit.Before;
@@ -26,15 +32,10 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.File;
-
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.not;
-import static org.junit.Assert.assertThat;
-
 /**
  * Unit tests for {@link RubyBundleAuditAnalyzer}.
  *
@@ -57,6 +58,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
     @Before
     public void setUp() throws Exception {
         try {
+        	Settings.initialize();
             analyzer = new RubyBundleAuditAnalyzer();
             analyzer.setFilesMatched(true);
             analyzer.initialize();
@@ -73,6 +75,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
      */
     @After
     public void tearDown() throws Exception {
+    	Settings.cleanup();
         analyzer.close();
         analyzer = null;
     }
@@ -101,9 +104,36 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
     @Test
     public void testAnalysis() throws AnalysisException, DatabaseException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
-                "ruby/vulnerable/Gemfile.lock"));
+                "ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock"));
         final Engine engine = new Engine();
         analyzer.analyze(result, engine);
-        assertThat(engine.getDependencies().size(), is(not(0)));
+        int size = engine.getDependencies().size();
+        assertThat(size, is(1));
+        
+        Dependency dependency = engine.getDependencies().get(0);
+        assertTrue(dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet"));
+        assertTrue(dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"));
+    }
+    
+
+    /**
+     * Test when Ruby bundle-audit is not available on the system.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testMissingBundleAudit() throws AnalysisException, DatabaseException {
+    	//set a non-exist bundle-audit
+        Settings.setString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, "phantom-bundle-audit");
+        try {
+            //initialize should fail.
+			analyzer.initialize();
+		} catch (Exception e) {
+			//expected, so ignore.
+		}
+        finally {
+	        assertThat(analyzer.isEnabled(), is(false));
+			LOGGER.info("Ruby Bundle Audit Analyzer is disabled as expected.");
+        }
     }
 }

dependency-check-core/src/test/resources/dependencycheck.properties

@@ -100,3 +100,5 @@ analyzer.nexus.enabled=false
 #whether the nexus analyzer uses the proxy
 analyzer.nexus.proxy=true
 
+#Use your own bundle-audit install directory.
+#analyzer.bundle.audit.path=/usr/local/bin/bundle-audit

dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile

@@ -0,0 +1,102 @@
+source 'https://rubygems.org'
+
+gemspec
+
+# This needs to be with require false as it is
+# loaded after loading the test library to
+# ensure correct loading order
+gem 'mocha', '~> 0.14', require: false
+
+gem 'rack-cache', '~> 1.2'
+gem 'jquery-rails', '~> 3.1.0'
+gem 'turbolinks'
+gem 'coffee-rails', '~> 4.0.0'
+
+gem 'sprockets', '~> 3.0.0.rc.1'
+
+# require: false so bcrypt is loaded only when has_secure_password is used.
+# This is to avoid ActiveModel (and by extension the entire framework)
+# being dependent on a binary library.
+gem 'bcrypt', '~> 3.1.7', require: false
+
+# This needs to be with require false to avoid
+# it being automatically loaded by sprockets
+gem 'uglifier', '>= 1.3.0', require: false
+
+group :doc do
+  gem 'sdoc', '~> 0.4.0'
+  gem 'redcarpet', '~> 2.2.2', platforms: :ruby
+  gem 'w3c_validators'
+  gem 'kindlerb', '0.1.1'
+  gem 'mustache', '~> 0.99.8'
+end
+
+# AS
+gem 'dalli', '>= 2.2.1'
+
+# Add your own local bundler stuff
+local_gemfile = File.dirname(__FILE__) + "/.Gemfile"
+instance_eval File.read local_gemfile if File.exist? local_gemfile
+
+group :test do
+  # FIX: Our test suite isn't ready to run in random order yet
+  gem 'minitest', '< 5.3.4'
+
+  platforms :mri_19 do
+    gem 'ruby-prof', '~> 0.11.2'
+  end
+
+  # platforms :mri_19, :mri_20 do
+  #   gem 'debugger'
+  # end
+
+  platforms :mri do
+    gem 'stackprof'
+  end
+
+  gem 'benchmark-ips'
+end
+
+platforms :ruby do
+  gem 'nokogiri', '>= 1.4.5'
+
+  # Needed for compiling the ActionDispatch::Journey parser
+  gem 'racc', '>=1.4.6', require: false
+
+  # AR
+  gem 'sqlite3', '~> 1.3.6'
+
+  group :db do
+    gem 'pg', '>= 0.11.0'
+    gem 'mysql', '>= 2.9.0'
+    gem 'mysql2', '>= 0.3.13', '< 0.4'
+  end
+end
+
+platforms :jruby do
+  gem 'json'
+  if ENV['AR_JDBC']
+    gem 'activerecord-jdbcsqlite3-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+    group :db do
+      gem 'activerecord-jdbcmysql-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+      gem 'activerecord-jdbcpostgresql-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+    end
+  else
+    gem 'activerecord-jdbcsqlite3-adapter', '>= 1.3.0'
+    group :db do
+      gem 'activerecord-jdbcmysql-adapter', '>= 1.3.0'
+      gem 'activerecord-jdbcpostgresql-adapter', '>= 1.3.0'
+    end
+  end
+end
+
+# gems that are necessary for ActiveRecord tests with Oracle database
+if ENV['ORACLE_ENHANCED']
+  platforms :ruby do
+    gem 'ruby-oci8', '>= 2.0.4'
+  end
+  gem 'activerecord-oracle_enhanced-adapter', github: 'rsim/oracle-enhanced', branch: 'master'
+end
+
+# A gem necessary for ActiveRecord tests with IBM DB
+gem 'ibm_db' if ENV['IBM_DB']

dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock

@@ -0,0 +1,154 @@
+PATH
+  remote: .
+  specs:
+    actionmailer (4.1.15)
+      actionpack (= 4.1.15)
+      actionview (= 4.1.15)
+      mail (~> 2.5, >= 2.5.4)
+    actionpack (4.1.15)
+      actionview (= 4.1.15)
+      activesupport (= 4.1.15)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    actionview (4.1.15)
+      activesupport (= 4.1.15)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+    activemodel (4.1.15)
+      activesupport (= 4.1.15)
+      builder (~> 3.1)
+    activerecord (4.1.15)
+      activemodel (= 4.1.15)
+      activesupport (= 4.1.15)
+      arel (~> 5.0.0)
+    activesupport (4.1.15)
+      i18n (~> 0.6, >= 0.6.9)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.1)
+      tzinfo (~> 1.1)
+    rails (4.1.15)
+      actionmailer (= 4.1.15)
+      actionpack (= 4.1.15)
+      actionview (= 4.1.15)
+      activemodel (= 4.1.15)
+      activerecord (= 4.1.15)
+      activesupport (= 4.1.15)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.1.15)
+      sprockets-rails (~> 2.0)
+    railties (4.1.15)
+      actionpack (= 4.1.15)
+      activesupport (= 4.1.15)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    arel (5.0.1.20140414130214)
+    bcrypt (3.1.10)
+    benchmark-ips (2.3.0)
+    builder (3.2.2)
+    coffee-rails (4.0.1)
+      coffee-script (>= 2.2.0)
+      railties (>= 4.0.0, < 5.0)
+    coffee-script (2.4.1)
+      coffee-script-source
+      execjs
+    coffee-script-source (1.10.0)
+    dalli (2.7.5)
+    erubis (2.7.0)
+    execjs (2.6.0)
+    i18n (0.7.0)
+    jquery-rails (3.1.4)
+      railties (>= 3.0, < 5.0)
+      thor (>= 0.14, < 2.0)
+    json (1.8.3)
+    kindlerb (0.1.1)
+      mustache
+      nokogiri
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    metaclass (0.0.4)
+    mime-types (2.99.1)
+    mini_portile2 (2.0.0)
+    minitest (5.3.3)
+    mocha (0.14.0)
+      metaclass (~> 0.0.1)
+    mustache (0.99.8)
+    mysql (2.9.1)
+    mysql2 (0.3.20)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
+    pg (0.18.4)
+    racc (1.4.14)
+    rack (1.5.5)
+    rack-cache (1.5.1)
+      rack (>= 0.4)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rake (10.5.0)
+    rdoc (4.2.1)
+    redcarpet (2.2.2)
+    ruby-prof (0.11.3)
+    sdoc (0.4.1)
+      json (~> 1.7, >= 1.7.7)
+      rdoc (~> 4.0)
+    sprockets (3.0.3)
+      rack (~> 1.0)
+    sprockets-rails (2.3.3)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.11)
+    stackprof (0.2.8)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    turbolinks (2.5.3)
+      coffee-rails
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    uglifier (2.7.2)
+      execjs (>= 0.3.0)
+      json (>= 1.8.0)
+    w3c_validators (1.2)
+      json
+      nokogiri
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord-jdbcmysql-adapter (>= 1.3.0)
+  activerecord-jdbcpostgresql-adapter (>= 1.3.0)
+  activerecord-jdbcsqlite3-adapter (>= 1.3.0)
+  bcrypt (~> 3.1.7)
+  benchmark-ips
+  coffee-rails (~> 4.0.0)
+  dalli (>= 2.2.1)
+  jquery-rails (~> 3.1.0)
+  json
+  kindlerb (= 0.1.1)
+  minitest (< 5.3.4)
+  mocha (~> 0.14)
+  mustache (~> 0.99.8)
+  mysql (>= 2.9.0)
+  mysql2 (>= 0.3.13, < 0.4)
+  nokogiri (>= 1.4.5)
+  pg (>= 0.11.0)
+  racc (>= 1.4.6)
+  rack-cache (~> 1.2)
+  rails!
+  redcarpet (~> 2.2.2)
+  ruby-prof (~> 0.11.2)
+  sdoc (~> 0.4.0)
+  sprockets (~> 3.0.0.rc.1)
+  sqlite3 (~> 1.3.6)
+  stackprof
+  turbolinks
+  uglifier (>= 1.3.0)
+  w3c_validators
+
+BUNDLED WITH
+   1.11.2