diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java index 303180dfa..fd2c0c697 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java @@ -58,6 +58,12 @@ import org.owasp.dependencycheck.exception.InitializationException; @Experimental public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this + * analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "CMAKE"; + /** * The logger. */ @@ -66,8 +72,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { /** * Used when compiling file scanning regex patterns. */ - private static final int REGEX_OPTIONS = Pattern.DOTALL - | Pattern.CASE_INSENSITIVE | Pattern.MULTILINE; + private static final int REGEX_OPTIONS = Pattern.DOTALL | Pattern.CASE_INSENSITIVE | Pattern.MULTILINE; /** * Regex to extract the product information. @@ -82,10 +87,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { * * Group 2: Version */ - private static final Pattern SET_VERSION = Pattern - .compile( - "^ *set\\s*\\(\\s*(\\w+)_version\\s+\"?(\\d+(?:\\.\\d+)+)[\\s\"]?\\)", - REGEX_OPTIONS); + private static final Pattern SET_VERSION = Pattern.compile( + "^ *set\\s*\\(\\s*(\\w+)_version\\s+\"?(\\d+(?:\\.\\d+)+)[\\s\"]?\\)", REGEX_OPTIONS); /** * Detects files that can be analyzed. @@ -149,12 +152,10 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { * analyzing the dependency */ @Override - protected void analyzeDependency(Dependency dependency, Engine engine) - throws AnalysisException { + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); final File file = dependency.getActualFile(); - final String parentName = file.getParentFile().getName(); final String name = file.getName(); - dependency.setDisplayFileName(String.format("%s%c%s", parentName, File.separatorChar, name)); String contents; try { contents = FileUtils.readFileToString(file, Charset.defaultCharset()).trim(); @@ -162,7 +163,6 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { throw new AnalysisException( "Problem occurred while reading dependency file.", e); } - if (StringUtils.isNotBlank(contents)) { final Matcher m = PROJECT.matcher(contents); int count = 0; @@ -175,6 +175,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { LOGGER.debug("Group 1: {}", group); dependency.addEvidence(EvidenceType.PRODUCT, name, "Project", group, Confidence.HIGH); dependency.addEvidence(EvidenceType.VENDOR, name, "Project", group, Confidence.HIGH); + dependency.setName(group); } LOGGER.debug("Found {} matches.", count); analyzeSetVersionCommand(dependency, engine, contents); @@ -213,7 +214,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { if (count > 1) { //TODO - refactor so we do not assign to the parameter (checkstyle) currentDep = new Dependency(dependency.getActualFile()); - currentDep.setDisplayFileName(String.format("%s:%s", dependency.getDisplayFileName(), product)); + currentDep.setEcosystem(DEPENDENCY_ECOSYSTEM); final String filePath = String.format("%s:%s", dependency.getFilePath(), product); currentDep.setFilePath(filePath); @@ -227,10 +228,12 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { currentDep.setSha1sum(Checksum.getHex(sha1.digest(path))); engine.addDependency(currentDep); } - final String source = currentDep.getDisplayFileName(); + final String source = currentDep.getFileName(); currentDep.addEvidence(EvidenceType.PRODUCT, source, "Product", product, Confidence.MEDIUM); currentDep.addEvidence(EvidenceType.VENDOR, source, "Vendor", product, Confidence.MEDIUM); currentDep.addEvidence(EvidenceType.VERSION, source, "Version", version, Confidence.MEDIUM); + currentDep.setName(product); + currentDep.setVersion(version); } LOGGER.debug("Found {} matches.", count); } @@ -241,9 +244,9 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { } /** - * Returns the sha1 message digest. + * Returns the SHA1 message digest. * - * @return the sha1 message digest + * @return the SHA1 message digest */ private MessageDigest getSha1MessageDigest() { try { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java index 1d2d3a476..b0ef81b68 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java @@ -45,6 +45,12 @@ import org.owasp.dependencycheck.utils.Settings; @ThreadSafe public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this + * analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "CocoaPod"; + /** * The logger. */ @@ -124,6 +130,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); String contents; try { contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset()); @@ -140,6 +147,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { if (!name.isEmpty()) { dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "name_project", name, Confidence.HIGHEST); dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "name_project", name, Confidence.HIGHEST); + dependency.setName(name); } final String summary = determineEvidence(contents, blockVariable, "summary"); if (!summary.isEmpty()) { @@ -156,14 +164,14 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer { } final String license = determineEvidence(contents, blockVariable, "licen[cs]es?"); if (!license.isEmpty()) { - dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "license", license, Confidence.HIGHEST); + dependency.setLicense(license); } final String version = determineEvidence(contents, blockVariable, "version"); if (!version.isEmpty()) { dependency.addEvidence(EvidenceType.VERSION, PODSPEC, "version", version, Confidence.HIGHEST); + dependency.setVersion(version); } - } setPackagePath(dependency); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java index 5613b47e4..a0a7df387 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java @@ -47,6 +47,12 @@ import org.owasp.dependencycheck.dependency.EvidenceType; @Experimental public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this + * analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Composer"; + /** * The logger. */ @@ -105,20 +111,33 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { try (FileInputStream fis = new FileInputStream(dependency.getActualFile())) { final ComposerLockParser clp = new ComposerLockParser(fis); - LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath()); + LOGGER.debug("Checking composer.lock file {}", dependency.getActualFilePath()); clp.process(); + //if dependencies are found in the lock, then there is always an empty shell dependency left behind for the + //composer.lock. The first pass through, reuse the top level dependency, and add new ones for the rest. + boolean processedAtLeastOneDep = false; for (ComposerDependency dep : clp.getDependencies()) { final Dependency d = new Dependency(dependency.getActualFile()); - d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject())); - final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject()); + final String filePath = String.format("%s:%s/%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject(), dep.getVersion()); + d.setName(dep.getProject()); + d.setVersion(dep.getVersion()); + d.setEcosystem(DEPENDENCY_ECOSYSTEM); final MessageDigest sha1 = getSha1MessageDigest(); d.setFilePath(filePath); d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset())))); d.addEvidence(EvidenceType.VENDOR, COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST); d.addEvidence(EvidenceType.PRODUCT, COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST); d.addEvidence(EvidenceType.VERSION, COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST); - LOGGER.info("Adding dependency {}", d); + LOGGER.debug("Adding dependency {}", d.getDisplayFileName()); engine.addDependency(d); + //make sure we only remove the main dependency if we went through this loop at least once. + processedAtLeastOneDep = true; + } + // remove the dependency at the end because it's referenced in the loop itself. + // double check the name to be sure we only remove the generic entry. + if (processedAtLeastOneDep && dependency.getDisplayFileName().equalsIgnoreCase("composer.lock")) { + LOGGER.debug("Removing main redundant dependency {}", dependency.getDisplayFileName()); + engine.removeDependency(dependency); } } catch (IOException ex) { LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath()); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index 730af7ced..c284fab6c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java @@ -73,6 +73,10 @@ import org.slf4j.LoggerFactory; public class JarAnalyzer extends AbstractFileTypeAnalyzer { // + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Java"; /** * The logger. */ @@ -258,6 +262,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { final boolean hasPOM = analyzePOM(dependency, classNames, engine); final boolean addPackagesAsEvidence = !(hasManifest && hasPOM); analyzePackageNames(classNames, dependency, addPackagesAsEvidence); + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); } catch (IOException ex) { throw new AnalysisException("Exception occurred reading the JAR file (" + dependency.getFileName() + ").", ex); } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index 6f737a2b2..f318269d4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java @@ -55,17 +55,19 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { * The logger. */ private static final Logger LOGGER = LoggerFactory.getLogger(NodePackageAnalyzer.class); - + /** + * A descriptor for the type of dependencies processed or added by this + * analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "npm"; /** * The name of the analyzer. */ private static final String ANALYZER_NAME = "Node.js Package Analyzer"; - /** * The phase that this analyzer is intended to run in. */ private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION; - /** * The file name to scan. */ @@ -124,6 +126,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); final File file = dependency.getActualFile(); if (!file.isFile() || file.length() == 0) { return; @@ -134,6 +137,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { final Object value = json.get("name"); if (value instanceof JsonString) { final String valueString = ((JsonString) value).getString(); + dependency.setName(valueString); dependency.addEvidence(EvidenceType.PRODUCT, PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); dependency.addEvidence(EvidenceType.VENDOR, PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW); @@ -143,8 +147,8 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { } addToEvidence(dependency, EvidenceType.PRODUCT, json, "description"); addToEvidence(dependency, EvidenceType.VENDOR, json, "author"); - addToEvidence(dependency, EvidenceType.VERSION, json, "version"); - dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName())); + final String version = addToEvidence(dependency, EvidenceType.VERSION, json, "version"); + dependency.setVersion(version); } catch (JsonException e) { LOGGER.warn("Failed to parse package.json file.", e); } catch (IOException e) { @@ -159,23 +163,26 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { * @param dep the dependency to add the evidence * @param t the type of evidence to add * @param json information from node.js + * @return the actual string set into evidence * @param key the key to obtain the data from the json information */ - private void addToEvidence(Dependency dep, EvidenceType t, JsonObject json, String key) { + private String addToEvidence(Dependency dep, EvidenceType t, JsonObject json, String key) { + String evidenceStr = null; if (json.containsKey(key)) { final JsonValue value = json.get(key); if (value instanceof JsonString) { - dep.addEvidence(t, PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST); - + evidenceStr = ((JsonString) value).getString(); + dep.addEvidence(t, PACKAGE_JSON, key, evidenceStr, Confidence.HIGHEST); } else if (value instanceof JsonObject) { final JsonObject jsonObject = (JsonObject) value; for (final Map.Entry entry : jsonObject.entrySet()) { final String property = entry.getKey(); final JsonValue subValue = entry.getValue(); if (subValue instanceof JsonString) { + evidenceStr = ((JsonString) subValue).getString(); dep.addEvidence(t, PACKAGE_JSON, String.format("%s.%s", key, property), - ((JsonString) subValue).getString(), + evidenceStr, Confidence.HIGHEST); } else { LOGGER.warn("JSON sub-value not string as expected: {}", subValue); @@ -185,5 +192,6 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { LOGGER.warn("JSON value not string or JSON object as expected: {}", value); } } + return evidenceStr; } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java index ea4d5a397..30c3834f3 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java @@ -45,6 +45,12 @@ import org.owasp.dependencycheck.exception.InitializationException; @ThreadSafe public class NuspecAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this + * analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "NuGet"; + /** * The logger. */ @@ -140,12 +146,15 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer { throw new AnalysisException(ex); } + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); if (np.getOwners() != null) { dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "owners", np.getOwners(), Confidence.HIGHEST); } dependency.addEvidence(EvidenceType.VENDOR, "nuspec", "authors", np.getAuthors(), Confidence.HIGH); dependency.addEvidence(EvidenceType.VERSION, "nuspec", "version", np.getVersion(), Confidence.HIGHEST); dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "id", np.getId(), Confidence.HIGHEST); + dependency.setVersion(np.getVersion()); + dependency.setName(np.getId()); if (np.getTitle() != null) { dependency.addEvidence(EvidenceType.PRODUCT, "nuspec", "title", np.getTitle(), Confidence.MEDIUM); } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java index 697122a27..1bf8f1d7a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java @@ -59,6 +59,12 @@ import org.owasp.dependencycheck.dependency.EvidenceType; @ThreadSafe public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this + * analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Python.Dist"; + /** * Name of egg metadata files to analyze. */ @@ -167,6 +173,8 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { + + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); final File actualFile = dependency.getActualFile(); if (WHL_FILTER.accept(actualFile)) { collectMetadataFromArchiveFormat(dependency, DIST_INFO_FILTER, @@ -180,7 +188,6 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { if (metadata || PKG_INFO.equals(name)) { final File parent = actualFile.getParentFile(); final String parentName = parent.getName(); - dependency.setDisplayFileName(parentName + "/" + name); if (parent.isDirectory() && (metadata && parentName.endsWith(".dist-info") || parentName.endsWith(".egg-info") || "EGG-INFO" @@ -281,6 +288,9 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { final InternetHeaders headers = getManifestProperties(file); addPropertyToEvidence(dependency, EvidenceType.VERSION, Confidence.HIGHEST, headers, "Version"); addPropertyToEvidence(dependency, EvidenceType.PRODUCT, Confidence.HIGHEST, headers, "Name"); + addPropertyToEvidence(dependency, EvidenceType.PRODUCT, Confidence.MEDIUM, headers, "Name"); + dependency.setName(headers.getHeader("Name", null)); + dependency.setVersion(headers.getHeader("Version", null)); final String url = headers.getHeader("Home-page", null); if (StringUtils.isNotBlank(url)) { if (UrlStringUtils.isUrl(url)) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java index abc2a315c..4a237b55e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java @@ -48,6 +48,12 @@ import org.owasp.dependencycheck.exception.InitializationException; @ThreadSafe public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this + * analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Python.Pkg"; + /** * Used when compiling file scanning regex patterns. */ @@ -183,6 +189,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); final File file = dependency.getActualFile(); final File parent = file.getParentFile(); final String parentName = parent.getName(); @@ -190,8 +197,8 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { //by definition, the containing folder of __init__.py is considered the package, even the file is empty: //"The __init__.py files are required to make Python treat the directories as containing packages" //see section "6.4 Packages" from https://docs.python.org/2/tutorial/modules.html; - dependency.setDisplayFileName(parentName + "/__init__.py"); dependency.addEvidence(EvidenceType.PRODUCT, file.getName(), "PackageName", parentName, Confidence.HIGHEST); + dependency.setName(parentName); final File[] fileList = parent.listFiles(PY_FILTER); if (fileList != null) { @@ -312,6 +319,9 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { final boolean found = matcher.find(); if (found) { dependency.addEvidence(type, source, name, matcher.group(4), confidence); + if (type == EvidenceType.VERSION) { + dependency.setVersion(matcher.group(4)); + } } return found; } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java index 42e350cb2..c22335cdf 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java @@ -51,6 +51,11 @@ import org.owasp.dependencycheck.dependency.Dependency; @ThreadSafe public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; + /** * The name of the analyzer. */ @@ -99,7 +104,7 @@ public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { super.analyzeDependency(dependency, engine); - + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); //find the corresponding gem folder for this .gemspec stub by "bundle install --deployment" final File gemspecFile = dependency.getActualFile(); final String gemFileName = gemspecFile.getName(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index 36a76574a..436360eda 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java @@ -50,6 +50,11 @@ import org.slf4j.LoggerFactory; @ThreadSafe public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this + * analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle"; /** * The logger. */ @@ -58,17 +63,14 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { * The name of the analyzer. */ private static final String ANALYZER_NAME = "Ruby Gemspec Analyzer"; - /** * The phase that this analyzer is intended to run in. */ private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION; - /** * The gemspec file extension. */ private static final String GEMSPEC = "gemspec"; - /** * The file filter containing the list of file extensions that can be * analyzed. @@ -133,6 +135,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); String contents; try { contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset()); @@ -148,6 +151,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { final String name = addStringEvidence(dependency, EvidenceType.PRODUCT, contents, blockVariable, "name", "name", Confidence.HIGHEST); if (!name.isEmpty()) { dependency.addEvidence(EvidenceType.VENDOR, GEMSPEC, "name_project", name + "_project", Confidence.LOW); + dependency.setName(name); } addStringEvidence(dependency, EvidenceType.PRODUCT, contents, blockVariable, "summary", "summary", Confidence.LOW); @@ -160,9 +164,10 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { blockVariable, "version", "version", Confidence.HIGHEST); if (value.length() < 1) { addEvidenceFromVersionFile(dependency, EvidenceType.VERSION, dependency.getActualFile()); + } else { + dependency.setVersion(value); } } - setPackagePath(dependency); } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java index a85b1c444..73953f535 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java @@ -45,6 +45,12 @@ import org.owasp.dependencycheck.utils.Settings; @ThreadSafe public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { + /** + * A descriptor for the type of dependencies processed or added by this + * analyzer + */ + public static final String DEPENDENCY_ECOSYSTEM = "Swift.PM"; + /** * The name of the analyzer. */ @@ -121,6 +127,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); + String contents; try { contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset()); @@ -135,11 +143,18 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer { return; } - //SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies. - //Future interesting metadata: version, license, homepage, author, summary, etc. + // TODO SPM is currently under development for SWIFT 3. Its current metadata includes + // package name and dependencies. + // Future interesting metadata: version, license, homepage, author, summary, + // etc. final String name = addStringEvidence(dependency, EvidenceType.PRODUCT, packageDescription, "name", "name", Confidence.HIGHEST); if (name != null && !name.isEmpty()) { dependency.addEvidence(EvidenceType.VENDOR, SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST); + dependency.setName(name); + } else { + // if we can't get the name from the meta, then assume the name is the name of + // the parent folder containing the package.swift file. + dependency.setName(dependency.getActualFile().getParentFile().getName()); } } setPackagePath(dependency); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java index 929d8a4db..e3b4bae65 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java @@ -60,7 +60,7 @@ public class ComposerLockParser { * @param inputStream the InputStream to parse */ public ComposerLockParser(InputStream inputStream) { - LOGGER.info("Creating a ComposerLockParser"); + LOGGER.debug("Creating a ComposerLockParser"); this.jsonReader = Json.createReader(inputStream); this.composerDependencies = new ArrayList<>(); } @@ -69,7 +69,7 @@ public class ComposerLockParser { * Process the input stream to create the list of dependencies. */ public void process() { - LOGGER.info("Beginning Composer lock processing"); + LOGGER.debug("Beginning Composer lock processing"); try { final JsonObject composer = jsonReader.readObject(); if (composer.containsKey("packages")) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java index 0165e4649..ee5bb1037 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java @@ -126,6 +126,22 @@ public class Dependency extends EvidenceCollection implements Serializable, Comp */ private boolean isVirtual = false; + /** + * Defines the human-recognizable name for the dependency + */ + private String name; + + /** + * Defines the human-recognizable version for the dependency + */ + private String version; + + /** + * A descriptor for the type of dependency based on which analyzer added it + * or collected evidence about it + */ + private String ecosystem; + /** * Returns the package path. * @@ -249,15 +265,22 @@ public class Dependency extends EvidenceCollection implements Serializable, Comp /** * Returns the file name to display in reports; if no display file name has - * been set it will default to the actual file name. + * been set it will default to constructing a name based on the name and + * version fields, otherwise it will return the actual file name. * * @return the file name to display */ public String getDisplayFileName() { - if (displayName == null) { - return this.fileName; + if (displayName != null) { + return displayName; } - return this.displayName; + if (name == null) { + return fileName; + } + if (version == null) { + return name; + } + return name + ":" + version; } /** @@ -487,6 +510,20 @@ public class Dependency extends EvidenceCollection implements Serializable, Comp this.license = license; } + /** + * @return the name + */ + public String getName() { + return name; + } + + /** + * @param name the name to set + */ + public void setName(String name) { + this.name = name; + } + /** * Get the unmodifiable sorted set of vulnerabilities. * @@ -729,4 +766,32 @@ public class Dependency extends EvidenceCollection implements Serializable, Comp public synchronized void addSuppressedVulnerabilities(List vulns) { this.suppressedVulnerabilities.addAll(vulns); } + + /** + * @return the version + */ + public String getVersion() { + return version; + } + + /** + * @param version the version to set + */ + public void setVersion(String version) { + this.version = version; + } + + /** + * @return the ecosystem + */ + public String getEcosystem() { + return ecosystem; + } + + /** + * @param ecosystem the ecosystem to set + */ + public void setEcosystem(String ecosystem) { + this.ecosystem = ecosystem; + } } diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml b/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml index 31f266994..d2fb2d581 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml @@ -158,5 +158,43 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java index 212a3efa0..b87b7c57c 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java @@ -75,6 +75,7 @@ public class CMakeAnalyzerTest extends BaseDBTestCase { /** * Cleanup any resources used. * + * @throws Exception if there is a problem */ @After @Override @@ -135,6 +136,21 @@ public class CMakeAnalyzerTest extends BaseDBTestCase { assertProductEvidence(result, product); } + /** + * Test whether expected evidence is gathered from OpenCV's CVDetectPython. + * + * @throws AnalysisException is thrown when an exception occurs. + */ + @Test + public void testAnalyzeCMakeListsPython() throws AnalysisException { + final Dependency result = new Dependency(BaseTest.getResourceAsFile( + this, "cmake/opencv/cmake/OpenCVDetectPython.cmake")); + analyzer.analyze(result, null); + + //this one finds nothing so it falls through to the filename. Can we do better? + assertEquals("OpenCVDetectPython.cmake", result.getDisplayFileName()); + } + private void assertProductEvidence(Dependency result, String product) { boolean found = false; for (Evidence e : result.getEvidence(EvidenceType.PRODUCT)) { diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java index b0836e424..53dd3e1a6 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java @@ -32,10 +32,13 @@ import org.owasp.dependencycheck.exception.InitializationException; import java.io.File; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; +import org.apache.commons.lang3.ArrayUtils; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertThat; +import static org.hamcrest.CoreMatchers.equalTo; /** * Unit tests for NodePackageAnalyzer. @@ -92,6 +95,25 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase { assertTrue(analyzer.accept(new File("composer.lock"))); } + /** + * Test of basic additions to the dependency list by parsing the + * composer.lock file + * + * @throws AnalysisException is thrown when an exception occurs. + */ + @Test + public void testRemoveRedundantParent() throws Exception { + try (Engine engine = new Engine(getSettings())) { + final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "composer.lock")); + //test that we don't remove the parent if it's not redundant by name + result.setDisplayFileName("NotComposer.Lock"); + engine.addDependency(result); + analyzer.analyze(result, engine); + //make sure the composer.lock is not removed + assertTrue(ArrayUtils.contains(engine.getDependencies(), result)); + } + } + /** * Test of inspect method, of class PythonDistributionAnalyzer. * @@ -102,7 +124,17 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase { try (Engine engine = new Engine(getSettings())) { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "composer.lock")); + //simulate normal operation when the composer.lock is already added to the engine as a dependency + engine.addDependency(result); analyzer.analyze(result, engine); + //make sure the redundant composer.lock is removed + assertFalse(ArrayUtils.contains(engine.getDependencies(), result)); + assertEquals(30, engine.getDependencies().length); + Dependency d = engine.getDependencies()[0]; + assertEquals("classpreloader", d.getName()); + assertEquals("2.0.0", d.getVersion()); + assertThat(d.getDisplayFileName(), equalTo("classpreloader:2.0.0")); + assertEquals(ComposerLockAnalyzer.DEPENDENCY_ECOSYSTEM, d.getEcosystem()); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java index 9ade6d030..22e99b777 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java @@ -60,6 +60,7 @@ public class JarAnalyzerTest extends BaseTest { file = BaseTest.getResourceAsFile(this, "dwr.jar"); result = new Dependency(file); instance.analyze(result, null); + assertEquals(JarAnalyzer.DEPENDENCY_ECOSYSTEM,result.getEcosystem()); boolean found = false; for (Evidence e : result.getEvidence(EvidenceType.VENDOR)) { if (e.getName().equals("url")) { diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java index 73d94abf8..b243ea3cd 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java @@ -101,5 +101,8 @@ public class NodePackageAnalyzerTest extends BaseTest { assertThat(vendorString, containsString("dns-sync_project")); assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("dns-sync")); assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("0.1.0")); + assertEquals(NodePackageAnalyzer.DEPENDENCY_ECOSYSTEM, result.getEcosystem()); + assertEquals("dns-sync", result.getName()); + assertEquals("0.1.0", result.getVersion()); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java index 1382988f7..12dc3eaf6 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java @@ -23,8 +23,12 @@ import static org.junit.Assert.assertTrue; import org.junit.Before; import org.junit.Test; import org.owasp.dependencycheck.BaseTest; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.Evidence; import java.io.File; +import org.owasp.dependencycheck.dependency.EvidenceType; public class NuspecAnalyzerTest extends BaseTest { @@ -55,4 +59,31 @@ public class NuspecAnalyzerTest extends BaseTest { public void testGetAnalysisPhaze() { assertEquals(AnalysisPhase.INFORMATION_COLLECTION, instance.getAnalysisPhase()); } + + @Test + public void testNuspecAnalysis() throws Exception { + + File file = BaseTest.getResourceAsFile(this, "nuspec/test.nuspec"); + Dependency result = new Dependency(file); + instance.analyze(result, null); + + assertEquals(NuspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getEcosystem()); + + //checking the owner field + assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().toLowerCase().contains("bobsmack")); + + //checking the author field + assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().toLowerCase().contains("brianfox")); + + //checking the id field + assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("TestDepCheck")); + + //checking the title field + assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("Test Package")); + + assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("1.0.0")); + assertEquals("1.0.0", result.getVersion()); + assertEquals("TestDepCheck", result.getName()); + assertEquals("TestDepCheck:1.0.0", result.getDisplayFileName()); + } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java index 89910a90b..3a2ba7c8c 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java @@ -120,8 +120,7 @@ public class PythonDistributionAnalyzerTest extends BaseTest { final Dependency result = new Dependency(BaseTest.getResourceAsFile( this, "python/site-packages/Django-1.7.2.dist-info/METADATA")); djangoAssertions(result); - assertEquals("Django-1.7.2.dist-info/METADATA", result.getDisplayFileName()); - } + } private void djangoAssertions(final Dependency result) throws AnalysisException { @@ -136,6 +135,10 @@ public class PythonDistributionAnalyzerTest extends BaseTest { } } assertTrue("Version 1.7.2 not found in Django dependency.", found); + assertEquals("1.7.2",result.getVersion()); + assertEquals("Django",result.getName()); + assertEquals("Django:1.7.2",result.getDisplayFileName()); + assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM,result.getEcosystem()); } @Test @@ -188,5 +191,9 @@ public class PythonDistributionAnalyzerTest extends BaseTest { } } assertTrue("Version 0.0.1 not found in EggTest dependency.", found); + assertEquals("0.0.1",result.getVersion()); + assertEquals("EggTest",result.getName()); + assertEquals("EggTest:0.0.1",result.getDisplayFileName()); + assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM,result.getEcosystem()); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java index b78d32f5d..165db83cb 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java @@ -103,5 +103,9 @@ public class PythonPackageAnalyzerTest extends BaseTest { } } assertTrue("Version 0.0.1 not found in EggTest dependency.", found); + assertEquals("0.0.1",result.getVersion()); + assertEquals("eggtest",result.getName()); + assertEquals("eggtest:0.0.1",result.getDisplayFileName()); + assertEquals(PythonPackageAnalyzer.DEPENDENCY_ECOSYSTEM,result.getEcosystem()); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java index fc8edc102..bcae8fd8a 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java @@ -85,6 +85,7 @@ public class RubyBundlerAnalyzerTest extends BaseTest { public void testSupportsFiles() { assertThat(analyzer.accept(new File("test.gemspec")), is(false)); assertThat(analyzer.accept(new File("specifications" + File.separator + "test.gemspec")), is(true)); + assertThat(analyzer.accept(new File("gemspec.lock")), is(false)); } /** @@ -97,7 +98,7 @@ public class RubyBundlerAnalyzerTest extends BaseTest { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/specifications/dalli-2.7.5.gemspec")); analyzer.analyze(result, null); - + final String vendorString = result.getEvidence(EvidenceType.VENDOR).toString(); assertThat(vendorString, containsString("Peter M. Goldstein")); assertThat(vendorString, containsString("Mike Perham")); @@ -107,5 +108,9 @@ public class RubyBundlerAnalyzerTest extends BaseTest { assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("dalli")); assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("High performance memcached client for Ruby")); assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("2.7.5")); + assertEquals("dalli", result.getName()); + assertEquals("2.7.5", result.getVersion()); + assertEquals(RubyBundlerAnalyzer.DEPENDENCY_ECOSYSTEM, result.getEcosystem()); + assertEquals("dalli:2.7.5", result.getDisplayFileName()); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java index 11dea120a..396d6bd45 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java @@ -84,6 +84,7 @@ public class RubyGemspecAnalyzerTest extends BaseTest { @Test public void testSupportsFiles() { assertThat(analyzer.accept(new File("test.gemspec")), is(true)); + assertThat(analyzer.accept(new File("gemspec.lock")), is(false)); // assertThat(analyzer.accept(new File("Rakefile")), is(true)); } @@ -98,24 +99,33 @@ public class RubyGemspecAnalyzerTest extends BaseTest { "ruby/vulnerable/gems/specifications/rest-client-1.7.2.gemspec")); analyzer.analyze(result, null); final String vendorString = result.getEvidence(EvidenceType.VENDOR).toString(); + assertEquals(RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getEcosystem()); assertThat(vendorString, containsString("REST Client Team")); assertThat(vendorString, containsString("rest-client_project")); assertThat(vendorString, containsString("rest.client@librelist.com")); assertThat(vendorString, containsString("https://github.com/rest-client/rest-client")); assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("rest-client")); assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("1.7.2")); + assertEquals("rest-client", result.getName()); + assertEquals("1.7.2", result.getVersion()); + assertEquals("rest-client:1.7.2", result.getDisplayFileName()); } - + /** * Test Rakefile analysis. * * @throws AnalysisException is thrown when an exception occurs. */ - //@Test TODO: place holder to test Rakefile support + //@Test + //TODO: place holder to test Rakefile support public void testAnalyzeRakefile() throws AnalysisException { final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/gems/pg-0.18.4/Rakefile")); analyzer.analyze(result, null); - assertTrue(result.size()>0); + assertTrue(result.size() > 0); + assertEquals(RubyGemspecAnalyzer.DEPENDENCY_ECOSYSTEM, result.getEcosystem()); + assertEquals("pg", result.getName()); + assertEquals("0.18.4", result.getVersion()); + assertEquals("pg:0.18.4", result.getDisplayFileName()); } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java index b430f0c21..0c9514245 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java @@ -10,6 +10,7 @@ import org.owasp.dependencycheck.dependency.Dependency; import static org.hamcrest.CoreMatchers.containsString; import static org.hamcrest.CoreMatchers.is; import static org.junit.Assert.assertThat; +import static org.hamcrest.CoreMatchers.equalTo; import java.io.File; import org.owasp.dependencycheck.dependency.EvidenceType; @@ -60,7 +61,7 @@ public class SwiftAnalyzersTest extends BaseTest { spmAnalyzer.close(); spmAnalyzer = null; - + super.tearDown(); } @@ -110,9 +111,13 @@ public class SwiftAnalyzersTest extends BaseTest { assertThat(vendorString, containsString("Carlos Vidal")); assertThat(vendorString, containsString("https://github.com/nakiostudio/EasyPeasy")); - assertThat(vendorString, containsString("MIT")); assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("EasyPeasy")); assertThat(result.getEvidence(EvidenceType.VERSION).toString(), containsString("0.2.3")); + assertThat(result.getName(), equalTo("EasyPeasy")); + assertThat(result.getVersion(), equalTo("0.2.3")); + assertThat(result.getDisplayFileName(), equalTo("EasyPeasy:0.2.3")); + assertThat(result.getLicense(), containsString("MIT")); + assertThat(result.getEcosystem(), equalTo(CocoaPodsAnalyzer.DEPENDENCY_ECOSYSTEM)); } /** @@ -127,5 +132,9 @@ public class SwiftAnalyzersTest extends BaseTest { spmAnalyzer.analyze(result, null); assertThat(result.getEvidence(EvidenceType.PRODUCT).toString(), containsString("Gloss")); + assertThat(result.getName(), equalTo("Gloss")); + //TODO: when version processing is added, update the expected name. + assertThat(result.getDisplayFileName(), equalTo("Gloss")); + assertThat(result.getEcosystem(), equalTo(SwiftPackageManagerAnalyzer.DEPENDENCY_ECOSYSTEM)); } } diff --git a/dependency-check-core/src/test/resources/nuspec/test.nuspec b/dependency-check-core/src/test/resources/nuspec/test.nuspec new file mode 100644 index 000000000..7dc2f2029 --- /dev/null +++ b/dependency-check-core/src/test/resources/nuspec/test.nuspec @@ -0,0 +1,17 @@ + + + + 1.0.0 + brianfox + bobsmack + + + + TestDepCheck + Test Package + false + Test package for Dependency Check Analyzer + + + + \ No newline at end of file