change in namespace as this is now an OWASP project

Former-commit-id: dc00f98a142bef2560d90f3b851844f352fbf262
Jeremy Long
2013-03-03 08:57:38 -05:00
parent f6f68655fb
commit ea1fb191a9
141 changed files with 2729 additions and 2330 deletions


@@ -0,0 +1,140 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.cpe;
import org.owasp.dependencycheck.data.cpe.Index;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public abstract class BaseIndexTestCase {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() throws Exception {
ensureIndexExists();
}
@After
public void tearDown() throws Exception {
}
protected static File getDataDirectory() throws IOException {
String fileName = Settings.getString(Settings.KEYS.CPE_INDEX);
String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) {
exePath = exePath.getParentFile();
} else {
exePath = new File(".");
}
File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
path = new File(path.getCanonicalPath());
return path;
}
public static void ensureIndexExists() throws Exception {
//String indexPath = Settings.getString(Settings.KEYS.CPE_INDEX);
String indexPath = getDataDirectory().getCanonicalPath();
java.io.File f = new File(indexPath);
if (!f.exists()) {
f.mkdirs();
FileInputStream fis = null;
ZipInputStream zin = null;
try {
File path = new File(BaseIndexTestCase.class.getClassLoader().getResource("index.cpe.zip").getPath());
fis = new FileInputStream(path);
zin = new ZipInputStream(new BufferedInputStream(fis));
ZipEntry entry;
while ((entry = zin.getNextEntry()) != null) {
if (entry.isDirectory()) {
continue;
}
int BUFFER = 2048;
String outputName = indexPath + File.separatorChar + entry.getName();
FileOutputStream fos = null;
BufferedOutputStream dest = null;
try {
File o = new File(outputName);
// File oPath = new File(o.getParent());
// if (!oPath.exists()) {
// oPath.mkdir();
// }
o.createNewFile();
fos = new FileOutputStream(o,false);
dest = new BufferedOutputStream(fos, BUFFER);
byte data[] = new byte[BUFFER];
int count;
while ((count = zin.read(data, 0, BUFFER)) != -1) {
dest.write(data, 0, count);
}
} catch (Exception ex) {
String ignore = ex.getMessage();
} finally {
try {
dest.flush();
dest.close();
dest = null;
} catch (Throwable ex) { String ignore = ex.getMessage(); }
try {
fos.close();
fos = null;
} catch (Throwable ex) { String ignore = ex.getMessage(); }
}
}
} finally {
try {
if (zin!=null) {
zin.close();
}
zin = null;
} catch (Throwable ex) { String ignore = ex.getMessage(); }
try {
if (fis!=null) {
fis.close();
}
fis = null;
} catch (Throwable ex) { String ignore = ex.getMessage(); }
}
}
}
}
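Review bot: The extraction loop in ensureIndexExists writes each entry to `indexPath + File.separatorChar + entry.getName()` without checking that the resolved path stays inside the index directory, so an entry name containing `..` would be written outside it; the same code is repeated in BaseDBTestCase.ensureDBExists in this commit. Resolve and check before opening the output: `File o = new File(f, entry.getName()).getCanonicalFile();` followed by `if (!o.getPath().startsWith(f.getCanonicalPath() + File.separator)) { throw new IOException("zip entry escapes index directory: " + entry.getName()); }`. The `catch (Exception ex) { String ignore = ex.getMessage(); }` around the per-entry copy also hides extraction failures, so a truncated index would surface later as an unrelated test failure rather than here; let that exception propagate, since the method already declares `throws Exception`. The commented-out parent-directory creation suggests nested entries would currently fail at `o.createNewFile()` — worth confirming against the bundled archive.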


@@ -0,0 +1,155 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.cpe;
import org.owasp.dependencycheck.data.cpe.Entry;
import org.owasp.dependencycheck.data.cpe.CPEAnalyzer;
import java.io.File;
import java.io.IOException;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.lucene.index.CorruptIndexException;
import org.apache.lucene.queryparser.classic.ParseException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.analyzer.JarAnalyzer;
import org.junit.Assert;
import org.junit.Test;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class CPEAnalyzerTest extends BaseIndexTestCase {
/**
* Tests of buildSearch of class CPEAnalyzer.
* @throws IOException is thrown when an IO Exception occurs.
* @throws CorruptIndexException is thrown when the index is corrupt.
* @throws ParseException is thrown when a parse exception occurs
*/
@Test
public void testBuildSearch() throws IOException, CorruptIndexException, ParseException {
Set<String> productWeightings = new HashSet<String>(1);
productWeightings.add("struts2");
Set<String> vendorWeightings = new HashSet<String>(1);
vendorWeightings.add("apache");
String vendor = "apache software foundation";
String product = "struts 2 core";
String version = "2.1.2";
CPEAnalyzer instance = new CPEAnalyzer();
String queryText = instance.buildSearch(vendor, product, version, null, null);
String expResult = " product:( struts 2 core ) AND vendor:( apache software foundation ) AND version:(2.1.2^0.7 )";
Assert.assertTrue(expResult.equals(queryText));
queryText = instance.buildSearch(vendor, product, version, null, productWeightings);
expResult = " product:( struts^5 struts2^5 2 core ) AND vendor:( apache software foundation ) AND version:(2.1.2^0.2 )";
Assert.assertTrue(expResult.equals(queryText));
queryText = instance.buildSearch(vendor, product, version, vendorWeightings, null);
expResult = " product:( struts 2 core ) AND vendor:( apache^5 software foundation ) AND version:(2.1.2^0.2 )";
Assert.assertTrue(expResult.equals(queryText));
queryText = instance.buildSearch(vendor, product, version, vendorWeightings, productWeightings);
expResult = " product:( struts^5 struts2^5 2 core ) AND vendor:( apache^5 software foundation ) AND version:(2.1.2^0.2 )";
Assert.assertTrue(expResult.equals(queryText));
}
/**
* Test of open method, of class CPEAnalyzer.
* @throws Exception is thrown when an exception occurs
*/
@Test
public void testOpen() throws Exception {
CPEAnalyzer instance = new CPEAnalyzer();
Assert.assertFalse(instance.isOpen());
instance.open();
Assert.assertTrue(instance.isOpen());
instance.close();
Assert.assertFalse(instance.isOpen());
}
/**
* Test of determineCPE method, of class CPEAnalyzer.
* @throws Exception is thrown when an exception occurs
*/
@Test
public void testDetermineCPE() throws Exception {
File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
JarAnalyzer jarAnalyzer = new JarAnalyzer();
Dependency depends = new Dependency(file);
jarAnalyzer.analyze(depends, null);
File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
Dependency spring = new Dependency(fileSpring);
jarAnalyzer.analyze(spring, null);
File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
Dependency spring3 = new Dependency(fileSpring3);
jarAnalyzer.analyze(spring3, null);
CPEAnalyzer instance = new CPEAnalyzer();
instance.open();
String expResult = "cpe:/a:apache:struts:2.1.2";
String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";
instance.determineCPE(depends);
instance.determineCPE(spring);
instance.determineCPE(spring3);
instance.close();
Assert.assertTrue("Incorrect match size - struts", depends.getIdentifiers().size() == 1);
Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().get(0).getValue().equals(expResult));
Assert.assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);
Assert.assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring));
Assert.assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 1);
//assertTrue("Incorrect match - spring3", spring3.getIdentifiers().get(0).getValue().equals(expResultSpring3));
}
/**
* Test of searchCPE method, of class CPEAnalyzer.
* @throws Exception is thrown when an exception occurs
*/
@Test
public void testSearchCPE() throws Exception {
String vendor = "apache software foundation";
String product = "struts 2 core";
String version = "2.1.2";
String expResult = "cpe:/a:apache:struts:2.1.2";
CPEAnalyzer instance = new CPEAnalyzer();
instance.open();
//TODO - yeah, not a very good test as the results are the same with or without weighting...
Set<String> productWeightings = new HashSet<String>(1);
productWeightings.add("struts2");
Set<String> vendorWeightings = new HashSet<String>(1);
vendorWeightings.add("apache");
List<Entry> result = instance.searchCPE(vendor, product, version, productWeightings, vendorWeightings);
Assert.assertEquals(expResult, result.get(0).getName());
instance.close();
}
}
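Review bot: testBuildSearch compares the query strings with `Assert.assertTrue(expResult.equals(queryText))`, which reports only a bare AssertionError on a mismatch; `Assert.assertEquals(expResult, queryText);` shows both strings and should replace all four occurrences. In testOpen, testDetermineCPE and testSearchCPE `instance.close()` runs only on the success path, so a failing assertion leaves the index open for the rest of the run; move the close into a `finally` block. `expResultSpring3` is assigned but its assertion is commented out, leaving only a `>= 1` size check for the spring3 case — either restore the assertion or drop the unused expected value so the test's intent is clear.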


@@ -0,0 +1,67 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.cpe;
import org.owasp.dependencycheck.data.cpe.Entry;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.Assert;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class EntryTest {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of setName method, of class Entry.
* @throws Exception is thrown when an exception occurs.
*/
@Test
public void testSetName() throws Exception {
String name = "cpe:/a:apache:struts:1.1:rc2";
Entry instance = new Entry();
instance.parseName(name);
Assert.assertEquals(name,instance.getName());
Assert.assertEquals("apache", instance.getVendor());
Assert.assertEquals("struts", instance.getProduct());
Assert.assertEquals("1.1", instance.getVersion());
Assert.assertEquals("rc2", instance.getRevision());
}
}
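Review bot: The Javadoc on testSetName says "Test of setName method" but the body exercises `parseName` and the accessors; rename the test to `testParseName` and change the summary to `* Test of parseName method, of class Entry.`. The empty @BeforeClass/@AfterClass/@Before/@After methods add nothing here and can be dropped.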


@@ -0,0 +1,75 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.cpe;
import java.io.File;
import java.io.IOException;
import org.apache.lucene.store.Directory;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class IndexIntegrationTest {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of update method, of class Index.
*/
@Test
public void testUpdate() throws Exception {
//deprecated
//Index instance = new Index();
//instance.update();
}
/**
* Test of updateNeeded method, of class Index.
*/
@Test
public void testUpdateNeeded() throws Exception {
//deprecated
//Index instance = new Index();
//instance.updateNeeded();
//if an exception is thrown this test fails. However, because it depends on the
// order of the tests what this will return I am just testing for the exception.
//assertTrue(expResult < result);
}
}
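Review bot: Both testUpdate and testUpdateNeeded have fully commented-out bodies, so they always pass and report the Index update paths as covered when nothing is exercised. If these paths are deprecated, delete the tests or annotate them `@Ignore("Index.update is deprecated")` so the runner reports them as skipped rather than green. The unused `File`, `IOException` and `Directory` imports can go with them.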


@@ -0,0 +1,81 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.cpe;
import org.owasp.dependencycheck.data.cpe.Index;
import java.io.File;
import java.io.IOException;
import junit.framework.Assert;
import org.apache.lucene.store.Directory;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class IndexTest {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of open method, of class Index.
*/
@Test
public void testOpen() {
Index instance = new Index();
try {
instance.open();
} catch (IOException ex) {
Assert.fail(ex.getMessage());
}
instance.close();
}
/**
* Test of getDirectory method, of class Index.
* @throws Exception
*/
@Test
public void testGetDirectory() throws Exception {
Index index = new Index();
Directory result = index.getDirectory();
String exp = File.separatorChar + "target" + File.separatorChar + "data" + File.separatorChar + "cpe";
Assert.assertTrue(result.toString().contains(exp));
}
}
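Review bot: testOpen catches IOException and calls `Assert.fail(ex.getMessage())`, which discards the stack trace and leaves `instance.close()` unreached on the failure path; declaring the method `throws IOException` and reducing the body to `instance.open();` then `instance.close();` in a `finally` gives JUnit the full exception. The file imports the JUnit 3 `junit.framework.Assert` while using JUnit 4 annotations; the other tests in this commit use `org.junit.Assert`, so switching keeps the suite consistent. testGetDirectory never closes the `Directory` it obtains.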


@@ -0,0 +1,86 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.cwe;
import org.owasp.dependencycheck.data.cwe.CweDB;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class CweDBTest {
public CweDBTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Method to serialize the CWE HashMap. This is not used in
* production; this is only used once during dev to create
* the serialized hashmap.
*/
// @Test
// public void testUpdate() throws Exception {
// SAXParserFactory factory = SAXParserFactory.newInstance();
// SAXParser saxParser = factory.newSAXParser();
//
// CweHandler handler = new CweHandler();
// File file = new File(this.getClass().getClassLoader().getResource("cwe.2000.xml").getPath());
//
// saxParser.parse(file, handler);
// System.out.println("Found " + handler.getCwe().size() + " cwe entries.");
// Map<String,String> cwe = handler.getCwe();
// FileOutputStream fout = new FileOutputStream("src/main/resources/data/cwe.hashmap.serialized");
// ObjectOutputStream objOut = new ObjectOutputStream(fout);
// objOut.writeObject(cwe);
// objOut.close();
// }
/**
* Test of getCweName method, of class CweDB.
*/
@Test
public void testGetCweName() {
String cweId = "CWE-16";
String expResult = "Configuration";
String result = CweDB.getCweName(cweId);
assertEquals(expResult, result);
}
}
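Review bot: The Javadoc block starting "Method to serialize the CWE HashMap" is attached to commented-out code, so javadoc ignores it and a reader has to work out that it belongs to the dead `testUpdate` below. Move the generator into a separate dev-time utility or build step, keep a one-line comment in CweDB describing how `cwe.hashmap.serialized` is produced, and delete the block here. If CweDB reads that resource with ObjectInputStream, the loading side is where the choice of a serialized HashMap deserves a comment — confirm against CweDB, which is outside this hunk. testGetCweName could also cover an unknown id so the behavior on a miss (null vs. exception) is pinned.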


@@ -0,0 +1,131 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.lucene;
import org.owasp.dependencycheck.data.lucene.SearchFieldAnalyzer;
import org.owasp.dependencycheck.data.lucene.FieldAnalyzer;
import org.apache.lucene.analysis.miscellaneous.PerFieldAnalyzerWrapper;
import java.util.HashMap;
import org.apache.lucene.queryparser.classic.QueryParser;
import org.apache.lucene.analysis.standard.StandardAnalyzer;
import org.apache.lucene.analysis.Analyzer;
import org.apache.lucene.search.ScoreDoc;
import org.apache.lucene.search.TopScoreDocCollector;
import org.apache.lucene.search.IndexSearcher;
import org.apache.lucene.index.IndexReader;
import org.apache.lucene.search.Query;
import java.io.IOException;
import org.apache.lucene.document.Field;
import org.apache.lucene.document.TextField;
import org.apache.lucene.document.Document;
import org.apache.lucene.index.DirectoryReader;
import org.apache.lucene.index.IndexWriter;
import org.apache.lucene.index.IndexWriterConfig;
import org.apache.lucene.store.RAMDirectory;
import org.apache.lucene.store.Directory;
import org.apache.lucene.util.Version;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class FieldAnalyzerTest {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
@Test
public void testAnalyzers() throws Exception {
Analyzer analyzer = new FieldAnalyzer(Version.LUCENE_40);
Directory index = new RAMDirectory();
String field1 = "product";
String text1 = "springframework";
String field2 = "vendor";
String text2 = "springsource";
createIndex(analyzer, index, field1, text1, field2, text2);
//Analyzer searchingAnalyzer = new SearchFieldAnalyzer(Version.LUCENE_40);
String querystr = "product:\"(Spring Framework Core)\" vendor:(SpringSource)";
SearchFieldAnalyzer searchAnalyzerProduct = new SearchFieldAnalyzer(Version.LUCENE_40);
SearchFieldAnalyzer searchAnalyzerVendor = new SearchFieldAnalyzer(Version.LUCENE_40);
HashMap<String,Analyzer> map = new HashMap<String,Analyzer>();
map.put(field1, searchAnalyzerProduct);
map.put(field2, searchAnalyzerVendor);
PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(new StandardAnalyzer(Version.LUCENE_40), map);
QueryParser parser = new QueryParser(Version.LUCENE_40, field1, wrapper);
Query q = parser.parse(querystr);
//System.out.println(q.toString());
int hitsPerPage = 10;
IndexReader reader = DirectoryReader.open(index);
IndexSearcher searcher = new IndexSearcher(reader);
TopScoreDocCollector collector = TopScoreDocCollector.create(hitsPerPage, true);
searcher.search(q, collector);
ScoreDoc[] hits = collector.topDocs().scoreDocs;
assertEquals("Did not find 1 document?", 1, hits.length);
searchAnalyzerProduct.clear(); //ensure we don't have anything left over from the previous search.
searchAnalyzerVendor.clear();
querystr = "product:(Apache Struts) vendor:(Apache)";
Query q2 = parser.parse(querystr);
//System.out.println(q2.toString());
assertFalse("second parsing contains previousWord from the TokenPairConcatenatingFilter", q2.toString().contains("core"));
}
private void createIndex(Analyzer analyzer, Directory index, String field1, String text1, String field2, String text2) throws IOException {
IndexWriterConfig config = new IndexWriterConfig(Version.LUCENE_40, analyzer);
IndexWriter w = new IndexWriter(index, config);
addDoc(w, field1, text1, field2, text2);
w.close();
}
private static void addDoc(IndexWriter w, String field1, String text1, String field2, String text2) throws IOException {
Document doc = new Document();
doc.add(new TextField(field1, text1, Field.Store.YES));
doc.add(new TextField(field2, text2, Field.Store.YES));
w.addDocument(doc);
}
}
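Review bot: testAnalyzers opens an `IndexReader` via `DirectoryReader.open(index)` and never closes it, and createIndex's `w.close()` is skipped if `addDoc` throws; wrap each in `try { … } finally { reader.close(); }` and `finally { w.close(); }` so a failing assertion does not leak handles across the suite. The `RAMDirectory` is likewise never closed. testAnalyzers has no Javadoc; a one-sentence summary stating that it checks the SearchFieldAnalyzer carries no token state between parses (which the final assertion on "core" verifies) would make the `clear()` calls self-explaining.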


@@ -0,0 +1,93 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.lucene;
import org.owasp.dependencycheck.data.lucene.LuceneUtils;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class LuceneUtilsTest {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of appendEscapedLuceneQuery method, of class LuceneUtils.
*/
@Test
public void testAppendEscapedLuceneQuery() {
StringBuilder buf = new StringBuilder();
CharSequence text = "test encoding + - & | ! ( ) { } [ ] ^ \" ~ * ? : \\";
String expResult = "test encoding \\+ \\- \\& \\| \\! \\( \\) \\{ \\} \\[ \\] \\^ \\\" \\~ \\* \\? \\: \\\\";
LuceneUtils.appendEscapedLuceneQuery(buf, text);
assertEquals(expResult, buf.toString());
}
/**
* Test of appendEscapedLuceneQuery method, of class LuceneUtils.
*/
@Test
public void testAppendEscapedLuceneQuery_null() {
StringBuilder buf = new StringBuilder();
CharSequence text = null;
LuceneUtils.appendEscapedLuceneQuery(buf, text);
assertEquals(0, buf.length());
}
/**
* Test of escapeLuceneQuery method, of class LuceneUtils.
*/
@Test
public void testEscapeLuceneQuery() {
CharSequence text = "test encoding + - & | ! ( ) { } [ ] ^ \" ~ * ? : \\";
String expResult = "test encoding \\+ \\- \\& \\| \\! \\( \\) \\{ \\} \\[ \\] \\^ \\\" \\~ \\* \\? \\: \\\\";
String result = LuceneUtils.escapeLuceneQuery(text);
assertEquals(expResult, result);
}
/**
* Test of escapeLuceneQuery method, of class LuceneUtils.
*/
@Test
public void testEscapeLuceneQuery_null() {
CharSequence text = null;
String expResult = null;
String result = LuceneUtils.escapeLuceneQuery(text);
assertEquals(expResult, result);
}
}
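Review bot: The escape tests cover the classic special characters but not `/`, which Lucene 4's classic QueryParser also treats specially as a regex delimiter; if `escapeLuceneQuery` is meant to mirror `QueryParser.escape`, add `/` to `text` and `\\/` to `expResult` in testAppendEscapedLuceneQuery and testEscapeLuceneQuery. This matters because the vendor and product strings that end up in queries appear to come from dependency metadata rather than hand-written constants — hedged, since LuceneUtils itself is outside this hunk. The four empty lifecycle methods can be removed.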


@@ -0,0 +1,138 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.nvdcve;
import org.owasp.dependencycheck.data.cpe.*;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import junit.framework.TestCase;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public abstract class BaseDBTestCase extends TestCase {
public BaseDBTestCase(String testName) {
super(testName);
}
@Override
protected void setUp() throws Exception {
super.setUp();
ensureDBExists();
}
protected static File getDataDirectory() throws IOException {
String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) {
exePath = exePath.getParentFile();
} else {
exePath = new File(".");
}
File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
path = new File(path.getCanonicalPath());
return path;
}
public static void ensureDBExists() throws Exception {
//String indexPath = Settings.getString(Settings.KEYS.CVE_INDEX);
String indexPath = getDataDirectory().getCanonicalPath();
java.io.File f = new File(indexPath);
if (!f.exists()) {
f.mkdirs();
FileInputStream fis = null;
ZipInputStream zin = null;
try {
File path = new File(BaseDBTestCase.class.getClassLoader().getResource("db.nvdcve.zip").getPath());
fis = new FileInputStream(path);
zin = new ZipInputStream(new BufferedInputStream(fis));
ZipEntry entry;
while ((entry = zin.getNextEntry()) != null) {
if (entry.isDirectory()) {
continue;
}
int BUFFER = 2048;
String outputName = indexPath + File.separatorChar + entry.getName();
FileOutputStream fos = null;
BufferedOutputStream dest = null;
try {
File o = new File(outputName);
// File oPath = new File(o.getParent());
// if (!oPath.exists()) {
// oPath.mkdir();
// }
o.createNewFile();
fos = new FileOutputStream(o, false);
dest = new BufferedOutputStream(fos, BUFFER);
byte data[] = new byte[BUFFER];
int count;
while ((count = zin.read(data, 0, BUFFER)) != -1) {
dest.write(data, 0, count);
}
} catch (Exception ex) {
String ignore = ex.getMessage();
} finally {
try {
dest.flush();
dest.close();
dest = null;
} catch (Throwable ex) {
String ignore = ex.getMessage();
}
try {
fos.close();
fos = null;
} catch (Throwable ex) {
String ignore = ex.getMessage();
}
}
}
} finally {
try {
if (zin != null) {
zin.close();
}
zin = null;
} catch (Throwable ex) {
String ignore = ex.getMessage();
}
try {
if (fis != null) {
fis.close();
}
fis = null;
} catch (Throwable ex) {
String ignore = ex.getMessage();
}
}
}
}
}
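Review bot: getDataDirectory and ensureDBExists here are near-verbatim copies of the same methods in BaseIndexTestCase in this commit, differing only in the settings key and the resource name `db.nvdcve.zip`; a shared test helper taking the key and resource name would leave one place to fix the unchecked entry paths and swallowed exceptions raised on that file. This class also extends JUnit 3 `junit.framework.TestCase` while BaseIndexTestCase uses JUnit 4 annotations, so subclasses of the two behave differently (constructor taking a test name and a `setUp` override versus `@Before`). Anchoring the data directory on `Index.class` from the cpe package ties the nvdcve tests to an unrelated class; a comment explaining why the main code source location, rather than the test's own, is the anchor would help the next reader.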


@@ -0,0 +1,62 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.nvdcve.xml;
import org.owasp.dependencycheck.data.nvdcve.xml.DatabaseUpdater;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class DatabaseUpdaterIntegrationTest {
public DatabaseUpdaterIntegrationTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of update method, of class DatabaseUpdater.
* @throws Exception
*/
@Test
public void testUpdate() throws Exception {
DatabaseUpdater instance = new DatabaseUpdater();
instance.update();
}
}
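Review bot: testUpdate calls `instance.update()` with no assertion and no Javadoc stating what is expected, so it can only fail by throwing; if `update()` fetches the NVD feeds (the class name suggests so — confirm), the test depends on network access and should say so. Add a Javadoc line such as `* Integration test: runs a full NVD update against the live feeds; requires network access.` and, where possible, assert on an observable result such as the data directory from BaseDBTestCase being populated.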


@@ -0,0 +1,72 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.nvdcve.xml;
import org.owasp.dependencycheck.data.nvdcve.xml.NvdCve12Handler;
import java.io.File;
import java.util.List;
import java.util.Map;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class NvdCve_1_2_HandlerTest {
public NvdCve_1_2_HandlerTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
@Test
public void testParse() throws Exception {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2012.xml").getPath());
NvdCve12Handler instance = new NvdCve12Handler();
saxParser.parse(file, instance);
Map<String, List<VulnerableSoftware>> results = instance.getVulnerabilities();
assertTrue("No vulnerable software identified with a previous version in 2012 CVE 1.2?", !results.isEmpty());
}
}
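Review bot: testParse builds its parser with a bare `SAXParserFactory.newInstance()`, which on most JDKs leaves DTD processing and external entity resolution enabled; a test on a bundled fixture is not itself at risk, but if production parsing of NVD feeds (DatabaseUpdater, not in this hunk) uses the same default, a single hardened factory helper with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` and external-entity features disabled should be shared by both. `assertTrue(msg, !results.isEmpty())` reads more naturally as `assertFalse(msg, results.isEmpty())`. A one-line Javadoc on testParse naming the fixture `nvdcve-2012.xml` and what a non-empty result demonstrates would help.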


@@ -0,0 +1,78 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.nvdcve.xml;
import org.owasp.dependencycheck.data.nvdcve.xml.NvdCve20Handler;
import java.io.File;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class NvdCve_2_0_HandlerTest {
public NvdCve_2_0_HandlerTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
@Test
public void testParse() {
Exception results = null;
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2.0-2012.xml").getPath());
NvdCve20Handler instance = new NvdCve20Handler();
saxParser.parse(file, instance);
} catch (Exception ex) {
results = ex;
}
assertTrue("Exception thrown during parse of 2012 CVE version 2.0?", results == null);
if (results != null) {
System.err.println(results);
}
}
}
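Review bot: In testParse the `if (results != null) { System.err.println(results); }` block after `assertTrue(..., results == null)` is unreachable, because the assertion throws whenever `results` is non-null; the catch-and-compare also replaces the original stack trace with a message. Declare the method `throws Exception`, drop the try/catch and the trailing block, and let JUnit report the failure directly, as NvdCve_1_2_HandlerTest.testParse already does. Unlike the 1.2 test, nothing about the parsed output is asserted here; if `NvdCve20Handler` exposes its results, add an emptiness check.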