diff --git a/dependency-check-core/apidocs/org/owasp/dependencycheck/reporting/EscapeTool.html b/dependency-check-core/apidocs/org/owasp/dependencycheck/reporting/EscapeTool.html new file mode 100644 index 000000000..1ff3b4418 --- /dev/null +++ b/dependency-check-core/apidocs/org/owasp/dependencycheck/reporting/EscapeTool.html @@ -0,0 +1,303 @@ + + + +
+ + +public class EscapeTool +extends Object+
| Constructor and Description | +
|---|
EscapeTool() |
+
public String url(String text)+
text - the text to encodepublic String html(String text)+
text - the text to encodeCopyright © 2012–2014 OWASP. All rights reserved.
+ + diff --git a/dependency-check-core/apidocs/org/owasp/dependencycheck/reporting/class-use/EscapeTool.html b/dependency-check-core/apidocs/org/owasp/dependencycheck/reporting/class-use/EscapeTool.html new file mode 100644 index 000000000..1120512b1 --- /dev/null +++ b/dependency-check-core/apidocs/org/owasp/dependencycheck/reporting/class-use/EscapeTool.html @@ -0,0 +1,117 @@ + + + + + + +Copyright © 2012–2014 OWASP. All rights reserved.
+ + diff --git a/dependency-check-core/cobertura/org.owasp.dependencycheck.reporting.EscapeTool.html b/dependency-check-core/cobertura/org.owasp.dependencycheck.reporting.EscapeTool.html new file mode 100644 index 000000000..656cecc45 --- /dev/null +++ b/dependency-check-core/cobertura/org.owasp.dependencycheck.reporting.EscapeTool.html @@ -0,0 +1,164 @@ + + + + +| Classes in this File | Line Coverage | Branch Coverage | Complexity | ||||
| EscapeTool |
|
| 1.6666666666666667;1.667 |
| 1 | + | /* |
| 2 | + | * This file is part of dependency-check-core. |
| 3 | + | * |
| 4 | + | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | + | * you may not use this file except in compliance with the License. |
| 6 | + | * You may obtain a copy of the License at |
| 7 | + | * |
| 8 | + | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | + | * |
| 10 | + | * Unless required by applicable law or agreed to in writing, software |
| 11 | + | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | + | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | + | * See the License for the specific language governing permissions and |
| 14 | + | * limitations under the License. |
| 15 | + | * |
| 16 | + | * Copyright (c) 2014 Jeremy Long. All Rights Reserved. |
| 17 | + | */ |
| 18 | + | package org.owasp.dependencycheck.reporting; |
| 19 | + | |
| 20 | + | import java.io.UnsupportedEncodingException; |
| 21 | + | import java.net.URLEncoder; |
| 22 | + | import java.util.logging.Level; |
| 23 | + | import java.util.logging.Logger; |
| 24 | + | import org.apache.commons.lang.StringEscapeUtils; |
| 25 | + | |
| 26 | + | /** |
| 27 | + | * An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This |
| 28 | + | * class was created to simplify the velocity configuration and avoid using the "built-in" escape tool. |
| 29 | + | * |
| 30 | + | * @author Jeremy Long <jeremy.long@owasp.org> |
| 31 | + | */ |
| 32 | + | public class EscapeTool { |
| 33 | + | |
| 34 | + | /** |
| 35 | + | * The logger. |
| 36 | + | */ |
| 37 | 0 | private static final Logger LOGGER = Logger.getLogger(EscapeTool.class.getName()); |
| 38 | + | |
| 39 | + | /** |
| 40 | + | * URL Encodes the provided text. |
| 41 | + | * |
| 42 | + | * @param text the text to encode |
| 43 | + | * @return the URL encoded text |
| 44 | + | */ |
| 45 | + | public String url(String text) { |
| 46 | + | try { |
| 47 | 0 | return URLEncoder.encode(text, "UTF-8"); |
| 48 | 0 | } catch (UnsupportedEncodingException ex) { |
| 49 | 0 | LOGGER.log(Level.WARNING, "UTF-8 is not supported?"); |
| 50 | 0 | LOGGER.log(Level.INFO, null, ex); |
| 51 | + | } |
| 52 | 0 | return ""; |
| 53 | + | } |
| 54 | + | |
| 55 | + | /** |
| 56 | + | * HTML Encodes the provided text. |
| 57 | + | * |
| 58 | + | * @param text the text to encode |
| 59 | + | * @return the HTML encoded text |
| 60 | + | */ |
| 61 | + | public String html(String text) { |
| 62 | 0 | return StringEscapeUtils.escapeHtml(text); |
| 63 | + | } |
| 64 | + | |
| 65 | + | /** |
| 66 | + | * XML Encodes the provided text. |
| 67 | + | * |
| 68 | + | * @param text the text to encode |
| 69 | + | * @return the XML encoded text |
| 70 | + | */ |
| 71 | + | public String xml(String text) { |
| 72 | 0 | return StringEscapeUtils.escapeXml(text); |
| 73 | + | } |
| 74 | + | } |
+1 /*
+2 * Copyright 2014 OWASP.
+3 *
+4 * Licensed under the Apache License, Version 2.0 (the "License");
+5 * you may not use this file except in compliance with the License.
+6 * You may obtain a copy of the License at
+7 *
+8 * http://www.apache.org/licenses/LICENSE-2.0
+9 *
+10 * Unless required by applicable law or agreed to in writing, software
+11 * distributed under the License is distributed on an "AS IS" BASIS,
+12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+13 * See the License for the specific language governing permissions and
+14 * limitations under the License.
+15 */
+16 package org.owasp.dependencycheck;
+17
+18 import org.junit.AfterClass;
+19 import org.junit.BeforeClass;
+20 import org.owasp.dependencycheck.utils.Settings;
+21
+22 /**
+23 *
+24 * @author Jeremy Long <jeremy.long@owasp.org>
+25 */
+26 public class BaseTest {
+27
+28 @BeforeClass
+29 public static void setUpClass() throws Exception {
+30 Settings.initialize();
+31 }
+32
+33 @AfterClass
+34 public static void tearDownClass() throws Exception {
+35 Settings.cleanup();
+36 }
+37 }
+
+
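Review bot: The class Javadoc on lines 22–25 holds only the author tag, so nothing tells a new test author why a test should extend `BaseTest` or what `Settings.initialize()` / `Settings.cleanup()` bracket. A summary such as `Base class for tests that need the global Settings initialized once per test class and released afterwards.` plus a one-line Javadoc on each hook (`Initializes the shared Settings before any test in the class runs.` and `Releases the shared Settings after the last test in the class has run.`) would state the contract the subclasses below rely on.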
+1 /*
+2 * This file is part of dependency-check-core.
+3 *
+4 * Licensed under the Apache License, Version 2.0 (the "License");
+5 * you may not use this file except in compliance with the License.
+6 * You may obtain a copy of the License at
+7 *
+8 * http://www.apache.org/licenses/LICENSE-2.0
+9 *
+10 * Unless required by applicable law or agreed to in writing, software
+11 * distributed under the License is distributed on an "AS IS" BASIS,
+12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+13 * See the License for the specific language governing permissions and
+14 * limitations under the License.
+15 *
+16 * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+17 */
+18 package org.owasp.dependencycheck.analyzer;
+19
+20 import java.io.File;
+21 import java.util.HashSet;
+22 import java.util.Set;
+23 import static org.junit.Assert.assertEquals;
+24 import static org.junit.Assert.assertTrue;
+25 import org.junit.Test;
+26 import org.owasp.dependencycheck.Engine;
+27 import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+28 import org.owasp.dependencycheck.dependency.Dependency;
+29 import org.owasp.dependencycheck.utils.Settings;
+30
+31 /**
+32 *
+33 * @author Jeremy Long <jeremy.long@owasp.org>
+34 */
+35 public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+36
+37 /**
+38 * Test of getSupportedExtensions method, of class ArchiveAnalyzer.
+39 */
+40 @Test
+41 public void testGetSupportedExtensions() {
+42 ArchiveAnalyzer instance = new ArchiveAnalyzer();
+43 Set expResult = new HashSet<String>();
+44 expResult.add("zip");
+45 expResult.add("war");
+46 expResult.add("ear");
+47 expResult.add("jar");
+48 expResult.add("sar");
+49 expResult.add("apk");
+50 expResult.add("nupkg");
+51 expResult.add("tar");
+52 expResult.add("gz");
+53 expResult.add("tgz");
+54 Set result = instance.getSupportedExtensions();
+55 assertEquals(expResult, result);
+56 }
+57
+58 /**
+59 * Test of getName method, of class ArchiveAnalyzer.
+60 */
+61 @Test
+62 public void testGetName() {
+63 ArchiveAnalyzer instance = new ArchiveAnalyzer();
+64 String expResult = "Archive Analyzer";
+65 String result = instance.getName();
+66 assertEquals(expResult, result);
+67 }
+68
+69 /**
+70 * Test of supportsExtension method, of class ArchiveAnalyzer.
+71 */
+72 @Test
+73 public void testSupportsExtension() {
+74 String extension = "7z"; //not supported
+75 ArchiveAnalyzer instance = new ArchiveAnalyzer();
+76 boolean expResult = false;
+77 boolean result = instance.supportsExtension(extension);
+78 assertEquals(expResult, result);
+79
+80 extension = "war"; //supported
+81 expResult = true;
+82 result = instance.supportsExtension(extension);
+83 assertEquals(expResult, result);
+84
+85 extension = "ear"; //supported
+86 result = instance.supportsExtension(extension);
+87 assertEquals(expResult, result);
+88
+89 extension = "zip"; //supported
+90 result = instance.supportsExtension(extension);
+91 assertEquals(expResult, result);
+92
+93 extension = "nupkg"; //supported
+94 result = instance.supportsExtension(extension);
+95 assertEquals(expResult, result);
+96 }
+97
+98 /**
+99 * Test of getAnalysisPhase method, of class ArchiveAnalyzer.
+100 */
+101 @Test
+102 public void testGetAnalysisPhase() {
+103 ArchiveAnalyzer instance = new ArchiveAnalyzer();
+104 AnalysisPhase expResult = AnalysisPhase.INITIAL;
+105 AnalysisPhase result = instance.getAnalysisPhase();
+106 assertEquals(expResult, result);
+107 }
+108
+109 /**
+110 * Test of initialize and close methods, of class ArchiveAnalyzer.
+111 */
+112 @Test
+113 public void testInitialize() throws Exception {
+114 ArchiveAnalyzer instance = new ArchiveAnalyzer();
+115 instance.initialize();
+116
+117 instance.close();
+118
+119 //no exception means things worked.
+120 }
+121
+122 /**
+123 * Test of analyze method, of class ArchiveAnalyzer.
+124 */
+125 @Test
+126 public void testAnalyze() throws Exception {
+127 ArchiveAnalyzer instance = new ArchiveAnalyzer();
+128 //trick the analyzer into thinking it is active.
+129 instance.supportsExtension("ear");
+130 try {
+131 instance.initialize();
+132
+133 File file = new File(this.getClass().getClassLoader().getResource("daytrader-ear-2.1.7.ear").getPath());
+134 Dependency dependency = new Dependency(file);
+135 Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+136 Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+137 Engine engine = new Engine();
+138
+139 int initial_size = engine.getDependencies().size();
+140 instance.analyze(dependency, engine);
+141 int ending_size = engine.getDependencies().size();
+142
+143 engine.cleanup();
+144
+145 assertTrue(initial_size < ending_size);
+146
+147 } finally {
+148 instance.close();
+149 }
+150 }
+151
+152 /**
+153 * Test of analyze method, of class ArchiveAnalyzer.
+154 */
+155 @Test
+156 public void testAnalyzeTar() throws Exception {
+157 ArchiveAnalyzer instance = new ArchiveAnalyzer();
+158 //trick the analyzer into thinking it is active so that it will initialize
+159 instance.supportsExtension("tar");
+160 try {
+161 instance.initialize();
+162
+163 //File file = new File(this.getClass().getClassLoader().getResource("file.tar").getPath());
+164 File file = new File(this.getClass().getClassLoader().getResource("stagedhttp-modified.tar").getPath());
+165 Dependency dependency = new Dependency(file);
+166 Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+167 Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+168 Engine engine = new Engine();
+169
+170 int initial_size = engine.getDependencies().size();
+171 instance.analyze(dependency, engine);
+172 int ending_size = engine.getDependencies().size();
+173 engine.cleanup();
+174
+175 assertTrue(initial_size < ending_size);
+176
+177 } finally {
+178 instance.close();
+179 }
+180 }
+181
+182 /**
+183 * Test of analyze method, of class ArchiveAnalyzer.
+184 */
+185 @Test
+186 public void testAnalyzeTarGz() throws Exception {
+187 ArchiveAnalyzer instance = new ArchiveAnalyzer();
+188 instance.supportsExtension("zip"); //ensure analyzer is "enabled"
+189 try {
+190 instance.initialize();
+191
+192 File file = new File(this.getClass().getClassLoader().getResource("file.tar.gz").getPath());
+193 //Dependency dependency = new Dependency(file);
+194 Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+195 Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+196 Engine engine = new Engine();
+197
+198 int initial_size = engine.getDependencies().size();
+199 //instance.analyze(dependency, engine);
+200 engine.scan(file);
+201 engine.analyzeDependencies();
+202 int ending_size = engine.getDependencies().size();
+203 engine.cleanup();
+204 assertTrue(initial_size < ending_size);
+205
+206 } finally {
+207 instance.close();
+208 }
+209 }
+210
+211 // /**
+212 // * Test of analyze method, of class ArchiveAnalyzer.
+213 // */
+214 // @Test
+215 // public void testNestedZipFolder() throws Exception {
+216 // ArchiveAnalyzer instance = new ArchiveAnalyzer();
+217 // try {
+218 // instance.initialize();
+219 //
+220 // File file = new File(this.getClass().getClassLoader().getResource("nested.zip").getPath());
+221 // Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+222 // Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+223 // Engine engine = new Engine();
+224 //
+225 // engine.scan(file);
+226 // engine.analyzeDependencies();
+227 //
+228 // } finally {
+229 // instance.close();
+230 // }
+231 // }
+232 /**
+233 * Test of analyze method, of class ArchiveAnalyzer.
+234 */
+235 @Test
+236 public void testAnalyzeTgz() throws Exception {
+237 ArchiveAnalyzer instance = new ArchiveAnalyzer();
+238 instance.supportsExtension("zip"); //ensure analyzer is "enabled"
+239 try {
+240 instance.initialize();
+241
+242 File file = new File(this.getClass().getClassLoader().getResource("file.tgz").getPath());
+243 Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+244 Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+245 Engine engine = new Engine();
+246
+247 int initial_size = engine.getDependencies().size();
+248 engine.scan(file);
+249 engine.analyzeDependencies();
+250 int ending_size = engine.getDependencies().size();
+251 engine.cleanup();
+252 assertTrue(initial_size < ending_size);
+253
+254 } finally {
+255 instance.close();
+256 }
+257 }
+258
+259 /**
+260 * Test of analyze method, of class ArchiveAnalyzer.
+261 */
+262 @Test
+263 public void testAnalyze_badZip() throws Exception {
+264 ArchiveAnalyzer instance = new ArchiveAnalyzer();
+265 try {
+266 instance.initialize();
+267
+268 File file = new File(this.getClass().getClassLoader().getResource("test.zip").getPath());
+269 Dependency dependency = new Dependency(file);
+270 Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+271 Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+272 Engine engine = new Engine();
+273 int initial_size = engine.getDependencies().size();
+274 // boolean failed = false;
+275 // try {
+276 instance.analyze(dependency, engine);
+277 // } catch (java.lang.UnsupportedClassVersionError ex) {
+278 // failed = true;
+279 // }
+280 // assertTrue(failed);
+281 int ending_size = engine.getDependencies().size();
+282 engine.cleanup();
+283 assertEquals(initial_size, ending_size);
+284 } finally {
+285 instance.close();
+286 }
+287 }
+288 }
+
+
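Review bot: Test resources are located with `getResource(...).getPath()` on lines 133, 164, 192, 242 and 268, which returns the URL's raw, still percent-encoded path, so a checkout directory containing a space (or any other encoded character) produces a `File` that does not exist and every analyze test fails before reaching its assertion; `new File(this.getClass().getClassLoader().getResource("daytrader-ear-2.1.7.ear").toURI())` decodes it correctly, and the `throws Exception` on these methods already covers `URISyntaxException`. The same pattern appears in the CPEAnalyzerIntegrationTest, HintAnalyzerTest and VulnerabilitySuppressionAnalyzerIntegrationTest sections below. `testGetSupportedExtensions` uses raw `Set` on lines 43 and 54 — `Set<String>` on both keeps the comparison type-checked — and the commented-out `testNestedZipFolder` on lines 211–231 should either be restored with an assertion or deleted rather than committed as dead code. The `Settings.setBoolean` calls (lines 135–136 and siblings) mutate what looks like process-wide state without restoring it, so test ordering can change results; resetting them in the existing `finally` blocks would isolate each test.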
+1 /*
+2 * This file is part of dependency-check-core.
+3 *
+4 * Licensed under the Apache License, Version 2.0 (the "License");
+5 * you may not use this file except in compliance with the License.
+6 * You may obtain a copy of the License at
+7 *
+8 * http://www.apache.org/licenses/LICENSE-2.0
+9 *
+10 * Unless required by applicable law or agreed to in writing, software
+11 * distributed under the License is distributed on an "AS IS" BASIS,
+12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+13 * See the License for the specific language governing permissions and
+14 * limitations under the License.
+15 *
+16 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+17 */
+18 package org.owasp.dependencycheck.analyzer;
+19
+20 import java.io.File;
+21 import java.io.IOException;
+22 import java.util.HashSet;
+23 import java.util.List;
+24 import java.util.Set;
+25 import org.apache.lucene.index.CorruptIndexException;
+26 import org.apache.lucene.queryparser.classic.ParseException;
+27 import org.junit.Assert;
+28 import org.junit.Test;
+29 import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+30 import org.owasp.dependencycheck.data.cpe.IndexEntry;
+31 import org.owasp.dependencycheck.dependency.Dependency;
+32 import org.owasp.dependencycheck.dependency.Identifier;
+33
+34 /**
+35 *
+36 * @author Jeremy Long <jeremy.long@owasp.org>
+37 */
+38 public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+39
+40 /**
+41 * Tests of buildSearch of class CPEAnalyzer.
+42 *
+43 * @throws IOException is thrown when an IO Exception occurs.
+44 * @throws CorruptIndexException is thrown when the index is corrupt.
+45 * @throws ParseException is thrown when a parse exception occurs
+46 */
+47 @Test
+48 public void testBuildSearch() throws IOException, CorruptIndexException, ParseException {
+49 Set<String> productWeightings = new HashSet<String>(1);
+50 productWeightings.add("struts2");
+51
+52 Set<String> vendorWeightings = new HashSet<String>(1);
+53 vendorWeightings.add("apache");
+54
+55 String vendor = "apache software foundation";
+56 String product = "struts 2 core";
+57 String version = "2.1.2";
+58 CPEAnalyzer instance = new CPEAnalyzer();
+59
+60 String queryText = instance.buildSearch(vendor, product, null, null);
+61 String expResult = " product:( struts 2 core ) AND vendor:( apache software foundation ) ";
+62 Assert.assertTrue(expResult.equals(queryText));
+63
+64 queryText = instance.buildSearch(vendor, product, null, productWeightings);
+65 expResult = " product:( struts^5 struts2^5 2 core ) AND vendor:( apache software foundation ) ";
+66 Assert.assertTrue(expResult.equals(queryText));
+67
+68 queryText = instance.buildSearch(vendor, product, vendorWeightings, null);
+69 expResult = " product:( struts 2 core ) AND vendor:( apache^5 software foundation ) ";
+70 Assert.assertTrue(expResult.equals(queryText));
+71
+72 queryText = instance.buildSearch(vendor, product, vendorWeightings, productWeightings);
+73 expResult = " product:( struts^5 struts2^5 2 core ) AND vendor:( apache^5 software foundation ) ";
+74 Assert.assertTrue(expResult.equals(queryText));
+75 }
+76
+77 /**
+78 * Test of determineCPE method, of class CPEAnalyzer.
+79 *
+80 * @throws Exception is thrown when an exception occurs
+81 */
+82 @Test
+83 public void testDetermineCPE_full() throws Exception {
+84 callDetermineCPE_full("hazelcast-2.5.jar", null);
+85 callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:vmware:springsource_spring_framework:2.5.5");
+86 callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0");
+87 callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2");
+88 callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null);
+89 callDetermineCPE_full("ehcache-core-2.2.0.jar", null);
+90 }
+91
+92 /**
+93 * Test of determineCPE method, of class CPEAnalyzer.
+94 *
+95 * @throws Exception is thrown when an exception occurs
+96 */
+97 public void callDetermineCPE_full(String depName, String expResult) throws Exception {
+98
+99 File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
+100
+101 Dependency dep = new Dependency(file);
+102
+103 FileNameAnalyzer fnAnalyzer = new FileNameAnalyzer();
+104 fnAnalyzer.analyze(dep, null);
+105
+106 JarAnalyzer jarAnalyzer = new JarAnalyzer();
+107 jarAnalyzer.analyze(dep, null);
+108 HintAnalyzer hAnalyzer = new HintAnalyzer();
+109 hAnalyzer.analyze(dep, null);
+110
+111 CPEAnalyzer instance = new CPEAnalyzer();
+112 instance.open();
+113 instance.analyze(dep, null);
+114 instance.close();
+115 FalsePositiveAnalyzer fp = new FalsePositiveAnalyzer();
+116 fp.analyze(dep, null);
+117
+118 // for (Identifier i : dep.getIdentifiers()) {
+119 // System.out.println(i.getValue());
+120 // }
+121 if (expResult != null) {
+122 Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
+123 Assert.assertTrue("Incorrect match: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().contains(expIdentifier));
+124 } else if (dep.getIdentifiers().isEmpty()) {
+125 Assert.assertTrue("Match found when an Identifier should not have been found: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().isEmpty());
+126 } else {
+127 Assert.assertTrue("Match found when an Identifier should not have been found: { dep:'" + dep.getFileName() + "', identifier:'" + dep.getIdentifiers().iterator().next().getValue() + "' }", dep.getIdentifiers().isEmpty());
+128 }
+129 }
+130
+131 /**
+132 * Test of determineCPE method, of class CPEAnalyzer.
+133 *
+134 * @throws Exception is thrown when an exception occurs
+135 */
+136 @Test
+137 public void testDetermineCPE() throws Exception {
+138 File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
+139 //File file = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
+140 Dependency struts = new Dependency(file);
+141
+142 FileNameAnalyzer fnAnalyzer = new FileNameAnalyzer();
+143 fnAnalyzer.analyze(struts, null);
+144
+145 JarAnalyzer jarAnalyzer = new JarAnalyzer();
+146 jarAnalyzer.analyze(struts, null);
+147
+148 File fileCommonValidator = new File(this.getClass().getClassLoader().getResource("commons-validator-1.4.0.jar").getPath());
+149 Dependency commonValidator = new Dependency(fileCommonValidator);
+150 jarAnalyzer.analyze(commonValidator, null);
+151
+152 File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
+153 Dependency spring = new Dependency(fileSpring);
+154 jarAnalyzer.analyze(spring, null);
+155
+156 File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
+157 Dependency spring3 = new Dependency(fileSpring3);
+158 jarAnalyzer.analyze(spring3, null);
+159
+160 CPEAnalyzer instance = new CPEAnalyzer();
+161 instance.open();
+162 instance.determineCPE(commonValidator);
+163 instance.determineCPE(struts);
+164 instance.determineCPE(spring);
+165 instance.determineCPE(spring3);
+166 instance.close();
+167
+168 String expResult = "cpe:/a:apache:struts:2.1.2";
+169 Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
+170 String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
+171 String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";
+172
+173 Assert.assertTrue("Apache Common Validator - found an identifier?", commonValidator.getIdentifiers().isEmpty());
+174 Assert.assertTrue("Incorrect match size - struts", struts.getIdentifiers().size() >= 1);
+175 Assert.assertTrue("Incorrect match - struts", struts.getIdentifiers().contains(expIdentifier));
+176 Assert.assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 1);
+177
+178 //the following two only work if the HintAnalyzer is used.
+179 //Assert.assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);
+180 //Assert.assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring));
+181 }
+182
+183 /**
+184 * Test of searchCPE method, of class CPEAnalyzer.
+185 *
+186 * @throws Exception is thrown when an exception occurs
+187 */
+188 @Test
+189 public void testSearchCPE() throws Exception {
+190 String vendor = "apache software foundation";
+191 String product = "struts 2 core";
+192 String version = "2.1.2";
+193 String expResult = "cpe:/a:apache:struts:2.1.2";
+194
+195 CPEAnalyzer instance = new CPEAnalyzer();
+196 instance.open();
+197
+198 //TODO - yeah, not a very good test as the results are the same with or without weighting...
+199 Set<String> productWeightings = new HashSet<String>(1);
+200 productWeightings.add("struts2");
+201
+202 Set<String> vendorWeightings = new HashSet<String>(1);
+203 vendorWeightings.add("apache");
+204
+205 List<IndexEntry> result = instance.searchCPE(vendor, product, productWeightings, vendorWeightings);
+206 //TODO fix this assert
+207 //Assert.assertEquals(expResult, result.get(0).getName());
+208
+209 instance.close();
+210 }
+211 }
+
+
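Review bot: `testSearchCPE` (lines 189–210) asserts nothing — the only check is commented out on line 207 — so it passes as long as `searchCPE` does not throw; either restore an assertion (`Assert.assertFalse(result.isEmpty());` at minimum) or mark it `@Ignore` together with the TODO so a green run is not misread as coverage. The `open()`/`analyze()`/`close()` and `open()`/`determineCPE()`/`close()` sequences on lines 112–114, 161–166 and 196–209 are not in try/finally, so a failing assertion or exception leaves the index open for the rest of the JVM; `CveDBIntegrationTest.testGetCPEs` further down already uses the `try { ... } finally { instance.close(); }` shape and these should match it. `callDetermineCPE_full` (line 97) is public and its Javadoc says "Test of determineCPE method" although it is a helper rather than a test; making it `private` and documenting it as `Runs the file-name, jar, hint, CPE and false-positive analyzers over the named resource and asserts that the expected CPE identifier (or none) was produced.` keeps it out of the test surface. The unused `version` locals on lines 57 and 192 can be dropped.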
+1 /*
+2 * Copyright 2014 OWASP.
+3 *
+4 * Licensed under the Apache License, Version 2.0 (the "License");
+5 * you may not use this file except in compliance with the License.
+6 * You may obtain a copy of the License at
+7 *
+8 * http://www.apache.org/licenses/LICENSE-2.0
+9 *
+10 * Unless required by applicable law or agreed to in writing, software
+11 * distributed under the License is distributed on an "AS IS" BASIS,
+12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+13 * See the License for the specific language governing permissions and
+14 * limitations under the License.
+15 */
+16 package org.owasp.dependencycheck.analyzer;
+17
+18 import java.io.File;
+19 import java.util.Set;
+20 import static org.junit.Assert.assertEquals;
+21 import static org.junit.Assert.assertFalse;
+22 import static org.junit.Assert.assertTrue;
+23 import org.junit.Before;
+24 import org.junit.Test;
+25 import org.owasp.dependencycheck.BaseTest;
+26 import org.owasp.dependencycheck.Engine;
+27 import org.owasp.dependencycheck.dependency.Confidence;
+28 import org.owasp.dependencycheck.dependency.Dependency;
+29 import org.owasp.dependencycheck.dependency.Evidence;
+30 import org.owasp.dependencycheck.utils.Settings;
+31
+32 /**
+33 *
+34 * @author Jeremy Long <jeremy.long@owasp.org>
+35 */
+36 public class HintAnalyzerTest extends BaseTest {
+37
+38 @Before
+39 public void setUp() throws Exception {
+40 org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
+41 }
+42
+43 /**
+44 * Test of getName method, of class HintAnalyzer.
+45 */
+46 @Test
+47 public void testGetName() {
+48 HintAnalyzer instance = new HintAnalyzer();
+49 String expResult = "Hint Analyzer";
+50 String result = instance.getName();
+51 assertEquals(expResult, result);
+52 }
+53
+54 /**
+55 * Test of getAnalysisPhase method, of class HintAnalyzer.
+56 */
+57 @Test
+58 public void testGetAnalysisPhase() {
+59 HintAnalyzer instance = new HintAnalyzer();
+60 AnalysisPhase expResult = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
+61 AnalysisPhase result = instance.getAnalysisPhase();
+62 assertEquals(expResult, result);
+63 }
+64
+65 /**
+66 * Test of analyze method, of class HintAnalyzer.
+67 */
+68 @Test
+69 public void testAnalyze() throws Exception {
+70 HintAnalyzer instance = new HintAnalyzer();
+71
+72 File guice = new File(this.getClass().getClassLoader().getResource("guice-3.0.jar").getPath());
+73 //Dependency guice = new Dependency(fileg);
+74 File spring = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
+75 //Dependency spring = new Dependency(files);
+76 Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+77 Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+78 Engine engine = new Engine();
+79
+80 engine.scan(guice);
+81 engine.scan(spring);
+82 engine.analyzeDependencies();
+83 Dependency gdep = null;
+84 Dependency sdep = null;
+85 for (Dependency d : engine.getDependencies()) {
+86 if (d.getActualFile().equals(guice)) {
+87 gdep = d;
+88 } else {
+89 sdep = d;
+90 }
+91 }
+92 final Evidence springTest1 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
+93 final Evidence springTest2 = new Evidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
+94 final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
+95 final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
+96 final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
+97
+98 Set<Evidence> evidence = gdep.getEvidence().getEvidence();
+99 assertFalse(evidence.contains(springTest1));
+100 assertFalse(evidence.contains(springTest2));
+101 assertFalse(evidence.contains(springTest3));
+102 assertFalse(evidence.contains(springTest4));
+103 assertFalse(evidence.contains(springTest5));
+104
+105 evidence = sdep.getEvidence().getEvidence();
+106 assertTrue(evidence.contains(springTest1));
+107 assertTrue(evidence.contains(springTest2));
+108 assertTrue(evidence.contains(springTest3));
+109 //assertTrue(evidence.contains(springTest4));
+110 //assertTrue(evidence.contains(springTest5));
+111
+112 }
+113
+114 }
+
+
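Review bot: The loop on lines 85–91 assigns `sdep` to any dependency that is not the guice jar, and both `gdep` and `sdep` start as `null`, so if the engine returns an extra dependency or a different ordering the test either inspects the wrong dependency or fails with a NullPointerException on line 98 instead of an assertion message. Matching `sdep` explicitly with `else if (d.getActualFile().equals(spring))` and adding `assertNotNull(gdep); assertNotNull(sdep);` before line 98 (with `assertNotNull` added to the static imports on lines 20–22) makes the failure mode explicit. `springTest4` and `springTest5` (lines 95–96) are built with the same arguments as `springTest1` and `springTest3`, so assuming `Evidence` has value-based equality the duplicate `assertFalse` checks on lines 102–103 add nothing and the commented assertions on lines 109–110 would be redundant. The `HintAnalyzer` created on line 70 is never used — the engine runs the analyzer — and can be removed.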
+1 /*
+2 * This file is part of dependency-check-core.
+3 *
+4 * Licensed under the Apache License, Version 2.0 (the "License");
+5 * you may not use this file except in compliance with the License.
+6 * You may obtain a copy of the License at
+7 *
+8 * http://www.apache.org/licenses/LICENSE-2.0
+9 *
+10 * Unless required by applicable law or agreed to in writing, software
+11 * distributed under the License is distributed on an "AS IS" BASIS,
+12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+13 * See the License for the specific language governing permissions and
+14 * limitations under the License.
+15 *
+16 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+17 */
+18 package org.owasp.dependencycheck.analyzer;
+19
+20 import java.io.File;
+21 import static org.junit.Assert.assertEquals;
+22 import static org.junit.Assert.assertTrue;
+23 import org.junit.Test;
+24 import org.owasp.dependencycheck.Engine;
+25 import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+26 import org.owasp.dependencycheck.dependency.Dependency;
+27 import org.owasp.dependencycheck.utils.Settings;
+28
+29 /**
+30 * Testing the vulnerability suppression analyzer.
+31 *
+32 * @author Jeremy Long <jeremy.long@owasp.org>
+33 */
+34 public class VulnerabilitySuppressionAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+35
+36 /**
+37 * Test of getName method, of class VulnerabilitySuppressionAnalyzer.
+38 */
+39 @Test
+40 public void testGetName() {
+41 VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
+42 String expResult = "Vulnerability Suppression Analyzer";
+43 String result = instance.getName();
+44 assertEquals(expResult, result);
+45 }
+46
+47 /**
+48 * Test of getAnalysisPhase method, of class VulnerabilitySuppressionAnalyzer.
+49 */
+50 @Test
+51 public void testGetAnalysisPhase() {
+52 VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
+53 AnalysisPhase expResult = AnalysisPhase.POST_FINDING_ANALYSIS;
+54 AnalysisPhase result = instance.getAnalysisPhase();
+55 assertEquals(expResult, result);
+56 }
+57
+58 /**
+59 * Test of analyze method, of class VulnerabilitySuppressionAnalyzer.
+60 */
+61 @Test
+62 public void testAnalyze() throws Exception {
+63
+64 File file = new File(this.getClass().getClassLoader().getResource("FileHelpers.2.0.0.0.nupkg").getPath());
+65 File suppression = new File(this.getClass().getClassLoader().getResource("FileHelpers.2.0.0.0.suppression.xml").getPath());
+66 Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+67 Engine engine = new Engine();
+68 engine.scan(file);
+69 engine.analyzeDependencies();
+70 Dependency dependency = getDependency(engine, file);
+71 assertTrue(dependency.getVulnerabilities().size() > 0);
+72 Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppression.getAbsolutePath());
+73 VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
+74 instance.initialize();
+75 instance.analyze(dependency, engine);
+76 assertTrue(dependency.getVulnerabilities().size() == 0);
+77 engine.cleanup();
+78 }
+79
+80 /**
+81 * Retrieves a specific dependency from the engine.
+82 *
+83 * @param engine the engine
+84 * @param file the dependency to retrieve
+85 * @return the dependency
+86 */
+87 private Dependency getDependency(Engine engine, File file) {
+88 for (Dependency d : engine.getDependencies()) {
+89 if (d.getFileName().equals(file.getName())) {
+90 return d;
+91 }
+92 }
+93 return null;
+94 }
+95 }
+
+
+1 /*
+2 * This file is part of dependency-check-core.
+3 *
+4 * Licensed under the Apache License, Version 2.0 (the "License");
+5 * you may not use this file except in compliance with the License.
+6 * You may obtain a copy of the License at
+7 *
+8 * http://www.apache.org/licenses/LICENSE-2.0
+9 *
+10 * Unless required by applicable law or agreed to in writing, software
+11 * distributed under the License is distributed on an "AS IS" BASIS,
+12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+13 * See the License for the specific language governing permissions and
+14 * limitations under the License.
+15 *
+16 * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+17 */
+18 package org.owasp.dependencycheck.data.nvdcve;
+19
+20 import java.util.List;
+21 import java.util.Set;
+22 import static org.junit.Assert.assertTrue;
+23 import org.junit.Test;
+24 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+25
+26 /**
+27 *
+28 * @author Jeremy Long <jeremy.long@owasp.org>
+29 */
+30 public class CveDBIntegrationTest extends BaseDBTestCase {
+31
+32 /**
+33 * Pretty useless tests of open, commit, and close methods, of class CveDB.
+34 */
+35 @Test
+36 public void testOpen() throws Exception {
+37 CveDB instance = new CveDB();
+38 instance.open();
+39 instance.commit();
+40 instance.close();
+41 }
+42
+43 /**
+44 * Test of getCPEs method, of class CveDB.
+45 */
+46 @Test
+47 public void testGetCPEs() throws Exception {
+48 CveDB instance = new CveDB();
+49 try {
+50 String vendor = "apache";
+51 String product = "struts";
+52 instance.open();
+53 Set<VulnerableSoftware> result = instance.getCPEs(vendor, product);
+54 assertTrue(result.size() > 5);
+55 } finally {
+56 instance.close();
+57 }
+58 }
+59
+60 /**
+61 * Test of getVulnerabilities method, of class CveDB.
+62 */
+63 @Test
+64 public void testGetVulnerabilities() throws Exception {
+65 String cpeStr = "cpe:/a:apache:struts:2.1.2";
+66 CveDB instance = new CveDB();
+67 try {
+68 instance.open();
+69 List result = instance.getVulnerabilities(cpeStr);
+70 assertTrue(result.size() > 5);
+71 } finally {
+72 instance.close();
+73 }
+74 }
+75 }
+
+
+1 /*
+2 * This file is part of dependency-check-core.
+3 *
+4 * Licensed under the Apache License, Version 2.0 (the "License");
+5 * you may not use this file except in compliance with the License.
+6 * You may obtain a copy of the License at
+7 *
+8 * http://www.apache.org/licenses/LICENSE-2.0
+9 *
+10 * Unless required by applicable law or agreed to in writing, software
+11 * distributed under the License is distributed on an "AS IS" BASIS,
+12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+13 * See the License for the specific language governing permissions and
+14 * limitations under the License.
+15 *
+16 * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+17 */
+18 package org.owasp.dependencycheck.data.nvdcve;
+19
+20 import java.util.Properties;
+21 import static org.junit.Assert.assertEquals;
+22 import static org.junit.Assert.assertTrue;
+23 import org.junit.Test;
+24 import org.owasp.dependencycheck.data.update.NvdCveInfo;
+25
+26 /**
+27 *
+28 * @author Jeremy Long <jeremy.long@owasp.org>
+29 */
+30 public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
+31
+32 /**
+33 * Test of isEmpty method, of class DatabaseProperties.
+34 */
+35 @Test
+36 public void testIsEmpty() throws Exception {
+37 CveDB cveDB = new CveDB();
+38 cveDB.open();
+39 DatabaseProperties instance = cveDB.getDatabaseProperties();
+40 boolean expResult = false;
+41 boolean result = instance.isEmpty();
+42 //no exception means the call worked... whether or not it is empty depends on if the db is new
+43 //assertEquals(expResult, result);
+44 cveDB.close();
+45 }
+46
+47 /**
+48 * Test of save method, of class DatabaseProperties.
+49 */
+50 @Test
+51 public void testSave() throws Exception {
+52 NvdCveInfo updatedValue = new NvdCveInfo();
+53 String key = "test";
+54 long expected = 1337;
+55 updatedValue.setId(key);
+56 updatedValue.setTimestamp(expected);
+57 CveDB cveDB = new CveDB();
+58 cveDB.open();
+59 DatabaseProperties instance = cveDB.getDatabaseProperties();
+60 instance.save(updatedValue);
+61 //reload the properties
+62 cveDB.close();
+63 cveDB = new CveDB();
+64 cveDB.open();
+65 instance = cveDB.getDatabaseProperties();
+66 cveDB.close();
+67 long results = Long.parseLong(instance.getProperty("NVD CVE " + key));
+68 assertEquals(expected, results);
+69 }
+70
+71 /**
+72 * Test of getProperty method, of class DatabaseProperties.
+73 */
+74 @Test
+75 public void testGetProperty_String_String() throws Exception {
+76 String key = "doesn't exist";
+77 String defaultValue = "default";
+78 CveDB cveDB = new CveDB();
+79 cveDB.open();
+80 DatabaseProperties instance = cveDB.getDatabaseProperties();
+81 cveDB.close();
+82 String expResult = "default";
+83 String result = instance.getProperty(key, defaultValue);
+84 assertEquals(expResult, result);
+85 }
+86
+87 /**
+88 * Test of getProperty method, of class DatabaseProperties.
+89 */
+90 @Test
+91 public void testGetProperty_String() throws DatabaseException {
+92 String key = "version";
+93 CveDB cveDB = new CveDB();
+94 cveDB.open();
+95 DatabaseProperties instance = cveDB.getDatabaseProperties();
+96 cveDB.close();
+97 String result = instance.getProperty(key);
+98 double version = Double.parseDouble(result);
+99 assertTrue(version >= 2.8);
+100 assertTrue(version <= 10);
+101 }
+102
+103 /**
+104 * Test of getProperties method, of class DatabaseProperties.
+105 */
+106 @Test
+107 public void testGetProperties() throws DatabaseException {
+108 CveDB cveDB = new CveDB();
+109 cveDB.open();
+110 DatabaseProperties instance = cveDB.getDatabaseProperties();
+111 cveDB.close();
+112 Properties result = instance.getProperties();
+113 assertTrue(result.size() > 0);
+114 }
+115 }
+
+
+1 /*
+2 * This file is part of dependency-check-core.
+3 *
+4 * Licensed under the Apache License, Version 2.0 (the "License");
+5 * you may not use this file except in compliance with the License.
+6 * You may obtain a copy of the License at
+7 *
+8 * http://www.apache.org/licenses/LICENSE-2.0
+9 *
+10 * Unless required by applicable law or agreed to in writing, software
+11 * distributed under the License is distributed on an "AS IS" BASIS,
+12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+13 * See the License for the specific language governing permissions and
+14 * limitations under the License.
+15 *
+16 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+17 */
+18 package org.owasp.dependencycheck.reporting;
+19
+20 import java.io.File;
+21 import java.io.InputStream;
+22 import javax.xml.XMLConstants;
+23 import javax.xml.transform.stream.StreamSource;
+24 import javax.xml.validation.Schema;
+25 import javax.xml.validation.SchemaFactory;
+26 import javax.xml.validation.Validator;
+27 import org.junit.Before;
+28 import org.junit.Test;
+29 import org.owasp.dependencycheck.BaseTest;
+30 import org.owasp.dependencycheck.Engine;
+31 import org.owasp.dependencycheck.data.nvdcve.CveDB;
+32 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
+33 import org.owasp.dependencycheck.utils.Settings;
+34
+35 /**
+36 *
+37 * @author Jeremy Long <jeremy.long@owasp.org>
+38 */
+39 public class ReportGeneratorIntegrationTest extends BaseTest {
+40
+41 @Before
+42 public void setUp() throws Exception {
+43 org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
+44 }
+45
+46 /**
+47 * Test of generateReport method, of class ReportGenerator.
+48 *
+49 * @throws Exception is thrown when an exception occurs.
+50 */
+51 @Test
+52 public void testGenerateReport() throws Exception {
+53 String templateName = "HtmlReport";
+54 // File f = new File("target/test-reports");
+55 // if (!f.exists()) {
+56 // f.mkdir();
+57 // }
+58 // String writeTo = "target/test-reports/Report.html";
+59 // Map<String, Object> properties = new HashMap<String, Object>();
+60 // Dependency d = new Dependency();
+61 // d.setFileName("FileName.jar");
+62 // d.setActualFilePath("lib/FileName.jar");
+63 // d.addCPEentry("cpe://a:/some:cpe:1.0");
+64 //
+65 // List<Dependency> dependencies = new ArrayList<Dependency>();
+66 // d.getProductEvidence().addEvidence("jar","filename","<test>test", Confidence.HIGH);
+67 // d.getProductEvidence().addEvidence("manifest","vendor","<test>test", Confidence.HIGH);
+68 //
+69 // for (Evidence e : d.getProductEvidence().iterator(Confidence.HIGH)) {
+70 // String t = e.getValue();
+71 // }
+72 // dependencies.add(d);
+73 //
+74 // Dependency d2 = new Dependency();
+75 // d2.setFileName("Another.jar");
+76 // d2.setActualFilePath("lib/Another.jar");
+77 // d2.addCPEentry("cpe://a:/another:cpe:1.0");
+78 // d2.addCPEentry("cpe://a:/another:cpe:1.1");
+79 // d2.addCPEentry("cpe://a:/another:cpe:1.2");
+80 // d2.getProductEvidence().addEvidence("jar","filename","another.jar", Confidence.HIGH);
+81 // d2.getProductEvidence().addEvidence("manifest","vendor","Company A", Confidence.MEDIUM);
+82 //
+83 // for (Evidence e : d2.getProductEvidence().iterator(Confidence.HIGH)) {
+84 // String t = e.getValue();
+85 // }
+86 //
+87 // dependencies.add(d2);
+88 //
+89 // Dependency d3 = new Dependency();
+90 // d3.setFileName("Third.jar");
+91 // d3.setActualFilePath("lib/Third.jar");
+92 // d3.getProductEvidence().addEvidence("jar","filename","third.jar", Confidence.HIGH);
+93 //
+94 // for (Evidence e : d3.getProductEvidence().iterator(Confidence.HIGH)) {
+95 // String t = e.getValue();
+96 // }
+97 //
+98 // dependencies.add(d3);
+99 //
+100 // properties.put("dependencies",dependencies);
+101 //
+102 // ReportGenerator instance = new ReportGenerator();
+103 // instance.generateReport(templateName, writeTo, properties);
+104 //assertTrue("need to add a real check here", false);
+105 }
+106
+107 /**
+108 * Generates an XML report containing known vulnerabilities and realistic data and validates the generated XML
+109 * document against the XSD.
+110 *
+111 * @throws Exception
+112 */
+113 @Test
+114 public void testGenerateXMLReport() throws Exception {
+115 String templateName = "XmlReport";
+116
+117 File f = new File("target/test-reports");
+118 if (!f.exists()) {
+119 f.mkdir();
+120 }
+121 String writeTo = "target/test-reports/Report.xml";
+122
+123 File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
+124 File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
+125 File jetty = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
+126
+127 boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+128 Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+129 Engine engine = new Engine();
+130 Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+131
+132 engine.scan(struts);
+133 engine.scan(axis);
+134 engine.scan(jetty);
+135 engine.analyzeDependencies();
+136
+137 CveDB cveDB = new CveDB();
+138 cveDB.open();
+139 DatabaseProperties dbProp = cveDB.getDatabaseProperties();
+140 cveDB.close();
+141
+142 ReportGenerator generator = new ReportGenerator("Test Report", engine.getDependencies(), engine.getAnalyzers(), dbProp);
+143 generator.generateReport(templateName, writeTo);
+144
+145 engine.cleanup();
+146
+147 InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/DependencyCheck.xsd");
+148 StreamSource xsdSource = new StreamSource(xsdStream);
+149 StreamSource xmlSource = new StreamSource(new File(writeTo));
+150 SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+151 Schema schema = sf.newSchema(xsdSource);
+152 Validator validator = schema.newValidator();
+153 validator.validate(xmlSource);
+154 }
+155 }
+
+
+1 /*
+2 * This file is part of dependency-check-core.
+3 *
+4 * Licensed under the Apache License, Version 2.0 (the "License");
+5 * you may not use this file except in compliance with the License.
+6 * You may obtain a copy of the License at
+7 *
+8 * http://www.apache.org/licenses/LICENSE-2.0
+9 *
+10 * Unless required by applicable law or agreed to in writing, software
+11 * distributed under the License is distributed on an "AS IS" BASIS,
+12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+13 * See the License for the specific language governing permissions and
+14 * limitations under the License.
+15 *
+16 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+17 */
+18 package org.owasp.dependencycheck.reporting;
+19
+20 import java.io.UnsupportedEncodingException;
+21 import java.net.URLEncoder;
+22 import java.util.logging.Level;
+23 import java.util.logging.Logger;
+24 import org.apache.commons.lang.StringEscapeUtils;
+25
+26 /**
+27 * An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This
+28 * class was created to simplify the velocity configuration and avoid using the "built-in" escape tool.
+29 *
+30 * @author Jeremy Long <jeremy.long@owasp.org>
+31 */
+32 public class EscapeTool {
+33
+34 /**
+35 * The logger.
+36 */
+37 private static final Logger LOGGER = Logger.getLogger(EscapeTool.class.getName());
+38
+39 /**
+40 * URL Encodes the provided text.
+41 *
+42 * @param text the text to encode
+43 * @return the URL encoded text
+44 */
+45 public String url(String text) {
+46 try {
+47 return URLEncoder.encode(text, "UTF-8");
+48 } catch (UnsupportedEncodingException ex) {
+49 LOGGER.log(Level.WARNING, "UTF-8 is not supported?");
+50 LOGGER.log(Level.INFO, null, ex);
+51 }
+52 return "";
+53 }
+54
+55 /**
+56 * HTML Encodes the provided text.
+57 *
+58 * @param text the text to encode
+59 * @return the HTML encoded text
+60 */
+61 public String html(String text) {
+62 return StringEscapeUtils.escapeHtml(text);
+63 }
+64
+65 /**
+66 * XML Encodes the provided text.
+67 *
+68 * @param text the text to encode
+69 * @return the XML encoded text
+70 */
+71 public String xml(String text) {
+72 return StringEscapeUtils.escapeXml(text);
+73 }
+74 }
+
+
+
+
+
+
+
+ Dependency Check includes an analyzer which will check for the Maven GAV (Group/Artifact/Version) information for artifacts in the scanned area. By default the information comes from Maven Central, but can be configured to use a local repository if necessary. If the artifact’s hash is found in the configured Nexus repository, its GAV is recorded as an Identifier and the Group is collected as Vendor evidence, the Artifact is collected as Product evidence, and the Version is collected as Version evidence.
+By default, the Nexus analyzer uses the Sonatype Nexus Repository to search for SHA-1 hashes of dependencies. If the proxy is configured for Dependency Check, that proxy is used in order to connect to the Nexus Central repository. So if you’re using --proxyurl on the command-line, the proxyUrl setting in the Maven plugin, or the proxyUrl attribute in the Ant task, that proxy will be used by default. Also, the proxy port, user, and password configured globally are used as well.
If you have an internal Nexus repository you want to use, Dependency Check can be configured to use this repository rather than Sonatype. This needs to be a Nexus repository (support for Artifactory is planned). For a normal installation of Nexus, you would append /service/local/ to the root of the URL to your Nexus repository. This URL can be set as:
+
+If this repository is internal and should not use the proxy, you can disable the proxy for just the Nexus analyzer. Setting this makes no difference if a proxy is not configured.
+
+Finally, the Nexus analyzer can be disabled altogether.
+
+You may see a log message similar to the following during analysis:
+
+Mar 31, 2014 9:15:12 AM org.owasp.dependencycheck.analyzer.NexusAnalyzer initializeFileTypeAnalyzer
+WARNING: There was an issue getting Nexus status. Disabling analyzer.
+
At the beginning of analysis, a check is made by the Nexus analyzer to see if it is able to reach the configured Nexus service, and if it cannot be reached, the analyzer will be disabled. If you see this message, you can use the configuration settings described above to resolve the issue, or disable the analyzer altogether.